Adaptive modeling for security vulnerability propagation to predict the impact of business process redesign

Abstract

Background: Business process redesign (BPR) is typical in organizations and is followed by adaptive maintenance on supporting applications. However, BPR leads to information security vulnerabilities that can propagate to its supporting applications. Methods: This study proposes a new method called Node Strength-based Vulnerability Modeling (NSVM) for modeling security vulnerability propagation in the business processes and IT service layers. We applied the concept of social network strength to build our propagation model. The propagation model is needed to predict the impact of BPR on application vulnerabilities. We chose e-commerce applications as a case study. We evaluated the vulnerability propagation model by comparing the predicted vulnerability scores from the model with the actual scores of e-commerce applications in the National Vulnerability Database. Results: Our experimentation indicates that the propagation strength between nodes is influenced by Common Weakness Enumerations (CWEs) between them. Thus, the vulnerability propagation model can predict vulnerability scores at module nodes in the IT service layer. In the NSVM, the best prediction scores were obtained by aggregating the adjacency and initial scores using the maximum principle approach. The best evaluation results yield mean absolute error (MAE), root mean squared error (RMSE), and mean squared error (MSE) scores of 0.60, 1.44, and 1.16, respectively. Conclusion: Our study shows that the vulnerability propagation model with an adaptive mechanism based on BPR can be used to predict security vulnerability scores as the impact of business process redesign.