Article ID: 461024
Journal: Journal of Systems and Software
Published Year: 2015
Pages: 14 Pages
File Type: PDF
Abstract

• A risk prediction methodology based on SCAP specifications is proposed.
• The methodology is demonstrated with an example from the e-banking sector.
• Distribution fitting and the Kolmogorov–Smirnov test are utilized.
• A BBN topology to perform predictions on risk elements is developed.
• The main contribution is to provide a proactive approach to zero-day risks.

The protection of information infrastructures is important for the functioning of other infrastructure sectors. As vital parts of the information infrastructure operation, software-based platforms face a series of vulnerabilities and threats. This paper aims to provide a complementary approach to existing vulnerability prediction solutions and to initiate the measurement of zero-day risk by introducing a risk prediction methodology for an information infrastructure. The proposed methodology consists of four steps and utilizes the outcomes of a proper analysis of security measurements provided by specifications from the Security Content Automation Protocol. First, we identify the software platform assets that support an information infrastructure, and second, we measure the historical rate of vulnerability occurrences. Third, we use a distribution fitting procedure to estimate the statistical correlation between empirical and reference probability distributions, and we verify the statistical significance of the distribution fitting results with the Kolmogorov–Smirnov test. Fourth, we develop conditional probability tables that constitute a Bayesian Belief Network topology as a means to enable risk prediction and estimation on security properties. The practicality of the risk prediction methodology is demonstrated with an implementation example from the electronic banking sector. The contribution of the proposed methodology is to provide auditors with a proactive approach to zero-day risks.

Related Topics
Physical Sciences and Engineering; Computer Science; Computer Networks and Communications