Breach incidents at organizations such as
JPMorgan Chase, eBay, Home Depot, Sony
Pictures Entertainment, the European Central
Bank and the US Postal Service1 beg the
questions: Why are breaches continuing despite
deploying cutting-edge solutions supported
by compliance to thwart the attacks? Are
applications more secure relative to current
threats or less secure? How much more security
is required? What is the current level of risk
posed by application security? Can the security
budget be decreased or should it be increased?
If increased, to what extent is risk reduced?
What is the applications’ change in the risk level
before and after the deployment of innovative
No definitive answer exists for these questions
because there is no standard metric to know
the exact status of application security.
Unanswered questions have paved the way for
attackers to continue exploiting applications.
Therefore, a security metric that can quantify
the risk posed by applications is essential to
make decisions in security management and
Currently, a generic risk assessment
metric is used to assess application security
risk (ASR). This does not encompass the
basic factors of application security such as
compliance, countermeasure efficiency and
application priority. Obviously, the results are
not commensurate with actual risk posed by
application security. Real application security
risk is perceived and not measured. Hence,
organizations are not able to implement the
required security controls. The business is
unaware of its applications’ susceptibility to
attack. This is the main reason for continued
attacks on applications despite deploying robust
security measures. ASR measurement requires
a specifically designed metric that involves
all of the factors of application security. This
article aims to define the standard for security in
applications by designing a metric.
The entire process of metric design allows
the business to find the optimum answer for the
• What path could an attacker take to get inside
• What tools are required to defeat the existing
• What are the possible signs of an attack
particular to each category of application?
• Can existing security measures detect the attack?
Answering these questions ensures that the
organization has considered potential attacks
and helps toward the implementation of required
controls, if existing measures are inadequate.
EVALUATION OF THE EXISTING RISK METRIC
In general, risk is the probability of occurrence of
an event that would have a negative effect on a
goal. 2 Risk is a field. It is perception dependent.
No clear definition for the concept of ASR
exists. However, in this article, ASR is defined
as a measure of an application’s susceptibility
to an attack and the impact of that attack. The
following generic formula is currently used (with
slight variations) to measure risk:
Risk = Probability of Attack × Impact of Attack
Considering this equation, the impact of an
attack is relatively easy and straightforward to
assess. The term “probability of attack” indicates
how likely it is that the attack occurs. The
calculation of the probability of an attack has
practical limitations. 3 The probability of simple
situations (e.g., tossing a coin, picking a card,
throwing a die) can be derived from probability
principles. Evaluating the probability of real-time events (e.g., weather incidents, hurricanes,
earthquakes) is possible based on historical
records. But in the case of attacks, probability
does not work because attackers do not work in
any statistical pattern. For instance, consider the
breach of retailer Home Depot in 2014. There is
no previous history of breaches at Home Depot.
What was the probability of a Home Depot breach
before it happened, and what is the probability of a
Shubhamangala B. R.
is pursuing a Ph.D. with
particular interests in
application security, security
and risk. She is an associate
professor in the Department
of Computer Science and
Engineering at Jain University
(Bangalore, India). She has
been previously published
in the American Society for
Quality Software Quality
Professional journal and many
of her papers are indexed in
the Institute of Electrical and
Electronics Engineers’ Explore
database. She can be reached
Snehanshu Saha, Ph.D., has
taught computer science at
PES Institute of Technology
South Campus (Bangalore,
India) since 2011 and heads
the Center for Basic Initiatives
in Mathematical Modeling.
Saha has been working on the
subvocalization of text using
and has published scholarly
articles on the subject.
Application Security Risk
Assessment and Modeling
Do you have
to say about
Visit the Journal
pages of the ISACA
web site ( www.isaca.
org/journal), find the
article and choose
the Comments tab to
share your thoughts.
Go directly to the article: