
EEMCS EPrints Service

25270 Quantitative penetration testing with item response theory

Arnold, F. and Pieters, W. and Stoelinga, M.I.A. (2013) Quantitative penetration testing with item response theory. In: 9th International Conference on Information Assurance and Security, IAS 2013, 4-6 Dec 2013, Gammarth, Tunisia. pp. 49-54. IEEE. ISBN 978-1-4799-2989-4

Open Access



Existing penetration testing approaches assess the vulnerability of a system by determining whether certain attack paths are possible in practice. Thus, penetration testing has so far been used as a qualitative research method. To enable quantitative approaches to security risk management, including decision support based on the cost-effectiveness of countermeasures, one needs quantitative measures of the feasibility of an attack. Also, when physical or social attack steps are involved, the binary view on whether a vulnerability is present or not is insufficient, and one needs some viability metric. When penetration tests are performed anyway, it is very easy for the testers to keep track of, for example, the time they spend on each attack step. Therefore, this paper proposes the concept of quantitative penetration testing to determine the difficulty rather than the possibility of attacks based on such measurements. We do this by step-wise updates of expected time and probability of success for all steps in an attack scenario. In addition, we show how the skill of the testers can be included to improve the accuracy of the metrics, based on the framework of item response theory (Elo ratings). We prove the feasibility of the approach by means of simulations, and discuss application possibilities.

Item Type: Conference or Workshop Paper (Full Paper, Talk)
Research Group: EWI-DIES: Distributed and Embedded Security, EWI-FMT: Formal Methods and Tools
Research Program: CTIT-ISTRICE: Integrated Security and Privacy in a Networked World
Research Project: TREsPASS: Technology-supported Risk Estimation By Predictive Assessment Of Socio-technical Security
Additional Information: Foreground = 100%; Type of activity = publication, presentation; Main leader = UT; Type of audience = scientific community, industry; Size of audience = 30; Countries addressed = international
Uncontrolled Keywords: item response theory, penetration testing, quantitative security, security metrics, socio-technical security
ID Code: 25270
Deposited On: 15 November 2014