Given the increasing dependence of the information society on information and communication technologies, the information security risks of these systems should be measured and improved. In this paper, we propose to model information security risks based on attack graphs as a special Bayesian network. Bayesian networks make it possible to combine historical quantitative information with qualitative information in a systematic way. They also allow conditional probabilities to be used to address the general cases of interdependency between vulnerabilities.
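To illustrate how conditional probabilities capture interdependent vulnerabilities in an attack graph, here is an added example that is not taken from the paper. The four-node graph (`web`, `vpn`, `app`, `db`), every probability, and the helper names are constructed assumptions, and inference is done by plain enumeration rather than by any method the paper may use.

```python
from itertools import product

# Constructed example network: node -> (parents, CPT). Each CPT maps a tuple of
# parent states to P(node is compromised | parents). All numbers are made up.
ATTACK_GRAPH = {
    "web": ((), {(): 0.5}),
    "vpn": ((), {(): 0.2}),
    "app": (("web", "vpn"), {(False, False): 0.0, (True, False): 0.6,
                             (False, True): 0.3, (True, True): 0.8}),
    "db": (("app",), {(False,): 0.0, (True,): 0.5}),
}

def joint(graph, state):
    """Probability of one full assignment: product of each node's CPT entry."""
    p = 1.0
    for node, (parents, cpt) in graph.items():
        p_true = cpt[tuple(state[q] for q in parents)]
        p *= p_true if state[node] else 1.0 - p_true
    return p

def probability(graph, query, evidence=None):
    """P(query | evidence) by enumerating every assignment (small graphs only)."""
    evidence = evidence or {}
    nodes = list(graph)
    num = den = 0.0
    for values in product([False, True], repeat=len(nodes)):
        state = dict(zip(nodes, values))
        if any(state[k] != v for k, v in evidence.items()):
            continue
        p = joint(graph, state)
        den += p
        if all(state[k] == v for k, v in query.items()):
            num += p
    if den == 0.0:
        raise ValueError("evidence has zero probability")
    return num / den

def patched(graph, node):
    """Copy of the graph in which `node` can no longer be exploited."""
    parents, cpt = graph[node]
    return {**graph, node: (parents, {k: 0.0 for k in cpt})}

if __name__ == "__main__":
    print("P(db)            =", round(probability(ATTACK_GRAPH, {"db": True}), 4))
    print("P(web | db)      =", round(probability(ATTACK_GRAPH, {"web": True}, {"db": True}), 4))
    print("P(db), web fixed =", round(probability(patched(ATTACK_GRAPH, "web"), {"db": True}), 4))
```

The posterior `P(web | db)` shows the diagnostic direction (which entry point most likely led to an observed compromise), and the `patched` comparison shows how removing one vulnerability changes the risk at a dependent node.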