CCE Theses and Dissertations

Campus Access Only

All rights reserved. This publication is intended for use solely by faculty, students, and staff of Nova Southeastern University. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, now known or later developed, including but not limited to photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the author or the publisher.

Date of Award


Document Type

Dissertation - NSU Access Only

Degree Name

Doctor of Philosophy in Information Systems (DISS)


Graduate School of Computer and Information Sciences


James Cannady

Committee Member

Glyn Gowing

Committee Member

George Thurmond


Information Security


Business objectives and methods in an organization change periodically. Their supporting Information Systems (ISs) change even more dynamically for various reasons: system upgrades, software patches, routine maintenance, and intentionally or unintentionally induced attacks. Unless regular, routine, and timely risk assessments are conducted, changes in IS risks may never be noticed. Risk assessments need to be performed more frequently and faster in order to discover potential threats and to determine the changes that must be made to corporate computing environments to address them. Furthermore, conducting risk assessments on organizational assets can be time consuming, burdensome, and misleading in many cases because of the dynamically changing security states of assets. In theory, each asset can change its security states from one of secure, mitigated, vulnerable, or compromised. However, the secure state is only temporary and imaginary; it may never exist. Therefore, it is more accurate to say that each asset changes its security state from mitigated, vulnerable, or compromised. If we can predict an asset's future security state based on its current security state, we would have a good indicator of risk for the organization's mission-critical assets. Similarly, if risk factors of each mission critical asset could be quantified in near real-time, a risk assessment could be valuable in informing organizational stakeholders of the level of risk of their mission critical assets, which would then aid in their risk mitigation decisions. Quantifying organizational IS risk factors could be meaningful to an organization because quantifying risk levels could prompt a solution space in mitigating risks.

In this research, we introduce an effective risk assessment using hidden Markov models (HMMs) in order to predict future security states and to quantify dynamically changing organizational IS assets by exploring possible security states from an insider user's perspective. HMMs have been used in many scientific fields to predict future states based on current states. Using these models, organizational mission critical assets could be assessed for their risk levels in a near real-time basis to determine the future risk level of each dynamically changing asset due to internally or externally induced threats.

To access this thesis/dissertation you must have a valid OR email address and create an account for NSUWorks.

Free My Thesis

If you are the author of this work and would like to grant permission to make it openly accessible to all, please click the Free My Thesis button.

  Contact Author

  Link to NovaCat