MAIA: Methodology for Assessing the Impacts of Threats to Information Systems
Abstract
Context: Cyberattacks have increased over the last decades, and weak security practices leave information systems with many vulnerabilities. A pentest (penetration test) is a proactive attempt to assess the security of an information system. In some organizational contexts it is mandatory and must be carried out by an independent third-party firm, which can be costly for the organization. Problem: Many organizations are unfamiliar with pentests or cannot afford them, so alternative approaches are needed for them. Solution: The objective of this work is MAIA, an easy-to-follow methodology for assessing the impact of threats to information systems. Its two deliverables are the methodology itself and an index that quantifies the impact of the vulnerabilities found. IS Theory: The work is grounded in General Systems Theory, in particular as it applies to systems security. Method: The research is prescriptive in nature, and the methodology was evaluated through a case study in a large company; the results are both quantitative and qualitative. Summary of Results: Applying MAIA to a real organization surfaced its vulnerabilities, and the final vulnerability index indicated a high risk to the company, demonstrating that the methodology is applicable in practice. Contributions and Impact on the IS area: The main contribution is a methodology that offers an alternative to traditional pentests, can be conducted by multidisciplinary teams, and produces results on which decisions about remediating vulnerabilities can be based.