Analysing the Performance of Security Solutions to Reduce Vulnerability Exposure Window

Beres, Yolanta; Griffin, Jonathan; Shiu, Simon; Heitman, M.; Markle, D.; Ventura, P.

doi:10.1109/acsac.2008.42

Cited by 25 publications

(31 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Recent work by the present authors and others (see, for example, [3,5,6,13,27]) has begun to develop a new methodology for addressing this problem that integrates two main approaches. On the one hand, we employ executable mathematical models of the underlying system captured within its dynamic threat and economic environments.…”

Section: Introductionmentioning

confidence: 99%

“…The experience of security managers and researchers (e.g., [1,3,5,11,27]) suggests that accounting-based approaches to addressing this problem, employing return-on-investment-type calculations, cannot adequately address the operational and dynamic aspects of the analysis that is required. Indeed, very few business or IT stakeholders have a good understanding of how security choices affect business outcomes.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Decision support for systems security investment

Beresnevichiene

Pym

Shiu

2010

2010 IEEE/IFIP Network Operations and Management Symposium Workshops

Self Cite

View full text Add to dashboard Cite

Information security managers with fixed budgets must invest in security measures to mitigate increasingly severe threats whilst maintaining the alignment of their systems with their organization's business objectives. The state of the art lacks a systematic methodology to support security investment decisionmaking. We describe a methodology that integrates methods from multi-attribute utility evaluation and mathematical systems modelling. We illustrate our approach using a collaborative case study with the security managers of a large organization divesting itself of its IT support services. The case study was validated against the experience and observations of the security managers and delivered, according to their judgement, useful results. Specifically, by integrating a mathematical model of system behaviour with an account of the utility of available security investment strategies, the case study has enabled them to understand better the trade-offs between the security performance and the operational consequences of their choices.

show abstract

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Decision support for systems security investment

Beresnevichiene

Pym

Shiu

2010

2010 IEEE/IFIP Network Operations and Management Symposium Workshops

Self Cite

View full text Add to dashboard Cite

show abstract

“…In the case of risk management and mitigation of vulnerability, this is a utility-of-action problem, which has been explored extensively in applied, commercial, contexts in [8,9,24], work which has directly informed the present paper. To demonstrate this issue appropriately in a timing framework, we treat system vulnerabilities as being stochastic discount factors that erode the attributes of a system.…”

Section: Introductionmentioning

confidence: 99%

Fixed Costs, Investment Rigidities, and Risk Aversion in Information Security: A Utility-theoretic Approach

Ioannidis

Pym

Williams

2012

Economics of Information Security and Privacy III

View full text Add to dashboard Cite

This paper addresses the question of determining the optimal timing of interventions in information security management. Using utility theory, we derive the limiting condition under which, given a potential or realized risk, a decision to invest, delay, or abandon can be justified. Our primary focus is on the decision to defer costly deterministic investments, such as the removal of a service or implementation of a security patch, when the costs associated with future security vulnerabilities are uncertain. We outline an investment function with irreversible fixed costs that introduces a rigidity into the investment decision-making profile. This rigidity introduces delay in the implementation of security measures, resulting in cyclical investments in information security, as the decision-maker determines the optimal investment horizon. We therefore show that cycles emerge endogenously given the policy-maker's chosen trade-offs between investment and the deterioration of the system attributes.

show abstract

“…Within the years 2002-2009 we have found several, though sketchy, publicly-announced instances of working exploits for Cisco vulnerabilities 3 . These exploits related to vulnerabilities for which a patch had been released over a year earlier by the vendor.…”

Section: The Threat Environmentmentioning

confidence: 99%

“…We have previously developed a model of the patch management processes to explore the risk exposure window across Wintel environment in an organization [3]. We have adapted this model for network environment by introducing new features such as slower patching rate through patch uptake function and allowing longer patch assessment and preparation time.…”

Section: Patch Release and Patch Management Processesmentioning

confidence: 99%

Optimizing Network Patching Policy Decisions

Beres

Griffin

2012

IFIP Advances in Information and Communication Technology

Self Cite

View full text Add to dashboard Cite

Abstract. Patch management of networks is essential to mitigate the risks from the exploitation of vulnerabilities through malware and other attacks, but by setting too rigorous a patching policy for network devices the IT security team can also create burdens for IT operations or disruptions to the business. Different patch deployment timelines could be adopted with the aim of reducing this operational cost, but care must be taken not to substantially increase the risk of emergency disruption from potential exploits and attacks. In this paper we explore how the IT security policy choices regarding patching timelines can be made in terms of economically-based decisions, in which the aim is to minimize the expected overall costs to the organization from patching-related activity. We introduce a simple cost function that takes into account costs incurred from disruption caused by planned patching and from expected disruption caused by emergency patching. To explore the outcomes under different patching policies we apply a systems modelling approach and Monte Carlo style simulations. The results from the simulations show disruptions caused for a range of patch deployment timelines. These results together with the cost function are then used to identify the optimal patching timelines under different threat environment conditions and taking into account the organization's risk tolerance.

show abstract

Analysing the Performance of Security Solutions to Reduce Vulnerability Exposure Window

Cited by 25 publications

References 7 publications

Decision support for systems security investment

Decision support for systems security investment

Fixed Costs, Investment Rigidities, and Risk Aversion in Information Security: A Utility-theoretic Approach

Optimizing Network Patching Policy Decisions

Contact Info

Product

Resources

About