Decision support for the optimal allocation of security controls

Zhang, He; Chari, Kaushal; Agrawal, Manish

doi:10.1016/j.dss.2018.10.001

Cited by 6 publications

(5 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…We were inspired by these works in the creation of our own mission decomposition model presented in our earlier paper 4 . The model used in our work uses the AND/OR notation and is based on the constraint satisfaction problem 17,20,24,25 . The difference between our approach and the related work is that we do not consider mission capacity; functional requirements, that is, constraints, are a binary matter.…”

Section: Related Workmentioning

confidence: 99%

“…4 The model used in our work uses the AND/OR notation and is based on the constraint satisfaction problem. 17,20,24,25 The difference between our approach and the related work is that we do not consider mission capacity; functional requirements, that is, constraints, are a binary matter. The logic of the model used in our work allows selecting the most resilient configuration among all feasible ones, that is, to derive a Bayesian network of associated privileges including both critical targets and likely attacker positions and to calculate the resilience of the configuration.…”

Section: Mission-centric Cybersecuritymentioning

confidence: 99%

“…Emerging issues in this domain seem to be privacy risk management 56 and the use of distributed ledger technologies (e.g., blockchain) that would enable privacy-preserving countermeasure selection. 57 A survey on reaction framework and optimal selection of countermeasures against cyber attacks was presented by Nespoli et al 51 Recent related work includes the work by Zhang et al, 24 who presented a constraint optimization model that could be used as a decision support system for the allocation of security controls. However, the paper's main contribution is a proposed stochastic optimization model to handle uncertainties in breach probability estimation.…”

Section: Decision Support In Cybersecuritymentioning

confidence: 99%

See 2 more Smart Citations

Mission‐centric decision support in cybersecurity via Bayesian Privilege Attack Graph

Javorník

Husák

2022

Engineering Reports

View full text Add to dashboard Cite

We present an approach to decision support in cybersecurity with respect to cyber threats and stakeholders' requirements. We approach situations in which cybersecurity experts need to take actions to mitigate the risks, such as temporarily putting an IT system out of operation, but need to consult them with other stakeholders. We propose a decision support system that uses a mission decomposition model representing the organization's functional and security requirements on its IT infrastructure. Based on the cybersecurity state assessment, that is, discovery of vulnerabilities and attacker's position, the decision support system calculates the resilience metrics for each IT infrastructure's configuration, that is, how likely are they to not be disrupted. The calculation is enabled by two novel formal models, Privilege-Exploit Attack Graph and Bayesian Privilege Attack Graph, which reduce complex attack graphs into a comprehensible bipartite graph. Moreover, they illustrate the impact of exploiting the vulnerabilities and attackers gaining the privileges. The system recommends the most resilient mission configurations that are comprehensible to both cybersecurity experts and non-technical stakeholders, who may then choose which configuration to apply. Our approach is illustrated in a case study of a real-world medical information system.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Mission-centric Cybersecuritymentioning

confidence: 99%

Section: Decision Support In Cybersecuritymentioning

confidence: 99%

See 1 more Smart Citation

Mission‐centric decision support in cybersecurity via Bayesian Privilege Attack Graph

Javorník

Husák

2022

Engineering Reports

View full text Add to dashboard Cite

show abstract

“…Besides investing in cyber controls, parts of the literature have looked into the effect of uncertainties during the risk assessment phases and how these affect the investment decisions [ 58 , 59 ]. The same works compute optimal strategies given these uncertainties offering cybersecurity investment models that are robust to these uncertainties meaning that they optimise return on security investment despite not having the accurate values about the probabilities of different cyber attacks being materialised.…”

Section: Related Workmentioning

confidence: 99%

Automated Cyber and Privacy Risk Management Toolkit

González-Granadillo

Menesidou

Papamartzivanos

et al. 2021

Sensors

View full text Add to dashboard Cite

Addressing cyber and privacy risks has never been more critical for organisations. While a number of risk assessment methodologies and software tools are available, it is most often the case that one must, at least, integrate them into a holistic approach that combines several appropriate risk sources as input to risk mitigation tools. In addition, cyber risk assessment primarily investigates cyber risks as the consequence of vulnerabilities and threats that threaten assets of the investigated infrastructure. In fact, cyber risk assessment is decoupled from privacy impact assessment, which aims to detect privacy-specific threats and assess the degree of compliance with data protection legislation. Furthermore, a Privacy Impact Assessment (PIA) is conducted in a proactive manner during the design phase of a system, combining processing activities and their inter-dependencies with assets, vulnerabilities, real-time threats and Personally Identifiable Information (PII) that may occur during the dynamic life-cycle of systems. In this paper, we propose a cyber and privacy risk management toolkit, called AMBIENT (Automated Cyber and Privacy Risk Management Toolkit) that addresses the above challenges by implementing and integrating three distinct software tools. AMBIENT not only assesses cyber and privacy risks in a thorough and automated manner but it also offers decision-support capabilities, to recommend optimal safeguards using the well-known repository of the Center for Internet Security (CIS) Controls. To the best of our knowledge, AMBIENT is the first toolkit in the academic literature that brings together the aforementioned capabilities. To demonstrate its use, we have created a case scenario based on information about cyber attacks we have received from a healthcare organisation, as a reference sector that faces critical cyber and privacy threats.

show abstract

“…De los 35 artículos seleccionados, cinco se refieren a investigaciones que incluyen modelos de optimización cuantitativos para la selección de ISC (Almeida & Respício, 2018;Kawasaki & Hiromatsu, 2014;Sawik, 2013;Yevseyeva, Basto-Fernandes, Emmerich, & van Moorsel, 2015;Zhang, Chari, & Agrawal, 2018). Estos enfoques proponen un modelo de selección de controles mediante la aplicación de un modelo de optimización de multi-objetivos, en el que relacionan los controles con sus riesgos asociados y su distribución de costos, para obtener una solución óptima.…”

Section: Gestión De Los Controles De Seguridad De La Informaciónunclassified

Comparación de dos enfoques cuantitativos para seleccionar controles de seguridad de la información

Dieguez

Cares

2019

RISTI

View full text Add to dashboard Cite

Resumen: Proporcionar procesos y herramientas sistemáticos para tomar una decisión sobre inversiones en seguridad en un escenario con restricciones presupuestarias, es de suma importancia para asegurar que dichas decisiones se tomen adecuadamente. Presentamos un enfoque de programación de conjunto de respuestas (ASP) para resolver este problema. Nuestra propuesta se compara con el desarrollo del problema utilizando programación lineal (PL). Ilustramos la fase de modelado y el rendimiento computacional de ambas soluciones. El modelo ASP presenta tiempos de resolución del tipo exponencial a medida que aumenta el número de controles sobre los que debe decidirse. Por otro lado, el modelo basado en PL no presenta variaciones importantes en sus tiempos de resolución de problemas. Sin embargo, el problema es más fácil de modelar en ASP. Luego, esta propuesta tiene ventajas para modelar y resolver problemas específicos en los que se requiere una respuesta rápida con una baja cantidad de controles. Palabras-clave:Answer set programming; Programación lineal; Optimización; Controles de seguridad de la información; Sistema de gestión de seguridad de la información. Comparing Two Quantitative Approaches to Select Information Security ControlsAbstract: Provide systematic processes and tools to make a decision about security investments under a scenario of budget constraints, is of paramount importance to assure that such decisions are soundly made. We present a answer set programming (ASP) approach to solve this problem. Our proposal is then compared against a traditional linear programming (LP) operational research technique. We illustrate the modeling phase and computational performance of both solutions. The model based on ASP presents resolution times of the exponential type as the number of controls over which it must be decided increases. On the other hand, the model based on LP does not present important variations in its problem resolution times. RISTI, N.º 32, 06/2019Comparación de dos enfoques cuantitativos para seleccionar controles de seguridad de la información However, the problem is easier to model in ASP. Then, this proposal has advantages for modeling and solving specific problems in which a rapid response is required and which do not require many controls.

show abstract

Decision support for the optimal allocation of security controls

Cited by 6 publications

References 14 publications

Mission‐centric decision support in cybersecurity via Bayesian Privilege Attack Graph

Mission‐centric decision support in cybersecurity via Bayesian Privilege Attack Graph

Automated Cyber and Privacy Risk Management Toolkit

Comparación de dos enfoques cuantitativos para seleccionar controles de seguridad de la información

Contact Info

Product

Resources

About