A comprehensive security control selection model for inter-dependent organizational assets structure

Purpose – This paper aims to propose a comprehensive model for selecting the subset of security controls that is most preventive against potential security attacks within a limited budget. Deploying an appropriate collection of information security controls, especially in organizations that depend on information systems, ensures business continuity alongside effectiveness and efficiency. Design/methodology/approach – The impacts of security attacks are measured on the basis of an interdependent asset structure. To this end, the asset operational dependency graph is mapped onto the security attack graph to assess the risk of each attack. This mapping makes it possible to measure the effectiveness of security controls against attacks. The most effective subset is found by mapping the controls' features (cost and effectiveness) onto the item features (weight and value) of a binary knapsack problem, and then solving that problem with a modified version of the classic dynamic programming algorithm. Findings – Exact solutions are achieved using the dyn...
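To make the pipeline in the abstract concrete, the following is an added, self-contained example (not code from the paper or its authors). It uses a constructed four-asset dependency graph, three attacks and four controls, all made up here; an attack's impact is taken as the value of its target asset plus the values of every asset that transitively depends on it, each control multiplies the success probability of the attacks it covers by a residual factor, and a control's effectiveness is the risk it removes when deployed alone. Selection is then the classic exact 0/1 knapsack dynamic program over integer costs; the paper's modified DP is not described on this page, so the classic recurrence is used in its place.

```python
"""Control selection as a 0/1 knapsack over an interdependent asset graph.

Constructed toy data and simplifying assumptions (effectiveness treated as
additive per control, integer costs); this is an illustration, not the
paper's own model or algorithm.
"""
from collections import deque

# Operational dependencies: an asset depends on every asset in its list.
DEPENDS_ON = {"web": ["app"], "app": ["db", "auth"], "db": [], "auth": []}
ASSET_VALUE = {"web": 30, "app": 40, "db": 100, "auth": 60}

# Attacks: name -> (target asset, probability of success per period).
ATTACKS = {"sqli": ("db", 0.30), "cred_stuffing": ("auth", 0.40), "rce": ("app", 0.15)}

# Controls: cost plus a residual factor applied to each covered attack's
# probability (0.3 means the probability drops to 30% of its value).
CONTROLS = {
    "waf":          {"cost": 30, "residual": {"sqli": 0.3, "rce": 0.6}},
    "mfa":          {"cost": 25, "residual": {"cred_stuffing": 0.1}},
    "patching":     {"cost": 40, "residual": {"rce": 0.2, "sqli": 0.7}},
    "db_hardening": {"cost": 20, "residual": {"sqli": 0.5}},
}


def dependents(asset, depends_on):
    """Assets that transitively depend on `asset` (BFS over reversed edges)."""
    reverse = {a: [] for a in depends_on}
    for a, deps in depends_on.items():
        for d in deps:
            reverse[d].append(a)
    seen, queue = set(), deque([asset])
    while queue:
        for nxt in reverse[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def attack_impact(target):
    """Loss if `target` is compromised: its value plus all dependents' values."""
    return ASSET_VALUE[target] + sum(ASSET_VALUE[a] for a in dependents(target, DEPENDS_ON))


def total_risk(deployed):
    """Sum over attacks of residual probability times impact, given deployed controls."""
    risk = 0.0
    for name, (target, prob) in ATTACKS.items():
        for c in deployed:
            prob *= CONTROLS[c]["residual"].get(name, 1.0)
        risk += prob * attack_impact(target)
    return risk


def control_effectiveness():
    """Risk removed by each control on its own (the knapsack 'value')."""
    base = total_risk(())
    return {c: base - total_risk((c,)) for c in CONTROLS}


def knapsack_select(budget):
    """Exact 0/1 knapsack DP: returns (sorted chosen controls, total effectiveness)."""
    names = list(CONTROLS)
    cost = [CONTROLS[c]["cost"] for c in names]
    eff = control_effectiveness()
    val = [eff[c] for c in names]
    n = len(names)
    # best[i][b] = max effectiveness using the first i controls within budget b
    best = [[0.0] * (budget + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        for b in range(budget + 1):
            best[i][b] = best[i - 1][b]
            if cost[i - 1] <= b:
                cand = best[i - 1][b - cost[i - 1]] + val[i - 1]
                if cand > best[i][b]:
                    best[i][b] = cand
    # Backtrack: an item was taken wherever the table value changed.
    chosen, b = [], budget
    for i in range(n, 0, -1):
        if best[i][b] != best[i - 1][b]:
            chosen.append(names[i - 1])
            b -= cost[i - 1]
    return sorted(chosen), best[n][budget]


if __name__ == "__main__":
    picked, score = knapsack_select(75)
    print("chosen:", picked, "effectiveness:", round(score, 2))
    print("residual risk:", round(total_risk(picked), 2), "of", total_risk(()))
```

The additive effectiveness used as the knapsack value is an approximation: when two controls cover the same attack their reductions compound multiplicatively, so the actual residual risk of the chosen set (`total_risk(picked)`) is the number to report, and the DP's score is only the selection criterion.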
