Selecting Optimal Subset of Security Controls

Abstract

Choosing an optimal investment in information security is an issue most companies face these days. Which security controls should a company buy to protect its IT system best? Selecting a subset of security controls among many available ones can be seen as a resource allocation problem that should take into account the conflicting objectives and constraints of the problem. In particular, the security of the system should be improved without hindering productivity, under a limited budget for buying controls. In this work, we provide several possible formulations of the security-controls subset selection problem as a portfolio optimization problem, which is well known in financial management. We propose approaches to solve them using existing single- and multiobjective optimization algorithms.
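The abstract describes the selection problem only in words: a budget constraint on what can be bought, a security objective to maximize, and a productivity objective to keep from degrading. The following script is an added illustration of that shape and is not the paper's own model or code. It assumes a hypothetical additive formulation (portfolio cost, risk reduction and productivity loss are sums over the chosen controls), a constructed five-control catalogue, and exhaustive enumeration of all subsets, which is a baseline rather than the evolutionary algorithms the paper proposes for larger catalogues. It shows both views the abstract mentions: a single-objective weighted sum that returns one portfolio, and the multiobjective Pareto front that returns every non-dominated feasible portfolio.

```python
from itertools import combinations
from typing import Iterable, NamedTuple


class Control(NamedTuple):
    """One purchasable security control (all values are constructed)."""
    name: str
    cost: float               # purchase price, in budget units
    risk_reduction: float     # expected loss avoided, same units
    productivity_loss: float  # user-friction score, higher is worse


# Constructed catalogue for illustration only; not taken from the paper.
CONTROLS = [
    Control("mfa", 30, 40, 8),
    Control("edr", 50, 35, 3),
    Control("dlp", 40, 20, 15),
    Control("patching", 20, 30, 5),
    Control("email_filter", 15, 15, 2),
]


def portfolio_metrics(subset: Iterable[Control]):
    """Additive objectives: total cost, total benefit, total friction.
    Additivity is a simplifying assumption (real controls interact)."""
    subset = list(subset)
    return (sum(c.cost for c in subset),
            sum(c.risk_reduction for c in subset),
            sum(c.productivity_loss for c in subset))


def feasible_portfolios(controls, budget):
    """Enumerate every subset whose cost fits the budget (knapsack constraint).
    Exhaustive: 2**n subsets, fine for a toy catalogue only."""
    for k in range(len(controls) + 1):
        for subset in combinations(controls, k):
            cost, benefit, friction = portfolio_metrics(subset)
            if cost <= budget:
                yield frozenset(c.name for c in subset), benefit, friction


def dominates(a, b):
    """a = (benefit, friction) dominates b if it is no worse on both
    objectives and strictly better on at least one."""
    return (a[0] >= b[0] and a[1] <= b[1]) and (a[0] > b[0] or a[1] < b[1])


def pareto_front(controls, budget):
    """Multiobjective view: keep only non-dominated feasible portfolios,
    ordered from least friction to most."""
    candidates = list(feasible_portfolios(controls, budget))
    front = [
        (names, benefit, friction)
        for names, benefit, friction in candidates
        if not any(dominates((b, f), (benefit, friction)) for _, b, f in candidates)
    ]
    return sorted(front, key=lambda t: (t[2], -t[1]))


def best_weighted(controls, budget, w_benefit=1.0, w_friction=1.0):
    """Single-objective view: scalarise the two objectives by a weighted
    sum and return the feasible portfolio that maximises it."""
    return max(
        feasible_portfolios(controls, budget),
        key=lambda t: w_benefit * t[1] - w_friction * t[2],
    )


if __name__ == "__main__":
    for names, benefit, friction in pareto_front(CONTROLS, budget=100):
        print(sorted(names), "benefit", benefit, "friction", friction)
    print("weighted pick:", best_weighted(CONTROLS, 100, 1.0, 2.0))
```

The Pareto front makes the trade-off explicit: the empty portfolio sits at one end (no friction, no protection) and the maximum-protection portfolio that still fits the budget at the other, with intermediate portfolios in between for a decision maker to choose among. The weighted sum collapses that choice into the weights, which is convenient but hides portfolios that no single weighting would ever select.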
