A framework for secure IT operations in an uncertain and changing environment

We propose a novel framework to optimally select effective IT security safeguards. The framework covers uncertain and dynamic aspects within the IT security process. Practical applicability is ensured by using extensive real-world security knowledge. The knowledge base covers 80 system components, 518 threats, and 1244 safeguards. Several MILP models are proposed to determine optimal selections of safeguards.

In this paper, a quantitative approach is proposed that addresses various decision-making challenges within the IT security process of an organization. The approach serves as a framework that facilitates multiple applications to optimize the security of IT systems in different environmental settings. Addressing this problem is a critical challenge for almost all organizations, and it still lacks a comprehensive and consistent quantitative treatment. The key question of the corresponding decision problem is which safeguards to select in order to achieve sufficient security. The proposed framework addresses this by establishing a generally applicable problem structure and by reusing existing knowledge in order to reduce the implementation costs of the approach. Based on this foundation, efficient MILP models are applied to support the establishment of an effective IT security strategy. Depending on the knowledge an organization is able to provide, decisions take uncertainty and even dynamic aspects into account. As a result, deployed safeguards are robust against uncertain security threats and remain stable over several planning periods even if the system or the threat environment changes. This is a significant advancement that results in higher security in the short term and lower costs in the mid and long term.
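As an added illustration (not the paper's model or its knowledge base), the following toy instance shows the decision problem the abstract describes: deployed components expose threats via a constructed knowledge base, and the cheapest safeguard set is chosen that reaches a required security level under a nominal threat estimate and, in the robust variant, also under an additional worst-case threat scenario. Exhaustive search stands in for the paper's MILP models, and all component, threat and safeguard names, costs and weights are constructed.

```python
from itertools import combinations

# Constructed knowledge base (illustrative, not the paper's 80/518/1244 entries):
# which threats each component type is exposed to.
THREATS_OF_COMPONENT = {
    "web_server": {"sql_injection", "dos", "unpatched_software"},
    "database":   {"sql_injection", "data_theft", "unpatched_software"},
    "laptop":     {"malware", "device_loss"},
}
# Constructed safeguards: (cost, threats it mitigates). Full mitigation is assumed.
SAFEGUARDS = {
    "input_validation": (3, {"sql_injection"}),
    "waf":              (5, {"sql_injection", "dos"}),
    "patch_mgmt":       (4, {"unpatched_software"}),
    "encryption":       (2, {"data_theft", "device_loss"}),
    "endpoint_av":      (3, {"malware"}),
    "ddos_service":     (6, {"dos"}),
}

def relevant_threats(system):
    """Threats exposed by the deployed components, derived from the knowledge base."""
    return set().union(*(THREATS_OF_COMPONENT[c] for c in system))

def select_safeguards(system, required_level, scenarios):
    """Cheapest safeguard set whose mitigated threat weight reaches `required_level`
    (a fraction of the total relevant threat weight) in EVERY weight scenario.
    Exhaustive search replaces the MILP: exact, but only practical for small instances."""
    threats = relevant_threats(system)
    names = sorted(SAFEGUARDS)
    best = None
    for k in range(len(names) + 1):
        for subset in combinations(names, k):
            cost = sum(SAFEGUARDS[s][0] for s in subset)
            if best is not None and cost >= best[0]:
                continue  # cannot improve on the incumbent
            covered = threats & set().union(set(), *(SAFEGUARDS[s][1] for s in subset))
            feasible = all(
                sum(w.get(t, 0) for t in covered) >= required_level * sum(w.get(t, 0) for t in threats)
                for w in scenarios)
            if feasible:
                best = (cost, frozenset(subset))
    return best

SYSTEM = ["web_server", "database"]
# Constructed threat weights: nominal estimate, plus a scenario where DoS pressure rises.
NOMINAL = {"sql_injection": 5, "dos": 2, "unpatched_software": 4, "data_theft": 3}
DOS_SURGE = dict(NOMINAL, dos=8)

if __name__ == "__main__":
    print("nominal:", select_safeguards(SYSTEM, 0.8, [NOMINAL]))             # cost 9
    print("robust: ", select_safeguards(SYSTEM, 0.8, [NOMINAL, DOS_SURGE]))  # cost 11
```

The robust selection costs more up front but stays feasible when the threat environment shifts, which is the trade-off the abstract points to between short-term cost and stability across planning periods.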
