Security attribute evaluation method: a cost-benefit approach

Any opinions, findings and conclusions or recommendations expressed in this publication are those of the author and do not necessarily reflect those of the sponsor or other entity.

Abstract

A security manager's selection of risk-mitigation controls for an information system's security architecture depends on the organization's risk-management process. Current security risk-management processes require security managers to thoroughly analyze their organization's threats, vulnerabilities, and assets before selecting cost-effective risk-mitigation controls. The most common risk-management method, Annualized Loss Expectancy (ALE), expects security managers to estimate the probabilistic damage from different types of attacks and to invest only in those risk-mitigation controls that cost less than the anticipated loss in asset value. The problem with current risk-mitigation-control cost-benefit analysis methods is that they ask security managers to make precise security investment recommendations or decisions from imprecise inputs, such as estimated attack probabilities or expected economic loss in asset value. This thesis proposes the Security Attribute Evaluation Method (SAEM) as an alternative to current risk-mitigation-control cost-benefit analysis methods. SAEM uses multi-attribute decision analysis techniques from the field of Decision Sciences to guide a security manager in his or her selection of risk-mitigation controls for the organization's information system security architecture. In contrast with current cost-benefit analysis methods, SAEM focuses on the relative benefit of risk-mitigation controls rather than on the economic net value of the information system with and without each risk-mitigation control.

In addition, SAEM integrates a new coverage-analysis model that allows security managers to evaluate how a risk-mitigation control contributes to the security architecture's defense-in-depth design, a fundamental security engineering design principle. In this thesis, I present the results of using SAEM with the security managers of three different organizations: a large commercial company, a large government organization, and a small hospital. SAEM provided these security managers with insight into their risk priorities and, in two of the organizations, SAEM highlighted weaknesses in their security architectures. Overall, the security managers felt that SAEM's coverage-analysis model was very helpful in assessing how risk-mitigation controls support the organization's defense-in-depth security strategy.
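The following Python is an added illustration, not code from the thesis and not SAEM's actual procedure. It contrasts the two approaches the abstract describes: an ALE rule that funds a control only when the expected loss it avoids exceeds its cost, and a relative-benefit ranking that needs only an ordinal ranking of threats plus 0-to-1 effectiveness ratings. The multi-attribute technique used here is a generic weighted additive value model with rank-order-centroid weights, chosen as an assumption for illustration; the threats, controls, loss figures and effectiveness ratings are all constructed, and the `reduction` fractions are reused as effectiveness ratings for simplicity.

```python
"""Added illustration of ALE-based selection versus a relative-benefit
multi-attribute ranking. Not SAEM's procedure; every figure is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    sle: float  # single loss expectancy: estimated loss per occurrence (constructed)
    aro: float  # annualized rate of occurrence (constructed estimate)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # fraction of each threat's expected loss the control is assumed to remove;
    # also reused below as the control's 0..1 effectiveness rating (assumption)
    reduction: Dict[str, float] = field(default_factory=dict)


def ale(threat: Threat) -> float:
    """Annualized Loss Expectancy = SLE x ARO."""
    return threat.sle * threat.aro


def ale_savings(control: Control, threats: List[Threat]) -> float:
    """Expected annual loss avoided if the control is deployed."""
    return sum(ale(t) * control.reduction.get(t.name, 0.0) for t in threats)


def ale_select(controls: List[Control], threats: List[Threat]) -> List[str]:
    """ALE rule: fund a control only when the loss it avoids exceeds its cost."""
    return [c.name for c in controls if ale_savings(c, threats) > c.annual_cost]


def ale_decision_flips(control: Control, threats: List[Threat],
                       threat_name: str, aro_values: List[float]) -> Dict[float, bool]:
    """Re-run the ALE rule for one control while varying a single ARO estimate.
    Shows how a funding decision can hinge on an input nobody can measure precisely."""
    out: Dict[float, bool] = {}
    for aro in aro_values:
        adjusted = [Threat(t.name, t.sle, aro) if t.name == threat_name else t
                    for t in threats]
        out[aro] = ale_savings(control, adjusted) > control.annual_cost
    return out


def rank_order_centroid_weights(n: int) -> List[float]:
    """Rank-order-centroid weights: turn a ranking of n attributes (most important
    first) into weights summing to 1, without asking for numeric estimates."""
    return [sum(1.0 / k for k in range(i, n + 1)) / n for i in range(1, n + 1)]


def relative_benefit(control: Control, threat_order: List[str],
                     weights: List[float]) -> float:
    """Weighted additive value: sum over threats of weight x effectiveness.
    No monetary loss estimate is needed, only relative importance and ratings."""
    return sum(w * control.reduction.get(t, 0.0) for t, w in zip(threat_order, weights))


def rank_by_relative_benefit(controls: List[Control],
                             threat_order: List[str]) -> List[Tuple[str, float]]:
    """Rank controls by relative benefit, highest first."""
    weights = rank_order_centroid_weights(len(threat_order))
    scored = [(c.name, round(relative_benefit(c, threat_order, weights), 4))
              for c in controls]
    return sorted(scored, key=lambda s: s[1], reverse=True)


# Constructed scenario (hypothetical threats, controls and figures).
THREATS = [
    Threat("phishing", sle=50_000, aro=2.0),
    Threat("ransomware", sle=400_000, aro=0.1),
    Threat("insider_misuse", sle=80_000, aro=0.5),
]
CONTROLS = [
    Control("mfa", 30_000, {"phishing": 0.6, "insider_misuse": 0.2}),
    Control("offline_backups", 25_000, {"ransomware": 0.7}),
    Control("dlp", 60_000, {"insider_misuse": 0.5, "phishing": 0.1}),
]
# The security manager's ordinal ranking of threats, most important first.
THREAT_ORDER = ["phishing", "ransomware", "insider_misuse"]

if __name__ == "__main__":
    print("ALE-funded controls:", ale_select(CONTROLS, THREATS))
    print("offline_backups funded vs. ransomware ARO:",
          ale_decision_flips(CONTROLS[1], THREATS, "ransomware", [0.05, 0.1, 0.15]))
    print("Relative-benefit ranking:", rank_by_relative_benefit(CONTROLS, THREAT_ORDER))
```

Under the constructed figures the ALE rule funds `offline_backups` at a ransomware ARO of 0.1 but not at 0.05, so the decision turns on a difference in estimated frequency that no security manager can measure at that resolution. The relative-benefit ranking uses only the threat ordering and the effectiveness ratings, which is the kind of input the abstract argues managers can actually supply; it orders the controls but, on its own, says nothing about whether any of them is worth its cost.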