Dynamic Control and Mitigation of Interdependent IT Security Risks

Security risk management for information technology-based organizations has become increasingly important in recent years. However, the risk assessment and mitigation strategies that these organizations employ have remained relatively ad hoc and qualitative. In this paper, we extend a quantitative framework for risk assessment called Risk-Rank [1] to include risk mitigation through Markov Decision Processes. By doing so, we provide an analysis-to-action quantitative approach to security risk management, enabling IT managers to perform more comprehensive evaluations of their risk exposures. We demonstrate the effectiveness of this approach through an example related to the patching of computers in a corporate network.
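The following is an added illustration, not the paper's model: a constructed four-host dependency graph whose Risk-Rank-style scores (approximated here as a damped propagation fixed point) feed a small Markov Decision Process that chooses which host to patch each period. The topology, weights, costs and discount factor are all assumed sample values.

```python
from functools import lru_cache

# Constructed toy network (not from the paper). W[i][j] = fraction of host i's
# risk that propagates to host j, e.g. via trust, credentials or data flows.
HOSTS = ["dmz-web", "app", "db", "admin-ws"]
W = [
    [0.0, 0.6, 0.0, 0.4],
    [0.0, 0.0, 0.9, 0.1],
    [0.0, 0.0, 0.0, 1.0],
    [0.5, 0.5, 0.0, 0.0],
]
BASE = [0.5, 0.2, 0.1, 0.3]        # intrinsic exposure while unpatched
IMPACT = [1.0, 2.0, 10.0, 3.0]     # asset value: what a compromise costs
PATCH_COST = [2.0, 3.0, 5.0, 1.0]  # downtime/effort to patch the host
DAMPING, DISCOUNT, ITERS = 0.7, 0.9, 200

@lru_cache(maxsize=None)
def risk_scores(patched):
    """Risk-Rank-style fixed point r = (1-d) b + d W^T r, with b zeroed for patched hosts."""
    n = len(HOSTS)
    b = [0.0 if i in patched else BASE[i] for i in range(n)]
    r = b[:]
    for _ in range(ITERS):  # converges: W is row-stochastic and d < 1
        r = [(1 - DAMPING) * b[j] + DAMPING * sum(W[i][j] * r[i] for i in range(n))
             for j in range(n)]
    return r

def weighted_risk(patched):
    """Residual risk exposure per period, weighted by asset value."""
    return sum(v * r for v, r in zip(IMPACT, risk_scores(patched)))

def solve_patching_policy():
    """Value iteration over the 2^n 'which hosts are patched' states.
    Action None = patch nothing this period; action i = patch host i.
    Returns (value, policy) dicts keyed by frozenset of patched hosts."""
    n = len(HOSTS)
    states = [frozenset(i for i in range(n) if mask >> i & 1) for mask in range(1 << n)]
    V, policy = {s: 0.0 for s in states}, {}
    def q(s, a):  # one-step cost plus discounted value of the successor state
        nxt = s if a is None else s | {a}
        return weighted_risk(s) + (0.0 if a is None else PATCH_COST[a]) + DISCOUNT * V[nxt]
    for _ in range(ITERS):
        for s in states:  # in-place (Gauss-Seidel) Bellman update
            a = min([None] + [i for i in range(n) if i not in s], key=lambda a: q(s, a))
            policy[s], V[s] = a, q(s, a)
    return V, policy

if __name__ == "__main__":
    V, policy = solve_patching_policy()
    s = frozenset()
    while policy[s] is not None:  # follow the optimal patch order from an unpatched network
        print(f"patch {HOSTS[policy[s]]:9s} expected discounted cost {V[s]:.2f}")
        s |= {policy[s]}
```

The policy changes with the propagation matrix, not just the per-host base scores, which is the point of treating the risks as interdependent rather than ranking hosts in isolation.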

[1] Tansu Alpcan et al., Modeling dependencies in security risk management, 2009, 2009 Fourth International Conference on Risks and Security of Internet and Systems (CRiSIS 2009).

[2] François Fouss et al., Random-Walk Computation of Similarities between Nodes of a Graph with Application to Collaborative Recommendation, 2007, IEEE Transactions on Knowledge and Data Engineering.

[3] Amy Nicole Langville et al., A Survey of Eigenvector Methods for Web Information Retrieval, 2005, SIAM Review.

[4] Nicholas Bambos et al., SecureRank: A Risk-Based Vulnerability Management Scheme for Computing Infrastructures, 2007, 2007 IEEE International Conference on Communications.

[5] Nicholas Bambos et al., Dynamic Risk Mitigation in Computing Infrastructures, 2007, Third International Symposium on Information Assurance and Security.

[6] Christian Bauckhage, Image Tagging Using PageRank over Bipartite Graphs, 2008, DAGM-Symposium.