Optimizing Information Systems Security Design Based on Existing Security Knowledge

Information systems and the information they contain are of significant value, and it is indispensable for organizations to ensure their protection. Existing security knowledge provides recommendations and guidelines for achieving a high level of security. However, because of the large amount of data and the complex dependencies within its structure, making informed design decisions is often challenging. This paper proposes a quantitative model tailored to the optimal selection of security safeguards from an existing security knowledge base. The input data are extracted from the extensive IT baseline protection catalogues of the German Federal Office for Information Security (BSI). The data set comprises more than 500 threats and 1200 safeguard options. In an application example, we illustrate that an optimal decision can substantially reduce the number of required safeguards while still maintaining a high security level.
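To make the selection problem concrete, here is an added example that is not from the paper: it treats safeguard selection as a set-cover problem over a constructed toy threat/safeguard mapping (the names and the greedy heuristic are my assumptions, not the paper's model or the BSI catalogue data) and shows how many safeguards are needed to reach a chosen coverage level.

```python
import math
from typing import Dict, List, Set, Tuple

# Constructed toy knowledge base (not taken from the BSI catalogues):
# each safeguard maps to the set of threat identifiers it mitigates.
SAFEGUARDS: Dict[str, Set[str]] = {
    "S1 patch management": {"T1", "T2", "T3"},
    "S2 network segmentation": {"T3", "T4"},
    "S3 offline backups": {"T5", "T6"},
    "S4 multi-factor authentication": {"T2", "T7"},
    "S5 central logging": {"T4", "T7", "T8"},
    "S6 awareness training": {"T7"},
    "S7 encryption at rest": {"T6"},
}
THREATS: Set[str] = set().union(*SAFEGUARDS.values())


def select_safeguards(safeguards: Dict[str, Set[str]], threats: Set[str],
                      target_coverage: float = 1.0) -> Tuple[List[str], float]:
    """Greedy set cover: repeatedly pick the safeguard that mitigates the
    most still-uncovered threats until at least target_coverage of all
    threats is covered.  Returns the chosen safeguards (in selection order)
    and the fraction of threats they cover.  Greedy selection is an
    approximation, not a guaranteed optimum; it is assumed here as a simple
    stand-in for the paper's quantitative model.
    """
    uncovered = set(threats)
    required = math.ceil(target_coverage * len(threats))
    chosen: List[str] = []
    while len(threats) - len(uncovered) < required:
        # Candidate with the largest marginal gain; dict order breaks ties.
        best = max(safeguards, key=lambda s: len(safeguards[s] & uncovered))
        gain = safeguards[best] & uncovered
        if not gain:  # remaining threats have no safeguard in the catalogue
            break
        chosen.append(best)
        uncovered -= gain
    covered = 1 - len(uncovered) / len(threats)
    return chosen, covered


if __name__ == "__main__":
    for target in (1.0, 0.75):
        picks, cov = select_safeguards(SAFEGUARDS, THREATS, target)
        print(f"target {target:.0%}: {len(picks)} of {len(SAFEGUARDS)} "
              f"safeguards, coverage {cov:.0%}: {picks}")
```

With the toy data, full coverage needs 3 of the 7 safeguards and 75% coverage needs 2; the function also stops cleanly when some threats have no mitigating safeguard at all.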
