Mission-Oriented Security Model, Incorporating Security Risk, Cost and Payout

One of the most difficult challenges facing network operators is to estimate risk and allocate resources in adversarial environments. Failure to properly allocate resources leads to failed activities, poor utilization, and insecure environments. In this paper, we explore an optimization-based approach to allocating resources called a mission-oriented security model. This model integrates security risk, cost and payout metrics to optimally allocate constrained secure resources to discrete actions called missions. We model this operation as a Mixed Integer Linear Program (MILP) which can be solved efficiently by different optimization solvers such as MATLAB MILP solver, IBM-CPLEX optimizer or CVX solver. We further introduce and explore a novel method to evaluate security risk in resource planning using two datasets—the Ponemon Institute cost of breach survey and CSI/FBI surveys of security events. Data driven simulations are used to validate the model robustness and uncover a number of insights on the importance of risk valuation in resource allocation.

[1]  S. Kaplan,et al.  On The Quantitative Definition of Risk , 1981 .

[2]  Thomas F. La Porta,et al.  Mapping sample scenarios to operational models , 2016, MILCOM 2016 - 2016 IEEE Military Communications Conference.

[3]  Tyler Moore,et al.  Information Security Economics - and Beyond , 2007, DEON.

[4]  C. Floudas Nonlinear and Mixed-Integer Optimization: Fundamentals and Applications , 1995 .

[5]  Hannes Holm A Large-Scale Study of the Time Required to Compromise a Computer System , 2014, IEEE Transactions on Dependable and Secure Computing.

[6]  Sushil Jajodia,et al.  Moving Target Defense - Creating Asymmetric Uncertainty for Cyber Threats , 2011, Moving Target Defense.

[7]  Thomas F. La Porta,et al.  Self-Adaptive Resource Allocation for Event Monitoring with Uncertainty in Sensor Networks , 2015, 2015 IEEE 12th International Conference on Mobile Ad Hoc and Sensor Systems.

[8]  William H. Sanders,et al.  Model-based evaluation: from dependability to security , 2004, IEEE Transactions on Dependable and Secure Computing.

[9]  Ananthram Swami,et al.  Security and Science of Agility , 2014, MTD '14.

[10]  Martin P. Loeb,et al.  CSI/FBI Computer Crime and Security Survey , 2004 .

[11]  D. Rajan Probability, Random Variables, and Stochastic Processes , 2017 .

[12]  Lawrence A. Gordon,et al.  The economics of information security investment , 2002, TSEC.

[13]  Tyler Moore,et al.  The Economics of Information Security , 2006, Science.

[14]  Michael M. May,et al.  How much is enough? A risk management approach to computer security , 2000 .

[15]  Kevin Jones,et al.  A review of cyber security risk assessment methods for SCADA systems , 2016, Comput. Secur..

[16]  Norman F. Schneidewind Cyber Security Prediction Models , 2009 .