Most enterprises aiming to deploy cost-effective security configuration follow information security standards and guidelines to adopt cybersecurity controls such as CIS Critical Security Controls (CIS CSC) [2]. With the increased dependency over cyber, the landscape of cyber attacks is escalating quickly, and as a consequence, hundreds of cybersecurity controls have to be delineated to implement NIST Cybersecurity Framework (i.e., identify, protect, detect, respond and recover) [6]. The security configuration comprised of the appropriate set of security controls requires not only to be optimized regarding Return on Investment (RoI) but also to be resilient in order to tackle the failures against diversified cyber attacks. However, the composition of such optimal and resilient cybersecurity portfolio (security configuration) is a highly complex and error-prone task as there are exponential numbers of ways to construct a portfolio due to a large number of security controls, threats, resource, and usability constraints. The objective of this research is to develop a novel and an automated approach to compose the optimal and resilient risk mitigation planning by selecting the most critical security controls (CSC) considering affordable residual risk (risk appetite), budget, resiliency, and enterprise-oriented usability constraints. We developed a model named "Cyber Defense Matrix (CDM)" that resemblances the deployed cyber defense strategy. The structure of CDM incorporating three dimensions: Security Function (what), Enforcement Level (where), and Kill Chain Phase (why) enables the composition of multi-layer and multi-stage resilient defense configuration. Our approach leverages CDM to determine which security controls are needed for "what" security function (Identify, Protect, Detect, Respond, and Recover), "where" each security control should be enforced in the cyber systems (Network, Device, People, Application, and Data), and "why" they are effective (i.e., against what attack and wherein the kill chain). We formulate the approach to compute the resilient cybersecurity planning as CDM using SMT constraints.
[1]
Jeffrey Dean,et al.
Efficient Estimation of Word Representations in Vector Space
,
2013,
ICLR.
[2]
MalacariaPasquale,et al.
Decision support approaches for cyber security investment
,
2016
.
[3]
Robert J. Kauffman,et al.
Risk Management of Contract Portfolios in IT Services: The Profit-at-Risk Approach
,
2008,
J. Manag. Inf. Syst..
[4]
Loren Paul Rees,et al.
Decision support for Cybersecurity risk planning
,
2011,
Decis. Support Syst..
[5]
Carsten Maple,et al.
A novel risk assessment and optimisation model for a multi-objective network security countermeasure selection problem
,
2012,
Decis. Support Syst..