Optimal selection of IT security safeguards from an existing knowledge base

In this paper, a combinatorial optimization model is proposed to efficiently select security safeguards in order to protect IT infrastructures and systems. The approach is designed to provide very concrete decision support for an organization as a whole or separately for specific systems. It can be applied in practice without requiring the decision maker himself to collect extensive input data. This is accomplished by using an existing comprehensive and highly accepted knowledge base as a basis for decision making. For our analysis, we use the publicly available IT baseline protection catalogues of the German Federal Office for Information Security (BSI). The catalogues contain more than 500 threats and over 1200 safeguard alternatives to choose from. Applying our model, it is possible to make use of this knowledge and determine optimal selections of safeguards according to given security requirements. The approach supports the decision maker in establishing an effective baseline security strategy.
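As an added illustration, not code from the paper (whose exact model formulation is not given in the abstract), the selection problem can be sketched as a weighted set cover: each safeguard has a cost and mitigates a subset of threats, and the security requirement is a set of threats that must be mitigated. The catalogue below is a constructed toy; its safeguard names, costs and threat mappings are placeholders, not BSI entries.

```python
from itertools import combinations

# Constructed toy catalogue (placeholders, not BSI data): safeguard -> (cost, threats mitigated).
SAFEGUARDS = {
    "ups_power_supply":     (3, {"power_failure"}),
    "offsite_backup":       (4, {"data_loss", "ransomware"}),
    "patch_management":     (2, {"malware", "ransomware"}),
    "network_segmentation": (5, {"lateral_movement", "malware"}),
    "security_awareness":   (1, {"phishing", "malware"}),
    "endpoint_protection":  (3, {"malware", "ransomware", "phishing"}),
}


def covered_threats(safeguards, chosen):
    """Union of the threats mitigated by the chosen safeguards."""
    return set().union(*(safeguards[n][1] for n in chosen))


def total_cost(safeguards, chosen):
    return sum(safeguards[n][0] for n in chosen)


def min_cost_cover(safeguards, required):
    """Cheapest safeguard set mitigating every required threat (weighted set cover).
    Exhaustive enumeration is exact but only practical for a handful of candidates;
    a full catalogue needs an ILP solver. Returns (cost, frozenset of names)."""
    required = set(required)
    missing = required - covered_threats(safeguards, list(safeguards))
    if missing:
        raise ValueError(f"no safeguard mitigates: {sorted(missing)}")
    best = None
    for k in range(1, len(safeguards) + 1):
        for combo in combinations(safeguards, k):
            cost = total_cost(safeguards, combo)
            if best is not None and cost >= best[0]:
                continue  # cannot improve on the incumbent solution
            if required <= covered_threats(safeguards, combo):
                best = (cost, frozenset(combo))
    return best


def max_coverage(safeguards, threats, budget):
    """Budget-limited variant: mitigate as many of the given threats as the budget
    allows; ties go to the cheaper set. Returns (threats_hit, cost, names)."""
    threats, best = set(threats), (0, 0, frozenset())
    for k in range(1, len(safeguards) + 1):
        for combo in combinations(safeguards, k):
            cost = total_cost(safeguards, combo)
            if cost > budget:
                continue
            hit = len(threats & covered_threats(safeguards, combo))
            if (hit, -cost) > (best[0], -best[1]):
                best = (hit, cost, frozenset(combo))
    return best
```

With the toy data, requiring malware, ransomware, phishing and data_loss yields the cheapest cover `offsite_backup` plus `security_awareness` at cost 5, while a budget of 4 can mitigate at most three of those four threats.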
