1,055 research outputs found
Managing Information Security Investments Under Uncertainty: Optimal Policies for Technology Investment and Information Sharing
Information systems are an integral part of today's business environment. Businesses, government organizations, and the society rely on these systems for various transactions, most of which have huge financial implications. Hence, attacks that breach information systems result in interruption of operations, loss of data and customer confidence, constituting a significant threat to firms.
The losses due to attacks on information systems can be mitigated through investments in information security technologies and services. In this thesis we study three practical problems related to information system security investment management: (1) Optimal policies for technology investment in information system security; (2) Optimal policies for information sharing in information system security; and (3) Asymmetric information sharing in information system security.
We believe that firms can benefit from this work either through direct implementation for specific guidance, or through indirect use of several policy results obtained. An important characteristic of these studies is that we build these models by using real-world data through a survey of information system security practitioners. As one of the few studies on information system security investment management through operations management approaches, this work also sets the first step for future studies on related topics that can be explored by researchers in the field of management science.
Multi-Criteria Selection of Capability-Based Cybersecurity Solutions
Given the increasing frequency and severity of cyber attacks on information systems of all kinds, there is interest in rationalized approaches for selecting the "best" set of cybersecurity mitigations. However, what is best for one target environment is not necessarily best for another. This paper examines an approach to the selection that uses a set of weighted criteria, where the security engineer sets the weights based on organizational priorities and constraints. The approach is based on a capability-based representation for defensive solutions. The paper discusses a group of artifacts that compose the approach through the lens of Design Science research and reports performance results of an instantiation artifact.
Military and Security Applications: Cybersecurity (Encyclopedia of Optimization, Third Edition)
The domain of cybersecurity is growing as part of broader military and security applications, and the capabilities and processes in this realm have qualities and characteristics that warrant using solution methods in mathematical optimization. Problems of interest may involve continuous or discrete variables, a convex or non-convex decision space, differing levels of uncertainty, and constrained or unconstrained frameworks. Cyberattacks, for example, can be modeled using hierarchical threat structures and may involve decision strategies from both an organization or individual and the adversary. Network traffic flow, intrusion detection and prevention systems, interconnected human-machine interfaces, and automated systems – these all require higher levels of complexity in mathematical optimization modeling and analysis. Attributes such as cyber resiliency, network adaptability, security capability, and information technology flexibility – these require the measurement of multiple characteristics, many of which may involve both quantitative and qualitative interpretations. And for nearly every organization that is invested in some cybersecurity practice, decisions must be made that involve the competing objectives of cost, risk, and performance. As such, mathematical optimization has been widely used and accepted to model important and complex decision problems, providing analytical evidence for helping drive decision outcomes in cybersecurity applications. In the paragraphs that follow, this chapter highlights some of the recent mathematical optimization research in the body of knowledge applied to the cybersecurity space. The subsequent literature discussed fits within a broader cybersecurity domain taxonomy considering the categories of analyze, collect and operate, investigate, operate and maintain, oversee and govern, protect and defend, and securely provision.
Further, the paragraphs are structured around generalized mathematical optimization categories to provide a lens to summarize the existing literature, including uncertainty (stochastic programming, robust optimization, etc.), discrete (integer programming, multiobjective, etc.), continuous-unconstrained (nonlinear least squares, etc.), continuous-constrained (global optimization, etc.), and continuous-constrained (nonlinear programming, network optimization, linear programming, etc.). At the conclusion of this chapter, research implications and extensions are offered to the reader that desires to pursue further mathematical optimization research for cybersecurity within a broader military and security applications context.
Preparing for the Apocalypse: A Multi-Prong Proposal to Develop Countermeasures for Chemical, Biological, Radiological, and Nuclear Threats
The false alarm of an Hawaiian nuclear attack in January 2018 is an example of the lack of U.S. preparedness for attacks using nuclear and other weapons of mass destruction. To address such threats, this Article proposes the establishment of a nation-wide integrated defense of health countermeasures initiative ("DHCI"), which is a multi-prong program to create a defensive triad comprising government, private industry, and academia to develop countermeasures for health threats posed by chemical, biological, radiological, and nuclear ("CBRN") attacks. Key elements of our multi-faceted proposal include the use of the government's Other Transaction Authority to simplify procurement arrangements, the establishment of public-private partnerships with an information commons for the sharing and the use of certain information and trusted intermediaries to protect proprietary information pursuant to cooperative research and development agreements ("CRADAs"), and the creation of a network of incubators sited in ecosystems of excellence. Although our proposal focuses on health countermeasures, it may be applied to other urgent national needs, such as rebuilding U.S. infrastructure.
Information Security Risk Management: In Which Security Solutions Is It Worth Investing?
As companies are increasingly exposed to information security threats, decision makers are permanently forced to pay attention to security issues. Information security risk management provides an approach for measuring the security through risk assessment, risk mitigation, and risk evaluation. Although a variety of approaches have been proposed, decision makers lack well-founded techniques that (1) show them what they are getting for their investment, (2) show them if their investment is efficient, and (3) do not demand in-depth knowledge of the IT security domain. This article defines a methodology for management decision makers that effectively addresses these problems. This work involves the conception, design, and implementation of the methodology into a software solution. The results from two qualitative case studies show the advantages of this methodology in comparison to established methodologies.
Selecting optimal subset of security controls
Choosing an optimal investment in information security is an issue most companies face these days. Which security controls to buy to protect the IT system of a company in the best way? Selecting a subset of security controls among many available ones can be seen as a resource allocation problem that should take into account conflicting objectives and constraints of the problem. In particular, the security of the system should be improved without hindering productivity, under a limited budget for buying controls. In this work, we provide several possible formulations of security controls subset selection problem as a portfolio optimization, which is well known in financial management. We propose approaches to solve them using existing single and multiobjective optimization algorithms.
Risk mitigation decisions for IT security
Enterprises must manage their information risk as part of their larger operational risk management program. Managers must choose how to control for such information risk. This article defines the flow risk reduction problem and presents a formal model using a workflow framework. Three different control placement methods are introduced to solve the problem, and a comparative analysis is presented using a robust test set of 162 simulations. One year of simulated attacks is used to validate the quality of the solutions. We find that the math programming control placement method yields substantial improvements in terms of risk reduction and risk reduction on investment when compared to heuristics that would typically be used by managers to solve the problem. The contribution of this research is to provide managers with methods to substantially reduce information and security risks, while obtaining significantly better returns on their security investments. By using a workflow approach to control placement, which guides the manager to examine the entire infrastructure in a holistic manner, this research is unique in that it enables information risk to be examined strategically. © 2014 ACM
Matching Possible Mitigations to Cyber Threats: A Document-Driven Decision Support Systems Approach
Cyber systems are ubiquitous in all aspects of society. At the same time, breaches to cyber systems continue to be front-page news (Calfas, 2018; Equifax, 2017) and, despite more than a decade of heightened focus on cybersecurity, the threat continues to evolve and grow, costing globally up to $575 billion annually (Center for Strategic and International Studies, 2014; Gosler & Von Thaer, 2013; Microsoft, 2016; Verizon, 2017). To address possible impacts due to cyber threats, information system (IS) stakeholders must assess the risks they face. Following a risk assessment, the next step is to determine mitigations to counter the threats that pose unacceptably high risks. The literature contains a robust collection of studies on optimizing mitigation selections, but they universally assume that the starting list of appropriate mitigations for specific threats exists from which to down-select. In current practice, producing this starting list is largely a manual process and it is challenging because it requires detailed cybersecurity knowledge from highly decentralized sources, is often deeply technical in nature, and is primarily described in textual form, leading to dependence on human experts to interpret the knowledge for each specific context. At the same time cybersecurity experts remain in short supply relative to the demand, while the delta between supply and demand continues to grow (Center for Cyber Safety and Education, 2017; Kauflin, 2017; Libicki, Senty, & Pollak, 2014). Thus, an approach is needed to help cybersecurity experts (CSE) cut through the volume of available mitigations to select those which are potentially viable to offset specific threats.
This dissertation explores the application of machine learning and text retrieval techniques to automate matching of relevant mitigations to cyber threats, where both are expressed as unstructured or semi-structured English language text. Using the Design Science Research Methodology (Hevner & March, 2004; Peffers, Tuunanen, Rothenberger, & Chatterjee, 2007), we consider a number of possible designs for the matcher, ultimately selecting a supervised machine learning approach that combines two techniques: support vector machine classification and latent semantic analysis. The selected approach demonstrates high recall for mitigation documents in the relevant class, bolstering confidence that potentially viable mitigations will not be overlooked. It also has a strong ability to discern documents in the non-relevant class, allowing approximately 97% of non-relevant mitigations to be excluded automatically, greatly reducing the CSE's workload over purely manual matching. A false positive rate of up to 3% prevents totally automated mitigation selection and requires the CSE to reject a few false positives.
This research contributes to theory a method for automatically mapping mitigations to threats when both are expressed as English language text documents. This artifact represents a novel machine learning approach to threat-mitigation mapping. The research also contributes an instantiation of the artifact for demonstration and evaluation. From a practical perspective the artifact benefits all threat-informed cyber risk assessment approaches, whether formal or ad hoc, by aiding decision-making for cybersecurity experts whose job it is to mitigate the identified cyber threats. In addition, an automated approach makes mitigation selection more repeatable, facilitates knowledge reuse, extends the reach of cybersecurity experts, and is extensible to accommodate the continued evolution of both cyber threats and mitigations. Moreover, the selection of mitigations applicable to each threat can serve as inputs into multifactor analyses of alternatives, both automated and manual, thereby bridging the gap between cyber risk assessment and final mitigation selection.
Preparing for the Apocalypse: a Multi-Prong Proposal to Develop Countermeasures for Biological, Chemical, Radiological, and Nuclear Threats
The false alarm of an Hawaiian nuclear attack in January 2018 is an example of the lack of U.S. preparedness for attacks using nuclear and other weapons of mass destruction. To address such threats, this Article proposes the establishment of a nation-wide integrated defense of health countermeasures initiative ("DHCI"), which is a multi-prong program to create a defensive triad comprising government, private industry, and academia to develop countermeasures for health threats posed by biological, chemical, radiological, and nuclear ("BCRN") attacks. Key elements of our multi-faceted proposal include the use of the government's Other Transaction Authority to simplify procurement arrangements, the establishment of public-private partnerships with an information commons for the sharing and the use of certain information and trusted intermediaries to protect proprietary information pursuant to cooperative research and development agreements ("CRADAs"), and the creation of a network of incubators sited in ecosystems of excellence. Although our proposal focuses on health countermeasures, it may be applied to other urgent national needs, such as rebuilding U.S. infrastructure.