EURO Journal on Decision Processes

, Volume 4, Issue 1–2, pp 85–117 | Cite as

Selecting security control portfolios: a multi-objective simulation-optimization approach

  • Elmar Kiesling
  • Andreas Ekelhart
  • Bernhard Grill
  • Christine Strauss
  • Christian Stummer
Original Article
  • 113 Downloads

Abstract

Organizations’ information infrastructures are exposed to a large variety of threats. The most complex of these threats unfold in stages, as actors exploit multiple attack vectors in a sequence of calculated steps. Deciding how to respond to such serious threats poses a challenge that is of substantial practical relevance to IT security managers. These critical decisions require an understanding of the threat actors—including their various motivations, resources, capabilities, and points of access—as well as detailed knowledge about the complex interplay of attack vectors at their disposal. In practice, however, security decisions are often made in response to acute short-term requirements, which results in inefficient resource allocations and ineffective overall threat mitigation. The decision support methodology introduced in this paper addresses this issue. By anchoring IT security managers’ decisions in an operational model of the organization’s information infrastructure, we provide the means to develop a better understanding of security problems, improve situational awareness, and bridge the gap between strategic security investment and operational implementation decisions. To this end, we combine conceptual modeling of security knowledge with a simulation-based optimization that hardens a modeled infrastructure against simulated attacks, and provide a decision support component for selecting from efficient combinations of security controls. We describe the prototypical implementation of this approach, demonstrate how it can be applied, and discuss the results of an in-depth expert evaluation.

Keywords

IT security analysis Multi-objective portfolio selection Interactive decision support Simulation Genetic algorithm 

Mathematics Subject Classification

68U20 68U35 90B50 90C27 91B32 

References

  1. Ammann P, Wijesekera D, Kaushik S (2002) Scalable, graph-based network vulnerability analysis. In: Proceedings of the conference on computer and communications security, ACM, pp 217–224Google Scholar
  2. Baker WH, Wallace L (2007) Is information security under control? Investigating quality in information security management. IEEE Secur Priv 5(1):36–44CrossRefGoogle Scholar
  3. Barlette Y, Fomin VV (2010) The adoption of information security management standards. In: Information resources management: concepts. Methodologies, tools and applications. IGI Global, Pennsylvania, pp 69–90Google Scholar
  4. Bistarelli S, Fioravanti F, Peretti P (2006) Defense trees for economic evaluation of security investments. In: Proceedings of the international conference on availability, reliability and security. IEEE, pp 416–423Google Scholar
  5. BSI (2013) BSI-standards. Tech. Rep, German Federal Office for Information SecurityGoogle Scholar
  6. Chi SD, Park JS, Jung KC, Lee JS (2001) Network security modeling and cyber attack simulation methodology. In: Varadharajan V, Mu Y (eds) Information security and practice (LNCS 2119). Springer, Berlin, pp 320–333Google Scholar
  7. Cohen F (1999) Simulating cyber attacks, defences, and consequences. Comput Secur 18(6):479–518CrossRefGoogle Scholar
  8. Cook D, Hofman H, Lee EK, Yang H, Nikolau B, Wurtele E (2007) Exploring gene expression data, using plots. J Data Sci 5(2):151–182Google Scholar
  9. Dahl OM, Wolthusen SD (2006) Modeling and execution of complex attack scenarios using interval timed colored petri nets. In: Proceedings of the international workshop on information assurance, IEEE, pp 157–168Google Scholar
  10. Dalton GC, Mills RF, Colombi JM, Raines RA (2006) Analyzing attack trees using generalized stochastic Petri nets. In: Proceedings of the information assurance workshop, IEEE, pp 116–123Google Scholar
  11. Deb K, Pratap A, Agarwal S, Meyarivan T (2000) A fast elitist multi-objective genetic algorithm: NSGA-II. IEEE Trans Evolut Comput 6(2):182–197CrossRefGoogle Scholar
  12. Draper MD, Livnat Y, Riesenfeld RF (2009) A survey of radial methods for information visualization. IEEE Trans Vis Comput Gr 15(5):759–776CrossRefGoogle Scholar
  13. Economist (2014) Defending the digital frontier: a special report on cyber-security. The Economist, 12 July 2014Google Scholar
  14. Edge KS, Dalton GC, Raines RA, Mills RF (2006) Using attack and protection trees to analyze threats and defenses to homeland security. In: Proceedings of the military communications conference, IEEE, pp 1–7Google Scholar
  15. Ekelhart A, Kiesling E, Grill B, Strauss C, Stummer C (2015) Integrating attacker behavior in IT security analysis: a discrete-event simulation approach. Inf Technol Manag 16(3):221–233CrossRefGoogle Scholar
  16. Fenz S, Ekelhart A (2011) Verification, validation, and evaluation in information security risk management. IEEE Secur Priv Mag 9(2):58–65CrossRefGoogle Scholar
  17. Fenz S, Ekelhart A, Neubauer T (2011) Information security risk management: in which security solutions is it worth investing? Commun Assoc Inf Syst 28:329–356Google Scholar
  18. Franqueira VNL, Lopes RHC, van Eck P (2009) Multi-step attack modelling and simulation (MsAMS) framework based on mobile ambients. In: Proceedings of the symposium on applied computing, ACM, pp 66–73Google Scholar
  19. Gettinger J, Kiesling E, Stummer C, Vetschera R (2013) A comparison of representations for discrete multi-criteria decision problems. Decis Support Syst 54(2):976–985CrossRefGoogle Scholar
  20. Gordon LA, Loeb MP (2002) The economics of information security investment. ACM Trans Inf Syst Secur 5(4):438–457CrossRefGoogle Scholar
  21. Gupta M, Rees J, Chaturvedi A, Chi J (2006) Matching information security vulnerabilities to organizational security profiles: a genetic algorithm approach. Decis Support Syst 41(3):592–603CrossRefGoogle Scholar
  22. Hoo S (2000) How much is enough: a risk management approach to computer security. PhD Thesis, Consortium for research on information security and policy (CRISP), Stanford UniversityGoogle Scholar
  23. Inselberg A (2009) Parallel coordinates: visual multidimensional geometry and its applications. Springer, BerlinCrossRefGoogle Scholar
  24. Islam T, Wang L (2008) A heuristic approach to minimum-cost network hardening using attack graph. Proceedings of the conference on new technologies, mobility and security, IEEE, pp 1–5Google Scholar
  25. ISO (2013) ISO/IEC 27001:2013: Information technology, security techniques, information management systems, requirements. Tech. Rep, International Organization for Standardization/International Electrotechnical CommissionGoogle Scholar
  26. Jaisingh J, Rees J (2001) Value at risk: a methodology for information security risk assessment. In: Proceedings of the conference on information systems and technology, INFORMS, pp 3–4Google Scholar
  27. Kaspersky (2014) IT security risks survey 2014: a business approach to managing data security threats. http://media.kaspersky.com/en/IT_Security_Risks_Survey_2014_Global_report. Accessed 11 July 2015
  28. Keeney RL (2013) Identifying, prioritizing, and using multiple objectives. Eur J Decis Process 1(1–2):45–67CrossRefGoogle Scholar
  29. Kiesling E, Ekelhart A, Grill B, Strauss C, Stummer C (2013a) Simulation-based optimization of information security controls: an adversary-centric approach. In: Pasupathy R, Kim SH, Tolk A, Hill R, Kuhl ME (eds) Proceedings of the winter simulation conference. IEEE, pp 2054–2065Google Scholar
  30. Kiesling E, Ekelhart A, Grill B, Strauss C, Stummer C (2013b) Simulation based optimization of IT security controls: Initial experiences with metaheuristic solution procedures. In: Fink A, Geiger M (eds) Proceedings of the workshop of the EURO working group on metaheuristics, pp 18–20Google Scholar
  31. Kiesling E, Ekelhart A, Grill B, Stummer C, Strauss C (2014) Evolving secure information systems through attack simulation. In: Proceedings of the Hawaii international conference on system science, IEEE computer society, pp 4868–4877Google Scholar
  32. Kiesling E, Ekelhart A, Grill B, Stummer C, Strauss C (2015) Multi-objective evolutionary optimization of computation-intensive simulations: the case of security control selection. In: Proceedings of the 11th metaheuristics international conference, pp 1–3Google Scholar
  33. Lotov A, Miettinen K (2008) Visualizing the Pareto frontier. In: Branke J, Deb K, Miettinen K, Slowinski R (eds) Multiobjective optimization (LNCS 5252). Springer, Berlin, pp 213–243CrossRefGoogle Scholar
  34. Lukasiewycz M, Glaß M, Reimann F, Teich J (2011) Opt4J: a modular framework for meta-heuristic optimization. In: Proceedings of the conference on genetic and evolutionary computation, ACM, pp 1723–1730Google Scholar
  35. Luke S, Cioffi-Revilla C, Panait L, Sullivan K, Balan G (2005) MASON: a multiagent simulation environment. Simulation 81(7):517–527CrossRefGoogle Scholar
  36. Ma Z, Smith P (2013) Determining risks from advanced multi-step attacks to critical information infrastructures. In: Luiijf E, Hartel P (eds) Critical information infrastructures security (LNCS 8328). Springer, Berlin, pp 142–154CrossRefGoogle Scholar
  37. Mauw S, Oostdijk M (2006) Foundations of attack trees. In: Won D, Kim S (eds) Information security and cryptology (LNCS 3935). Springer, Berlin, pp 186–198Google Scholar
  38. McAfee (2014) Net losses: estimating the global cost of cybercrime 2014. http://www.mcafee.com/de/resources/reports/rp-economic-impact-cybercrime2. Accessed 11 July 2015
  39. Mizzi A (2005) Return on information security investment. Are you spending enough? Are you spending too much? http://security.ittoolbox.com/documents/return-on-information-security-investment-14513. Accessed 11 July 2015
  40. Moore A (2001) Attack modeling for information security and survivability. Tech. Rep., Software Engineering Institute, Carnegie Mellon UniversityGoogle Scholar
  41. National Bureau of Standards (1979) Guideline for automatic data processing risk analysis. Tech. Rep, Institute for Computer Science and Technology, National Bureau of StandardsGoogle Scholar
  42. NIST (2011) Managing information security risk: Organization, mission, and information system view. Tech. Rep., NIST SP 800-39, National Institute of Standards and Technology, US Department of CommerceGoogle Scholar
  43. Neubauer S, Stummer C, Weippl E (2006) Workshop-based multiobjective security safeguard selection. Proceedings of the international conference on availability, reliability and security. IEEE, pp 366–373Google Scholar
  44. Ou X, Boyer WF, McQueen MA (2006) A scalable approach to attack graph generation. In: Proceedings of the conference on computer and communications security, ACM, pp 336–345Google Scholar
  45. Panchenko A, L Pimenidis (2006) Towards practical attacker classification for risk analysis in anonymous communication. In: Leitold H, Markatos EP (eds) Communications and multimedia security (LNCS 4237). Springer, Berlin, pp 240–251CrossRefGoogle Scholar
  46. Papadaki K, Polemi N (2007) Towards a systematic approach for improving information security risk management methods. Proceedings of the international symposium on personal, indoor and mobile radio communications, IEEE, pp 1–4Google Scholar
  47. Pieters W (2011) Representing humans in system security models: an actor-network approach. J Wirel Mob Netw Ubiquitous Comput Depend Appl 2(1):75–92Google Scholar
  48. Ritchey RW, Ammann P (2000) Using model checking to analyze network vulnerabilities. In: Proceedings of the IEEE symposium on security and privacy, IEEE, pp 156–165Google Scholar
  49. Sawilla RE, Ou X (2008) Identifying critical attack assets in dependency attack graphs. In: Jojadia S, Lopez J (eds) Computer security (LNCS 5283), Springer, Berlin, pp 18–34Google Scholar
  50. Schneier B (2000) Secrets & lies: digital security in a networked world, Wiley, New YorkGoogle Scholar
  51. Stoneburner G, Goguen AY, Feringa A (2002) Risk management guide for information technology systems: recommendations of the National Institute of Standards and Technology. Tech. Rep., NIST SP 800-30, National Institute of Standards and Technology, US Department of CommerceGoogle Scholar
  52. Strauss C, Stummer C (2002) Multiobjective decision support in IT-risk management. Int J Inf Technol Decis Mak 1(2):251–268CrossRefGoogle Scholar
  53. Stummer C, Kiesling E, Gutjahr WJ (2009) A multicriteria decision support system for competence-driven project portfolio selection. Int J Inf Technol Decis Mak 8(2):379–401CrossRefGoogle Scholar
  54. Tunçalp D (2014) Diffusion and adoption of information security management standards across countries and industries. J Glob Inf Technol Manag 17(4):221–227Google Scholar
  55. Vetschera R (2013) Negotiation processes: an integrated perspective. Eur J Decis Process 1(1–2):135–164CrossRefGoogle Scholar
  56. Vincke P (1992) Multicriteria decision-aid, Wiley, New YorkGoogle Scholar
  57. Wang J, Chaudhury A, Rao HR (2008) Research note: a value-at-risk approach to information security investment. Inf Syst Res 19(1):106–120CrossRefGoogle Scholar
  58. Wang L, Noel S, Jajodia S (2006) Minimum-cost network hardening using attack graphs. Comput Commun 29(18):3812–3824CrossRefGoogle Scholar
  59. Wielemaker J, Schrijvers T, Triska M, Lager T (2012) SWI-Prolog. Theory Pract Logic Program 12(1–2):67–96CrossRefGoogle Scholar
  60. Zitzler E, Laumanns M, Thiele L (2002) SPEA2: improving the strength pareto evolutionary algorithm for multiobjective optimization. In: Giannakoglou K, Tsahalis D, Periaux J, Papailiou K, Fogarty T (eds) Evolutionary methods for design, optimisation and control. CIMNE, Barcelona, pp 1–6Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg and EURO - The Association of European Operational Research Societies 2016

Authors and Affiliations

  • Elmar Kiesling
    • 1
  • Andreas Ekelhart
    • 2
  • Bernhard Grill
    • 2
  • Christine Strauss
    • 3
  • Christian Stummer
    • 4
  1. 1.Institute of Software Technology and Interactive SystemsVienna University of TechnologyViennaAustria
  2. 2.Secure Business AustriaViennaAustria
  3. 3.Faculty of Business, Economics, and StatisticsUniversity of ViennaViennaAustria
  4. 4.Department of Business Administration and EconomicsBielefeld UniversityBielefeldGermany

Personalised recommendations