
Selecting security control portfolios: a multi-objective simulation-optimization approach

Original Article, EURO Journal on Decision Processes

Abstract

Organizations’ information infrastructures are exposed to a large variety of threats. The most complex of these threats unfold in stages, as actors exploit multiple attack vectors in a sequence of calculated steps. Deciding how to respond to such serious threats poses a challenge that is of substantial practical relevance to IT security managers. These critical decisions require an understanding of the threat actors—including their various motivations, resources, capabilities, and points of access—as well as detailed knowledge about the complex interplay of attack vectors at their disposal. In practice, however, security decisions are often made in response to acute short-term requirements, which results in inefficient resource allocations and ineffective overall threat mitigation. The decision support methodology introduced in this paper addresses this issue. By anchoring IT security managers’ decisions in an operational model of the organization’s information infrastructure, we provide the means to develop a better understanding of security problems, improve situational awareness, and bridge the gap between strategic security investment and operational implementation decisions. To this end, we combine conceptual modeling of security knowledge with a simulation-based optimization that hardens a modeled infrastructure against simulated attacks, and provide a decision support component for selecting from efficient combinations of security controls. We describe the prototypical implementation of this approach, demonstrate how it can be applied, and discuss the results of an in-depth expert evaluation.
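The abstract describes the core loop of the approach: model the infrastructure and its attack vectors, simulate multi-step attacks against it under a candidate set of controls, and hand the decision maker only the cost/risk-efficient portfolios. The following Python script is an added illustration of that loop, not the paper's MOSES³ implementation. It assumes a constructed toy model (two multi-step attack paths, four candidate controls with made-up costs and effect factors, a fixed loss per compromise) and replaces the paper's evolutionary metaheuristic and discrete-event simulation with exhaustive enumeration and a plain Monte Carlo run, which is adequate for four controls but not for a realistic catalogue.

```python
"""Toy multi-objective security control portfolio selection.

Added example, not code from the paper. All attack paths, probabilities,
control names, costs and effect factors below are constructed placeholders.
"""
from itertools import combinations
import random

# Constructed attack paths: an ordered sequence of steps the adversary must
# complete; each step has a base probability of success.
ATTACK_PATHS = {
    "phish_to_db": ["phishing", "local_privesc", "db_access"],
    "web_to_db": ["web_exploit", "db_access"],
}
BASE_SUCCESS = {"phishing": 0.5, "local_privesc": 0.6,
                "db_access": 0.7, "web_exploit": 0.3}
LOSS_IF_COMPROMISED = 1000.0  # constructed loss per successful attack

# Candidate controls (constructed): cost and the factor by which each
# multiplies the success probability of the steps it affects.
CONTROLS = {
    "awareness_training": {"cost": 20.0, "effect": {"phishing": 0.6}},
    "endpoint_hardening": {"cost": 35.0, "effect": {"local_privesc": 0.3}},
    "waf": {"cost": 30.0, "effect": {"web_exploit": 0.4}},
    "db_segmentation": {"cost": 50.0, "effect": {"db_access": 0.4}},
}


def step_success(step, portfolio):
    """Success probability of one attack step given the selected controls."""
    p = BASE_SUCCESS[step]
    for control in portfolio:
        p *= CONTROLS[control]["effect"].get(step, 1.0)
    return p


def portfolio_cost(portfolio):
    return sum(CONTROLS[c]["cost"] for c in portfolio)


def expected_loss_exact(portfolio):
    """Analytic expected loss: each path is attempted independently and the
    asset is compromised if at least one path succeeds end to end."""
    p_all_fail = 1.0
    for steps in ATTACK_PATHS.values():
        p_path = 1.0
        for step in steps:
            p_path *= step_success(step, portfolio)
        p_all_fail *= 1.0 - p_path
    return LOSS_IF_COMPROMISED * (1.0 - p_all_fail)


def expected_loss_simulated(portfolio, trials=20000, seed=1):
    """Monte Carlo stand-in for the attack simulation: the attacker walks
    each path step by step and stops at the first failed step."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        for steps in ATTACK_PATHS.values():
            if all(rng.random() < step_success(s, portfolio) for s in steps):
                total += LOSS_IF_COMPROMISED
                break
    return total / trials


def dominates(a, b):
    """a dominates b if it is no worse in every objective and better in one."""
    return all(x <= y for x, y in zip(a, b)) and any(x < y for x, y in zip(a, b))


def pareto_portfolios():
    """Evaluate every subset of controls on (cost, expected loss) and keep the
    non-dominated ones, i.e. the efficient frontier offered to the decision maker."""
    names = sorted(CONTROLS)
    evaluated = {}
    for r in range(len(names) + 1):
        for combo in combinations(names, r):
            evaluated[combo] = (portfolio_cost(combo),
                                round(expected_loss_exact(combo), 3))
    efficient = [c for c, obj in evaluated.items()
                 if not any(dominates(o2, obj)
                            for c2, o2 in evaluated.items() if c2 != c)]
    return sorted(efficient, key=lambda c: evaluated[c][0]), evaluated


if __name__ == "__main__":
    frontier, table = pareto_portfolios()
    print(f"{'cost':>6} {'exp. loss':>10}  portfolio")
    for combo in frontier:
        cost, loss = table[combo]
        print(f"{cost:6.1f} {loss:10.3f}  {', '.join(combo) or '(none)'}")
```

Dominated portfolios such as awareness training plus WAF (same cost as database segmentation alone but higher residual loss) are filtered out, which is the kind of trade-off the paper's decision support component is meant to surface; the Monte Carlo estimate is only needed when, as in the paper, the model is too rich for a closed-form evaluation.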


Notes

  1. The acronym MOSES³ stands for Multi-Objective decision Support in Efficient Security Safeguard Selection.

  2. http://capec.mitre.org/.

  3. http://www.swi-prolog.org/packages/jpl/.

  4. http://www.w3.org/TR/owl2-overview/.

  5. http://www.w3.org/TR/sparql11-query/.

  6. http://d3js.org/.

  7. http://sba-research.org.


Acknowledgments

The work presented in this paper has been developed within the project MOSES³, which was funded by the Austrian Science Fund (FWF) under grant P23122-N23. The research was carried out at Secure Business Austria, a COMET K1 program competence center supported by the Austrian Research Promotion Agency (FFG). Computational results have been achieved using the Vienna Scientific Cluster (VSC).


Correspondence to Christian Stummer.


About this article


Cite this article

Kiesling, E., Ekelhart, A., Grill, B. et al. Selecting security control portfolios: a multi-objective simulation-optimization approach. EURO J Decis Process 4, 85–117 (2016). https://doi.org/10.1007/s40070-016-0055-7
