Skip to main content

Selecting security control portfolios: a multi-objective simulation-optimization approach


Organizations’ information infrastructures are exposed to a large variety of threats. The most complex of these threats unfold in stages, as actors exploit multiple attack vectors in a sequence of calculated steps. Deciding how to respond to such serious threats poses a challenge that is of substantial practical relevance to IT security managers. These critical decisions require an understanding of the threat actors—including their various motivations, resources, capabilities, and points of access—as well as detailed knowledge about the complex interplay of attack vectors at their disposal. In practice, however, security decisions are often made in response to acute short-term requirements, which results in inefficient resource allocations and ineffective overall threat mitigation. The decision support methodology introduced in this paper addresses this issue. By anchoring IT security managers’ decisions in an operational model of the organization’s information infrastructure, we provide the means to develop a better understanding of security problems, improve situational awareness, and bridge the gap between strategic security investment and operational implementation decisions. To this end, we combine conceptual modeling of security knowledge with a simulation-based optimization that hardens a modeled infrastructure against simulated attacks, and provide a decision support component for selecting from efficient combinations of security controls. We describe the prototypical implementation of this approach, demonstrate how it can be applied, and discuss the results of an in-depth expert evaluation.

This is a preview of subscription content, access via your institution.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11


  1. 1.

    The acronym MOSES\(^{3}\) stands for Multi-Objective decision Support in Efficient Security Safeguard Selection.

  2. 2.

  3. 3.

  4. 4.

  5. 5.

  6. 6.

  7. 7.


  1. Ammann P, Wijesekera D, Kaushik S (2002) Scalable, graph-based network vulnerability analysis. In: Proceedings of the conference on computer and communications security, ACM, pp 217–224

  2. Baker WH, Wallace L (2007) Is information security under control? Investigating quality in information security management. IEEE Secur Priv 5(1):36–44

    Article  Google Scholar 

  3. Barlette Y, Fomin VV (2010) The adoption of information security management standards. In: Information resources management: concepts. Methodologies, tools and applications. IGI Global, Pennsylvania, pp 69–90

  4. Bistarelli S, Fioravanti F, Peretti P (2006) Defense trees for economic evaluation of security investments. In: Proceedings of the international conference on availability, reliability and security. IEEE, pp 416–423

  5. BSI (2013) BSI-standards. Tech. Rep, German Federal Office for Information Security

  6. Chi SD, Park JS, Jung KC, Lee JS (2001) Network security modeling and cyber attack simulation methodology. In: Varadharajan V, Mu Y (eds) Information security and practice (LNCS 2119). Springer, Berlin, pp 320–333

    Google Scholar 

  7. Cohen F (1999) Simulating cyber attacks, defences, and consequences. Comput Secur 18(6):479–518

    Article  Google Scholar 

  8. Cook D, Hofman H, Lee EK, Yang H, Nikolau B, Wurtele E (2007) Exploring gene expression data, using plots. J Data Sci 5(2):151–182

    Google Scholar 

  9. Dahl OM, Wolthusen SD (2006) Modeling and execution of complex attack scenarios using interval timed colored petri nets. In: Proceedings of the international workshop on information assurance, IEEE, pp 157–168

  10. Dalton GC, Mills RF, Colombi JM, Raines RA (2006) Analyzing attack trees using generalized stochastic Petri nets. In: Proceedings of the information assurance workshop, IEEE, pp 116–123

  11. Deb K, Pratap A, Agarwal S, Meyarivan T (2000) A fast elitist multi-objective genetic algorithm: NSGA-II. IEEE Trans Evolut Comput 6(2):182–197

    Article  Google Scholar 

  12. Draper MD, Livnat Y, Riesenfeld RF (2009) A survey of radial methods for information visualization. IEEE Trans Vis Comput Gr 15(5):759–776

    Article  Google Scholar 

  13. Economist (2014) Defending the digital frontier: a special report on cyber-security. The Economist, 12 July 2014

  14. Edge KS, Dalton GC, Raines RA, Mills RF (2006) Using attack and protection trees to analyze threats and defenses to homeland security. In: Proceedings of the military communications conference, IEEE, pp 1–7

  15. Ekelhart A, Kiesling E, Grill B, Strauss C, Stummer C (2015) Integrating attacker behavior in IT security analysis: a discrete-event simulation approach. Inf Technol Manag 16(3):221–233

    Article  Google Scholar 

  16. Fenz S, Ekelhart A (2011) Verification, validation, and evaluation in information security risk management. IEEE Secur Priv Mag 9(2):58–65

    Article  Google Scholar 

  17. Fenz S, Ekelhart A, Neubauer T (2011) Information security risk management: in which security solutions is it worth investing? Commun Assoc Inf Syst 28:329–356

    Google Scholar 

  18. Franqueira VNL, Lopes RHC, van Eck P (2009) Multi-step attack modelling and simulation (MsAMS) framework based on mobile ambients. In: Proceedings of the symposium on applied computing, ACM, pp 66–73

  19. Gettinger J, Kiesling E, Stummer C, Vetschera R (2013) A comparison of representations for discrete multi-criteria decision problems. Decis Support Syst 54(2):976–985

    Article  Google Scholar 

  20. Gordon LA, Loeb MP (2002) The economics of information security investment. ACM Trans Inf Syst Secur 5(4):438–457

    Article  Google Scholar 

  21. Gupta M, Rees J, Chaturvedi A, Chi J (2006) Matching information security vulnerabilities to organizational security profiles: a genetic algorithm approach. Decis Support Syst 41(3):592–603

    Article  Google Scholar 

  22. Hoo S (2000) How much is enough: a risk management approach to computer security. PhD Thesis, Consortium for research on information security and policy (CRISP), Stanford University

  23. Inselberg A (2009) Parallel coordinates: visual multidimensional geometry and its applications. Springer, Berlin

    Book  Google Scholar 

  24. Islam T, Wang L (2008) A heuristic approach to minimum-cost network hardening using attack graph. Proceedings of the conference on new technologies, mobility and security, IEEE, pp 1–5

  25. ISO (2013) ISO/IEC 27001:2013: Information technology, security techniques, information management systems, requirements. Tech. Rep, International Organization for Standardization/International Electrotechnical Commission

  26. Jaisingh J, Rees J (2001) Value at risk: a methodology for information security risk assessment. In: Proceedings of the conference on information systems and technology, INFORMS, pp 3–4

  27. Kaspersky (2014) IT security risks survey 2014: a business approach to managing data security threats. Accessed 11 July 2015

  28. Keeney RL (2013) Identifying, prioritizing, and using multiple objectives. Eur J Decis Process 1(1–2):45–67

    Article  Google Scholar 

  29. Kiesling E, Ekelhart A, Grill B, Strauss C, Stummer C (2013a) Simulation-based optimization of information security controls: an adversary-centric approach. In: Pasupathy R, Kim SH, Tolk A, Hill R, Kuhl ME (eds) Proceedings of the winter simulation conference. IEEE, pp 2054–2065

  30. Kiesling E, Ekelhart A, Grill B, Strauss C, Stummer C (2013b) Simulation based optimization of IT security controls: Initial experiences with metaheuristic solution procedures. In: Fink A, Geiger M (eds) Proceedings of the workshop of the EURO working group on metaheuristics, pp 18–20

  31. Kiesling E, Ekelhart A, Grill B, Stummer C, Strauss C (2014) Evolving secure information systems through attack simulation. In: Proceedings of the Hawaii international conference on system science, IEEE computer society, pp 4868–4877

  32. Kiesling E, Ekelhart A, Grill B, Stummer C, Strauss C (2015) Multi-objective evolutionary optimization of computation-intensive simulations: the case of security control selection. In: Proceedings of the 11th metaheuristics international conference, pp 1–3

  33. Lotov A, Miettinen K (2008) Visualizing the Pareto frontier. In: Branke J, Deb K, Miettinen K, Slowinski R (eds) Multiobjective optimization (LNCS 5252). Springer, Berlin, pp 213–243

    Chapter  Google Scholar 

  34. Lukasiewycz M, Glaß M, Reimann F, Teich J (2011) Opt4J: a modular framework for meta-heuristic optimization. In: Proceedings of the conference on genetic and evolutionary computation, ACM, pp 1723–1730

  35. Luke S, Cioffi-Revilla C, Panait L, Sullivan K, Balan G (2005) MASON: a multiagent simulation environment. Simulation 81(7):517–527

    Article  Google Scholar 

  36. Ma Z, Smith P (2013) Determining risks from advanced multi-step attacks to critical information infrastructures. In: Luiijf E, Hartel P (eds) Critical information infrastructures security (LNCS 8328). Springer, Berlin, pp 142–154

    Chapter  Google Scholar 

  37. Mauw S, Oostdijk M (2006) Foundations of attack trees. In: Won D, Kim S (eds) Information security and cryptology (LNCS 3935). Springer, Berlin, pp 186–198

    Google Scholar 

  38. McAfee (2014) Net losses: estimating the global cost of cybercrime 2014. Accessed 11 July 2015

  39. Mizzi A (2005) Return on information security investment. Are you spending enough? Are you spending too much? Accessed 11 July 2015

  40. Moore A (2001) Attack modeling for information security and survivability. Tech. Rep., Software Engineering Institute, Carnegie Mellon University

  41. National Bureau of Standards (1979) Guideline for automatic data processing risk analysis. Tech. Rep, Institute for Computer Science and Technology, National Bureau of Standards

  42. NIST (2011) Managing information security risk: Organization, mission, and information system view. Tech. Rep., NIST SP 800-39, National Institute of Standards and Technology, US Department of Commerce

  43. Neubauer S, Stummer C, Weippl E (2006) Workshop-based multiobjective security safeguard selection. Proceedings of the international conference on availability, reliability and security. IEEE, pp 366–373

  44. Ou X, Boyer WF, McQueen MA (2006) A scalable approach to attack graph generation. In: Proceedings of the conference on computer and communications security, ACM, pp 336–345

  45. Panchenko A, L Pimenidis (2006) Towards practical attacker classification for risk analysis in anonymous communication. In: Leitold H, Markatos EP (eds) Communications and multimedia security (LNCS 4237). Springer, Berlin, pp 240–251

    Chapter  Google Scholar 

  46. Papadaki K, Polemi N (2007) Towards a systematic approach for improving information security risk management methods. Proceedings of the international symposium on personal, indoor and mobile radio communications, IEEE, pp 1–4

  47. Pieters W (2011) Representing humans in system security models: an actor-network approach. J Wirel Mob Netw Ubiquitous Comput Depend Appl 2(1):75–92

    Google Scholar 

  48. Ritchey RW, Ammann P (2000) Using model checking to analyze network vulnerabilities. In: Proceedings of the IEEE symposium on security and privacy, IEEE, pp 156–165

  49. Sawilla RE, Ou X (2008) Identifying critical attack assets in dependency attack graphs. In: Jojadia S, Lopez J (eds) Computer security (LNCS 5283), Springer, Berlin, pp 18–34

  50. Schneier B (2000) Secrets & lies: digital security in a networked world, Wiley, New York

  51. Stoneburner G, Goguen AY, Feringa A (2002) Risk management guide for information technology systems: recommendations of the National Institute of Standards and Technology. Tech. Rep., NIST SP 800-30, National Institute of Standards and Technology, US Department of Commerce

  52. Strauss C, Stummer C (2002) Multiobjective decision support in IT-risk management. Int J Inf Technol Decis Mak 1(2):251–268

    Article  Google Scholar 

  53. Stummer C, Kiesling E, Gutjahr WJ (2009) A multicriteria decision support system for competence-driven project portfolio selection. Int J Inf Technol Decis Mak 8(2):379–401

    Article  Google Scholar 

  54. Tunçalp D (2014) Diffusion and adoption of information security management standards across countries and industries. J Glob Inf Technol Manag 17(4):221–227

    Google Scholar 

  55. Vetschera R (2013) Negotiation processes: an integrated perspective. Eur J Decis Process 1(1–2):135–164

    Article  Google Scholar 

  56. Vincke P (1992) Multicriteria decision-aid, Wiley, New York

  57. Wang J, Chaudhury A, Rao HR (2008) Research note: a value-at-risk approach to information security investment. Inf Syst Res 19(1):106–120

    Article  Google Scholar 

  58. Wang L, Noel S, Jajodia S (2006) Minimum-cost network hardening using attack graphs. Comput Commun 29(18):3812–3824

    Article  Google Scholar 

  59. Wielemaker J, Schrijvers T, Triska M, Lager T (2012) SWI-Prolog. Theory Pract Logic Program 12(1–2):67–96

    Article  Google Scholar 

  60. Zitzler E, Laumanns M, Thiele L (2002) SPEA2: improving the strength pareto evolutionary algorithm for multiobjective optimization. In: Giannakoglou K, Tsahalis D, Periaux J, Papailiou K, Fogarty T (eds) Evolutionary methods for design, optimisation and control. CIMNE, Barcelona, pp 1–6

    Google Scholar 

Download references


The work presented in this paper has been developed within the project MOSES\(^{3}\), which was funded by the Austrian Science Fund (FWF) under grant P23122-N23. The research was carried out at Secure Business Austria, a COMET K1 program competence center supported by the Austrian Research Promotion Agency (FFG). Computational results have been achieved using the Vienna Scientific Cluster (VSC).

Author information



Corresponding author

Correspondence to Christian Stummer.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Kiesling, E., Ekelhart, A., Grill, B. et al. Selecting security control portfolios: a multi-objective simulation-optimization approach. EURO J Decis Process 4, 85–117 (2016).

Download citation


  • IT security analysis
  • Multi-objective portfolio selection
  • Interactive decision support
  • Simulation
  • Genetic algorithm

Mathematics Subject Classification

  • 68U20
  • 68U35
  • 90B50
  • 90C27
  • 91B32