Mission-Oriented Security Model, Incorporating Security Risk, Cost and Payout

  • Sayed M. Saghaian N. E.
  • Tom La Porta
  • Trent Jaeger
  • Z. Berkay Celik
  • Patrick McDaniel
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 255)


One of the most difficult challenges facing network operators is to estimate risk and allocate resources in adversarial environments. Failure to properly allocate resources leads to failed activities, poor utilization, and insecure environments. In this paper, we explore an optimization-based approach to allocating resources called a mission-oriented security model. This model integrates security risk, cost and payout metrics to optimally allocate constrained secure resources to discrete actions called missions. We model this operation as a Mixed Integer Linear Program (MILP), which can be solved efficiently by different optimization solvers such as the MATLAB MILP solver, the IBM CPLEX optimizer or the CVX solver. We further introduce and explore a novel method to evaluate security risk in resource planning using two datasets—the Ponemon Institute cost of breach survey and the CSI/FBI surveys of security events. Data-driven simulations are used to validate the model's robustness and uncover a number of insights on the importance of risk valuation in resource allocation.
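To make the shape of such a model concrete, the following is an added toy instance and is not the paper's formulation: each mission is a 0/1 decision variable with a constructed payout, direct cost, expected loss (breach probability times loss) and per-resource demand, the objective is net value, and the constraints are resource capacities. The mission names, numbers, capacities and the `risk_weight` knob are all assumptions; the tiny instance is solved by exhaustive enumeration instead of an MILP solver so it runs offline. The second solve shows the abstract's point that how risk is valued changes which missions get the constrained resources.

```python
"""Toy mission-oriented allocation as a 0/1 integer program.

Added illustration, not the paper's model: every mission's payout, cost,
breach probability, loss, resource demand and the capacities below are
constructed values chosen to make the example readable.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, Sequence, Tuple


@dataclass(frozen=True)
class Mission:
    name: str
    payout: float           # value gained if the mission runs (constructed)
    cost: float             # direct cost of running it (constructed)
    breach_prob: float      # assumed probability its assets are compromised
    loss: float             # assumed loss if they are
    demand: Dict[str, int]  # units of each constrained secure resource used

    @property
    def risk(self) -> float:
        # Expected loss: probability of a breach times its consequence.
        return self.breach_prob * self.loss


# Constructed missions; the capacities below cannot fit all of them.
MISSIONS = [
    Mission("customer-portal", 10.0, 3.0, 0.50, 10.0, {"analysts": 2, "secure_hosts": 1}),
    Mission("log-pipeline", 8.0, 2.0, 0.10, 10.0, {"analysts": 2, "secure_hosts": 1}),
    Mission("vpn-rollout", 6.0, 1.0, 0.05, 4.0, {"analysts": 1, "secure_hosts": 1}),
    Mission("legacy-migration", 9.0, 4.0, 0.60, 8.0, {"analysts": 1, "secure_hosts": 1}),
    Mission("backup-audit", 4.0, 1.0, 0.02, 5.0, {"analysts": 1, "secure_hosts": 0}),
]
CAPACITY = {"analysts": 4, "secure_hosts": 3}


def net_value(m: Mission, risk_weight: float) -> float:
    """Objective coefficient of one mission: payout minus cost minus weighted risk."""
    return m.payout - m.cost - risk_weight * m.risk


def feasible(selected: Sequence[Mission], capacity: Dict[str, int]) -> bool:
    """Capacity constraints: total demand per resource must not exceed supply."""
    for resource, cap in capacity.items():
        if sum(m.demand.get(resource, 0) for m in selected) > cap:
            return False
    return True


def allocate(missions: Sequence[Mission], capacity: Dict[str, int],
             risk_weight: float = 1.0) -> Tuple[Tuple[str, ...], float]:
    """Solve the 0/1 program by enumerating every assignment of x_j in {0,1}.

    Exhaustive search is only viable for a handful of missions; a real
    deployment would hand the same objective and constraints to an MILP solver.
    Returns the chosen mission names (in input order) and the objective value.
    """
    best_set: Tuple[Mission, ...] = ()
    best_val = float("-inf")
    for x in product((0, 1), repeat=len(missions)):
        chosen = tuple(m for m, x_j in zip(missions, x) if x_j)
        if not feasible(chosen, capacity):
            continue
        val = sum(net_value(m, risk_weight) for m in chosen)
        if val > best_val:
            best_val, best_set = val, chosen
    return tuple(m.name for m in best_set), best_val


if __name__ == "__main__":
    # Ignoring risk funds the high-payout but high-exposure missions;
    # valuing expected loss at face value shifts resources to safer ones.
    for w in (0.0, 1.0):
        names, value = allocate(MISSIONS, CAPACITY, risk_weight=w)
        print(f"risk_weight={w}: {names} objective={value:.1f}")
```

With `risk_weight=0.0` the solver picks customer-portal, vpn-rollout and legacy-migration; with `risk_weight=1.0` it drops the two high-exposure missions in favour of log-pipeline and backup-audit, even though both subsets use the same analyst budget.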



Research was sponsored by the Army Research Laboratory and was accomplished under Cooperative Agreement Number W911NF-13-2-0045 (ARL Cyber Security CRA). The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the Army Research Laboratory or the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation herein.



Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018

Authors and Affiliations

  • Sayed M. Saghaian N. E. (1)
  • Tom La Porta (1)
  • Trent Jaeger (1)
  • Z. Berkay Celik (1)
  • Patrick McDaniel (1)

  1. Department of Computer Science and Engineering, The Pennsylvania State University, University Park, USA
