Individual Countermeasure Selection Based on the Return On Response Investment Index

  • Gustavo Gonzalez Granadillo
  • Hervé Débar
  • Grégoire Jacob
  • Chrystel Gaber
  • Mohammed Achemlal
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7531)


As the number of attacks, and thus the number of alerts received by Security Information and Event Management Systems (SIEMs) increases, the need for appropriate treatment of these alerts has become essential. The new generation of SIEMs focuses on the response ability to automate the process of selecting and deploying countermeasures. However, current response systems select and deploy security measures without performing a comprehensive impact analysis of attacks and response scenarios. This paper addresses this limitation by proposing a model for the automated selection of optimal security countermeasures. In addition, the paper compares previous mathematical models and studies their limitations, which lead to the creation of a new model that evaluates, ranks and selects optimal countermeasures. The model relies on the optimization of cost sensitive metrics based on the Return On Response Investment (RORI) index. The optimization compares the expected impact of the attacks when doing nothing with the expected impact after applying countermeasures. A case study of a real infrastructure is deployed at the end of the document to show the applicability of the model over a Mobile Money Transfer Service.


Impact Analysis Countermeasure Selection Risk Mitigation Return On Response Investment Mobile Money Transfer Service 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Debar, H., Thomas, Y., Cuppens, F., Cuppens-Boulahia, N.: Enabling Automated Threat Response through the Use of Dynamic Security Policy. Journal in Computer Virology 3(3), 195–210 (2007)CrossRefGoogle Scholar
  2. 2.
    Riveiro de Azevedo, R., Galvao Dantas, E., Freitas, F., Rodriguez, C., Siqueira de Almeida, M., Campos Veras, W., Santos, R.: An Automatic Ontology-Based Multiagent System for Intrusion Detection in Computing Environments. International Journal for Informatics (IJI) 3(1) (2010)Google Scholar
  3. 3.
    Jeffrey, M.: Return on Investment Analysis for e-Business Projects. In: Bidgoli, H. (ed.) Internet Encyclopedia, 1st edn., vol. 3, pp. 211–236 (2004)Google Scholar
  4. 4.
    Schmidt, M.: Return on Investment (ROI): Meaning and Use. Encyclopedia of Business Terms and Methods (2011),
  5. 5.
    Cremonini, M., Martini, P.: Evaluating Information Security Investment from Attackers Perspective: the Return-On-Attack (ROA). In: Proceedings of the 4th Workshop on the Economics on Information Security (2005)Google Scholar
  6. 6.
    Brocke, J., Strauch, G., Buddendick, C.: Return on Security Investment - Design Principles of Measurement System Based on Capital Budgeting. In: The 6th International Conference of Information Systems Technology and its Applications (ISTA), vol. 107, pp. 21–32 (2007)Google Scholar
  7. 7.
    Sonnenreich, W., Albanese, J., Stout, B.: Return On Security Investment (ROSI) A Practical Quantitative Model. Journal of Research and Practice in Information Technology 38(1) (2006)Google Scholar
  8. 8.
    Stakhanova, N., Basu, S., Wong, J.: A Cost-Sensitive Model for Preemptive Intrusion Response Systems. In: Proceedings of the 21st International Conference on Advanced Networking and Applications (2007)Google Scholar
  9. 9.
    Kim, D., Lee, T., In, H.: Effective Security Safeguard Selection Process for Return on Security Investment. In: IEEE Asia-Pacific Services Computing Conference (2008)Google Scholar
  10. 10.
    Kheir, N., Cuppens-Boulahia, N., Cuppens, F., Debar, H.: A Service Dependency Model for Cost-Sensitive Intrusion Response. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds.) ESORICS 2010. LNCS, vol. 6345, pp. 626–642. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  11. 11.
    Kheir, N.: Response policies and countermeasures: Management of service dependencies and intrusion and reaction impacts, PhD Thesis, Ecole Nationale Superieure des Telecommunications de Bretagne (2010)Google Scholar
  12. 12.
    Lockstep Consulting.: A Guide for Government Agencies Calculating ROSI (2004),
  13. 13.
    Norman, T.: Risk Analysis and Security Countermeasure Selection. CRC Press, Taylor & Francis Group (2010)Google Scholar
  14. 14.
    Pukkawanna, S., Visoottiviseth, V., Pongpaibool, P.: Lightweight Detection of DoS Attacks. In: 15th International Conference on Networks (ICON), pp. 72–82 (2007)Google Scholar
  15. 15.
    Cavusoglu, H., Mishra, B., Raghunathan, S.: A Model for Evaluating IT Security Investment. Communications of the AMC 47(7), 87–92 (2004)CrossRefGoogle Scholar
  16. 16.
    Duan, C., Cleland-Huang, J.: Automated Safeguard Selection Strategies, CTI Research Symposium (2006)Google Scholar
  17. 17.
    Neubauer, T., Stummer, C., Weippl, E.: Workshop-based Multiobjective Security Safeguard Selection. In: First International Conference on Availability, Reliability and Security (ARES), pp. 1–8 (2006)Google Scholar
  18. 18.
    Bistarelli, S., Fioravanti, F., Peretti, P.: Using CP-nets as a guide for countermeasure selection. In: ACM Symposium on Applied Computing, pp. 300–3048 (2007)Google Scholar
  19. 19.
    Zonouz, A., Khurana, H., Sanders, W., Yardley, T.: A Game-Theoretic Intrusion Response and Recovery Engine. In: International Conference on Dependable Systems and Networks (2009)Google Scholar
  20. 20.
    Bedi, P., Gandotra, V., Singhal, A., Narang, H., Sharma, S.: Optimal Countermeasures Identification Method: A New Approach in Secure Software Engineering. European Journal of Scientific Research 55(4), 527–537 (2011)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Gustavo Gonzalez Granadillo
    • 1
  • Hervé Débar
    • 1
  • Grégoire Jacob
    • 1
  • Chrystel Gaber
    • 2
  • Mohammed Achemlal
    • 2
  1. 1.Telecom Sudparis, SAMOVAR UMR 5157EvryFrance
  2. 2.Orange LabsCaenFrance

Personalised recommendations