Most organizations today have become critically dependent on information systems to perform their mission. At the same time, the frequency and sophistication of threats to these systems are growing dramatically, as attackers become more goal-driven and criminally motivated. This development creates an unprecedented potential for information security incidents to damage businesses' reputation, profitability, and customer confidence, and even to threaten their existence. It is therefore not surprising that information security has become a major concern among enterprises. However, given the complex nature of information security problems and the vast and diverse array of available means that aim to improve it (e.g. virus scanners, firewalls, encryption, intrusion detection, two-factor authentication, access control systems, security policies, security awareness training, etc.), decision makers struggle to identify the best ways to counteract the threats they face and consequently tend to base investment decisions primarily on immediate local needs. This reactive, ad-hoc approach to information security typically leads to an inefficient allocation of scarce resources.
The proposed project tackles the highly relevant and theoretically challenging problem of strategically selecting an appropriate portfolio (i.e. bundle) of information security safeguards. To this end, we intend to conceptualize and develop a quantitative method that supports decision makers in striking a balance between monetary and non-monetary risk, cost, and benefit criteria. The proposed method is based on a framework that comprises ontological modeling of security knowledge, dynamic attack tree generation techniques, stochastic attack simulation, meta-heuristic identification of efficient portfolios, and interactive decision support. Our approach rests upon a holistic evaluation and optimization of the total effectiveness of all implemented safeguards rather than on an assessment of individual information security investment opportunities, an approach that neglects synergies and complex interactions between safeguards. Moreover, our approach explicitly takes into account the characteristics of the organization, its information infrastructure and information assets, and the threat sources it faces by modeling human attackers as rational, goal-oriented agents. We rely on heavyweight ontologies to represent rich security knowledge and harness that knowledge through automated reasoning, which enables novel techniques to infer possible routes of attack and to generate individual attack trees based on attackers' motivation, objectives, capabilities, and available entry points.
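The following is an added illustration of the evaluation and portfolio-selection idea described above; it is not code from the proposal or its prototype. It uses a constructed toy attack tree (an OR root over two AND attack paths), constructed safeguards modeled as multiplicative reductions of leaf success probabilities with assumed costs, an assumed asset value, exact and Monte Carlo evaluation of the root success probability, and exhaustive enumeration of all safeguard portfolios to keep the Pareto-efficient ones on cost versus expected loss. Brute-force enumeration stands in for the meta-heuristic search the proposal mentions and is only feasible for a handful of safeguards. The synergy() helper makes the point about holistic versus individual assessment concrete: with an OR root, the risk reduction of two safeguards together exceeds the sum of their individual reductions.

```python
"""Toy attack-tree evaluation and safeguard-portfolio selection (added example)."""
import itertools
import random
from dataclasses import dataclass


@dataclass
class Leaf:
    name: str
    p: float  # probability that this attack step succeeds with no safeguards


@dataclass
class Gate:
    kind: str  # "AND": all children must succeed; "OR": any child suffices
    children: list


# Constructed example: the goal "steal customer database" via two attack paths.
TREE = Gate("OR", [
    Gate("AND", [Leaf("phish_employee", 0.6),
                 Leaf("use_stolen_creds", 0.7),
                 Leaf("exfil_via_vpn", 0.8)]),
    Gate("AND", [Leaf("exploit_webapp", 0.4),
                 Leaf("exfil_via_webshell", 0.8)]),
])

# Constructed safeguards: (cost, {leaf: factor applied to its success probability}).
SAFEGUARDS = {
    "awareness_training": (20, {"phish_employee": 0.5}),
    "mfa": (40, {"use_stolen_creds": 0.2}),
    "waf": (30, {"exploit_webapp": 0.5}),
    "dlp": (25, {"exfil_via_vpn": 0.5, "exfil_via_webshell": 0.5}),
}
ASSET_VALUE = 1000.0  # assumed loss if the root goal is reached


def leaf_probs(portfolio):
    """Effective leaf success probabilities after applying the chosen safeguards."""
    probs = {}

    def walk(node):
        if isinstance(node, Leaf):
            probs[node.name] = node.p
        else:
            for child in node.children:
                walk(child)

    walk(TREE)
    for name in portfolio:
        for leaf, factor in SAFEGUARDS[name][1].items():
            probs[leaf] *= factor
    return probs


def success_prob(node, probs):
    """Exact root success probability, assuming independent leaf steps."""
    if isinstance(node, Leaf):
        return probs[node.name]
    ps = [success_prob(c, probs) for c in node.children]
    acc = 1.0
    if node.kind == "AND":
        for p in ps:
            acc *= p
        return acc
    for p in ps:
        acc *= 1.0 - p
    return 1.0 - acc


def simulate(node, probs, trials=20000, seed=1):
    """Monte Carlo estimate: sample every leaf step as a Bernoulli trial."""
    rng = random.Random(seed)

    def attempt(n):
        if isinstance(n, Leaf):
            return rng.random() < probs[n.name]
        results = [attempt(c) for c in n.children]  # sample all, no short-circuit
        return all(results) if n.kind == "AND" else any(results)

    return sum(attempt(node) for _ in range(trials)) / trials


def portfolio_cost(portfolio):
    return sum(SAFEGUARDS[name][0] for name in portfolio)


def expected_loss(portfolio):
    return ASSET_VALUE * success_prob(TREE, leaf_probs(portfolio))


def synergy(a, b):
    """Combined risk reduction of {a, b} minus the sum of the two individual reductions."""
    base = expected_loss(())
    red_a = base - expected_loss((a,))
    red_b = base - expected_loss((b,))
    red_ab = base - expected_loss((a, b))
    return red_ab - (red_a + red_b)


def efficient_portfolios():
    """Enumerate all 2^n portfolios and keep the Pareto-efficient ones (cost vs. loss)."""
    names = list(SAFEGUARDS)
    points = []
    for r in range(len(names) + 1):
        for combo in itertools.combinations(names, r):
            points.append((portfolio_cost(combo), expected_loss(combo), combo))
    efficient = []
    for cost, loss, combo in points:
        dominated = any((c2 <= cost and l2 <= loss) and (c2 < cost or l2 < loss)
                        for c2, l2, _ in points)
        if not dominated:
            efficient.append((cost, round(loss, 3), combo))
    return sorted(efficient)


if __name__ == "__main__":
    for cost, loss, combo in efficient_portfolios():
        print(f"cost={cost:4d}  expected_loss={loss:8.3f}  {combo}")
```

Ranking safeguards one at a time by their individual reduction would never surface the interaction that synergy() exposes; the efficient frontier, by contrast, is computed over whole portfolios, which is the holistic evaluation the proposal argues for.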
The results of the project should facilitate better information security investment decision-making through multi-criteria decision support. To achieve this objective, we follow an interdisciplinary research approach that draws on a variety of disciplines including Management, Operations Research, Computer Science, and Information Security. The project will yield a prototypical implementation of the method to enable an evaluation of the proposed approach by means of a case study.
09.2011 - 08.2015