A multi-objective decision support framework for simulation-based security control selection

Elmar Kiesling; Christine Strauß; Christian Stummer

doi:10.1109/ARES.2012.70

A multi-objective decision support framework for simulation-based security control selection

Elmar Kiesling^*
, Christine Strauß
, Christian Stummer

^*Corresponding author for this work

Publication: Chapter in book/Conference proceeding › Contribution to conference proceedings

Abstract

In this paper, we report on our ongoing research on simulation-based information security risk assessment and multi-objective optimization of investment in security controls. We outline a methodological framework that accounts for characteristics of the organization, its information infrastructure, assets to be protected, the particular threat sources it faces, and the decision-makers' risk preferences. This framework comprises (i) ontological modeling of security knowledge, (ii) dynamic attack graph generation techniques, (iii) probabilistic simulation of attacks by goal-driven threat agents, (iv) meta-heuristic identification of efficient portfolios of information security controls, and (v) interactive decision support. These components facilitate novel techniques to infer possible routes of attacks and generate attack graphs based on attackers' motivation, objectives, capabilities, and available modes of entry and to use this inferred knowledge to simulate attacks on an organization's modeled infrastructure. The method supports decision makers evaluating potential security control investments in striking a balance between monetary and non-monetary criteria regarding risks, costs, and benefits. We are currently in the process of developing a prototypical implementation of the framework that will be used to evaluate the approach through application case studies.

Original language	English
Title of host publication	Proceedings - 2012 7th International Conference on Availability, Reliability and Security (ARES 2012)
Subtitle of host publication	20-24 August 2012, Prague, Czech Republic
Place of Publication	Danvers, MA
Publisher	IEEE
Pages	454-462
Number of pages	9
ISBN (Print)	9780769547756
DOIs	https://doi.org/10.1109/ARES.2012.70
Publication status	Published - 2012
Externally published	Yes
Event	2012 7th International Conference on Availability, Reliability and Security, ARES 2012 - Prague, Czech Republic Duration: 20 Aug 2012 → 24 Aug 2012

Conference

Conference	2012 7th International Conference on Availability, Reliability and Security, ARES 2012
Country/Territory	Czech Republic
City	Prague
Period	20/08/12 → 24/08/12

Keywords

computational modeling
decision support systems
human factors
security and protection
simulation
systems analysis and design

Access to Document

10.1109/ARES.2012.70

Cite this

@inproceedings{32acb465a5524951a2b54ae4e37fd012,

title = "A multi-objective decision support framework for simulation-based security control selection",

abstract = "In this paper, we report on our ongoing research on simulation-based information security risk assessment and multi-objective optimization of investment in security controls. We outline a methodological framework that accounts for characteristics of the organization, its information infrastructure, assets to be protected, the particular threat sources it faces, and the decision-makers' risk preferences. This framework comprises (i) ontological modeling of security knowledge, (ii) dynamic attack graph generation techniques, (iii) probabilistic simulation of attacks by goal-driven threat agents, (iv) meta-heuristic identification of efficient portfolios of information security controls, and (v) interactive decision support. These components facilitate novel techniques to infer possible routes of attacks and generate attack graphs based on attackers' motivation, objectives, capabilities, and available modes of entry and to use this inferred knowledge to simulate attacks on an organization's modeled infrastructure. The method supports decision makers evaluating potential security control investments in striking a balance between monetary and non-monetary criteria regarding risks, costs, and benefits. We are currently in the process of developing a prototypical implementation of the framework that will be used to evaluate the approach through application case studies.",

keywords = "computational modeling, decision support systems, human factors, security and protection, simulation, systems analysis and design",

author = "Elmar Kiesling and Christine Strau{\ss} and Christian Stummer",

year = "2012",

doi = "10.1109/ARES.2012.70",

language = "English",

isbn = "9780769547756",

pages = "454--462",

booktitle = "Proceedings - 2012 7th International Conference on Availability, Reliability and Security (ARES 2012)",

publisher = "IEEE",

note = "2012 7th International Conference on Availability, Reliability and Security, ARES 2012 ; Conference date: 20-08-2012 Through 24-08-2012",

}

Kiesling, E, Strauß, C & Stummer, C 2012, A multi-objective decision support framework for simulation-based security control selection. in Proceedings - 2012 7th International Conference on Availability, Reliability and Security (ARES 2012): 20-24 August 2012, Prague, Czech Republic., 6329217, IEEE, Danvers, MA, pp. 454-462, 2012 7th International Conference on Availability, Reliability and Security, ARES 2012, Prague, Czech Republic, 20/08/12. https://doi.org/10.1109/ARES.2012.70

A multi-objective decision support framework for simulation-based security control selection. / Kiesling, Elmar; Strauß, Christine; Stummer, Christian.
Proceedings - 2012 7th International Conference on Availability, Reliability and Security (ARES 2012): 20-24 August 2012, Prague, Czech Republic. Danvers, MA: IEEE, 2012. p. 454-462 6329217.

Publication: Chapter in book/Conference proceeding › Contribution to conference proceedings

TY - GEN

T1 - A multi-objective decision support framework for simulation-based security control selection

AU - Kiesling, Elmar

AU - Strauß, Christine

AU - Stummer, Christian

PY - 2012

Y1 - 2012

N2 - In this paper, we report on our ongoing research on simulation-based information security risk assessment and multi-objective optimization of investment in security controls. We outline a methodological framework that accounts for characteristics of the organization, its information infrastructure, assets to be protected, the particular threat sources it faces, and the decision-makers' risk preferences. This framework comprises (i) ontological modeling of security knowledge, (ii) dynamic attack graph generation techniques, (iii) probabilistic simulation of attacks by goal-driven threat agents, (iv) meta-heuristic identification of efficient portfolios of information security controls, and (v) interactive decision support. These components facilitate novel techniques to infer possible routes of attacks and generate attack graphs based on attackers' motivation, objectives, capabilities, and available modes of entry and to use this inferred knowledge to simulate attacks on an organization's modeled infrastructure. The method supports decision makers evaluating potential security control investments in striking a balance between monetary and non-monetary criteria regarding risks, costs, and benefits. We are currently in the process of developing a prototypical implementation of the framework that will be used to evaluate the approach through application case studies.

AB - In this paper, we report on our ongoing research on simulation-based information security risk assessment and multi-objective optimization of investment in security controls. We outline a methodological framework that accounts for characteristics of the organization, its information infrastructure, assets to be protected, the particular threat sources it faces, and the decision-makers' risk preferences. This framework comprises (i) ontological modeling of security knowledge, (ii) dynamic attack graph generation techniques, (iii) probabilistic simulation of attacks by goal-driven threat agents, (iv) meta-heuristic identification of efficient portfolios of information security controls, and (v) interactive decision support. These components facilitate novel techniques to infer possible routes of attacks and generate attack graphs based on attackers' motivation, objectives, capabilities, and available modes of entry and to use this inferred knowledge to simulate attacks on an organization's modeled infrastructure. The method supports decision makers evaluating potential security control investments in striking a balance between monetary and non-monetary criteria regarding risks, costs, and benefits. We are currently in the process of developing a prototypical implementation of the framework that will be used to evaluate the approach through application case studies.

KW - computational modeling

KW - decision support systems

KW - human factors

KW - security and protection

KW - simulation

KW - systems analysis and design

UR - https://www.scopus.com/pages/publications/84869379874

U2 - 10.1109/ARES.2012.70

DO - 10.1109/ARES.2012.70

M3 - Contribution to conference proceedings

SN - 9780769547756

SP - 454

EP - 462

BT - Proceedings - 2012 7th International Conference on Availability, Reliability and Security (ARES 2012)

PB - IEEE

CY - Danvers, MA

T2 - 2012 7th International Conference on Availability, Reliability and Security, ARES 2012

Y2 - 20 August 2012 through 24 August 2012

ER -

A multi-objective decision support framework for simulation-based security control selection

Abstract

Conference

Keywords

Access to Document

Other files and links

Cite this