
Two-stage Security Controls Selection


Abstract(s)

To protect a system from potential cyber security breaches and attacks, one needs to select efficient security controls, taking into account technical and institutional goals and constraints, such as available budget, enterprise activity, internal and external environment. Here we model the security controls selection problem as a two-stage decision making: First, managers and information security officers define the size of security budget. Second, the budget is distributed between various types of security controls. By viewing loss prevention with security controls measured as gains relative to a baseline (losses without applying security controls), we formulate the decision-making process as a classical portfolio selection problem. The model assumes security budget allocation as a two-objective problem, balancing risk and return, given a budget constraint. The Sharpe ratio is used to identify an optimal point on the Pareto front to spend the budget. At the management level the budget size is chosen by computing the trade-offs between Sharpe ratios and budget sizes. It is shown that the proposed two-stage decision-making model can be solved by quadratic programming techniques, which is shown for a test case scenario with realistic data.

Keywords

Multicriteria optimisation; Security; Subset selection; Security budget; Portfolio optimization; Sharpe ratio

Citation

Iryna Yevseyeva, Vitor Basto Fernandes, Aad van Moorsel, Helge Janicke, Michael Emmerich, Two-stage Security Controls Selection, Procedia Computer Science, Volume 100, 2016, Pages 971-978, ISSN 1877-0509, https://doi.org/10.1016/j.procs.2016.09.261
