E. Kiesling, C. Strauss, C. Stummer:
"A multi-objective decision support framework for simulation-based security control selection
in:"2012 Seventh International Conference on Availability, Reliability and Security
", IEEE Computer Society, Los Alamitos, CA, USA, 2012, ISBN: 978-1-4673-2244-7, S. 454 - 462.
[ Publication Database
In this paper, we report on our ongoing research on simulation-based information security risk assessment and multi-objective optimization of investment in security controls. We outline a methodological framework that accounts for characteristics of the organization, its information infrastructure, assets to be protected, the particular threat sources it faces, and the decision-makers'risk preferences. This framework comprises (i) ontological modeling of security knowledge, (ii) dynamic attack graph generation techniques, (iii) probabilistic simulation of attacks by goal-driven threat agents, (iv) meta-heuristic identification of efficient portfolios of information security controls, and (v) interactive decision support. These components facilitate novel techniques to infer possible routes of attacks and generate attack graphs based on attackers'motivation, objectives, capabilities, and available modes of entry and to use this inferred knowledge to simulate attacks on an organization's modeled infrastructure. The method supports decision makers evaluating potential security control investments in striking a balance between monetary and non-monetary criteria regarding risks, costs, and benefits. We are currently in the process of developing a prototypical implementation of the framework that will be used to evaluate the approach through application case studies.