A More Rigorous Framework for Security-in-Depth

“…The SiD framework [32,46] is a systematic approach to risk analysis, which links risks to organisational objectives, in our case insider threats to information security. The framework is consistent with the ISO 31000:2009 Risk Management Standard [50] and can be used both qualitatively and quantitatively to inform investment decisions by prioritising controls that have the greatest potential for risk reduction.…”

“…The framework is consistent with the ISO 31000:2009 Risk Management Standard [50] and can be used both qualitatively and quantitatively to inform investment decisions by prioritising controls that have the greatest potential for risk reduction. Central to the framework is the concept of a security layer which is defined as an integrated set of controls that can potentially stop a defined event from occurring, or reduce the consequences when an event has occurred [46]. The key to this definition of a security layer is that the layer contains all the controls needed to reduce the likelihood or consequences of a risk event independent of other control measures.…”

“…For those perpetrators not deterred, the prevent layer is a collection of controls and functions, which act to identify and monitor activities to prompt interventions that stop the risk event before the breach occurs. Both the shape and prevent layers are made up of three interlinked generic functions; detect, alert, and respond [31,46]. As an example, for the prevent layer, the three functions are needed to generate awareness of the perpetrator's actions (detect), raise an alarm and undertake decision making (alert), and execute an intervention to stop the risk event from occurring (response).…”

“…In the remainder of the paper, we address these issues using a risk-based framework which we have called Security-in-Depth (SiD) [46]. SiD was originally developed to support investment decisions in the physical security domain [47,48], but was then extended and applied to address all national security threat types [32] and to explore Defence's needs in building cyber security capabilities [49].…”

A Risk-Based Framework to Inform Prioritisation of Security Investment for Insider Threats

“…The SiD framework [32,46] is a systematic approach to risk analysis, which links risks to organisational objectives, in our case insider threats to information security. The framework is consistent with the ISO 31000:2009 Risk Management Standard [50] and can be used both qualitatively and quantitatively to inform investment decisions by prioritising controls that have the greatest potential for risk reduction.…”

“…The framework is consistent with the ISO 31000:2009 Risk Management Standard [50] and can be used both qualitatively and quantitatively to inform investment decisions by prioritising controls that have the greatest potential for risk reduction. Central to the framework is the concept of a security layer which is defined as an integrated set of controls that can potentially stop a defined event from occurring, or reduce the consequences when an event has occurred [46]. The key to this definition of a security layer is that the layer contains all the controls needed to reduce the likelihood or consequences of a risk event independent of other control measures.…”

“…For those perpetrators not deterred, the prevent layer is a collection of controls and functions, which act to identify and monitor activities to prompt interventions that stop the risk event before the breach occurs. Both the shape and prevent layers are made up of three interlinked generic functions; detect, alert, and respond [31,46]. As an example, for the prevent layer, the three functions are needed to generate awareness of the perpetrator's actions (detect), raise an alarm and undertake decision making (alert), and execute an intervention to stop the risk event from occurring (response).…”

“…In the remainder of the paper, we address these issues using a risk-based framework which we have called Security-in-Depth (SiD) [46]. SiD was originally developed to support investment decisions in the physical security domain [47,48], but was then extended and applied to address all national security threat types [32] and to explore Defence's needs in building cyber security capabilities [49].…”

A Risk-Based Framework to Inform Prioritisation of Security Investment for Insider Threats

“…Lamsweerde assessed the relation between requirements options and leaves goals in goal graphs to improve decision-making process [9]. Nunes-Vaz, Lord, and Ciuk introduced a framework that can be used to relate the security measures to the desired security performance [10]. Le Sage, Toubaline, and Borrion discussed how security risk scenarios should be formulated [11] to make the relation between offender's actions, offender's goals and the system's antigoals more explicit.…”

Improving security decision under uncertainty: A multidisciplinary approach

Bibliography