CIAM: A data-driven approach for selecting and prioritizing security controls

Llansó, Thomas

doi:10.1109/syscon.2012.6189500

Cited by 12 publications

(10 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“… Business impact/disruption, anticipated loss, profit reduction, fines, reputation, decline in stock price, damage [17]- [23]  Risk tolerance [12], [19], [24]; Budget [19]  Legal and regulatory [22]  Self-imposed constraints [22] Asset  Importance/value [13], [24]- [27]  Assessed risk [12], [24]  Probability of breach, event, or successful attack [13], [24], [26], [28], [29] Threat  Anticipated [25], [27], [30], [31]  Most significant [25]  Residual risk [23], [32]; Incident data [17] Control  Cost, general [12], [13], [30], [32], [18], [20]- [23], [26]- [28]  Purchase/setup [17], [24], [25], [33]- [35]  Number of controls as a proxy for cost [36]  Difficulty of implementation [25]  Operation, training, and maintenance cost [17], [24], [25],…”

Section: Organizationalmentioning

confidence: 99%

Multi-Criteria Selection of Capability-Based Cybersecurity Solutions

Llansó¹,

McNeil²,

Noteboom³

2019

Proceedings of the Annual Hawaii International Conference on System Sciences

Self Cite

View full text Add to dashboard Cite

Given the increasing frequency and severity of cyber attacks on information systems of all kinds, there is interest in rationalized approaches for selecting the "best" set of cybersecurity mitigations. However, what is best for one target environment is not necessarily best for another. This paper examines an approach to selection that uses a set of weighted criteria, where the security engineer sets the weights based on organizational priorities and constraints. The approach is based on a capability-based representation for cybersecurity mitigations. The paper discusses a group of artifacts that compose the approach through the lens of Design Science research and reports performance results of an instantiation artifact.

show abstract

Section: Organizationalmentioning

confidence: 99%

Multi-Criteria Selection of Capability-Based Cybersecurity Solutions

Llansó¹,

McNeil²,

Noteboom³

2019

Proceedings of the Annual Hawaii International Conference on System Sciences

Self Cite

View full text Add to dashboard Cite

show abstract

“…Table 1 presents the three variants of MBA. The first variant is the cyber investment analysis methodology (CIAM) [5], which considers risk and mitigation actions at the enterprise level by analyzing forensic data on attacks, vulnerabilities, CVSS scores, protection strategies and protection costs to estimate an optimal investment level by protection type. The second is network mission assurance (NMA) [2], which focuses on the availability of network bandwidth and how cyber attacks that impact network capacity can affect mission.…”

Section: Related Workmentioning

confidence: 99%

Mission-Based Analysis for Assessing Cyber Risk in Critical Infrastructure Systems

Llansó

Tally

Silberglitt

et al. 2013

Critical Infrastructure Protection VII

Self Cite

View full text Add to dashboard Cite

Adversaries with the appropriate expertise and access can potentially exploit the large attack surface provided by the cyber component of critical infrastructure assets to target operations across the various sectors and significantly impact society. This paper describes a family of cyber risk methodologies known as "mission-based analysis" (MBA) that assist system designers in identifying the threats that pose the highest risk to mission execution and in prioritizing mitigation actions against the threats. This paper describes our experiences applying MBA and discusses its benefits and limitations. Also, it describes future enhancements of MBA and compares the approach with other assurance methodologies.

show abstract

“…Llanso [9] introduces CIAM -an approach that provides an initial prioritization of security controls. His approach uses data related to security incidents, vulnerabilities, business impact, and security control costs.…”

Section: Related Workmentioning

confidence: 99%

“…Llanso [9] introduces an approach for selecting and prioritizing security controls (in the terminology of this paper, we use the term 'security mechanism' instead of the 'security control' because the latter term could indicate the usage of NIST 800-30 security controls). First, he computes weights of these controls, using three component weights -Prevention, Detection and Response (P/D/R) against an attack.…”

Section: Security Mechanism Weightingmentioning

confidence: 99%

“…Table 1 presents the "Controls against malicious code" control objective from "Communications and operations management" security clause. We assigned five security mechanisms to this control objective and used the same approach for determining weights as Llanso [9] did. We constituted a group of security professionals for this purpose, so they could discuss if the security mechanisms are properly assigned and what values can they achieve in each of three components.…”

Section: Security Mechanism Weightingmentioning

confidence: 99%

See 1 more Smart Citation

On Identifying Proper Security Mechanisms

Breier

Hudec

2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Part 2: Asian Conference on Availability, Reliability and Security (AsiaARES)International audienceSelection of proper security mechanisms that will protect the organization’s assets against cyber threats is an important non-trivial problem. This paper introduces the approach based on statistical methods that will help to choose the proper controls with respect to actual security threats. First, we determine security mechanisms that support control objectives from ISO/IEC 27002 standard and assign them meaningful weights. Then we employ a factor analysis to reveal dependencies among control objectives. Then this knowledge can be reflected to security mechanisms, that inherit these dependencies from control objectives

show abstract

CIAM: A data-driven approach for selecting and prioritizing security controls

Cited by 12 publications

References 4 publications

Multi-Criteria Selection of Capability-Based Cybersecurity Solutions

Multi-Criteria Selection of Capability-Based Cybersecurity Solutions

Mission-Based Analysis for Assessing Cyber Risk in Critical Infrastructure Systems

On Identifying Proper Security Mechanisms

Contact Info

Product

Resources

About