On Selecting Critical Security Controls

Breier, Jakub; Hudec, Ladislav

doi:10.1109/ares.2013.77

Cited by 15 publications

(12 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…To address this bias, we test the ATE estimator models with refutation methods to verify the estimated effect and validity of our assumptions. We run three refuting tests using doWhy 4 package to test the robustness of estimates for ATE-(a) replacing treatment variable with noise; (b) Adding an unobserved confounder to the model to test unconfoundedness assumptions; and (c) removing a random subset of data to check the estimator has generalisation property. We observe no change in ATE estimate with the above tests confirming the robustness of estimator.…”

Section: Threats To Validitymentioning

confidence: 99%

Effect of Security Controls on Patching Window: A Causal Inference based Approach

Kuppa

Aouad²,

Le-Khac

2020

Annual Computer Security Applications Conference

View full text Add to dashboard Cite

Section: Threats To Validitymentioning

confidence: 99%

Effect of Security Controls on Patching Window: A Causal Inference based Approach

Kuppa

Aouad²,

Le-Khac

2020

Annual Computer Security Applications Conference

View full text Add to dashboard Cite

“… Business impact/disruption, anticipated loss, profit reduction, fines, reputation, decline in stock price, damage [17]- [23]  Risk tolerance [12], [19], [24]; Budget [19]  Legal and regulatory [22]  Self-imposed constraints [22] Asset  Importance/value [13], [24]- [27]  Assessed risk [12], [24]  Probability of breach, event, or successful attack [13], [24], [26], [28], [29] Threat  Anticipated [25], [27], [30], [31]  Most significant [25]  Residual risk [23], [32]; Incident data [17] Control  Cost, general [12], [13], [30], [32], [18], [20]- [23], [26]- [28]  Purchase/setup [17], [24], [25], [33]- [35]  Number of controls as a proxy for cost [36]  Difficulty of implementation [25]  Operation, training, and maintenance cost [17], [24], [25],…”

Section: Organizationalmentioning

confidence: 99%

“…It is used to analyze problems where there are some measures of costs and benefits that can be traded off to arrive at the best solution under the given constraints. Researchers investigate a number of MCDM techniques for this problem, some of which include or are based on fuzzy set theory [34], multi-attribute utility theory (i.e., value functions, knapsack strategy) [18], [27], [30], [37], evolutionary multi-objective optimization (EMO) also known as genetic algorithms [13], [20], [23], [26], [32], [35], analytic hierarchy process (AHP) [31], grey relational analysis (GRA) [25], simple additive weighting (SAW) [17], the technique for order preference by similarity to ideal solution (TOP-SIS) [25], and preference ranking organization method for enrichment evaluation (PROMETHEE) [33].…”

Section: Organizationalmentioning

confidence: 99%

Multi-Criteria Selection of Capability-Based Cybersecurity Solutions

Llansó¹,

McNeil²,

Noteboom³

2019

Proceedings of the Annual Hawaii International Conference on System Sciences

View full text Add to dashboard Cite

Given the increasing frequency and severity of cyber attacks on information systems of all kinds, there is interest in rationalized approaches for selecting the "best" set of cybersecurity mitigations. However, what is best for one target environment is not necessarily best for another. This paper examines an approach to selection that uses a set of weighted criteria, where the security engineer sets the weights based on organizational priorities and constraints. The approach is based on a capability-based representation for cybersecurity mitigations. The paper discusses a group of artifacts that compose the approach through the lens of Design Science research and reports performance results of an instantiation artifact.

show abstract

“…Una solución cuantitativa para la selección de ISC se considera un problema NP-Hard (Tosatto, Governatori, & Kelsen, 2015). Existen propuestas que apuntan al uso de métodos matemáticos para apoyar la selección del ISC -ver por ejemplo (Breier & Hudec, 2013b;Cuihua & Jiajun, 2009;J. Lv, Zhou, & Wang, 2011;Yang, Shieh, Leu, & Tzeng, 2009) -.…”

Section: Introductionunclassified

Comparación de dos enfoques cuantitativos para seleccionar controles de seguridad de la información

Dieguez

Cares

2019

RISTI

View full text Add to dashboard Cite

Resumen: Proporcionar procesos y herramientas sistemáticos para tomar una decisión sobre inversiones en seguridad en un escenario con restricciones presupuestarias, es de suma importancia para asegurar que dichas decisiones se tomen adecuadamente. Presentamos un enfoque de programación de conjunto de respuestas (ASP) para resolver este problema. Nuestra propuesta se compara con el desarrollo del problema utilizando programación lineal (PL). Ilustramos la fase de modelado y el rendimiento computacional de ambas soluciones. El modelo ASP presenta tiempos de resolución del tipo exponencial a medida que aumenta el número de controles sobre los que debe decidirse. Por otro lado, el modelo basado en PL no presenta variaciones importantes en sus tiempos de resolución de problemas. Sin embargo, el problema es más fácil de modelar en ASP. Luego, esta propuesta tiene ventajas para modelar y resolver problemas específicos en los que se requiere una respuesta rápida con una baja cantidad de controles. Palabras-clave:Answer set programming; Programación lineal; Optimización; Controles de seguridad de la información; Sistema de gestión de seguridad de la información. Comparing Two Quantitative Approaches to Select Information Security ControlsAbstract: Provide systematic processes and tools to make a decision about security investments under a scenario of budget constraints, is of paramount importance to assure that such decisions are soundly made. We present a answer set programming (ASP) approach to solve this problem. Our proposal is then compared against a traditional linear programming (LP) operational research technique. We illustrate the modeling phase and computational performance of both solutions. The model based on ASP presents resolution times of the exponential type as the number of controls over which it must be decided increases. On the other hand, the model based on LP does not present important variations in its problem resolution times. RISTI, N.º 32, 06/2019Comparación de dos enfoques cuantitativos para seleccionar controles de seguridad de la información However, the problem is easier to model in ASP. Then, this proposal has advantages for modeling and solving specific problems in which a rapid response is required and which do not require many controls.

show abstract

On Selecting Critical Security Controls

Cited by 15 publications

References 9 publications

Effect of Security Controls on Patching Window: A Causal Inference based Approach

Effect of Security Controls on Patching Window: A Causal Inference based Approach

Multi-Criteria Selection of Capability-Based Cybersecurity Solutions

Comparación de dos enfoques cuantitativos para seleccionar controles de seguridad de la información

Contact Info

Product

Resources

About