Selecting security control portfolios: a multi-objective simulation-optimization approach

Kiesling, Elmar; Ekelhart, Andreas; Grill, Bernhard; Strauß, Christine; Stummer, Christian

doi:10.1007/s40070-016-0055-7

Cited by 11 publications

(7 citation statements)

References 42 publications

(40 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“… Business impact/disruption, anticipated loss, profit reduction, fines, reputation, decline in stock price, damage [17]- [23]  Risk tolerance [12], [19], [24]; Budget [19]  Legal and regulatory [22]  Self-imposed constraints [22] Asset  Importance/value [13], [24]- [27]  Assessed risk [12], [24]  Probability of breach, event, or successful attack [13], [24], [26], [28], [29] Threat  Anticipated [25], [27], [30], [31]  Most significant [25]  Residual risk [23], [32]; Incident data [17] Control  Cost, general [12], [13], [30], [32], [18], [20]- [23], [26]- [28]  Purchase/setup [17], [24], [25], [33]- [35]  Number of controls as a proxy for cost [36]  Difficulty of implementation [25]  Operation, training, and maintenance cost [17], [24], [25],…”

Section: Organizationalmentioning

confidence: 99%

“…These decisions are complex, inexact, and involve multiple stakeholders with diverse interests. Moreover, there is no "one size fits all" approach because, for example, information environments, business dependence on those environments, relevant cyber threats, risk tolerance levels, and security budgets vary from one organization to the next [13].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Multi-Criteria Selection of Capability-Based Cybersecurity Solutions

Llansó¹,

McNeil²,

Noteboom³

2019

Proceedings of the Annual Hawaii International Conference on System Sciences

View full text Add to dashboard Cite

Given the increasing frequency and severity of cyber attacks on information systems of all kinds, there is interest in rationalized approaches for selecting the "best" set of cybersecurity mitigations. However, what is best for one target environment is not necessarily best for another. This paper examines an approach to selection that uses a set of weighted criteria, where the security engineer sets the weights based on organizational priorities and constraints. The approach is based on a capability-based representation for cybersecurity mitigations. The paper discusses a group of artifacts that compose the approach through the lens of Design Science research and reports performance results of an instantiation artifact.

show abstract

Section: Organizationalmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Multi-Criteria Selection of Capability-Based Cybersecurity Solutions

Llansó¹,

McNeil²,

Noteboom³

2019

Proceedings of the Annual Hawaii International Conference on System Sciences

View full text Add to dashboard Cite

show abstract

“…According to the article (Kiesling et al, 2016), organizations and their infrastructures are exposed to constant threats, and deciding the better way to respond to them is a difficult task for IT security managers. For that very reason, the work aims to combine the concept of security with a simulation of an infrastructure capable of fighting attacks and providing decision support components.…”

Section: Security Controls Selectionmentioning

confidence: 99%

“…In order to create a model capable of dealing with attacks, it is necessary to have knowledge beyond technology, because psychological, sociological or economic parameters should not be forgotten. To conclude, Kiesling et al (2016) argue that in the future a method must be integrated that simulates the impact of attacks on an organization's business process.…”

Section: Security Controls Selectionmentioning

confidence: 99%

Decision support for selecting information security controls

Almeida

Respício

2018

Journal of Decision Systems

View full text Add to dashboard Cite

“…Huang (2007) treats the project parameters as uncertain and combines a genetic algorithm with random fuzzy simulation in order to account for this. An interesting application combining discrete-event simulation with a genetic algorithm to select security control portfolios is discussed in Kiesling et al (2016). In the context of an IT infrastructure subject to a number of threats, the authors focus on selecting the best policy from efficient combinations of security controls.…”

Section: Introductionmentioning

confidence: 99%

A variable neighborhood search simheuristic for project portfolio selection under uncertainty

et al. 2018

View full text Add to dashboard Cite

With limited financial resources, decision-makers in firms and governments face the task of selecting the best portfolio of projects to invest in. As the pool of project proposals increases and more realistic constraints are considered, the problem becomes NP-hard. Thus, metaheuristics have been employed for solving large instances of the project portfolio selection problem (PPSP). However, most of the existing works do not account for uncertainty. This paper contributes to close this gap by analyzing a stochastic version of the PPSP: the goal is to maximize the expected net present value of the inversion, while considering random cash flows and discount rates in future periods, as well as a rich set of constraints including the maximum risk allowed. To solve this stochastic PPSP, a simulation-optimization algorithm is introduced. Our approach integrates a variable neighborhood search metaheuristic with Monte Carlo simulation. A series of computational experiments contribute to validate our approach and illustrate how the solutions vary as the level of uncertainty increases.

show abstract

Selecting security control portfolios: a multi-objective simulation-optimization approach

Cited by 11 publications

References 42 publications

Multi-Criteria Selection of Capability-Based Cybersecurity Solutions

Multi-Criteria Selection of Capability-Based Cybersecurity Solutions

Decision support for selecting information security controls

A variable neighborhood search simheuristic for project portfolio selection under uncertainty

Contact Info

Product

Resources

About