期刊
IEEE ACCESS
卷 11, 期 -, 页码 44467-44481出版社
IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC
DOI: 10.1109/ACCESS.2023.3272670
关键词
Investment; Uncertainty; Business; Optimization; Risk management; Costs; Measurement uncertainty; Computer security; Software quality; Cybersecurity; operational research; set covering; knapsack; software weaknesses; control optimisation
This paper proposes a cybersecurity decision-support framework called CENSOR for optimal cyber security investment. CENSOR takes into account the continuous nature of cyber attacks, uncertainty in vulnerability exploitation time, and optimization of mitigation measures under a limited budget. It evaluates the cost incurred by an organization due to a cyber security breach and derives an analytical expression for the distribution of present value of the cost. It also compares optimal strategies for investment using Set Covering and Knapsack formulations, validating the effectiveness of CENSOR through a case study.
Assessing and controlling cyber risk is the cornerstone of information security management, but also a formidable challenge for organisations due to the uncertainties associated with attacks, the resulting risk exposure, and the availability of scarce resources for investment in mitigation measures. In this paper, we propose a cybersecurity decision-support framework, called CENSOR, for optimal cyber security investment. CENSOR accounts for the serial nature of a cyber attack, the uncertainty in the time required to exploit a vulnerability, and the optimisation of mitigation measures in the presence of a limited budget. First, we evaluate the cost that an organisation incurs due to a cyber security breach that progresses in stages and derive an analytical expression for the distribution of the present value of the cost. Second, we adopt a Set Covering and a Knapsack formulation to derive and compare optimal strategies for investment in mitigation measures. Third, we validate CENSOR via a case study of a small business (SB) based on: (i) the 2020 Common Weakness Enumeration (CWE) top 25 most dangerous software weaknesses; and (ii) the Center for Internet Security (CIS) Controls. Specifically, we demonstrate how the Knapsack formulation provides solutions that are both more affordable and entail lower risk compared to those of the Set Covering formulation. Interestingly, our results confirm that investing more in cybersecurity does not necessarily lead to an analogous cyber risk reduction, which indicates that the latter decelerates beyond a certain point of security investment intensity.
作者
我是这篇论文的作者
点击您的名字以认领此论文并将其添加到您的个人资料中。
推荐
暂无数据