Selection of optimal countermeasure portfolio in IT security planning
Author: Tadeusz Sawik
Decision Support Systems, Volume 55, Issue 1, April 2013, Pages 156–164
Adviser: Frank, Yeong-Sung Lin
Presenter: Yi-Cin Lin


Page 1

Selection of optimal countermeasure portfolio in IT security planning

Author: Tadeusz Sawik
Decision Support Systems, Volume 55, Issue 1, April 2013, Pages 156–164

Adviser: Frank, Yeong-Sung Lin
Presenter: Yi-Cin Lin

Page 2

Agenda

Introduction

Problem description

Model
  Single-objective approach
  Bi-objective approach

Computational examples

Conclusion


Page 4

The various actions developed to prevent intrusions or to mitigate the impact of successful breaches are called controls or countermeasures.

Introduction

Countermeasures

Limit physical access

Block access or protect privacy over networks

Recovery

Page 5

In practice, even the most sophisticated countermeasures cannot be expected to completely block attacks.

This paper deals with the optimal selection of countermeasures in IT security planning to prevent or mitigate cyber-threats and a mixed integer programming approach is proposed for the decision making.

Introduction

Page 6

The problem is formulated as a single- or bi-objective mixed integer program.

Introduction

Single-objective
  Risk-neutral: minimize expected cost
  Risk-averse: minimization of expected worst-case cost

Page 7

The bi-objective trade-off model provides the decision maker with a simple tool for balancing expected and worst-case losses and for shaping the resulting cost distribution through the selection of an optimal subset of countermeasures.

Introduction

Page 8

Agenda

Introduction

Problem description

Models
  Single-objective approach
  Bi-objective approach

Computational examples

Conclusion

Page 9

The blocking effectiveness of each countermeasure is assumed to be independent of whether it is used alone or together with other countermeasures.

Problem description

Page 10

Notation

Total of potential scenarios.

Problem description

Page 11

Denote by the probability of threat .

Notation

The probability of attack scenario in the presence of independent threat events is

Problem description

Page 12

Notation

indicates that countermeasure

totally prevents successful attacks of threat .

denotes that countermeasure is totally incapable of mitigating threat .

Problem description

Page 13

The proportion of successful attacks of threat type that survive all countermeasures in the subset of selected countermeasures is

The expected proportion of successful attacks of threat type for the subset of selected countermeasures is

Problem description

Page 14

Notation

The subset of selected countermeasures must satisfy the available budget constraint

Problem description

Page 15

The decision maker needs to decide which countermeasures to select so as to minimize losses from surviving occurrences of threats under a limited budget for countermeasure implementation.

Problem description

Page 16

Agenda

Introduction

Problem description

Model
  Single-objective approach
  Bi-objective approach

Computational examples

Conclusion

Page 17

In a risk-neutral operating condition the overall quality of the selected countermeasure portfolio can be measured by the expected cost of losses from successful attacks.

Model

Single-objective
  Risk-neutral: minimize expected cost (SP_E, SP_E+B)
  Risk-averse: minimization of expected worst-case cost (SP_CV, SP_CV+B)

Page 18

Notation

Countermeasure is selected for implementation if , otherwise .

Minimization of expected cost: NSP_E

Page 19

Countermeasure is selected at exactly one level, i.e.,

Notation

Minimization of expected cost: NSP_E

Page 20

The proportion of successful attacks of threat type that survive all selected countermeasures is

As a result, the expected cost of losses from successful attacks is given by a nonlinear formula

Minimization of expected cost: NSP_E

Page 21

Model NSP_E: Minimize Expected Cost (1)

Subject to 1. Countermeasure selection constraints

Minimization of expected cost: NSP_E

Page 22

Subject to 2. Integrality conditions:

The nonlinear integer program NSP_E is computationally hard to solve, even for small instances of the problem.

Minimization of expected cost: NSP_E

Computing the nonlinear objective function: a recursive procedure using a set of linear equations

Page 23

The nonlinear objective function (1) can be replaced with a formula

Minimization of expected cost: SP_E

Page 24

In order to compute for each threat , a recursive procedure is proposed below.

Minimization of expected cost: SP_E

Page 25

For each threat and countermeasure can be calculated recursively as follows.

The initial condition is

The remaining terms

Minimization of expected cost: SP_E

Page 26

In order to eliminate nonlinear terms in the right-hand side of Eq. (10), define an auxiliary variable

Minimization of expected cost: SP_E

Page 27

and, in particular, for

Minimization of expected cost: SP_E

Page 28

Minimization of expected cost: SP_E

Page 29

Minimization of expected cost: SP_E

Page 30

Comparison of Eqs. (12) and (15) produces the following relation

Minimization of expected cost: SP_E

Page 31

Minimization of expected cost: SP_E

Page 32

The above procedure eliminates all variables for each .

Summarizing, the proportion of successful attacks for each threat can be calculated recursively, using Eqs. (17), (16) and (13) with replaced by .

Minimization of expected cost: SP_E

Page 33

Model SP_E: Minimize Expected Cost (5)

Subject to 1. Countermeasure selection constraints Eqs. (2) and (3).

Minimization of expected cost: SP_E

Page 34

Subject to 2. Surviving threats balance constraints

Minimization of expected cost: SP_E

(17)

(16)

(15)

Page 35

Subject to 3. Non-negativity and integrality conditions:

Minimization of expected cost: SP_E

(4)

Page 36

Selection of optimal countermeasure portfolio in IT security planning

Adviser: Frank, Yeong-Sung Lin
Presenter: Yi-Cin Lin

Page 37

In a risk-neutral operating condition the overall quality of the selected countermeasure portfolio can be measured by the expected cost of losses from successful attacks.

Model

Single-objective
  Risk-neutral: minimize expected cost (SP_E, SP_E+B)
  Risk-averse: minimization of expected worst-case cost (SP_CV, SP_CV+B)

Page 38

Page 39

Notation

Model SP_CV: Minimize

Minimize conditional value-at-risk

Page 40

Subject to
1. Countermeasure selection constraints: Eqs. (2)–(3).
2. Surviving threats balance constraints: Eqs. (18)–(21).
3. Risk constraints:
4. Non-negativity and integrality conditions: Eqs. (22)–(24).

Minimize conditional value-at-risk

Page 41

Models SP_E and SP_CV can be enhanced for simultaneous optimization of the expenditures on countermeasures and the cost of losses from successful attacks.

Constraint (3) is removed.

Minimize conditional value-at-risk

Page 42

Model SP_E+B: Minimize Required Budget and Expected Cost

subject to Eqs. (2), (18)–(24) and (28)

Minimize conditional value-at-risk

Page 43

Model SP_CV+B: Minimize Required Budget and CVaR

subject to Eqs. (2) and (18)–(28)

Minimize conditional value-at-risk

Page 44

Agenda

Introduction

Problem description

Model
  Single-objective approach
  Bi-objective approach

Computational examples

Conclusion

Page 45

In the single-objective approach the countermeasure portfolio is selected by minimizing either the expected loss (plus the required budget) or the expected worst-case loss (plus the required budget).

Bi-objective approach

Page 46

Model WSP: Minimize

Subject to Eqs. (2), (5) and (18)–(28)

Bi-objective approach

Page 47

The decision maker controls:
  the risk of high losses, by choosing the confidence level α;
  the trade-off between expected and worst-case losses, by choosing the trade-off parameter λ.

Bi-objective approach
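Added here as a worked example (not code from the paper or the slides), tying together the scenario probabilities of slide 11, the surviving proportion of slide 13, the expected-cost and CVaR objectives of slides 20 and 39, and the α/λ trade-off of slides 46 and 47. The symbols p, e, L, c, B, alpha and lam, the single-level countermeasures and the discrete tail-average form of CVaR are assumptions of mine, and plain enumeration stands in for the MIP solver on a constructed toy instance.

```python
"""Added example, not the paper's or the slides' code: scenario-based expected cost
and CVaR of a countermeasure portfolio, with enumeration standing in for the MIP.
Assumed notation: p (threat probabilities), e (blocking effectiveness), L (loss per
surviving occurrence), c (countermeasure costs), B (budget); one level per countermeasure."""
import math
from itertools import product
# Constructed toy instance: 4 threats, 4 countermeasures (the paper uses 10 and 10).
p = [0.30, 0.10, 0.20, 0.05]        # probability that each threat occurs
L = [100.0, 400.0, 150.0, 900.0]    # loss per surviving occurrence of each threat
c = [30.0, 50.0, 40.0, 20.0]        # implementation cost of each countermeasure
B = 90.0                            # available budget
e = [[0.80, 0.00, 0.50, 0.00],      # e[i][j]: share of threat-i attacks blocked by
     [0.00, 0.70, 0.00, 0.30],      #   countermeasure j (1 = total block,
     [0.40, 0.20, 0.60, 0.00],      #   0 = incapable of mitigating threat i)
     [0.00, 0.50, 0.00, 0.90]]

def surviving(i, x):
    """Proportion of threat-i attacks surviving all selected countermeasures (x[j] = 1
    if j is selected), by the recursion v_0 = 1, v_j = v_{j-1} * (1 - e_ij * x_j)."""
    v = 1.0
    for j, xj in enumerate(x):
        v *= 1.0 - e[i][j] * xj
    return v

def scenario_probabilities():
    """All attack scenarios (subsets of threats) and their probabilities under
    independent threat events: product of p_i if threat i occurs, else 1 - p_i."""
    return [(s, math.prod(p[i] if si else 1.0 - p[i] for i, si in enumerate(s)))
            for s in product((0, 1), repeat=len(p))]

def scenario_cost(s, x):
    return sum(L[i] * surviving(i, x) for i, si in enumerate(s) if si)

def expected_cost(x):  # risk-neutral objective: probability-weighted loss
    return sum(pr * scenario_cost(s, x) for s, pr in scenario_probabilities())

def cvar(x, alpha):
    """Risk-averse objective: mean loss over the worst (1 - alpha) probability mass."""
    costs = sorted(((scenario_cost(s, x), pr) for s, pr in scenario_probabilities()), reverse=True)
    tail, acc = 0.0, 0.0
    for cost, pr in costs:
        if 1.0 - alpha - acc <= 1e-12:      # tail mass already filled
            break
        take = min(pr, 1.0 - alpha - acc)   # split the scenario on the tail boundary
        tail += take * cost
        acc += take
    return tail / (1.0 - alpha)

def best_portfolio(alpha, lam):
    """Weighted-sum trade-off lam * E + (1 - lam) * CVaR over budget-feasible portfolios,
    found by enumeration here (the paper solves the MIP WSP with Gurobi)."""
    best = None
    for x in product((0, 1), repeat=len(c)):
        if sum(cj * xj for cj, xj in zip(c, x)) > B:
            continue
        obj = lam * expected_cost(x) + (1.0 - lam) * cvar(x, alpha)
        if best is None or obj < best[0]:
            best = (obj, x)
    return best
```

With λ = 0.5 and α = 0.95 the toy instance prefers the portfolio that blocks the rare high-loss threat over the one with the lowest expected loss, which is exactly the shaping of the cost distribution the trade-off model is meant to give.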

Page 48

Agenda

Introduction

Problem description

Model
  Single-objective approach
  Bi-objective approach

Computational examples

Conclusion

Page 49

The data set is similar to the one presented in [20], which was based on the threat set reported on the IT security forum EndpointSecurity.org.

Computational examples

Page 50

The number of threats and the number of countermeasures were both equal to 10, and the corresponding number of potential attack scenarios was equal to 1024.

Computational examples

Page 51

Computational examples

Page 52

Computational examples

Page 53

Computational examples

Page 54

Computational examples

Page 55

Computational examples

Page 56

Computational examples

Page 57

Computational examples

Page 58

For the bi-objective approach, the subsets of nondominated solutions were computed by parameterizing the weighted-sum program WSP on λ ∈ {0.01, 0.10, 0.25, 0.50, 0.75, 0.90, 0.99}.

Computational examples

Page 59

Computational examples

Page 60

Computational examples

Page 61

The computational experiments show that, for the limited number of attack scenarios considered, the optimal risk-averse portfolio can be found within CPU seconds using the Gurobi solver for mixed integer programming.

Conclusion

Page 62

A critical issue that needs to be considered before any practical application of the proposed models is attempted, however, is the estimation of the probabilities and the resulting losses associated with each type of threat and countermeasure.

Conclusion

Page 63

In practice, threat likelihood estimates are provided by security experts (e.g., [24]) and complete distributional information is not available.

However, the proposed scenario-based approach does not require such complete information to be available and only assumes independence of different threat events.

Conclusion

Page 64

Thanks for listening!