Talks and Poster Presentations (without Proceedings-Entry):

E. Kiesling, A. Ekelhart, B. Grill, C. Strauss, C. Stummer:
"A simulation-optimization approach for information security risk management";
Talk: International Conference on Operations Research (OR 2013), Rotterdam; 2013-09-03 - 2013-09-06.



English abstract:
Most enterprises have implemented measures to protect their critical information systems from security threats. Such measures have been relatively effective in coping with random, opportunistic attacks (e.g., worms and viruses not directed at a particular target). Attacks by motivated threat agents, however, are much more difficult to deal with because these adversaries differ in resources, capabilities, as well as points of access, and they exploit multiple attack vectors to achieve their particular goals - frequently in unforeseen ways. We introduce a simulation-based optimization approach that addresses the problem of assessing and improving the security of complex information systems, particularly against the latter type of attacks. To this end, we have designed and prototypically implemented a framework that integrates conceptual modeling of security knowledge, behavioral modeling of threat agents, discrete event simulation of attacks, and genetic algorithms to identify efficient portfolios of security measures. Based on a general model of security knowledge and a model of the information system to be protected, our approach simulates a large number of attacks on different system configurations and records various outcome metrics. Based on these metrics, we optimize the system with respect to multiple cost and benefit objectives (e.g., minimize cost, maximize detection of attacks, and minimize expected impact on availability, integrity, and confidentiality of data). Finally, we provide interactive decision support for the selection of a proposed efficient portfolio of security measures to implement. We describe a prototypical implementation of our approach and illustrate its applicability by means of an exemplary application scenario.

Keywords:
Risk Analysis and Management, Combinatorial Optimization, Multi-Objective Decision Making

Created from the Publication Database of the Vienna University of Technology.