This paper deals with the optimal selection of countermeasures in IT security planning to prevent or mitigate cyber-threats, and a mixed-integer programming approach is proposed for the decision making. Given a set of potential threats and a set of available countermeasures, the decision maker needs to decide which countermeasures to implement under a limited budget so as to minimize potential losses from successful cyber-attacks and mitigate the impact of disruptions caused by IT security incidents. The selection of countermeasures is based on their effectiveness in blocking different threats, their implementation costs, and the probabilities of the potential attack scenarios. The problem is formulated as a single- or bi-objective mixed-integer program, and a conditional value-at-risk approach combined with scenario-based analysis is applied to control the risk of high losses due to operational disruptions and to optimize the worst-case performance of an IT system. The bi-objective trade-off model provides the decision maker with a simple tool for balancing expected and worst-case losses and for shaping the resulting cost distribution through the selection of an optimal subset of countermeasures for implementation, i.e., the selection of an optimal countermeasure portfolio. The selected portfolio explicitly depends on the preferred confidence level and on the cost/risk preference of the decision maker. Numerical examples are presented and some computational results are reported to compare the risk-averse solutions that minimize conditional value-at-risk with the risk-neutral ones that minimize expected cost.
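As an added worked example (not code from the paper, and not its mixed-integer formulation), the Python script below illustrates the decision problem the abstract describes on a small constructed instance: a budget-constrained choice of countermeasures evaluated over attack scenarios, once with the risk-neutral objective (expected cost) and once with the risk-averse objective (conditional value-at-risk at a chosen confidence level), plus a weighted trade-off between the two. Every number is made up; the residual-loss model (each selected countermeasure scales the loss of the threats it covers by one minus its effectiveness, multiplicatively) and the use of exhaustive enumeration in place of a MIP solver are simplifying assumptions of this example. CVaR is computed as the probability-weighted mean of the worst (1 - alpha) tail of the discrete cost distribution, which coincides with the Rockafellar-Uryasev minimisation for finite scenario sets.

```python
"""Countermeasure portfolio selection: expected cost vs. CVaR on a toy instance.

Constructed example; brute force stands in for the paper's mixed-integer program.
"""
from itertools import combinations

# Constructed data (not from the paper).
# countermeasure -> (implementation cost, {threat: fraction of that threat's loss blocked})
COUNTERMEASURES = {
    "mfa":       (3, {"phishing": 0.8}),
    "scrubbing": (4, {"ddos": 0.9}),
    "backups":   (4, {"ransomware": 0.9}),
}
BUDGET = 7

# Attack scenarios: (probability, {threat: loss if the threat succeeds})
SCENARIOS = [
    (0.60, {"phishing": 10}),
    (0.30, {"ddos": 30}),
    (0.08, {"phishing": 10, "ddos": 30}),
    (0.02, {"ransomware": 300}),   # rare but catastrophic
]


def scenario_cost(portfolio, losses):
    """Implementation cost of the portfolio plus residual loss in one scenario.

    Assumed residual-loss model: each selected countermeasure covering a threat
    multiplies that threat's loss by (1 - effectiveness)."""
    impl = sum(COUNTERMEASURES[c][0] for c in portfolio)
    residual = 0.0
    for threat, loss in losses.items():
        for c in portfolio:
            loss *= 1.0 - COUNTERMEASURES[c][1].get(threat, 0.0)
        residual += loss
    return impl + residual


def expected_cost(portfolio):
    """Risk-neutral objective: probability-weighted total cost."""
    return sum(p * scenario_cost(portfolio, losses) for p, losses in SCENARIOS)


def cvar(portfolio, alpha):
    """Risk-averse objective: mean cost of the worst (1 - alpha) probability mass."""
    tail = 1.0 - alpha
    costs = sorted(((scenario_cost(portfolio, l), p) for p, l in SCENARIOS), reverse=True)
    remaining, acc = tail, 0.0
    for cost, p in costs:
        if remaining <= 1e-12:
            break
        w = min(p, remaining)          # a boundary scenario may enter the tail partially
        acc += w * cost
        remaining -= w
    return acc / tail


def feasible_portfolios():
    """All subsets of countermeasures whose implementation cost fits the budget."""
    names = list(COUNTERMEASURES)
    for k in range(len(names) + 1):
        for combo in combinations(names, k):
            if sum(COUNTERMEASURES[c][0] for c in combo) <= BUDGET:
                yield combo


def best_portfolio(objective):
    """Return (sorted countermeasure names, objective value) of the minimiser."""
    best = min(feasible_portfolios(), key=objective)
    return tuple(sorted(best)), objective(best)


def risk_neutral():
    return best_portfolio(expected_cost)


def risk_averse(alpha=0.95):
    return best_portfolio(lambda pf: cvar(pf, alpha))


def trade_off(weight, alpha=0.95):
    """Bi-objective scalarisation: weight * expected cost + (1 - weight) * CVaR."""
    return best_portfolio(
        lambda pf: weight * expected_cost(pf) + (1.0 - weight) * cvar(pf, alpha))


if __name__ == "__main__":
    print("risk-neutral (min expected cost):", risk_neutral())
    print("risk-averse  (min CVaR 0.95):    ", risk_averse())
    print("trade-off    (weight 0.5):       ", trade_off(0.5))
```

On this instance the risk-neutral solution spends the budget on the two countermeasures that cut the frequent, moderate losses, while the risk-averse solution at the 95% level redirects budget to backups because the 2% ransomware scenario dominates the tail; lowering the confidence level or raising the expected-cost weight in `trade_off` moves the choice back toward the risk-neutral portfolio, which is the dependence on confidence level and cost/risk preference the abstract refers to.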