Printed from https://ideas.repec.org/a/spr/eurjdp/v4y2016i1d10.1007_s40070-016-0055-7.html

Selecting security control portfolios: a multi-objective simulation-optimization approach

Authors

  • Elmar Kiesling (Vienna University of Technology)
  • Andreas Ekelhart (Secure Business Austria)
  • Bernhard Grill (Secure Business Austria)
  • Christine Strauss (University of Vienna)
  • Christian Stummer (Bielefeld University)

Abstract

Organizations’ information infrastructures are exposed to a large variety of threats. The most complex of these threats unfold in stages, as actors exploit multiple attack vectors in a sequence of calculated steps. Deciding how to respond to such serious threats poses a challenge that is of substantial practical relevance to IT security managers. These critical decisions require an understanding of the threat actors—including their various motivations, resources, capabilities, and points of access—as well as detailed knowledge about the complex interplay of attack vectors at their disposal. In practice, however, security decisions are often made in response to acute short-term requirements, which results in inefficient resource allocations and ineffective overall threat mitigation. The decision support methodology introduced in this paper addresses this issue. By anchoring IT security managers’ decisions in an operational model of the organization’s information infrastructure, we provide the means to develop a better understanding of security problems, improve situational awareness, and bridge the gap between strategic security investment and operational implementation decisions. To this end, we combine conceptual modeling of security knowledge with a simulation-based optimization that hardens a modeled infrastructure against simulated attacks, and provide a decision support component for selecting from efficient combinations of security controls. We describe the prototypical implementation of this approach, demonstrate how it can be applied, and discuss the results of an in-depth expert evaluation.
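
The abstract describes hardening a modeled infrastructure against simulated multi-stage attacks and then choosing among efficient combinations of controls. The block below is an added illustration of that loop and is not code from the paper or its prototype. It uses a constructed toy model: four attack stages the attacker must pass in order, each with one or more vectors and an assumed base success probability; five hypothetical controls with assumed costs and multiplicative mitigation factors; an exact breach-probability evaluation next to a seeded Monte Carlo simulation; exhaustive enumeration of all 32 portfolios in place of the paper's optimizer (fine for five controls, not for a realistic catalogue); and extraction of the Pareto-efficient (cost, breach probability) set from which a decision maker picks. Every stage, vector, control name, probability, cost and factor is an assumption.

```python
"""Added toy example: simulation-optimization over security control portfolios.

Constructed, hypothetical model (not from the paper): the attacker must pass
four stages in order; a stage is passed if any of its vectors succeeds.
"""
from itertools import combinations
import random

# Base success probability of each attack vector, grouped by stage (assumed values).
STAGES = {
    "initial_access":       {"phishing": 0.60, "vpn_exploit": 0.30},
    "privilege_escalation": {"local_exploit": 0.50, "credential_reuse": 0.40},
    "lateral_movement":     {"pass_the_hash": 0.70},
    "exfiltration":         {"dns_tunnel": 0.80},
}

# Hypothetical controls: cost in abstract budget units, and the factor each
# applies to the success probability of the vectors it mitigates.
CONTROLS = {
    "mfa":         {"cost": 3, "mitigates": {"phishing": 0.25, "credential_reuse": 0.20}},
    "patching":    {"cost": 4, "mitigates": {"vpn_exploit": 0.10, "local_exploit": 0.30}},
    "lsa_protect": {"cost": 2, "mitigates": {"pass_the_hash": 0.20}},
    "dns_egress":  {"cost": 2, "mitigates": {"dns_tunnel": 0.30}},
    "awareness":   {"cost": 1, "mitigates": {"phishing": 0.70}},
}


def effective_probabilities(portfolio):
    """Per-vector success probabilities after applying the portfolio's controls."""
    probs = {stage: dict(vectors) for stage, vectors in STAGES.items()}
    for control in portfolio:
        for vector, factor in CONTROLS[control]["mitigates"].items():
            for vectors in probs.values():
                if vector in vectors:
                    vectors[vector] *= factor
    return probs


def breach_probability(portfolio):
    """Exact probability that the staged attack reaches exfiltration."""
    p_breach = 1.0
    for vectors in effective_probabilities(portfolio).values():
        p_all_vectors_fail = 1.0
        for p in vectors.values():
            p_all_vectors_fail *= 1.0 - p
        p_breach *= 1.0 - p_all_vectors_fail
    return p_breach


def simulate_breach_rate(portfolio, trials=20000, seed=1):
    """Monte Carlo estimate of breach_probability(); seeded for reproducibility."""
    rng = random.Random(seed)
    probs = effective_probabilities(portfolio)
    breaches = 0
    for _ in range(trials):
        for vectors in probs.values():
            if not any(rng.random() < p for p in vectors.values()):
                break  # attacker stopped at this stage
        else:
            breaches += 1
    return breaches / trials


def portfolio_cost(portfolio):
    return sum(CONTROLS[c]["cost"] for c in portfolio)


def evaluate_all_portfolios():
    """Enumerate every subset of controls as (portfolio, cost, breach probability)."""
    names = sorted(CONTROLS)
    return [(frozenset(combo), portfolio_cost(combo), breach_probability(combo))
            for k in range(len(names) + 1) for combo in combinations(names, k)]


def pareto_front(results):
    """Keep portfolios that no other portfolio beats on both cost and breach probability."""
    front = [(pf, cost, risk) for pf, cost, risk in results
             if not any((c2 <= cost and r2 <= risk) and (c2 < cost or r2 < risk)
                        for _, c2, r2 in results)]
    return sorted(front, key=lambda t: (t[1], t[2]))


def cheapest_meeting_target(front, max_breach_probability):
    """Decision step: the cheapest efficient portfolio within the risk budget, or None."""
    for pf, cost, risk in front:
        if risk <= max_breach_probability:
            return pf, cost, risk
    return None


if __name__ == "__main__":
    front = pareto_front(evaluate_all_portfolios())
    for pf, cost, risk in front:
        print(f"cost={cost:2d}  breach={risk:.4f}  controls={sorted(pf)}")
    print("cheapest within 5% breach probability:", cheapest_meeting_target(front, 0.05))
```

With no controls the toy model breaches with probability 0.72 × 0.70 × 0.70 × 0.80 ≈ 0.282; with all five it drops to roughly 0.001 at cost 12. The Monte Carlo routine is redundant here because the staged model has a closed form, but it is the part that generalises: once attacker behaviour depends on state (access gained, detection, retries), the exact product disappears and the simulation is all that remains, while the enumeration and Pareto filtering stay the same.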

Suggested Citation

  • Elmar Kiesling & Andreas Ekelhart & Bernhard Grill & Christine Strauss & Christian Stummer, 2016. "Selecting security control portfolios: a multi-objective simulation-optimization approach," EURO Journal on Decision Processes, Springer;EURO - The Association of European Operational Research Societies, vol. 4(1), pages 85-117, June.
  • Handle: RePEc:spr:eurjdp:v:4:y:2016:i:1:d:10.1007_s40070-016-0055-7
    DOI: 10.1007/s40070-016-0055-7

    Download full text from publisher

    File URL: http://link.springer.com/10.1007/s40070-016-0055-7
    File Function: Abstract
    Download Restriction: Access to the full text of the articles in this series is restricted.



    Citations

    Cited by:

    1. Javier Panadero & Jana Doering & Renatas Kizys & Angel A. Juan & Angels Fito, 2020. "A variable neighborhood search simheuristic for project portfolio selection under uncertainty," Journal of Heuristics, Springer, vol. 26(3), pages 353-375, June.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Nicole L. Beebe & Diana K. Young & Frederick R. Chang, 2013. "Framing Information Security Budget Requests to Maximize Investments," Working Papers 0217is, College of Business, University of Texas at San Antonio.
    2. Wang, Xiong & Ferreira, Fernando A.F. & Chang, Ching-Ter, 2022. "Multi-objective competency-based approach to project scheduling and staff assignment: Case study of an internal audit project," Socio-Economic Planning Sciences, Elsevier, vol. 81(C).
    3. Lean Yu & Shouyang Wang & Fenghua Wen & Kin Lai, 2012. "Genetic algorithm-based multi-criteria project portfolio selection," Annals of Operations Research, Springer, vol. 197(1), pages 71-86, August.
    4. Xing Gao & Weijun Zhong, 2016. "A differential game approach to security investment and information sharing in a competitive environment," IISE Transactions, Taylor & Francis Journals, vol. 48(6), pages 511-526, June.
    5. Margareta Heidt & Jin P. Gerlach & Peter Buxmann, 2019. "Investigating the Security Divide between SME and Large Companies: How SME Characteristics Influence Organizational IT Security Investments," Information Systems Frontiers, Springer, vol. 21(6), pages 1285-1305, December.
    6. Bahram Alidaee & Haibo Wang & Jun Huang & Lutfu S. Sua, 2023. "Integrating Statistical Simulation and Optimization for Redundancy Allocation in Smart Grid Infrastructure," Energies, MDPI, vol. 17(1), pages 1-13, December.
    7. Tawei Wang & Karthik N. Kannan & Jackie Rees Ulmer, 2013. "The Association Between the Disclosure and the Realization of Information Security Risk Factors," Information Systems Research, INFORMS, vol. 24(2), pages 201-218, June.
    8. Stoel, M. Dale & Muhanna, Waleed A., 2011. "IT internal control weaknesses and firm performance: An organizational liability lens," International Journal of Accounting Information Systems, Elsevier, vol. 12(4), pages 280-304.
    9. Loïc Maréchal & Alain Mermoud & Dimitri Percia David & Mathias Humbert, 2024. "Measuring the performance of investments in information security startups: An empirical analysis by cybersecurity sectors using Crunchbase data," Papers 2402.04765, arXiv.org, revised Feb 2024.
    10. Karl F. Doerner & Vittorio Maniezzo, 2018. "Metaheuristic search techniques for multi-objective and stochastic problems: a history of the inventions of Walter J. Gutjahr in the past 22 years," Central European Journal of Operations Research, Springer;Slovak Society for Operations Research;Hungarian Operational Research Society;Czech Society for Operations Research;Österr. Gesellschaft für Operations Research (ÖGOR);Slovenian Society Informatika - Section for Operational Research;Croatian Operational Research Society, vol. 26(2), pages 331-356, June.
    11. Xue Bai & Ramayya Krishnan & Rema Padman & Harry Jiannan Wang, 2013. "On Risk Management with Information Flows in Business Processes," Information Systems Research, INFORMS, vol. 24(3), pages 731-749, September.
    12. Andreja Abina & Tanja Batkovič & Bojan Cestnik & Adem Kikaj & Rebeka Kovačič Lukman & Maja Kurbus & Aleksander Zidanšek, 2022. "Decision Support Concept for Improvement of Sustainability-Related Competences," Sustainability, MDPI, vol. 14(14), pages 1-21, July.
    13. Xing Gao & Weijun Zhong & Shue Mei, 2015. "Security investment and information sharing under an alternative security breach probability function," Information Systems Frontiers, Springer, vol. 17(2), pages 423-438, April.
    14. Gwo-Hshiung Tzeng & Chi-Yo Huang, 2012. "Combined DEMATEL technique with hybrid MCDM methods for creating the aspired intelligent global manufacturing & logistics systems," Annals of Operations Research, Springer, vol. 197(1), pages 159-190, August.
