IT security planning under uncertainty for high-impact events
While many IT security incidents result in relatively minor operational disruptions or minimal recovery costs, occasionally high-impact security breaches can have catastrophic effects on the firm. Unfortunately, measuring security risk and planning for countermeasures or mitigation is a difficult task. Past research has suggested risk metrics which may be beneficial in understanding and planning for security incidents, but most of these metrics are aimed at identifying expected overall loss and do not directly address the identification of, or planning for, sparse events which might result in high-impact loss. The use of an upper percentile value or some other worst-case measure has been widely discussed in the literature as a means of stochastic optimization, but has not been applied to this decision domain. A key requirement in security planning for any threat scenario, expected or otherwise, is the ability to choose countermeasures optimally with regard to tradeoffs between countermeasure cost and remaining risk. Most of the planning models in the literature are qualitative, and none that we are aware of allow for the optimal determination of these tradeoffs. Therefore, we develop a model for optimally choosing countermeasures to block or mitigate security attacks in the presence of a given threat level profile. We utilize this model to examine scenarios under both expected threat levels and worst-case levels, and develop budget-dependent risk curves. These curves demonstrate the tradeoffs which occur if decision makers divert budgets away from planning for ordinary risk in an effort to mitigate the effects of potential high-impact outcomes.
If you experience problems downloading a file, check if you have the proper application to view it first. In case of further problems read the IDEAS help page. Note that these files are not on the IDEAS site. Please be patient as the files may be large.
As the access to this document is restricted, you may want to look for a different version under "Related research" (further below) or search for a different version of it.
Volume (Year): 40 (2012)
Issue (Month): 1 (January)
|Contact details of provider:|| Web page: http://www.elsevier.com/wps/find/journaldescription.cws_home/375/description#description|
|Order Information:|| Postal: http://www.elsevier.com/wps/find/supportfaq.cws_home/regional|
References listed on IDEAS
Please report citation or reference errors to , or , if you are the registered author of the cited work, log in to your RePEc Author Service profile, click on "citations" and make appropriate adjustments.:
- Cha, Young-Ho & Kim, Yeong-Dae, 2010. "Fire scheduling for planned artillery attack operations under time-dependent destruction probabilities," Omega, Elsevier, vol. 38(5), pages 383-392, October.
- Sawik, Tadeusz, 2010. "An integer programming approach to scheduling in a contaminated area," Omega, Elsevier, vol. 38(3-4), pages 179-191, June.
- Liu, Zugang & Nagurney, Anna, 2011. "Supply chain outsourcing under exchange rate risk and competition," Omega, Elsevier, vol. 39(5), pages 539-549, October.
- Sawik, Tadeusz, 2011. "Selection of supply portfolio under disruption risks," Omega, Elsevier, vol. 39(2), pages 194-208, April.
- Rockafellar, R. Tyrrell & Uryasev, Stanislav, 2002. "Conditional value-at-risk for general loss distributions," Journal of Banking & Finance, Elsevier, vol. 26(7), pages 1443-1471, July.