Browse by author
Lookup NU author(s): Dr Iryna Yevseyeva,
Professor Vitor Fernandes,
Professor Aad van Moorsel
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License (CC BY-NC-ND).
To protect a system from potential cyber security breaches and attacks, one needs to select efficient security controls, taking into account technical and institutional goals and constraints, such as available budget, enterprise activity, internal and external environment. Here we model the security controls selection problem as a two-stage decision making: First, managers and information security officers defme the size of security budget. Second, the budget is distributed between various types of security controls. By viewing loss prevention with security controls measured as gains relative to a baseline (losses without applying security controls), we formulate the decision making process as a classical portfolio selection problem. The model assumes security budget allocation as a two objective problem, balancing risk and return, given a budget constraint. The Sharpe ratio is used to identify an optimal point on the Pareto front to spend the budget. At the management level the budget size is chosen by computing the tradeoffs between Sharpe ratios and budget sizes. It is shown that the proposed two-stage decision making model can be solved by quadratic programming techniques, which is shown for a test case scenario with realistic data. (C) 2016 The Authors. Published by Elsevier B.V.
Author(s): Yevseyeva I, Fernandes VB, van Moorsel A, Janicke H, Emmerich M
Publication type: Conference Proceedings (inc. Abstract)
Publication status: Published
Conference Name: International Conference on ENTERprise Information Systems/International Conference on Project MANagement/International Conference on Health and Social Care Information Systems and Technologies, CENTERIS/ProjMAN / HCist 2016
Year of Conference: 2016
Online publication date: 04/10/2016
Acceptance date: 02/04/2016
Date deposited: 10/04/2017
Publisher: Elsevier BV
Series Title: Procedia Computer Science