Decision support approaches for cyber security investment (paper)
Abstract
When investing in cyber security resources, information security managers have to follow effective decision-making strategies. We refer to this as the cyber security investment challenge. In this paper, we consider three possible decision support methodologies for security managers to tackle this challenge. We consider methods based on game theory, combinatorial optimisation, and a hybrid of the two. Our modelling starts by building a framework where we can investigate the effectiveness of a cyber security control regarding the protection of different assets seen as targets in the presence of commodity threats. As game theory captures the interaction between the endogenous organisation's and attackers' decisions, we consider a 2-person control game between the security manager, who has to choose among different implementation levels of a cyber security control, and a commodity attacker, who chooses among different targets to attack. The pure game-theoretical methodology consists of a large game including all controls and all threats. In the hybrid methodology the game solutions of individual control games, along with their direct costs (e.g. financial), are combined with a Knapsack algorithm to derive an optimal investment strategy. The combinatorial optimisation technique consists of a multi-objective multiple-choice Knapsack based strategy. To compare these approaches we built a decision support tool and a case study regarding current government guidelines. The endeavour of this work is to highlight the weaknesses and strengths of different investment methodologies for cyber security, the benefit of their interaction, and the impact that indirect costs have on cyber security investment. Going a step further in validating our work, we have shown that our decision support tool provides the same advice as the one advocated by the UK government with regard to the requirements for basic technical protection from cyber attacks in SMEs.
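The hybrid methodology described above, as an added illustration that is not the paper's own tool or code: each control game is solved here in pure strategies only (the attacker best-responds to a fixed implementation level, so the level's value is the worst-case damage it removes), the per-control values are assumed to add up across controls, and a multiple-choice Knapsack then picks exactly one implementation level per control within a direct-cost budget. Asset values, costs and effectiveness figures are constructed sample data, not figures from the paper.

```python
# Constructed sample data (not from the paper).
ASSETS = {"web-server": 100.0, "file-share": 60.0, "laptops": 40.0}

# control -> list of (direct_cost, {target: fraction of damage prevented}).
# Index 0 is always "not implemented": cost 0, no protection.
CONTROLS = {
    "patching": [
        (0, {}),
        (10, {"web-server": 0.5, "file-share": 0.2, "laptops": 0.3}),
        (25, {"web-server": 0.8, "file-share": 0.4, "laptops": 0.6}),
    ],
    "firewall": [
        (0, {}),
        (15, {"web-server": 0.6, "file-share": 0.5, "laptops": 0.1}),
    ],
    "malware-protection": [
        (0, {}),
        (8, {"web-server": 0.1, "file-share": 0.3, "laptops": 0.7}),
    ],
}


def worst_case_damage(effect):
    """Attacker's best response to one fixed implementation level:
    the target with the highest residual (unprotected) value."""
    return max(v * (1.0 - effect.get(t, 0.0)) for t, v in ASSETS.items())


def control_game_values(levels):
    """Pure-strategy value of each level of one control game: worst-case
    damage avoided relative to level 0 (a simplification of the paper's game)."""
    base = worst_case_damage(levels[0][1])
    return [base - worst_case_damage(e) for _, e in levels]


def best_investment(budget):
    """Multiple-choice Knapsack over exact spend: choose one level per control,
    maximise the summed game values with total direct cost <= budget.
    Returns (total_value, {control: chosen_level})."""
    dp = {0: (0.0, {})}  # spent -> (best value, levels chosen so far)
    for name, levels in CONTROLS.items():
        vals = control_game_values(levels)
        nxt = {}
        for spent, (val, chosen) in dp.items():
            for lvl, (cost, _) in enumerate(levels):
                b = spent + cost
                if b > budget:
                    continue
                cand = (val + vals[lvl], {**chosen, name: lvl})
                if b not in nxt or cand[0] > nxt[b][0]:
                    nxt[b] = cand
        dp = nxt
    return max(dp.values(), key=lambda x: x[0])
```

With a budget of 30 the tool prefers the cheaper patching level plus the firewall over the expensive patching level alone, which is the kind of trade-off the Knapsack step exposes.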