Risk Mitigation Decisions for IT Security

M. Lisa Yeo (Loyola University Maryland), Erik Rolland (University of California, Merced), Jackie Rees Ulmer (Purdue University), Raymond A. Patterson (University of Alberta)

Publisher: Association for Computing Machinery
Copyright: © 2014 by ACM Inc.
ISSN: 2158-656X
DOI: 10.1145/2576757

Abstract

Enterprises must manage their information risk as part of their larger operational risk management program. Managers must choose how to control for such information risk. This article defines the flow risk reduction problem and presents a formal model using a workflow framework. Three different control placement methods are introduced to solve the problem, and a comparative analysis is presented using a robust test set of 162 simulations. One year of simulated attacks is used to validate the quality of the solutions. We find that the math programming control placement method yields substantial improvements in terms of risk reduction and risk reduction on investment when compared to heuristics that would typically be used by managers to solve the problem. The contribution of this research is to provide managers with methods to substantially reduce information and security risks, while obtaining significantly better returns on their security investments. By using a workflow approach to control placement, which guides the manager to examine the entire infrastructure in a holistic manner, this research is
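The abstract contrasts a math programming control placement with the ranking heuristics managers typically apply, but gives no data or model details. The following is an added illustration, not the authors' model, test set, or solution method: a constructed four-step workflow with an assumed annual expected loss per step, three assumed controls with a cost and a loss-reduction fraction, and the simplifying assumption of at most one control per step. An exhaustive enumeration stands in for the integer program, and a bang-for-buck greedy stands in for the managerial heuristic; both are scored on total risk reduction and on risk reduction per unit spent (the "risk reduction on investment" of the abstract).

```python
"""Toy budget-constrained control placement over a workflow.

Illustrative only: the workflow, loss figures, controls and the
one-control-per-step rule are constructed assumptions, not the model
or data of Yeo, Rolland, Rees Ulmer and Patterson.
"""
from itertools import product
from typing import Dict, Optional, Tuple

# Constructed workflow: annual expected loss (ALE) at each step if the
# step is left uncontrolled. Units are arbitrary.
WORKFLOW_ALE = {"intake": 100.0, "review": 60.0, "payment": 150.0, "archive": 20.0}

# Constructed controls: (cost to deploy at one step, fraction of that
# step's expected loss the control removes).
CONTROLS = {"mfa": (30.0, 0.5), "dlp": (50.0, 0.8), "logging": (10.0, 0.2)}

Placement = Dict[str, Optional[str]]  # step -> control name, or None


def evaluate(placement: Placement) -> Tuple[float, float]:
    """Return (total risk reduction, total control cost) for a placement."""
    reduction = cost = 0.0
    for step, control in placement.items():
        if control is None:
            continue
        c_cost, eff = CONTROLS[control]
        reduction += WORKFLOW_ALE[step] * eff
        cost += c_cost
    return reduction, cost


def rroi(placement: Placement) -> float:
    """Risk reduction on investment: reduction per unit of spend."""
    reduction, cost = evaluate(placement)
    return reduction / cost if cost else 0.0


def greedy_placement(budget: float) -> Placement:
    """Manager-style heuristic: rank every (step, control) pair by
    reduction per unit cost and take pairs in that order while the
    budget allows, never revisiting a step once it has a control."""
    candidates = []
    for step, ale in WORKFLOW_ALE.items():
        for control, (c_cost, eff) in CONTROLS.items():
            candidates.append((ale * eff / c_cost, step, control, c_cost))
    candidates.sort(reverse=True)
    placement: Placement = {step: None for step in WORKFLOW_ALE}
    remaining = budget
    for _ratio, step, control, c_cost in candidates:
        if placement[step] is None and c_cost <= remaining:
            placement[step] = control
            remaining -= c_cost
    return placement


def optimal_placement(budget: float) -> Placement:
    """Exact answer by enumerating every assignment of at most one
    control per step; a stand-in for solving the integer program,
    feasible here because the constructed instance is tiny."""
    steps = list(WORKFLOW_ALE)
    options = [None] + list(CONTROLS)
    best, best_value = None, -1.0
    for choice in product(options, repeat=len(steps)):
        placement = dict(zip(steps, choice))
        reduction, cost = evaluate(placement)
        if cost <= budget and reduction > best_value:
            best, best_value = placement, reduction
    return best


if __name__ == "__main__":
    for name, solver in (("greedy", greedy_placement), ("optimal", optimal_placement)):
        p = solver(80.0)
        reduction, cost = evaluate(p)
        print(f"{name:8s} {p} reduction={reduction:.0f} cost={cost:.0f} rroi={rroi(p):.2f}")
```

On this constructed instance with a budget of 80, the greedy ranking fills every step with the cheapest control, spends only 40, and removes 66 units of expected loss, while the exact search spends the full 80 on two stronger controls at the two highest-loss steps and removes 170, with a higher reduction per unit spent as well. The gap comes from the heuristic committing to a step before it sees what the remaining budget could buy there, which is the kind of local decision a whole-workflow formulation avoids.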

Journal

ACM Transactions on Management Information Systems (TMIS), Association for Computing Machinery

Published: Apr 1, 2014
