Weitere Artikel dieser Ausgabe durch Wischen aufrufen
Based on given data center network topology and risk-neutral management, this work proposes a simple but efficient probability-based model to calculate the probability of insecurity of each protected resource and the optimal investment on each security protection device when a data center is under security breach. We present two algorithms that calculate the probability of threat and the optimal investment for data center security respectively. Based on the insecurity flow model (Moskowitz and Kang 1997) of analyzing security violations, we first model data center topology using two basic components, namely resources and filters, where resources represent the protected resources and filters represent the security protection devices. Four basic patterns are then identified as the building blocks for the first algorithm, called Accumulative Probability of Insecurity, to calculate the accumulative probability of realized threat (insecurity) on each resource. To calculate the optimal security investment, a risk-neutral based algorithm, called Optimal Security Investment, which maximizes the total expected net benefit is then proposed. Numerical simulations show that the proposed approach coincides with Gordon’s (Gordon and Loeb, ACM Transactions on Information and Systems Security 5(4):438–457, 2002) single-system analytical model. In addition, numerical results on two common data center topologies are analyzed and compared to demonstrate the effectiveness of the proposed approach. The technique proposed here can be used to facilitate the analysis and design of more secured data centers.
Bitte loggen Sie sich ein, um Zugang zu diesem Inhalt zu erhalten
Sie möchten Zugang zu diesem Inhalt erhalten? Dann informieren Sie sich jetzt über unsere Produkte:
Ammann, P., Wijesekera, D., & Kaushik, S. (2002). Scalable, graph-based network vulnerability analysis. Proceedings of the 9th ACM conference of computer and communications security (CCS’02) (pp. 217–224).
Bell, D., & LaPadula, L. (1975). Secure computer systems: Unified exposition and multics interpretation. Bedford: MITRE, Technical Report, MTR-2997.
Bier, V. M., & Abhichandani, V. (2003). Optimal allocation of resources for defense of simple series and parallel systems from determined adversaries. In Risk-based decision making in water resources X (pp. 59–76), Reston, VA: American Society of Civil Engineers.
Bishop, M. (2003). Computer security: Art and science. Boston: Addison-Wesley.
Chen, Y., Boehm, B., & Sheppard, L. (2007). Measuring security investment benefit for off the shelf software systems-a stakeholder value driven approach. The sixth workshop on the economics of information security, Carnegie Mellon University, USA.
Goguen, J. A., & Meseguer, J. (1982). Security policies and security models. Proceeding of the 1982 IEEE symposium on security and privacy (pp. 11–20), Oakland, CA.
Gordon, L. A., & Loeb, M. P. (2002). The economics of information security investment. ACM Transactions on Information and Systems Security, 5(4), 438–457. CrossRef
Grossklags, J., Christin, N., & Chuang, J. (2008). Security investment (Failures) in five economic environments: A comparison of homogeneous and heterogeneous user agents. The seventh workshop on the economics of information security, Dartmouth, USA.
Harmantzis, F., & Malek, M. (2004). Security risk analysis and evaluation. Proceedings of IEEE international conference on communications, Paris, France, 1897–1901.
Hausken, K. (2006). Returns to information security investment: Effect of alternative breach functions on optimal investment and sensitivity to vulnerability. Information Systems Frontiers, 5(8), 338–349.
Hoo, K. J. S. (2000). How much is enough? A risk-management approach to computer security. Ph.D. thesis, Stanford University.
Huang, C. D., Hu, Q., & Behara, R. S. (2006). Economics of information security investment in the case of simultaneous attacks. The fifth workshop on the economics of information security, University of Cambridge, England.
Hulthén, R. (2008). Communicating the economic value of security investments; value at security risk. The seventh workshop on the economics of information security, Dartmouth, USA.
Kumar, V., Telang, R., & Mukhopadhyay, T. (2007). Optimally securing interconnected information systems and assets. The sixth workshop on the economics of information security, Carnegie Mellon University, USA.
Maloof, M. A. (2006). Machine learning and data mining for computer security. New York: Springer. CrossRef
Matsuura, K. (2008). Productivity space of information security in an extension of the Gordon-Loeb’s investment model. The seventh workshop on the economics of information security, Dartmouth, USA.
Moskowitz, I. S., & Kang, M. H. (1997). An insecurity flow model. In New security paradigms workshop, Langdale, Cumbria, UK.
Ortalo, R., Dewarte, Y., & Kaaniche, M. (1999). Experimenting with quantitative evaluation tools for monitoring operational security. IEEE Transactions on Software Engineering, 25(5), 633–650. CrossRef
Phillips, C., & Swiler, L. P. (1998). A graph-based system for network-vulnerability analysis. In New security paradigms workshop (pp. 71–79).
Rue, R., Pfleeger, S. L., & Ortiz, D. (2007). A framework for classifying and comparing models of cyber security investment to support policy and decision-making. The sixth workshop on the economics of information security, Carnegie Mellon University, USA.
Ryan, J. C. H., & Ryan, D. J. (2006). Expected benefits of information security investments. Computers and Security, 25, 579–588. CrossRef
Schechter, S. E. (2004). Computer security strength and risk: A quantitative approach. Ph.D. thesis, Harvard University DEAS.
Sheyner, O., & Wing, J. (2005). Tools for generating and analyzing attack graphs. Proceedings of formal methods for components and objects, Lecture Notes in Computer Science.
Singhal, A. (2007). Data warehousing and data mining techniques for cyber security. New York: Springer. MATH
Sutherland, D. (1986). A model of information. Proceedings of the 9th national computer security conference, NSA/NIST, Gaithersburg, MD.
Tatsume, K. I., & Goto, M. (2009). Optimal timing of information security investment: A real options approach. The eighth workshop on the economics of information security, University College London, England.
Varian, H. R. (2004). System reliability and free riding. Berkeley: University of California.
Wang, S. L., Stirpe, P. A., & Hong, T. P. (2008). Modeling optimal security investment of information centers. The PAKDD 2008 workshop on data mining for decision making and risk management, Osaka, Japan, 293–304.
Willemson, J. (2006). On the Gordon & Loeb model for information security investment. The fifth workshop on the economics of information security, University of Cambridge, England.
- Risk-neutral evaluation of information security investment on data centers
Paul A. Stirpe
- Springer US
Neuer Inhalt/© ITandMEDIA, Best Practices für die Mitarbeiter-Partizipation in der Produktentwicklung/© astrosystem | stock.adobe.com