nach oben

Journal of Intelligent Information Systems

Erschienen in:

01.06.2011

Risk-neutral evaluation of information security investment on data centers

verfasst von: Shyue-Liang Wang, Jyun-Da Chen, Paul A. Stirpe, Tzung-Pei Hong

Erschienen in: Journal of Intelligent Information Systems | Ausgabe 3/2011

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Based on given data center network topology and risk-neutral management, this work proposes a simple but efficient probability-based model to calculate the probability of insecurity of each protected resource and the optimal investment on each security protection device when a data center is under security breach. We present two algorithms that calculate the probability of threat and the optimal investment for data center security respectively. Based on the insecurity flow model (Moskowitz and Kang 1997) of analyzing security violations, we first model data center topology using two basic components, namely resources and filters, where resources represent the protected resources and filters represent the security protection devices. Four basic patterns are then identified as the building blocks for the first algorithm, called Accumulative Probability of Insecurity, to calculate the accumulative probability of realized threat (insecurity) on each resource. To calculate the optimal security investment, a risk-neutral based algorithm, called Optimal Security Investment, which maximizes the total expected net benefit is then proposed. Numerical simulations show that the proposed approach coincides with Gordon’s (Gordon and Loeb, ACM Transactions on Information and Systems Security 5(4):438–457, 2002) single-system analytical model. In addition, numerical results on two common data center topologies are analyzed and compared to demonstrate the effectiveness of the proposed approach. The technique proposed here can be used to facilitate the analysis and design of more secured data centers.

Vorheriger Artikel Hybrid data mining approaches for prevention of drug dispensing errors

Nächster Artikel Combined rough sets with flow graph and formal concept analysis for business aviation decision-making

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Ammann, P., Wijesekera, D., & Kaushik, S. (2002). Scalable, graph-based network vulnerability analysis. Proceedings of the 9th ACM conference of computer and communications security (CCS’02) (pp. 217–224).

Bell, D., & LaPadula, L. (1975). Secure computer systems: Unified exposition and multics interpretation. Bedford: MITRE, Technical Report, MTR-2997.

Bier, V. M., & Abhichandani, V. (2003). Optimal allocation of resources for defense of simple series and parallel systems from determined adversaries. In Risk-based decision making in water resources X (pp. 59–76), Reston, VA: American Society of Civil Engineers.

Bishop, M. (2003). Computer security: Art and science. Boston: Addison-Wesley.

Chen, Y., Boehm, B., & Sheppard, L. (2007). Measuring security investment benefit for off the shelf software systems-a stakeholder value driven approach. The sixth workshop on the economics of information security, Carnegie Mellon University, USA.

Goguen, J. A., & Meseguer, J. (1982). Security policies and security models. Proceeding of the 1982 IEEE symposium on security and privacy (pp. 11–20), Oakland, CA.

Gordon, L. A., & Loeb, M. P. (2002). The economics of information security investment. ACM Transactions on Information and Systems Security, 5(4), 438–457.CrossRef

Grossklags, J., Christin, N., & Chuang, J. (2008). Security investment (Failures) in five economic environments: A comparison of homogeneous and heterogeneous user agents. The seventh workshop on the economics of information security, Dartmouth, USA.

Harmantzis, F., & Malek, M. (2004). Security risk analysis and evaluation. Proceedings of IEEE international conference on communications, Paris, France, 1897–1901.

Hausken, K. (2006). Returns to information security investment: Effect of alternative breach functions on optimal investment and sensitivity to vulnerability. Information Systems Frontiers, 5(8), 338–349.

Hoo, K. J. S. (2000). How much is enough? A risk-management approach to computer security. Ph.D. thesis, Stanford University.

Huang, C. D., Hu, Q., & Behara, R. S. (2006). Economics of information security investment in the case of simultaneous attacks. The fifth workshop on the economics of information security, University of Cambridge, England.

Hulthén, R. (2008). Communicating the economic value of security investments; value at security risk. The seventh workshop on the economics of information security, Dartmouth, USA.

Kumar, V., Telang, R., & Mukhopadhyay, T. (2007). Optimally securing interconnected information systems and assets. The sixth workshop on the economics of information security, Carnegie Mellon University, USA.

Maloof, M. A. (2006). Machine learning and data mining for computer security. New York: Springer.CrossRef

Matsuura, K. (2008). Productivity space of information security in an extension of the Gordon-Loeb’s investment model. The seventh workshop on the economics of information security, Dartmouth, USA.

Moskowitz, I. S., & Kang, M. H. (1997). An insecurity flow model. In New security paradigms workshop, Langdale, Cumbria, UK.

Ortalo, R., Dewarte, Y., & Kaaniche, M. (1999). Experimenting with quantitative evaluation tools for monitoring operational security. IEEE Transactions on Software Engineering, 25(5), 633–650.CrossRef

Phillips, C., & Swiler, L. P. (1998). A graph-based system for network-vulnerability analysis. In New security paradigms workshop (pp. 71–79).

Rue, R., Pfleeger, S. L., & Ortiz, D. (2007). A framework for classifying and comparing models of cyber security investment to support policy and decision-making. The sixth workshop on the economics of information security, Carnegie Mellon University, USA.

Ryan, J. C. H., & Ryan, D. J. (2006). Expected benefits of information security investments. Computers and Security, 25, 579–588.CrossRef

Schechter, S. E. (2004). Computer security strength and risk: A quantitative approach. Ph.D. thesis, Harvard University DEAS.

Sheyner, O., & Wing, J. (2005). Tools for generating and analyzing attack graphs. Proceedings of formal methods for components and objects, Lecture Notes in Computer Science.

Singhal, A. (2007). Data warehousing and data mining techniques for cyber security. New York: Springer.MATH

Sutherland, D. (1986). A model of information. Proceedings of the 9th national computer security conference, NSA/NIST, Gaithersburg, MD.

Tatsume, K. I., & Goto, M. (2009). Optimal timing of information security investment: A real options approach. The eighth workshop on the economics of information security, University College London, England.

Varian, H. R. (2004). System reliability and free riding. Berkeley: University of California.

Wang, S. L., Stirpe, P. A., & Hong, T. P. (2008). Modeling optimal security investment of information centers. The PAKDD 2008 workshop on data mining for decision making and risk management, Osaka, Japan, 293–304.

Willemson, J. (2006). On the Gordon & Loeb model for information security investment. The fifth workshop on the economics of information security, University of Cambridge, England.

Titel: Risk-neutral evaluation of information security investment on data centers
verfasst von: Shyue-Liang Wang
Jyun-Da Chen
Paul A. Stirpe
Tzung-Pei Hong
Publikationsdatum: 01.06.2011
Verlag: Springer US
Erschienen in: Journal of Intelligent Information Systems / Ausgabe 3/2011
Print ISSN: 0925-9902
Elektronische ISSN: 1573-7675
DOI: https://doi.org/10.1007/s10844-009-0109-4

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 3/2011

A new co-training-style random forest for computer aided diagnosis

Special issue on data mining for decision making and risk management

Data augmentation by predicting spending pleasure using commercially available external data

String analysis technique for shopping path in a supermarket

Modeling complex longitudinal consumer behavior with Dynamic Bayesian networks: an Acquisition Pattern Analysis application

Hybrid data mining approaches for prevention of drug dispensing errors