Selecting security control portfolios: a multi-objective simulation-optimization approach

Elsevier BV - Volume 4 Issue 1-2 - Pages 85-117 - 2016
Elmar Kiesling1, Andreas Ekelhart2, Bernhard Grill2, Christine Strauß3, Christian Stummer4
1Institute of Software Technology and Interactive Systems, Vienna University of Technology, Favoritenstraße 9-11, Vienna, Austria.
2Secure Business Austria, Favoritenstraße 16, Vienna, Austria.
3Faculty of Business, Economics and Statistics, University of Vienna, Oskar-Morgenstern-Platz 1, 1090 Vienna, Austria.
4Department of Business Administration and Economics, Bielefeld University, Universitätsstraße 25, 33615, Bielefeld, Germany.

