Dealing with uncertainty in cybersecurity decision support

Cited by: 0
Authors
Zhang, Yunxiao [1]
Malacaria, Pasquale [2]
Affiliations
[1] Univ Exeter, Exeter, England
[2] Queen Mary Univ London, London, England
Funding
Engineering and Physical Sciences Research Council (UK);
Keywords
Robust optimization; Decision support; Uncertainty; Cyber-security; Stackelberg games; Security games; Attack graphs; OPTIMIZATION; ALGORITHM;
DOI
10.1016/j.cose.2024.104153
Chinese Library Classification number
TP [Automation technology, computer technology];
Discipline classification code
0812 ;
Abstract
The mathematical modeling of cybersecurity decision-making heavily relies on cybersecurity metrics. However, achieving precision in these metrics is notoriously challenging, and their inaccuracies can significantly influence model outcomes. This paper explores resilience to uncertainties in the effectiveness of security controls. We employ probabilistic attack graphs to model threats and introduce two resilient models: minmax regret and min-product of risks, comparing their performance. Building on previous Stackelberg game models for cybersecurity, our approach leverages totally unimodular matrices and linear programming (LP) duality to provide efficient solutions. While minmax regret is a well-known approach in robust optimization, our extensive simulations indicate that, in this context, the lesser-known min-product of risks offers superior resilience. To demonstrate the practical utility and robustness of our framework, we include a multi-dimensional decision support case study focused on home IoT cybersecurity investments, highlighting specific insights and outcomes. This study illustrates the framework's effectiveness in real-world settings.
Pages: 11
Related papers
49 in total
  • [1] MORSHED: Guiding Behavioral Decision-Makers towards Better Security Investment in Interdependent Systems
    Abdallah, Mustafa
    Woods, Daniel
    Naghizadeh, Parinaz
    Khalil, Issa
    Cason, Timothy
    Sundaram, Shreyas
    Bagchi, Saurabh
    [J]. ASIA CCS'21: PROCEEDINGS OF THE 2021 ACM ASIA CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY, 2021, : 378 - 392
  • [2] Why Is Cybersecurity Not a Human-Scale Problem Anymore?
    Banga, Gaurav
    [J]. COMMUNICATIONS OF THE ACM, 2020, 63 (04) : 30 - 34
  • [3] Ben-Tal A, 2009, PRINC SER APPL MATH, P3
  • [4] Bhuiyan TH, 2016, 2016 IEEE SYMPOSIUM ON TECHNOLOGIES FOR HOMELAND SECURITY (HST)
  • [5] Decision-theoretic and game-theoretic approaches to IT security investment
    Cavusoglu, Huseyin
    Raghunathan, Srinivasan
    Yue, Wei T.
    [J]. JOURNAL OF MANAGEMENT INFORMATION SYSTEMS, 2008, 25 (02) : 281 - 304
  • [6] ALGORITHM FOR SOLVING INTERVAL LINEAR-PROGRAMMING PROBLEMS
    CHARNES, A
    GRANOT, F
    PHILLIPS, F
    [J]. OPERATIONS RESEARCH, 1977, 25 (04) : 688 - 695
  • [7] An Options Approach to Cybersecurity Investment
    Chronopoulos, Michail
    Panaousis, Emmanouil
    Grossklags, Jens
    [J]. IEEE ACCESS, 2018, 6 : 12175 - 12186
  • [8] Durkota K., 2015, Database, V20
  • [9] Fang F, 2016, AAAI CONF ARTIF INTE, P3966
  • [10] Fielder A., 2018, Games, V9, P34, DOI DOI 10.3390/G9020034