Return on Security Investment Against Cyber Attacks on Availability
As it is getting more important to support stabilized secure services, many organizations increase the security investment to protect their assets and clients from cyber attacks. The purpose of this paper is to suggest a guideline for security managers to select a set of the security countermeasures that mitigates damages from availability attacks in a cost-effective manner. We present a sys-tematic approach to the risk analysis against availability attacks and demonstrate countermeasure benefit estimations. The risk analysis consists of three procedures: Service Value Analysis, Threat Analysis, and Countermeasure Analysis. As the outcome of the procedures, our approach produces quantitative benefit analysis for each countermeasure against availability attacks. We have applied a simulation tool developed to implement the approach to VoIP(Voice over Internet Protocol) services and the result is also presented.
KeywordsSecurity Model Damage Impact Security Manager Security Investment Mitigation Factor
Unable to display preview. Download preview PDF.
- Congressional Research Service, The Economic Impact of Cyber-Attacks, CRS Report for Congress (April 2004)Google Scholar
- Sahinoglu, M.: Security Meter: A Practical Decision-Tree Model to Quan-tify Risk. In: IEEE Security & Privacy. IEEE Computer Society, Los Alamitos (2005)Google Scholar
- Butler, S.: Security Attribute Evaluation Method: A Cost-Benefit Approach. In: Proceedings of International Conference on Software Engineering (2002)Google Scholar
- Cavusoglu, H., Mishra, B., Raghunathan, S.: A Model for Evaluating IT Security Investments. Communications of the ACM 47(7) (July 2004)Google Scholar
- ITU-T Recommendation X.805 and its application to NGN, ITU/IETF Work- shop on NGN (2005)Google Scholar
- National Institute of Standards and Technology, Special Publications: Risk Management Guide (DRAFT) (June 2001)Google Scholar
- Multiservice Switching Forum, Next-Generation VoIP Network Architecture, MSF Technical Report (March 2003)Google Scholar
- Conrad, J.: Analyzing the Risks of Information Security Investments with Monte-Carlo Simulation. In: Fourth Workshop on the Economics of Information Security (June 2005)Google Scholar