
Selection of Cybersecurity Safeguards Portfolio

Supply Chain Disruption Management

Part of the book series: International Series in Operations Research & Management Science ((ISOR,volume 291))

Abstract

This chapter deals with the optimal selection of countermeasures in IT security planning to prevent or mitigate cyber-threats, and a stochastic MIP approach is proposed for the decision-making. Given a set of potential threats and a set of available countermeasures, the decision maker needs to decide which countermeasures to implement under a limited budget so as to minimize potential losses from successful cyber-attacks and mitigate the impact of disruptions caused by IT security incidents. The selection of countermeasures is based on their effectiveness in blocking different threats, their implementation costs and the probability of potential attack scenarios. The problem is formulated as a single- or bi-objective stochastic mixed integer program, and a conditional value-at-risk approach combined with scenario-based analysis is applied to control the risk of high losses due to operational disruptions and to optimize the worst-case performance of an IT system. The bi-objective trade-off model provides the decision maker with a simple tool for balancing expected and worst-case losses and for shaping the resulting cost distribution through the selection of an optimal subset of countermeasures for implementation, i.e., the selection of an optimal countermeasure portfolio. The selected portfolio explicitly depends on the preferred confidence level and the cost/risk preference of the decision maker. Numerical examples are presented and some computational results are reported to compare the risk-averse solutions that minimize conditional value-at-risk with the risk-neutral ones that minimize expected cost. The major managerial insights are provided at the end of the chapter.
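As an added illustration (not the chapter's own model, data or code), the selection problem sketched in the abstract in brute-force form: threats with losses, countermeasures with costs and blocking effectiveness, probabilistic attack scenarios, a budget, and two objectives, expected loss (risk-neutral) versus conditional value-at-risk (risk-averse). All instance values are constructed; the chapter solves the real problem as a MIP rather than by enumeration.

```python
from itertools import combinations

# Constructed toy instance (not taken from the chapter): 3 threats, 4 countermeasures.
LOSS = [100.0, 60.0, 30.0]          # loss if threat j succeeds unblocked
COST = [5, 4, 3, 6]                 # implementation cost of countermeasure i
BLOCK = [[0.9, 0.0, 0.0],           # BLOCK[i][j]: effectiveness of i in blocking threat j
         [0.0, 0.8, 0.5],
         [0.5, 0.5, 0.5],
         [0.0, 0.0, 0.9]]
BUDGET = 10
# Attack scenarios as (probability, set of threats that materialise in that scenario)
SCENARIOS = [(0.70, {2}), (0.20, {1, 2}), (0.08, {0}), (0.02, {0, 1, 2})]

def scenario_loss(portfolio, threats):
    """Residual loss in one scenario: each threat is blocked by the best selected countermeasure."""
    total = 0.0
    for j in threats:
        blocked = max((BLOCK[i][j] for i in portfolio), default=0.0)
        total += LOSS[j] * (1.0 - blocked)
    return total

def expected_loss(portfolio):
    return sum(p * scenario_loss(portfolio, t) for p, t in SCENARIOS)

def cvar(portfolio, alpha):
    """Conditional value-at-risk (Rockafellar-Uryasev): VaR plus the scaled expected excess over VaR."""
    losses = sorted((scenario_loss(portfolio, t), p) for p, t in SCENARIOS)
    var, cum = losses[-1][0], 0.0
    for loss, p in losses:
        cum += p
        if cum >= alpha - 1e-12:     # first loss whose cumulative probability reaches alpha
            var = loss
            break
    return var + sum(p * max(l - var, 0.0) for l, p in losses) / (1.0 - alpha)

def feasible_portfolios():
    # every countermeasure subset whose total cost fits the budget (brute-force enumeration)
    n = len(COST)
    return [frozenset(c) for r in range(n + 1) for c in combinations(range(n), r)
            if sum(COST[i] for i in c) <= BUDGET]

def best_portfolio(objective):
    return min(feasible_portfolios(), key=lambda pf: (objective(pf), sorted(pf)))

if __name__ == "__main__":
    neutral = best_portfolio(expected_loss)                  # risk-neutral: min expected loss
    averse = best_portfolio(lambda pf: cvar(pf, 0.95))       # risk-averse: min CVaR at 95%
    for name, pf in (("risk-neutral", neutral), ("risk-averse", averse)):
        print(name, sorted(pf), "E[loss]=%.2f" % expected_loss(pf), "CVaR95=%.2f" % cvar(pf, 0.95))
```

On this instance the two objectives pick different portfolios: the expected-loss minimiser accepts a heavier tail, while the CVaR minimiser pays a higher expected loss for a much lower worst-case loss.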




Copyright information

© 2020 The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this chapter

Sawik, T. (2020). Selection of Cybersecurity Safeguards Portfolio. In: Supply Chain Disruption Management. International Series in Operations Research & Management Science, vol 291. Springer, Cham. https://doi.org/10.1007/978-3-030-44814-1_15
