Decision support for the optimal allocation of security controls

Authors:

Highlights:

• Information security investments are becoming an increasingly dominant part of IT and corporate spending.

• Yet, there is limited guidance on optimal allocation of these investments.

• This paper develops an optimization model for allocating controls, incorporating uncertainties in vulnerability assessments.

• The utility of the model is demonstrated for a realistic IT infrastructure.

Abstract

We present constrained optimization models that could be used in a decision support system for configuring security solutions for an information systems infrastructure. We begin with a deterministic model that uses security breach probabilities as parameters. Since security breach data is not easily available, breach probabilities are often estimated via surveys, which could lead to estimation errors. To develop robust solutions in the presence of estimation errors, we then present a stochastic optimization model that handles uncertainties in breach probability estimations. Our model solutions incorporate quantifiable security risk and business impact as the models are detailed enough to capture various categories of security attacks, and different levels of security protection and loss values for data and applications. We demonstrate the utility of our models by proposing security solutions for a realistic IT infrastructure using breach probability estimates derived from surveys.

Keywords: Design and evaluation of IT infrastructure, Constrained optimization, Stochastic programming, Analytical modeling, Decision support system, Risk management, Security breaches, Security survey

Review history: Received 10 May 2018, Revised 2 October 2018, Accepted 3 October 2018, Available online 11 October 2018, Version of Record 12 November 2018.

Paper URL: https://doi.org/10.1016/j.dss.2018.10.001