Abstract

When investing in cyber security resources, information security managers have to follow effective decision-making strategies. We refer to this as the cyber security investment challenge. In this paper, we consider three possible decision support methodologies for security managers to tackle this challenge: methods based on game theory, on combinatorial optimisation, and on a hybrid of the two. Our modelling starts by building a framework in which we can investigate the effectiveness of a cyber security control with respect to the protection of different assets, seen as targets, in the presence of commodity threats. As game theory captures the interaction between the organisation's and the attackers' decisions, we consider a 2-person control game between the security manager, who has to choose among different implementation levels of a cyber security control, and a commodity attacker, who chooses among different targets to attack. The pure game-theoretic methodology consists of a single large game including all controls and all threats. In the hybrid methodology, the game solutions of the individual control games, together with their direct costs (e.g. financial), are combined with a Knapsack algorithm to derive an optimal investment strategy. The combinatorial optimisation technique consists of a multi-objective multiple-choice Knapsack based strategy. To compare these approaches we built a decision support tool and a case study based on current government guidelines. The aim of this work is to highlight the weaknesses and strengths of different investment methodologies for cyber security, the benefit of their interaction, and the impact that indirect costs have on cyber security investment. Going a step further in validating our work, we show that our decision support tool provides the same advice as that advocated by the UK government with regard to the requirements for basic technical protection from cyber attacks in SMEs.
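To make the hybrid methodology concrete, the following Python sketch is an added illustration and is not the paper's own tool, code or data. It assumes a simplified "game solution" for each control: for every implementation level the commodity attacker plays a pure best response, hitting the target with the largest residual expected loss, so the value of a level is the reduction in that worst-case loss relative to not implementing the control. Those per-level values are then combined with the levels' direct costs in a multiple-choice Knapsack solved by dynamic programming, choosing exactly one level per control within the budget. The controls, targets, asset losses, costs and effectiveness fractions are constructed for the example, and the benefits of different controls are assumed to be additive (the paper's own models treat these interactions more carefully).

```python
"""Hybrid game-theory + multiple-choice Knapsack investment sketch (illustrative)."""
from typing import Dict, List, Tuple

# ---- Constructed sample data (not from the paper) --------------------------
# Expected loss if the attacker successfully compromises each target.
TARGET_LOSS: Dict[str, float] = {"web_server": 100.0, "file_share": 60.0, "laptops": 40.0}

# Each control has implementation levels 0..n. Level 0 is "not implemented"
# (cost 0, no effect). eff[level][target] is the assumed fraction of the loss
# on that target that the level prevents. Costs are in arbitrary budget units.
ZERO = {"web_server": 0.0, "file_share": 0.0, "laptops": 0.0}
CONTROLS = {
    "patching": {
        "cost": [0, 20, 45],
        "eff": [ZERO,
                {"web_server": 0.5, "file_share": 0.2, "laptops": 0.3},
                {"web_server": 0.8, "file_share": 0.4, "laptops": 0.6}],
    },
    "access_control": {
        "cost": [0, 15, 30],
        "eff": [ZERO,
                {"web_server": 0.1, "file_share": 0.5, "laptops": 0.2},
                {"web_server": 0.2, "file_share": 0.8, "laptops": 0.4}],
    },
    "endpoint_protection": {
        "cost": [0, 25],
        "eff": [ZERO,
                {"web_server": 0.1, "file_share": 0.2, "laptops": 0.7}],
    },
}


def attacker_best_response(eff_at_level: Dict[str, float],
                           target_loss: Dict[str, float]) -> Tuple[str, float]:
    """Simplified control-game solution: the commodity attacker picks the target
    with the largest residual expected loss once this level is in place."""
    residual = {t: loss * (1.0 - eff_at_level[t]) for t, loss in target_loss.items()}
    target = max(residual, key=residual.get)
    return target, residual[target]


def level_benefits(control: dict, target_loss: Dict[str, float]) -> List[float]:
    """Benefit of each level = worst-case loss at level 0 minus worst-case loss at that level."""
    _, base_loss = attacker_best_response(control["eff"][0], target_loss)
    return [base_loss - attacker_best_response(e, target_loss)[1] for e in control["eff"]]


def select_investment(controls: dict, target_loss: Dict[str, float],
                      budget: int) -> Tuple[Dict[str, int], float, int]:
    """Multiple-choice Knapsack: exactly one level per control, total direct cost
    within budget, maximising the (assumed additive) sum of level benefits.
    Returns (chosen level per control, total benefit, money spent)."""
    names = list(controls)
    dp = [0.0] * (budget + 1)          # best benefit for each budget, controls so far
    picks: List[List[int]] = []        # picks[i][b] = level of control i at budget b
    for name in names:
        ctrl = controls[name]
        benefits = level_benefits(ctrl, target_loss)
        new_dp = [float("-inf")] * (budget + 1)
        pick = [0] * (budget + 1)
        for b in range(budget + 1):
            for lvl, cost in enumerate(ctrl["cost"]):
                if cost <= b:
                    val = dp[b - cost] + benefits[lvl]
                    if val > new_dp[b]:
                        new_dp[b], pick[b] = val, lvl
        dp, picks = new_dp, picks + [pick]
    # Backtrack from the full budget to recover the chosen level of each control.
    plan, b = {}, budget
    for i in range(len(names) - 1, -1, -1):
        lvl = picks[i][b]
        plan[names[i]] = lvl
        b -= controls[names[i]]["cost"][lvl]
    return plan, dp[budget], budget - b


if __name__ == "__main__":
    for budget in (40, 60):
        plan, benefit, spent = select_investment(CONTROLS, TARGET_LOSS, budget)
        print(f"budget {budget}: spend {spent}, worst-case loss reduced by {benefit:.1f}, plan {plan}")
```

With the constructed numbers, a budget of 60 buys patching at level 2 and access control at level 1, while a budget of 40 buys one level of each of those two and leaves endpoint protection unfunded; a control whose best level does not reduce the attacker's best-response loss enough per unit of cost is simply left at level 0. Because the attacker re-targets after each change, the example also shows why a per-control comparison has to evaluate the attacker's response rather than the control's average effectiveness.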

Highlights

  • One of the biggest issues facing organisations today is how they are able to defend themselves from potential cyber attacks

  • As the purpose of cyber security investments methodologies is to lead to the selection of a set of cyber security controls that maximise the benefit of an organisation with respect to some available budget, we find papers that investigate this optimal selection [8,9,10,11,12] as the most relevant to our work

  • The results shown here are obtained using an implementation of the hybrid model solved using a genetic algorithm


Summary

Introduction

One of the biggest issues facing organisations today is how they are able to defend themselves from potential cyber attacks. The range and scope of these unknown attacks create the need for organisations to prioritise the manner in which they defend themselves. With this, each organisation needs to consider the threats it is most at risk from and act so as to reduce its exposure across as many relevant vulnerabilities as possible. This is a difficult task that many Chief Information Security Officers (CISOs) are not confident in achieving: in a report published by Deloitte and NASCIO [1], 75.5% of CISOs cited lack of sufficient budget as a top challenge. Organisations therefore have to make trade-offs with regard to how they defend their systems.

