A Robust Process Model for Calculating Security ROI - PowerPoint PPT Presentation

About This Presentation
Title:

A Robust Process Model for Calculating Security ROI

Description:

Provide a statistically valid return on investment. ... Risk Adjusted, Xr. Risk Assessment. Orthogonal Arrays. Experimentation tool. ... – PowerPoint PPT presentation

Number of Views:22
Avg rating:3.0/5.0
Slides: 13
Provided by: ghazym5

Transcript and Presenter's Notes


1
A Robust Process Model for Calculating Security ROI
  • Ghazy Mahjub
  • DePaul University
  • M.S. Software Engineering

2
Problem Identification
  • Justifying investments in software security.
  • Quantification tools, if applied prudently, can
    assist in the anticipation, budgeting, and
    control of direct and indirect computer security
    costs. (Mercuri, 15)

3
Problem Solution
  • Provide a statistically valid return on
    investment.
  • Integrate security infrastructure rather than
    providing layers of fully independent security
    infrastructure.
  • Apply statistical process control.
  • Quality rather than quantity.
  • INTEGRATE SECURITY SO THAT IT DOES NOT HAMPER THE
    BUSINESS PROCESS.

4
Difficulties in Quantification
  • Lack of statistically valid historical data on
    frequency and impact of events.
  • Traditional binary view of security should be
    exchanged for the continuous security model where
    multiple levels of probability and impact are
    used to yield an optimal security investment
    strategy.

5
Robust Process Model
  • Parameter design.
  • Identify ideal function.
  • Identify noise factors.
  • Identify signal factors.
  • Identify control factors for ideal response.

6
Anti-Requirement Integration
  • An anti-requirement is a requirement of a
    malicious user that subverts an existing
    requirement.
  • They originate with the malicious user, and
    developers can derive them either by front-end
    threat analysis or by post-hoc reaction to an
    operational attack.
  • Anti-requirement formulation allows us to view
    our system through the eyes of the malicious user
    to prevent the attack before it happens.
  • An anti-requirement maps to one or many risks.

7
Anti-Requirement Integration
  • Just as security requirements are integrated into
    a system to establish accepted functionality,
    anti-requirements must be integrated to establish
    unaccepted functionality.
  • Role Based Access Control defines requirements
    for users, and yet these roles are often
    insufficient.
  • Anti-requirements theory says roles should be
    defined in the context of security requirements
    as well as functional requirements.

8
Risk Assessment
  • Risk = Probability × Impact
  • Risk is a pair made up of a likelihood factor and
    an impact factor.
  • Impact can be calculated fairly easily by
    assigning monetary values to assets in terms of
    the business value the asset has.
  • Calculating probability is much more difficult!

9
Security ROI Calculator
[Diagram: Risk Assessment, X, enters the Robust Design Method together with Noise Factors and Control Factors, Z, giving the Controlled Risk Adjusted value, Xr; Xr and Noise Factors enter the Cost-Benefit Analysis Process, which produces the Response, Y.]
10
Orthogonal Arrays
  • Experimentation tool.
  • Depending on the number of factors to test, OAs
    let us avoid exhaustive testing, i.e. running
    every combination of factors.
  • The combination space grows exponentially, e.g.
    threat x vulnerability x safeguard.
  • In addition, OAs allow us to test interaction
    effects between factors.
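As an added worked example (not from the presentation), the calculator pieces above in Python: Risk = Probability × Impact from slide 8, the controlled risk adjusted Xr and response Y from slide 9, and an L4 orthogonal array from this slide covering three two-level safeguards in 4 runs instead of 8. The safeguard names, costs and probability/impact factors are constructed values, and the response formula Y = (X - Xr - cost) / cost is an assumption, since the slides do not state one.

```python
# Taguchi L4(2^3) orthogonal array: 4 runs cover three 2-level factors
# instead of the 2**3 = 8 runs of exhaustive testing.
L4 = [(0, 0, 0), (0, 1, 1), (1, 0, 1), (1, 1, 0)]

# Constructed asset for illustration: impact is the business value at stake,
# probability is the annual likelihood with no safeguards in place.
IMPACT = 250_000.0
BASE_PROBABILITY = 0.20
# Three two-level control factors (safeguards). Level 1 = enabled; each has a
# yearly cost and a multiplicative effect on probability or impact (constructed).
CONTROLS = {
    "mfa":      {"cost": 10_000, "prob_factor": 0.50, "impact_factor": 1.00},
    "backups":  {"cost": 6_000,  "prob_factor": 1.00, "impact_factor": 0.40},
    "training": {"cost": 4_000,  "prob_factor": 0.75, "impact_factor": 1.00},
}
NAMES = tuple(CONTROLS)


def is_orthogonal(array):
    """True if every pair of two-level columns shows each level pair equally often."""
    ncol = len(array[0])
    for a in range(ncol):
        for b in range(a + 1, ncol):
            counts = {}
            for row in array:
                counts[(row[a], row[b])] = counts.get((row[a], row[b]), 0) + 1
            if len(counts) != 4 or len(set(counts.values())) != 1:
                return False
    return True


def risk(settings):
    """Risk = Probability x Impact after applying the enabled safeguards (Xr)."""
    p, i = BASE_PROBABILITY, IMPACT
    for name, on in zip(NAMES, settings):
        if on:
            p *= CONTROLS[name]["prob_factor"]
            i *= CONTROLS[name]["impact_factor"]
    return p * i


def roi(settings):
    """Response Y = (X - Xr - cost) / cost, X being the unmitigated risk (assumed form)."""
    cost = sum(CONTROLS[n]["cost"] for n, on in zip(NAMES, settings) if on)
    return (risk((0, 0, 0)) - risk(settings) - cost) / cost if cost else 0.0


def main_effects(array, response=risk):
    """Per factor: mean response at level 1 minus mean at level 0 over the array."""
    half = len(array) / 2
    return {name: (sum(response(r) for r in array if r[k])
                   - sum(response(r) for r in array if not r[k])) / half
            for k, name in enumerate(NAMES)}
```

With `main_effects(L4)` the four runs rank the safeguards by how much each lowers the expected annual loss; `main_effects(L4, roi)` ranks them by response Y instead.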

11
Decision Analysis
  • Using variable domains and defined rules of
    decision theory, a decision function can be
    formulated for each decision variable.
  • Since decisions incorporate uncertainty, a
    decision is a function rather than a binary
    value.
  • Minimize Confidence Interval.
  • Effectiveness of Probability Reduction
  • Effectiveness of Impact Reduction

12
Future Work
  • Test, Test, Test.
  • Data, Data, Data.
  • Develop code to run the calculations
    automatically.