Fast-growing numbers of technologies and devices make cyber security landscape more complicated and require more accurate models. This complexity challenges cyber security experts to devise a better solution to manage cyber risks. One of the promising methods is to find the best distribution of security expenditure for risk mitigation and transfer (i.e. cyber insurance) options. In this work, we propose a solution to find the optimal security investments when there is a cyber insurance option by applying a time-to-compromise metric to the probability of attack computation. In particular, we find the best set of countermeasures which decreases the maximum number of vulnerabilities to increase the required time to compromise a system. Our approach is based on a multiple-objective knapsack problem for the selection of countermeasures and we find the best distribution of security expenditure by computing the time-to-compromise metric which eventually defines the probability of attack.

Cyber insurance and time-to-compromise: An integrated approach

Uuganbayar G;Yautsiukhin A;Martinelli F
2019

Abstract

Fast-growing numbers of technologies and devices make cyber security landscape more complicated and require more accurate models. This complexity challenges cyber security experts to devise a better solution to manage cyber risks. One of the promising methods is to find the best distribution of security expenditure for risk mitigation and transfer (i.e. cyber insurance) options. In this work, we propose a solution to find the optimal security investments when there is a cyber insurance option by applying a time-to-compromise metric to the probability of attack computation. In particular, we find the best set of countermeasures which decreases the maximum number of vulnerabilities to increase the required time to compromise a system. Our approach is based on a multiple-objective knapsack problem for the selection of countermeasures and we find the best distribution of security expenditure by computing the time-to-compromise metric which eventually defines the probability of attack.
2019
Istituto di informatica e telematica - IIT
Sic
File in questo prodotto:
Non ci sono file associati a questo prodotto.

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/20.500.14243/363381
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 1
  • ???jsp.display-item.citation.isi??? ND
social impact