IT security planning under uncertainty for high-impact events

Bibliographic details
Published in: Omega (Oxford) 2012, Vol.40 (1), p.79-88
Main authors: Rakes, Terry R., Deane, Jason K., Paul Rees, Loren
Format: Article
Language: eng
Online access: Full text
container_end_page 88
container_issue 1
container_start_page 79
container_title Omega (Oxford)
container_volume 40
creator Rakes, Terry R.
Deane, Jason K.
Paul Rees, Loren
description While many IT security incidents result in relatively minor operational disruptions or minimal recovery costs, occasionally high-impact security breaches can have catastrophic effects on the firm. Unfortunately, measuring security risk and planning for countermeasures or mitigation is a difficult task. Past research has suggested risk metrics which may be beneficial in understanding and planning for security incidents, but most of these metrics are aimed at identifying expected overall loss and do not directly address the identification of, or planning for, sparse events which might result in high-impact loss. The use of an upper percentile value or some other worst-case measure has been widely discussed in the literature as a means of stochastic optimization, but has not been applied to this decision domain. A key requirement in security planning for any threat scenario, expected or otherwise, is the ability to choose countermeasures optimally with regard to tradeoffs between countermeasure cost and remaining risk. Most of the planning models in the literature are qualitative, and none that we are aware of allow for the optimal determination of these tradeoffs. Therefore, we develop a model for optimally choosing countermeasures to block or mitigate security attacks in the presence of a given threat level profile. We utilize this model to examine scenarios under both expected threat levels and worst-case levels, and develop budget-dependent risk curves. These curves demonstrate the tradeoffs which occur if decision makers divert budgets away from planning for ordinary risk in an effort to mitigate the effects of potential high-impact outcomes.
► We model risk of financial loss resulting from IT security attacks.
► Risk varies based on countermeasure expenditures.
► Planning based on expected threat levels often results in underestimation of risk.
► Worst-case planning requires diverting budget from more likely, less costly events.
► We demonstrate planning tradeoffs between expected and worst-cases using a risk gap.
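The countermeasure-selection tradeoff the abstract describes, as an added illustration that is not the authors' model or code from the paper: a small 0/1 selection problem over a constructed threat profile in which every scenario carries both an expected loss and an upper-percentile ("worst-case") loss, solved by exhaustive enumeration in place of an integer program, giving a budget-dependent residual-risk curve for each threat level and a risk gap between the two plans. All scenario names, countermeasure names, costs, loss figures and mitigation fractions are constructed for the example, the independence assumption for overlapping controls and the definition of the risk gap are the example's own, and none of the numbers come from the paper.

```python
from itertools import combinations
from typing import Dict, FrozenSet, List, Tuple

# Index into the (expected, worst-case) tuple of each scenario.
EXPECTED, WORST = 0, 1

# Constructed sample threat profile (not from the paper): scenario ->
# (expected annual loss, upper-percentile "worst-case" annual loss).
SCENARIOS: Dict[str, Tuple[float, float]] = {
    "phishing_credential_theft": (100_000.0, 300_000.0),
    "ransomware_on_file_servers": (50_000.0, 4_000_000.0),
    "web_app_sqli_data_breach": (40_000.0, 1_500_000.0),
}

# Constructed sample countermeasures: name -> (cost, {scenario: fraction of loss removed}).
COUNTERMEASURES: Dict[str, Tuple[float, Dict[str, float]]] = {
    "mfa_everywhere": (40_000.0, {"phishing_credential_theft": 0.8}),
    "offline_backups": (40_000.0, {"ransomware_on_file_servers": 0.7}),
    "waf_and_param_queries": (30_000.0, {"web_app_sqli_data_breach": 0.75}),
    "security_awareness": (10_000.0, {"phishing_credential_theft": 0.3}),
    "edr_rollout": (60_000.0, {"ransomware_on_file_servers": 0.5,
                               "web_app_sqli_data_breach": 0.2}),
}


def residual_risk(selection: FrozenSet[str], level: int) -> float:
    """Loss remaining after the selected countermeasures, at the given threat level.

    Assumption of this example: controls covering the same scenario act
    independently, so the surviving fraction is the product of (1 - m).
    """
    total = 0.0
    for scenario, levels in SCENARIOS.items():
        surviving = 1.0
        for name in selection:
            surviving *= 1.0 - COUNTERMEASURES[name][1].get(scenario, 0.0)
        total += levels[level] * surviving
    return total


def cost(selection: FrozenSet[str]) -> float:
    """Total spend of a selection of countermeasures."""
    return sum(COUNTERMEASURES[name][0] for name in selection)


def optimize(budget: float, level: int) -> Tuple[FrozenSet[str], float]:
    """0/1 countermeasure selection minimising residual risk within the budget.

    Exhaustive enumeration of all subsets stands in for the integer program:
    exact, but only practical for a small catalogue of controls.
    """
    names = list(COUNTERMEASURES)
    best: Tuple[FrozenSet[str], float] = (frozenset(), residual_risk(frozenset(), level))
    for k in range(1, len(names) + 1):
        for combo in combinations(names, k):
            sel = frozenset(combo)
            if cost(sel) > budget:
                continue
            r = residual_risk(sel, level)
            if r < best[1]:
                best = (sel, r)
    return best


def risk_curve(budgets: List[float], level: int) -> List[Tuple[float, float]]:
    """Budget-dependent residual-risk curve: optimal residual at each budget."""
    return [(b, optimize(b, level)[1]) for b in budgets]


def risk_gap(budget: float) -> Dict[str, float]:
    """Compare the expected-level-optimal plan with the worst-case-optimal plan.

    gap_worst: extra worst-case exposure accepted by planning only for expected
    losses. gap_expected: expected loss given up by diverting the budget to the
    worst-case plan. Both definitions belong to this example, not the paper.
    """
    exp_plan, exp_resid = optimize(budget, EXPECTED)
    wc_plan, wc_resid = optimize(budget, WORST)
    return {
        "gap_worst": residual_risk(exp_plan, WORST) - wc_resid,
        "gap_expected": residual_risk(wc_plan, EXPECTED) - exp_resid,
    }


if __name__ == "__main__":
    for level, label in ((EXPECTED, "expected"), (WORST, "worst-case")):
        plan, resid = optimize(50_000.0, level)
        print(f"{label:10s} budget=50k plan={sorted(plan)} residual={resid:,.0f}")
    print("risk gap at 50k:", {k: round(v) for k, v in risk_gap(50_000.0).items()})
    curve = risk_curve([0.0, 50_000.0, 100_000.0, 150_000.0], WORST)
    print("worst-case curve:", [(b, round(r)) for b, r in curve])
```

At a 50,000 budget the expected-level plan buys MFA plus awareness training (residual 104,000 expected, but 5,542,000 at the worst-case level), while the worst-case plan diverts the same money to offline backups plus awareness (2,910,000 worst-case, at the price of 21,000 more expected loss). That is the budget diversion and risk gap the highlights describe, in this toy instance; swapping the enumeration for a MILP solver is the only change needed for a realistic catalogue of controls.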
doi_str_mv 10.1016/j.omega.2011.03.008
format Article
publisher Kidlington: Elsevier Ltd
coden OMEGA6
eissn 1873-5274
tpages 10
peer_reviewed true
rights 2011 Elsevier Ltd; 2015 INIST-CNRS; Copyright Pergamon Press Inc. Jan 2012
linktohtml https://dx.doi.org/10.1016/j.omega.2011.03.008
backlink View record in Pascal Francis: http://pascal-francis.inist.fr/vibad/index.php?action=getRecordDetail&idt=24259855
backlink View record in RePEc: http://econpapers.repec.org/article/eeejomega/v_3a40_3ay_3a2012_3ai_3a1_3ap_3a79-88.htm
fulltext fulltext
identifier ISSN: 0305-0483
ispartof Omega (Oxford), 2012, Vol.40 (1), p.79-88
issn 0305-0483
1873-5274
language eng
recordid cdi_proquest_journals_874340003
source RePEc; Elsevier ScienceDirect Journals
subjects Applied sciences
Decision making
Decision making models
Decision making/process
Decision theory. Utility theory
Exact sciences and technology
Information systems
Information technology
Integer programming
Mathematical programming
Operational research and scientific management
Operational research. Management science
process Integer programming Risk Information systems
Risk
Risk management
Security management
Studies
title IT security planning under uncertainty for high-impact events
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-21T18%3A33%3A19IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_cross&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=IT%20security%20planning%20under%20uncertainty%20for%20high-impact%20events&rft.jtitle=Omega%20(Oxford)&rft.au=Rakes,%20Terry%20R.&rft.date=2012&rft.volume=40&rft.issue=1&rft.spage=79&rft.epage=88&rft.pages=79-88&rft.issn=0305-0483&rft.eissn=1873-5274&rft.coden=OMEGA6&rft_id=info:doi/10.1016/j.omega.2011.03.008&rft_dat=%3Cproquest_cross%3E2388745321%3C/proquest_cross%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=874340003&rft_id=info:pmid/&rft_els_id=S0305048311000582&rfr_iscdi=true