Optimizing the RoI of cyber risk mitigation

Abstract

In this paper, we present a security analytics framework that augments host compliance reports with network configuration to assess the risk globally and devise cost-effective mitigation plans. We define metrics to measure the global enterprise risk based on network assets' vulnerabilities, their inter-dependencies, and network configurations. Our framework takes the decision burden away from administrators by automatically recommending cost-effective mitigation actions that achieve the expected return on investment (RoI). We use XCCDF, a language defined as part of the Security Content Automation Protocol (SCAP), to communicate the compliance benchmarking and scoring reports. In addition, we utilize the basic metrics defined in the standard vulnerability scoring systems, such as CVSS, to accurately assess the global risk. We formalize our proposed mitigation planning solution as a constraints satisfaction problem and we solve it using the Z3 SMT solver.