安全投资经济评价的防御树

First International Conference on Availability, Reliability and Security (ARES'06) Pub Date : 2006-04-20 DOI:10.1109/ARES.2006.46

Stefano Bistarelli, F. Fioravanti, Pamela Peretti

{"title":"安全投资经济评价的防御树","authors":"Stefano Bistarelli, F. Fioravanti, Pamela Peretti","doi":"10.1109/ARES.2006.46","DOIUrl":null,"url":null,"abstract":"In this paper we present a mixed qualitative and quantitative approach for evaluation of information technology (IT) security investments. For this purpose, we model security scenarios by using defense trees, an extension of attack trees with attack countermeasures and we use economic quantitative indexes for computing the defender's return on security investment and the attacker's return on attack. We show how our approach can be used to evaluate effectiveness and economic profitability of countermeasures as well as their deterrent effect on attackers, thus providing decision makers with a useful tool for performing better evaluation of IT security investments during the risk management process.","PeriodicalId":106780,"journal":{"name":"First International Conference on Availability, Reliability and Security (ARES'06)","volume":"19 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2006-04-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"173","resultStr":"{\"title\":\"Defense trees for economic evaluation of security investments\",\"authors\":\"Stefano Bistarelli, F. Fioravanti, Pamela Peretti\",\"doi\":\"10.1109/ARES.2006.46\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"In this paper we present a mixed qualitative and quantitative approach for evaluation of information technology (IT) security investments. For this purpose, we model security scenarios by using defense trees, an extension of attack trees with attack countermeasures and we use economic quantitative indexes for computing the defender's return on security investment and the attacker's return on attack. We show how our approach can be used to evaluate effectiveness and economic profitability of countermeasures as well as their deterrent effect on attackers, thus providing decision makers with a useful tool for performing better evaluation of IT security investments during the risk management process.\",\"PeriodicalId\":106780,\"journal\":{\"name\":\"First International Conference on Availability, Reliability and Security (ARES'06)\",\"volume\":\"19 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2006-04-20\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"173\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"First International Conference on Availability, Reliability and Security (ARES'06)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/ARES.2006.46\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"First International Conference on Availability, Reliability and Security (ARES'06)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ARES.2006.46","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 173

摘要

在本文中，我们提出了一种混合定性和定量的方法来评估信息技术(IT)安全投资。为此，我们使用防御树(一种带有攻击对策的攻击树的扩展)对安全场景进行建模，并使用经济量化指标计算防御者的安全投资回报和攻击者的攻击回报。我们展示了如何使用我们的方法来评估对策的有效性和经济效益，以及它们对攻击者的威慑作用，从而为决策者提供了一个有用的工具，以便在风险管理过程中更好地评估IT安全投资。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Defense trees for economic evaluation of security investments

In this paper we present a mixed qualitative and quantitative approach for evaluation of information technology (IT) security investments. For this purpose, we model security scenarios by using defense trees, an extension of attack trees with attack countermeasures and we use economic quantitative indexes for computing the defender's return on security investment and the attacker's return on attack. We show how our approach can be used to evaluate effectiveness and economic profitability of countermeasures as well as their deterrent effect on attackers, thus providing decision makers with a useful tool for performing better evaluation of IT security investments during the risk management process.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

First International Conference on Availability, Reliability and Security (ARES'06)

自引率

0.00%

发文量