Optimizing Information Systems Security Design Based on Existing Security Knowledge
Andreas Schilling, Brigitte Werners
Faculty of Management and Economics, Ruhr University Bochum
WISSE 2015 Stockholm—June 08, 2015
Introduction IT baseline protection catalogues Safeguard selection problem Application example
Outline
1. Introduction
2. IT baseline protection catalogues
3. Safeguard selection problem
4. Application example
Schilling (RUB) Optimizing IS Security Design June 08, 2015 2 / 21
Introduction
Goal: Providing decision support for security design of information systems
Requirements: Small data requirements (from decision maker)
Decision: Which security safeguards should be implemented?
Approach: Knowledge/data → optimization → decision
Related work
Existing models require exact input data like
- exact threat probabilities
- exact vulnerability probabilities
- monetary asset valuations
- ...
model first vs. data first
Knowledge base: IT baseline protection catalogues (v2013)
German Federal Office for Information Security (BSI)
Extensive repository of IT security knowledge (4482 pages)
Safeguards (1244), Threats (518), Components (80)
Diagram labels: "effectiveness", "criticality"
Examples:
Safeguards:
- Change of preset passwords
- Use of TLS/SSL
Threats:
- Unauthorised use of IT systems
- Denial of services
Components:
- databases
- web servers
- SAP system
Data extraction
[Figure: processing pipeline in five steps (i) to (v): IT baseline protection catalogues (html, pdf, spreadsheets); data extraction (python); knowledge base (sqlite); solver input generation (python); solver input (.dat)]
Layers of information
[Figure: layers from bottom to top of the process: IT baseline protection catalogues; security knowledge base; additional information layer (threat criticality, safeguard effectiveness); optimal solution (combination of safeguards); "insights". Transitions: data extraction; parameter generation; solve; implementation & analyses; two feedback arrows]
Security chain
Idea: Security of a system component depends on its most critical threat
Safeguard selection
Safeguard should reduce most critical threat first
[Figure: threat criticality of threats t1 to t5 for component p across successive "reduce" steps]
$$\min c_p \quad \text{with} \quad c_p = \max_{i \in I} \{ t_i \mid C_{i,p} = 1 \}$$
$c_p$ - variable criticality index of component $p$
$t_i$ - variable criticality index of threat $i$
$C = (C_{i,p})$ - connecting matrix (binary)
Component criticality
Safeguard selection minimizes maximum threat criticality over all components
[Figure: threat criticality of component 1 and component 2, with labels "objective", "selecting safeguards", "security gain" and "SSI"]
$$\min \left[ \max_{p \in P} c_p \right] \quad \text{with} \quad c_p = \max_{i \in I} \{ t_i \mid C_{i,p} = 1 \}$$
Reducing threat criticality ti
Given:
- threat criticality coefficient $\gamma_i \geq 0$
- safeguard effectiveness $\sigma_k \in [0, 1]$
- connection matrix $T = (T_{k,i})$ with $T_{k,i} \in \{0, 1\}$
Requirements:
- safeguards may have an effect on multiple threats
- diminishing marginal utility of effectiveness
$$t_i = \gamma_i \cdot \prod_{k \in K} \sigma_k^{s_k \cdot T_{k,i}} \quad \Rightarrow \quad \ln(t_i) = \ln(\gamma_i) + \sum_{k \in K} s_k \cdot T_{k,i} \cdot \ln(\sigma_k)$$
Example: Safeguard effectiveness and threat criticality
[Figure: threats, components and safeguards; steps "select second safeguard" and "add additional safeguard"]
Application scenario: e-commerce information system
16 components, 190 threats, 337 safeguards
No.  Component                     # Threats  # Safeguards
Non-technical
1    Security management                   4            14
2    Organisation                         18            17
3    Personnel                            21            15
4    Handling security incidents           3            24
5    Outsourcing                          26            17
6    Patch and change management          22            18
7    Internet use                         23            16
Technical
8    Data protection                      13            16
9    Protection against malware           16            13
10   General server                       33            33
11   Servers under Unix                    7            26
12   Internet PCs                         20            17
13   Client under Windows 7               32            45
14   Web servers                          27            27
15   Databases                            23            32
16   Web applications                     39            38
Baseline solutions
[Figure: BSI entry level certificate (177 safeguards). Log. component criticality index (CCI) per component 1 to 16; series: unprotected system, solution with entry level safeguards, baseline SSI, entry level SSI]
[Figure: ISO 27001 certificate (270 safeguards). Log. component criticality index (CCI) per component 1 to 16; series: unprotected system, solution with ISO 27001 safeguards, baseline SSI, ISO 27001 SSI]
Increasing security
[Figure: SSI comparison. Log. system security index (SSI) against number of safeguards N (0 to 100); series: optimal SSI, entry level SSI, ISO 27001 SSI]
Entry level certificate vs. optimal solutions
[Figure: entry level certificate (177 vs. 75 safeguards). Log. component criticality index (CCI) per component 1 to 16; series: solution with entry level safeguards, optimal solution with 75 safeguards, entry level SSI, optimal SSI with 75 safeguards]
[Figure: entry level certificate (177 vs. 100 safeguards). Log. component criticality index (CCI) per component 1 to 16; series: solution with entry level safeguards, optimal solution with 100 safeguards, entry level SSI, optimal SSI with 100 safeguards]
All optimized CCIs with 75 safeguards ≤ entry level CCIs
⇒ 102 fewer safeguards (≈ 57 % fewer)
Outlook
Future research:
- Integrating uncertainty (robust approach)
- Extending the scope (e.g., multi-period, adaptive)
- Prototype (decision support system)
Contact
Andreas Schilling, M.Sc.
Chair of Operations Research and Accounting
Ruhr University Bochum
Faculty of Management and Economics
Universitaetsstrasse 150
44780 Bochum
Germany
Appendix
Additional information layer (1)
Threat criticality γ
Safeguard qualification levelsImportance for security (high to low):
A - B - C - Z - W
Generate threat criticality based on existing data
If a threat has more and higher qualified safeguards associated with it, this is an indicator that it is more critical.
$$\gamma_i = \sum_{k \in K} T_{k,i} \cdot g(\sigma_k) \quad \text{with} \quad g(x) = \sqrt{x}$$
Additional information layer (2)
Safeguard effectiveness σ
Safeguard qualification levels
Importance for security (high to low):
A - B - C - Z - W
Higher qualified safeguards are more effective
$$\sigma_k = \begin{cases} 0.5 & \text{if qualification level} = A \\ 0.6 & \text{if qualification level} = B \\ 0.7 & \text{if qualification level} = C \\ 0.8 & \text{if qualification level} = Z \\ 0.9 & \text{if qualification level} = W \end{cases}$$
Parameters and decision variables
Indices and sets
- $P$: Index set of components (indexed by $p$)
- $I$: Index set of threats (indexed by $i$)
- $K$: Index set of safeguards (indexed by $k$)
Parameters
- $\sigma_k$: Effectiveness coefficient of a safeguard
- $\gamma_i$: Criticality coefficient of a threat
- $C_{i,p}$: Connection between component and threat, $C_{i,p} \in \{0, 1\}$
- $T_{k,i}$: Connection between threat and safeguard, $T_{k,i} \in \{0, 1\}$
- $N$: Maximum number of safeguards
Decision variables
- $s_k$: Selection of safeguards, $s_k \in \{0, 1\}$
- $t_i$: Threat criticality index
- $c_p$: Component criticality index
Nonlinear Model
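$$\min \left[ \max_{p \in P} c_p \right] \tag{1}$$
$$\text{s.t.} \quad c_p = \max_{i \in I} \{ t_i \mid C_{i,p} = 1 \} \quad \forall\, p \in P \tag{2}$$
$$t_i = \gamma_i \cdot \prod_{k \in K} \sigma_k^{s_k \cdot T_{k,i}} \quad \forall\, i \in I \tag{3}$$
$$\sum_{k \in K} s_k \leq N \tag{4}$$
$$s_k \in \{0, 1\} \quad \forall\, k \in K \tag{5}$$
$$t_i \geq 0 \quad \forall\, i \in I \tag{6}$$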
MILP Model
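$$\min \left[ \max_{p \in P} \ln(c_p) \right] \tag{7}$$
$$\text{s.t.} \quad \ln(c_p) = \max_{i \in I} \{ \ln(t_i) \mid C_{i,p} = 1 \} \quad \forall\, p \in P \tag{8}$$
$$\ln(t_i) = \ln(\gamma_i) + \sum_{k \in K} s_k \cdot T_{k,i} \cdot \ln(\sigma_k) \quad \forall\, i \in I \tag{9}$$
$$\sum_{k \in K} s_k \leq N \tag{10}$$
$$s_k \in \{0, 1\} \quad \forall\, k \in K \tag{11}$$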
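Added example, not part of the original slides: the log-transformed model (7)-(11) solved by exhaustive search on a small constructed instance, with σ taken from the qualification levels and γ computed by the square-root formula of the information-layer slides. The instance, its names, and the brute-force search (standing in for a MILP solver) are assumptions.

```python
import math
from itertools import combinations

# sigma_k per qualification level, values from the safeguard effectiveness slide
SIGMA = {"A": 0.5, "B": 0.6, "C": 0.7, "Z": 0.8, "W": 0.9}

# Constructed toy instance (not BSI data): safeguard -> (level, threats it acts on),
# i.e. the nonzero entries of matrix T
SAFEGUARDS = {
    "s1": ("A", {"t1", "t2"}),
    "s2": ("B", {"t1"}),
    "s3": ("A", {"t3"}),
    "s4": ("C", {"t2", "t3"}),
    "s5": ("W", {"t4"}),
}
# Constructed component -> threats mapping, the nonzero entries of matrix C
COMPONENTS = {"web server": {"t1", "t2"}, "database": {"t3", "t4"}}


def gamma(i):
    """gamma_i = sum_k T_ki * sqrt(sigma_k); positive here, every threat has a safeguard."""
    return sum(math.sqrt(SIGMA[lvl]) for lvl, threats in SAFEGUARDS.values() if i in threats)


def log_t(i, selected):
    """ln t_i = ln gamma_i + sum_k s_k * T_ki * ln sigma_k, constraint (9)."""
    reduction = sum(math.log(SIGMA[SAFEGUARDS[k][0]])
                    for k in selected if i in SAFEGUARDS[k][1])
    return math.log(gamma(i)) + reduction


def log_cci(selected):
    """ln c_p = max of ln t_i over the threats of component p, constraint (8)."""
    return {p: max(log_t(i, selected) for i in threats)
            for p, threats in COMPONENTS.items()}


def log_ssi(selected):
    """Objective (7): the largest log component criticality index."""
    return max(log_cci(selected).values())


def optimal_selection(n_max):
    """Exhaustive search over all selections with at most n_max safeguards, constraint (10)."""
    names = sorted(SAFEGUARDS)
    candidates = (c for r in range(n_max + 1) for c in combinations(names, r))
    best = min(candidates, key=log_ssi)
    return set(best), log_ssi(best)


if __name__ == "__main__":
    for n in range(4):
        chosen, ssi = optimal_selection(n)
        print(n, sorted(chosen), round(ssi, 4))
```

On this instance the best single safeguard (s4) is not part of the best pair (s1, s3), so adding safeguards one at a time greedily would miss the optimum for N = 2.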
Exemplary e-commerce information system
[Figure: exemplary system with labels: externally hosted; VM (x3); relational database instance; shop application; Internet; attackers; customers; editorial staff, administrative staff, warehouse staff; PC (x3)]