Shawn A. Butler

Security Attribute Evaluation Method

Degree Type: Ph.D. in Computer Science
Advisor(s): Mary Shaw
Graduated: May 2003

Abstract:

A security manager's selection of risk-mitigation controls for an information system's security architecture depends on the organization's risk-management process. Current security risk-management processes require security managers to thoroughly analyze their organization's threats, vulnerabilities, and assets before selecting cost-effective risk-mitigation controls. The most common risk-management method, Annualized Loss Expectancy (ALE), expects security managers to assess the probabilistic damage from different types of attacks, investing only in those risk-mitigation controls that cost less than the anticipated loss in asset value.

The problem with current risk-mitigation-control cost-benefit analysis methods is that they attempt to give security managers the ability to make precise security investment recommendations or decisions based on imprecise information, such as estimated probabilities or expected economic loss in asset value. This thesis proposes the Security Attribute Evaluation Method (SAEM) as an alternative to current risk-mitigation-control cost-benefit analysis methods. SAEM uses multi-attribute decision analysis techniques from the field of Decision Sciences to guide a security manager in his or her selection of risk-mitigation controls for the organization's information system security architecture. In contrast with current cost-benefit analysis methods, SAEM focuses on the relative benefit of risk-mitigation controls rather than the economic net value of the information system with and without the risk-mitigation control. In addition, SAEM integrates a new coverage-analysis model that allows security managers to evaluate how a risk-mitigation control contributes to the security architecture's defense-in-depth design, a fundamental security engineering design principle.

In this thesis, I present the results of using SAEM with the security managers of three different organizations: a large commercial company, a large government organization, and a small hospital. SAEM provided these security managers with insight into their risk priorities and, in two organizations, SAEM highlighted weaknesses in their security architectures. Overall, the security managers felt that SAEM's coverage-analysis model was very helpful in assessing how risk-mitigation controls support the organization's defense-in-depth security strategy.

Thesis Committee:
Mary Shaw (Chair)
Bill Scherlis
Jeannette Wing
Paul Fischbeck

Randy Bryant, Head, Computer Science Department
James Morris, Dean, School of Computer Science

Keywords:
Security, cost-benefit, multi-attribute, risk management, security architecture

CMU-CS-03-132.pdf (1.42 MB) (182 pages)