Model-Based Support for Information Technology Security Decision Making

dc.contributor.advisorCukier, Michelen_US
dc.contributor.advisorMosleh, Alien_US
dc.contributor.authorChrun, Danielleen_US
dc.contributor.departmentReliability Engineeringen_US
dc.contributor.publisherDigital Repository at the University of Marylanden_US
dc.contributor.publisherUniversity of Maryland (College Park, Md.)en_US
dc.date.accessioned2011-07-06T05:58:15Z
dc.date.available2011-07-06T05:58:15Z
dc.date.issued2011en_US
dc.description.abstractWith the increase in the number and diversity of attacks, a main concern for organizations is to keep their network and systems secure. Existing frameworks to manage Information Technology (IT) security include empirical evaluations, security risk assessments, cost-benefit analyses, and adversary-based evaluations. These techniques are often not easy to apply and their results are usually difficult to convey. This dissertation presents a model to help reasoning about security and to support communication between IT security experts and managers. The model identifies major components of security: threat, user, organization, asset, and emphasizes the human element. Characteristics for each component are determined and cover the attacker's motivations, the user's risk perception, the IT security team expertise, and the depth of protection of the asset. These characteristics are linked through causal influences that can represent positive or negative relationships and be leveraged to rank alternatives through a set of weights. The described formalism allows IT security officers to brainstorm about IT security issues, to evaluate the impacts of alternative solutions on characteristics of security, and ultimately on the level of security, and to communicate their findings to managers. The contributions of this dissertation are three-fold. First, we introduce an approach to develop and validate a model for IT security decision making, given known issues related to this task: difficulties in sharing security data, lack of accepted security metrics, limitation in available information and use of experts. We propose a development and validation process that relies on two sources of information: experts and data. Second, we provide the results of the model development for academic environments. The resulting model is based on extended discussions with the Director of Security at the University of Maryland (UMD), two interviewed experts, fifteen surveyed experts, and empirical data collected at UMD. Finally, we demonstrate the use of the model to justify IT security decisions and present methodological steps towards measuring various characteristics of the model.en_US
dc.identifier.urihttp://hdl.handle.net/1903/11555
dc.subject.pqcontrolledEngineeringen_US
dc.subject.pqcontrolledInformation Technologyen_US
dc.subject.pquncontrolledDecision makingen_US
dc.subject.pquncontrolledInformation technology securityen_US
dc.subject.pquncontrolledModel developmenten_US
dc.subject.pquncontrolledModel validationen_US
dc.titleModel-Based Support for Information Technology Security Decision Makingen_US
dc.typeDissertationen_US

Files

Original bundle

Now showing 1 - 1 of 1
Loading...
Thumbnail Image
Name:
Chrun_umd_0117E_12165.pdf
Size:
5.73 MB
Format:
Adobe Portable Document Format