A Robust Process Model for Calculating Security ROI
Ghazy Mahjub
DePaul University
M.S. Software Engineering
Problem Identification
• Justifying investments in
software security.
• “Quantification tools, if applied
prudently, can assist in the
anticipation, budgeting, and
control of direct and indirect
computer security costs.” [Mercuri, 15]
Problem Solution
• Provide a statistically valid return on
investment.
• Integrate security infrastructure
rather than providing layers of fully
independent security infrastructure.
• Apply statistical process control.
• Quality rather than quantity.
• INTEGRATE SECURITY SO THAT IT
DOES NOT HAMPER THE BUSINESS
PROCESS.
Difficulties in
Quantification
• Lack of statistically valid historical
data on frequency and impact of
events.
• The traditional binary (secure/insecure) view of
security should be replaced by a continuous
security model, in which multiple levels of
probability and impact are used to derive an
optimal security investment strategy.
Robust Process Model
• Parameter design.
• Identify the ideal function.
• Identify noise factors.
• Identify signal factors.
• Identify control factors for the ideal response.
P-diagram: signal factors (M) and control factors (Z) enter the product / process / system, noise factors (X) perturb it, and the output is the response (Y).
Anti-Requirement
Integration
• An anti-requirement is a requirement of a
malicious user that subverts an existing
requirement.
• They originate with the malicious user; developers
derive them either by up-front threat analysis or
by post-hoc reaction to an operational attack.
• Anti-requirement formulation allows us to
view our system through the eyes of the
malicious user to prevent the attack before
it happens.
• An anti-requirement maps to one or many
risks.
Anti-Requirement
Integration
• Just as security requirements are integrated into a
system to establish accepted functionality,
anti-requirements must be integrated to establish
unaccepted functionality.
• Role Based Access Control defines
requirements for users, and yet
these roles are often insufficient.
• Anti-requirement theory says roles must be defined
in terms of security requirements as well as
functional requirements.
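Added example, not from the slides: one functional RBAC requirement (an approver may approve expense reports) together with two anti-requirements that subvert it (an approver approving their own report; an approver exceeding their authority). The anti-requirements are written as predicates that recognise the abuse, enforced as deny rules that take precedence over the role grant, mapped to illustrative risk IDs, and exercised as negative test cases beside the positive one. All names, amounts and risk IDs are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed expense-approval scenario. Names, the 5000 limit and the
# RISK-nn identifiers are illustrative assumptions, not taken from the slides.

@dataclass(frozen=True)
class Request:
    subject: str      # who is acting
    roles: frozenset  # roles granted to the subject
    action: str       # e.g. "approve", "submit"
    owner: str        # who owns the expense report acted on
    amount: float     # value of the expense report

# Functional requirement R1: a user holding the "approver" role may approve
# expense reports. On its own this is the RBAC grant the slides call insufficient.
def r1_approver_may_approve(req: Request) -> bool:
    return req.action == "approve" and "approver" in req.roles

# Anti-requirements: what a malicious user wants, stated as requirements that
# subvert R1. Each is a predicate recognising the abuse plus the risks it maps to.
ANTI_REQUIREMENTS = {
    "AR1 approve my own report": (
        lambda req: req.action == "approve" and req.subject == req.owner,
        ["RISK-01 fraud via self-approval", "RISK-02 audit finding"],
    ),
    "AR2 approve above my authority": (
        lambda req: req.action == "approve"
        and "senior-approver" not in req.roles
        and req.amount > 5000,
        ["RISK-03 large-loss fraud"],
    ),
}

def decide(req: Request) -> tuple:
    """Return (decision, reason). An anti-requirement match denies even when
    the role grant of R1 is satisfied."""
    if not r1_approver_may_approve(req):
        return ("deny", "R1 not satisfied")
    for name, (matches, _risks) in ANTI_REQUIREMENTS.items():
        if matches(req):
            return ("deny", name)
    return ("allow", "R1")

def risks_for(name: str) -> list:
    """Risks an anti-requirement maps to; used when prioritising controls."""
    return ANTI_REQUIREMENTS[name][1]

# Abuse cases: each anti-requirement becomes a negative test beside the
# positive test of R1. Inputs are constructed.
APPROVER = frozenset({"approver"})
SENIOR = frozenset({"approver", "senior-approver"})
CASES = [
    ("legitimate approval", Request("bob", APPROVER, "approve", "alice", 800.0), "allow"),
    ("self approval",       Request("alice", APPROVER, "approve", "alice", 800.0), "deny"),
    ("over limit",          Request("bob", APPROVER, "approve", "alice", 9000.0), "deny"),
    ("senior over limit",   Request("carol", SENIOR, "approve", "alice", 9000.0), "allow"),
    ("no role",             Request("eve", frozenset(), "approve", "alice", 100.0), "deny"),
]

def run_cases() -> dict:
    """Map each case name to whether decide() produced the expected outcome."""
    return {name: decide(req)[0] == expected for name, req, expected in CASES}

if __name__ == "__main__":
    for name, req, expected in CASES:
        print(f"{name:20s} -> {decide(req)}  (expected {expected})")
```

The deny rules are the "unaccepted functionality" the slide asks for: the role grant alone would have allowed both abuse cases, and the risk list attached to each anti-requirement is what feeds the risk assessment that follows.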
Risk Assessment
• Risk = Probability x Impact
• Risk is a pair made up of a likelihood
factor and an impact factor.
• Impact can be calculated fairly
easily by assigning monetary values
to assets in terms of the business
value the asset has.
• Calculating probability is much more
difficult!
Security ROI Calculator
Flow diagram: risk assessment produces the risk X, which enters the robust design method as the noise factors; the robust design method applies the control factors Z and outputs the controlled, risk-adjusted Xr; the cost-benefit analysis process turns Xr into the response Y.
Orthogonal Arrays
• Experimentation tool.
• Depending on the number of factors to test,
OAs let us avoid exhaustive testing, i.e.
running every combination of factors.
• The combination space grows exponentially,
e.g. threat x vulnerability x safeguard.
• In addition, OAs allow us to estimate
interaction effects between factors.
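Added example, not from the slides: the Taguchi L4(2^3) and L8(2^7) orthogonal arrays generated from their basis columns, a check that every column pair is balanced (which is what keeps effect estimates unconfounded), and the column-effect calculation run over the slide's own factors, threat x vulnerability x safeguard. The response model, a constructed annual loss expectancy in k$, is an assumption for illustration. It is built so that the safeguard's value depends on whether the vulnerability is present, so the example also shows the caveat that a smaller array (L4, four runs instead of eight) aliases the safeguard's main effect with the threat x vulnerability interaction.

```python
from itertools import product

# Levels are coded 0/1. Constructed example; the response model below is an
# illustrative assumption, not data from the slides.

def oa_l4():
    """L4(2^3): 4 runs, three two-level columns; column 3 = column 1 x column 2."""
    return [[a, b, a ^ b] for a, b in product((0, 1), repeat=2)]

def oa_l8():
    """L8(2^7): 8 runs. Basis columns 1, 2, 4; the standard assignment makes
    column 3 = 1x2, 5 = 1x4, 6 = 2x4 and 7 = 1x2x4 (XOR of the 0/1 levels)."""
    return [[a, b, a ^ b, c, a ^ c, b ^ c, a ^ b ^ c]
            for a, b, c in product((0, 1), repeat=3)]

def is_orthogonal(oa) -> bool:
    """True when every column is balanced and every pair of columns shows each
    of the four level combinations equally often."""
    ncol = len(oa[0])
    for i in range(ncol):
        if sum(r[i] for r in oa) * 2 != len(oa):
            return False
        for j in range(i + 1, ncol):
            counts = {}
            for r in oa:
                counts[(r[i], r[j])] = counts.get((r[i], r[j]), 0) + 1
            if sorted(counts) != [(0, 0), (0, 1), (1, 0), (1, 1)]:
                return False
            if len(set(counts.values())) != 1:
                return False
    return True

def residual_ale(threat: int, vuln: int, safeguard: int) -> float:
    """Constructed response: annual loss expectancy in k$ for threat level A,
    vulnerability present B and safeguard deployed C. The safeguard costs 5 and
    removes 80 % of the loss the vulnerability contributes, so its benefit
    depends on B: a B x C interaction."""
    base = 10 + 20 * threat
    vuln_loss = 30 * vuln + 40 * threat * vuln
    if safeguard:
        return base + 0.2 * vuln_loss + 5
    return base + vuln_loss

def column_effects(oa, response):
    """Effect of each column: mean response at level 1 minus mean at level 0."""
    effects = []
    for col in range(len(oa[0])):
        hi = [y for r, y in zip(oa, response) if r[col] == 1]
        lo = [y for r, y in zip(oa, response) if r[col] == 0]
        effects.append(sum(hi) / len(hi) - sum(lo) / len(lo))
    return effects

def analyse_l8() -> dict:
    """A, B, C in columns 1, 2, 4; the other columns estimate interactions."""
    oa = oa_l8()
    y = [residual_ale(r[0], r[1], r[3]) for r in oa]
    e = column_effects(oa, y)
    return {"A": e[0], "B": e[1], "AxB": e[2], "C": e[3],
            "AxC": e[4], "BxC": e[5], "AxBxC": e[6]}

def analyse_l4() -> dict:
    """Half the runs, but C sits in column 3 = A x B, so its estimate is
    the sum of the true C effect and the AxB interaction."""
    oa = oa_l4()
    y = [residual_ale(r[0], r[1], r[2]) for r in oa]
    e = column_effects(oa, y)
    return {"A": e[0], "B": e[1], "C": e[2]}

if __name__ == "__main__":
    print("L8 orthogonal:", is_orthogonal(oa_l8()), analyse_l8())
    print("L4 orthogonal:", is_orthogonal(oa_l4()), analyse_l4())
```

For three two-level factors the L8 with its interaction columns is the full factorial; the saving the slide describes appears when the seven columns are spent on up to seven factors' main effects (8 runs instead of 128), at the price of aliasing shown by the L4 run, where the safeguard's effect reads -27 instead of the unconfounded -15.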
Decision Analysis
• Using the variable domains and the rules of
decision theory, a decision function can be
formulated for each decision variable.
• Since decisions incorporate uncertainty, a
decision is a function rather than a binary
value.
• Minimize the confidence interval.
• Effectiveness of Probability Reduction
• Effectiveness of Impact Reduction
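Added example, not from the slides, tying together the continuous model of risk, the Risk = Probability x Impact definition, and the decision function: probability and impact are sampled from distributions rather than fixed, a safeguard is described by how much it reduces probability and how much it reduces impact (the two effectiveness variables above), and the return on security investment comes out as a distribution with a 90 % confidence interval. The decision function then prefers the option with the best worst case, which penalises a wide interval. The Beta and log-normal parameters, costs and effectiveness values are constructed assumptions, not data from the slides.

```python
import math
import random
from statistics import mean

# Constructed parameters: Beta(2, 8) gives a mean annual event probability of
# 0.2; the log-normal impact has median 200,000 with sigma 0.5. Assumptions.

def rosi(ale_before: float, ale_after: float, cost: float) -> float:
    """Return on security investment for one scenario:
    (reduction in annual loss expectancy - safeguard cost) / safeguard cost."""
    return (ale_before - ale_after - cost) / cost

def simulate_rosi(eff_p: float, eff_i: float, cost: float,
                  n: int = 10_000, seed: int = 1) -> dict:
    """Monte Carlo ROSI. eff_p is the fraction by which the safeguard reduces
    the event probability, eff_i the fraction by which it reduces the impact.
    Returns the mean, the 5th..95th percentile interval and P(ROSI > 0)."""
    rng = random.Random(seed)            # seeded so runs are reproducible
    samples = []
    for _ in range(n):
        p = rng.betavariate(2, 8)
        impact = rng.lognormvariate(math.log(200_000), 0.5)
        ale_before = p * impact                               # Risk = P x I
        ale_after = p * (1 - eff_p) * impact * (1 - eff_i)    # controlled risk
        samples.append(rosi(ale_before, ale_after, cost))
    samples.sort()
    lo, hi = samples[int(0.05 * n)], samples[int(0.95 * n) - 1]
    return {"mean": mean(samples), "ci90": (lo, hi),
            "p_positive": sum(s > 0 for s in samples) / n}

def choose(options: dict) -> str:
    """Decision function over simulated options: pick the one whose
    5th-percentile ROSI is highest, i.e. the best worst case."""
    return max(options, key=lambda k: options[k]["ci90"][0])

def compare_safeguards() -> dict:
    """Three constructed options at the same cost: one that mostly lowers
    probability, one that mostly lowers impact, and one that does both."""
    return {
        "faster patching": simulate_rosi(eff_p=0.6, eff_i=0.0, cost=30_000),
        "tested backups": simulate_rosi(eff_p=0.0, eff_i=0.7, cost=30_000),
        "both": simulate_rosi(eff_p=0.6, eff_i=0.7, cost=60_000),
    }

if __name__ == "__main__":
    opts = compare_safeguards()
    for name, r in opts.items():
        lo, hi = r["ci90"]
        print(f"{name:16s} mean {r['mean']:6.2f}  90% CI [{lo:6.2f}, {hi:6.2f}]"
              f"  P(ROSI>0) {r['p_positive']:.2f}")
    print("choose:", choose(opts))
```

A safeguard with zero effectiveness on both variables yields ROSI = -1 in every sample (the whole cost is lost), which is a useful sanity check; a wide interval on an option with a good mean is exactly the case where "minimize the confidence interval" changes the decision.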
Future Work
• Test, Test, Test.
• Data, Data, Data.
• Develop code to run the
calculations automatically.