MOSES 3

Most organizations today have become critically dependent on information systems to perform their mission. At the same time, the frequency and sophistication of threats to these systems is growing dramatically as attackers are becoming more goal-driven and criminally inclined. This development leads to an unprecedented potential for information security incidents to negatively impact businesses` reputation, profitability, and customer confidence and to threaten their very existence. It is therefore not surprising that information security has become a major concern among enterprises. However, given the complex nature of information security problems and the vast and diverse array of available means that aim to improve it (e.g. virus scanners, firewalls, encryption, intrusion detection, two-factor authentication, access control systems, security policies, security awareness training etc.), decision makers struggle to identify the best ways to counteract the threats they face and consequently tend to base investment decisions primarily on immediate local needs. This reactive ad-hoc approach to information security typically leads to an inefficient allocation of scarce resources. The proposed project tackles the highly relevant and theoretically challenging problem of strategically selecting an appropriate portfolio (i.e. bundle) of information security safeguards. To this end, we intend to conceptualize and develop a quantitative method that supports decision makers in striking a balance between monetary and non- monetary risk, cost, and benefit criteria. The proposed method is based on a framework that comprises ontological modeling of security knowledge, dynamic attack tree generation techniques, stochastic attack simulation, meta- heuristic identification of efficient portfolios, and interactive decision support. Our approach rests upon a holistic evaluation and optimization of the total effectiveness of all implemented safeguards rather than on an assessment of individual information security investment opportunities (an approach that neglects synergies and complex interactions). Moreover, our approach explicitly takes into account characteristics of the organization, its information infrastructure and information assets and the threat sources it faces by modeling human attackers as rational, goal-oriented agents. We rely on heavyweight ontologies to represent rich security knowledge and harness that knowledge through automated reasoning which enables novel techniques to infer possible routes of attacks and generate individual attack trees based on attackers` motivation, objectives, capabilities, and available entry points. The results of the project should facilitate better information security investment decision-making through multi- criteria decision support. To achieve this objective, we follow an interdisciplinary research approach that draws on a variety of disciplines including Management, Operations Research, Computer Science, and Information Security. The project will yield a prototypical implementation of the method to enable an evaluation of the proposed approach by means of a case study.

Many organizations today struggle to secure their information technology infrastructures and ensure adequate protection of critical data. To this end, decision-makers have a wide array of measures at their disposal, including virus scanners, firewalls, access control, intrusion detection systems, encryption etc. However, deciding which measures to take and where in a complex information system to deploy them, is difficult. Available resources are typically limited and "perfect" security is generally not attainable. It is therefore necessary to strike a balance between cost and adequate protection with respect to the threats that an organization faces.The Moses3 project developed a new approach to optimize the security of IT infrastructures through the identification of efficient combinations of security measures. To this end, it developed methods for the formal modeling and simulation of attacks in order to assess the potential impact that various adversaries may cause. A software prototype developed in the course of the project can test a large number of possible configurations and "breed" efficient designs by means of a genetic algorithm. Decision-makers can then interactively explore the results and trade off high-level objectives such as the cost of security measures and the estimated potential impact on the confidentiality, integrity and availability of information assets. Rather than confronting them with the underlying technical aspects of security measures and the intricacies of how they act in concert, this approach casts the problem in terms that non-expert decision-makers can relate to. On the other hand, the developed method also allows sophisticated users to conduct detailed analyses of simulated attacks in order to identify structural weaknesses and derive general insights about the security of an information system. Thereby, the developed approach helps to bridge the gap between technical and managerial perspectives and contributes towards a better understanding of relevant threats, critical assets that need to be protected, and potential routes of attack. The developed method was validated through extensive interviews with experts from multiple security domains. Research in the project thereby laid the foundation for subsequent development in an applied context.