Risk management for cyber-infrastructure protection: A bi-objective integer programming approach

•Information and communication technology supply chains present risks that are complex and difficult to manage.•We present new optimization models to support supply chain risk management.•Optimization models with two risk reduction objectives select a portfolio of security controls subject to a budg...

Celý popis

Uložené v:
Podrobná bibliografia
Vydané v:Reliability engineering & system safety Ročník 205; s. 107093
Hlavní autori: Schmidt, Adam, Albert, Laura A., Zheng, Kaiyue
Médium: Journal Article
Jazyk:English
Vydavateľské údaje: Barking Elsevier Ltd 01.01.2021
Elsevier BV
Predmet:
Bi-objective optimization
Budgets
Computer applications
Cyber-security
Information and communication technology security
Integer programming
Optimization
Reliability engineering
Risk levels
Risk management
Risk reduction
Risk threshold
Security
Stochastic models
Supply chain security
Supply chains
Cyber-security
Supply chain security
Bi-objective optimization
Risk management
Information and communication technology security
Risk threshold
ISSN:0951-8320, 1879-0836
On-line prístup:Získať plný text
Tagy: Pridať tag
Žiadne tagy, Buďte prvý, kto otaguje tento záznam!
Popis
Shrnutí:•Information and communication technology supply chains present risks that are complex and difficult to manage.•We present new optimization models to support supply chain risk management.•Optimization models with two risk reduction objectives select a portfolio of security controls subject to a budget constraint.•The stochastic model informs security investment decisions under uncertainty.•The computational results highlight how to construct a portfolio of security controls that is effective across multiple criteria. Information and communication technology supply chains present risks that are complex and difficult for organizations to manage. The cost and benefit of proposed security controls must be assessed to best match an organizational risk tolerance and direct the use of security resources. In this paper, we present integer and stochastic optimization models for selecting a portfolio of security controls within an organizational budget. We consider two objectives: to maximize the risk reduction across all potential attacks and to maximize the number of attacks whose risk levels are lower than a risk threshold after security controls are applied. Deterministic and stochastic bi-objective budgeted difficulty-threshold control selection problems are formulated for selecting mitigating controls to reflect an organization’s risk preference. In the stochastic problem, we consider uncertainty as to whether the selected controls can reduce the risks associated with attacks. We demonstrate through a computational study that the trade-off between the two objectives is important to consider for certain risk preferences and budgets. We demonstrate the value of the stochastic model when a relatively high number of attacks are desired to be secured past a risk threshold and show the deterministic solution provides near optimal solutions otherwise. We provide an analysis of model solutions.
Bibliografia:ObjectType-Article-1
SourceType-Scholarly Journals-1
ObjectType-Feature-2
content type line 14
ISSN:0951-8320
1879-0836
DOI:10.1016/j.ress.2020.107093