Los puntos clave no están disponibles para este artículo en este momento.
When investing in cyber security resources, information security managers have to follow effective decisionmaking. We refer to this as the cyber security investment challenge. In this paper, we consider possible decision support methodologies for security managers to tackle this challenge. We consider based on game theory, combinatorial optimisation, and a hybrid of the two. Our modelling starts building a framework where we can investigate the effectiveness of a cyber security control regarding protection of different assets seen as targets in presence of commodity threats. As game theory captures interaction between the endogenous organisation’s and attackers’ decisions, we consider a 2-person game between the security manager who has to choose among different implementation levels of a security control, and a commodity attacker who chooses among different targets to attack. The pure theoretical methodology consists of a large game including all controls and all threats. In the hybrid the game solutions of individual control-games along with their direct costs (e. g. financial) are with a Knapsack algorithm to derive an optimal investment strategy. The combinatorial optimisation consists of a multi-objective multiple choice Knapsack based strategy. To compare these we built a decision support tool and a case study regarding current government guidelines. The of this work is to highlight the weaknesses and strengths of different investment methodologies cyber security, the benefit of their interaction, and the impact that indirect costs have on cyber security. Going a step further in validating our work, we have shown that our decision support tool provides same advice with the one advocated by the UK government with regard to the requirements for technical protection from cyber attacks in SMEs.
Fielder et al. (Sat,) studied this question.