Decision Support for Cybersecurity Risk Assessment
Breaux, Travis D.
The U.S. DoD transition to a multi-tier risk management framework aims to streamline information assurance assessments by promoting alignment with NIST information assurance control sets. While these control sets are broadly applicable and comprehensive, those responsible for accreditation will continue to struggle with assessing security risk in dynamically reconfigurable systems. Security analysts rely largely on background knowledge and experience to make security-related decisions. With increasingly dynamic software, analysts need to resolve dependencies among components and understand how those dependencies affect security requirements. Analysts need new decision-support tools based on models that predict how analysts reason about security in distributed systems. We present an approach that formalizes security experts' assessments of security requirements nested in scenarios into threat mitigation rules. The assessments are collected empirically using factorial vignettes. The vignette results are statistically analyzed to yield membership functions for a type-2 fuzzy logic system. The corresponding type-2 fuzzy sets encode the interpersonal and intrapersonal uncertainties among security analysts in their decision-making. This work establishes an early foundation for a digital cyber-security decision-support service in which an IT professional with any level of security background can benefit from efficiently receiving security assessments and recommendations.
Rights: This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.
NPS Report Number: SYM-AM-17-064
Related items:
Hibshi, Hanan; Breaux, Travis D. (Monterey, California. Naval Postgraduate School, 2017-03); SYM-AM-17-118. The U.S. DoD transition to a multi-tier risk management framework aims to streamline information assurance assessments by promoting alignment with NIST information assurance control sets. While these control sets are ...
Hayden, Casey P. (Monterey, California. Naval Postgraduate School, 2009-03). Characterizing U.S.-Russian relations as a new Cold War is nostalgic for many, but it does not accurately describe Russian motivation behind its current behavior. Abraham Maslow, a prominent behavioral psychologist, ...
E pluribus analysis: applying a "superforecasting" methodology to the detection of homegrown violence. Huse, James G. (Monterey, California: Naval Postgraduate School, 2018-03). This thesis examines investigative decision making, cognitive biases, talent sharing, and the relationship between the random nature of lone-actor violence and a set of predefined decision-making protocols. This research ...