Show simple item record

dc.contributor.authorHibshi, Hanan
dc.contributor.authorBreaux, Travis D.
dc.date2017-03
dc.date.accessioned2018-06-13T17:11:00Z
dc.date.available2018-06-13T17:11:00Z
dc.date.issued2017-03
dc.identifier.urihttp://hdl.handle.net/10945/58940
dc.description.abstractThe U.S. DoD transition to a multi-tier, risk management framework aims to streamline information assurance assessments by promoting alignment with NIST information assurance control sets. While these control sets are broadly applicable and comprehensive, those responsible for accreditation will continue to struggle with assessing security risk in dynamically reconfigurable systems. Security analysts rely largely on background knowledge and experience to make security-related decisions. With increasingly dynamic software, analysts need to resolve dependencies among components and understand how those dependencies affect security requirements. Analysts need new decision-support tools based on models that predict how analysts reason about security in distributed systems. We present an approach that formalizes security expert assessments of security requirements nested in scenarios into threat mitigation rules. The assessments are collected empirically using factorial vignettes. The vignette results are statistically analyzed to yield membership functions for a type-2 fuzzy logic system. The corresponding type-2 fuzzy sets encode the interpersonal and intrapersonal uncertainties among security analysts in their decision-making. This work establishes an early foundation for a digital cyber-security decision-support service where an IT professional with any level of security background can benefit from efficiently receiving security assessments and recommendations.en_US
dc.description.sponsorshipNaval Postgraduate School Acquisition Research Programen_US
dc.publisherMonterey, California. Naval Postgraduate Schoolen_US
dc.rightsThis publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.en_US
dc.titleDecision Support for Cybersecurity Risk Assessmenten_US
dc.typeReporten_US
dc.identifier.npsreportSYM-AM-17-064


Files in this item

Thumbnail

This item appears in the following Collection(s)

Show simple item record