DOI: 10.1145/3290688.3290694

Decision Model for the Security and Utility Risk Evaluation (SURE) Framework

Published: 29 January 2019

Abstract

The Security and Utility Risk Evaluation (SURE) framework specifies and calculates risk so that a generic computer-based system can make dynamic, autonomous decisions about cyber security and utility risk during its operation. The framework's decision model selects between multiple alternative mitigation strategies in order to optimise security and utility risk while the system is running. This paper presents the decision model of the SURE framework and an example illustrating how it operates in a mobile networking scenario. The example shows that the SURE decision model fits the context of the requested action, the security and utility requirements and the selected mitigation strategy better than existing security decision models do, giving greater flexibility to both policy makers and users.
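The abstract describes a selector that weighs each candidate mitigation against both the security risk and the utility risk of a requested action in its current context. The following is an added illustration of that style of decision, not the SURE decision model itself (the paper's model is not reproduced on this page) and not code from the paper's authors. Every attribute (data sensitivity, network trust), risk function, strategy, weight and threshold below is constructed for the example; the mobile scenario is a device on a corporate or public Wi-Fi network requesting download of a sensitive document.

```python
"""Added example: a generic risk-aware mitigation selector.

Not the SURE decision model. Each alternative strategy is scored on security
risk and utility risk for the current context, strategies that violate the
stated requirements are discarded, and the feasible one with the lowest
weighted combined risk is chosen. All names and numbers are constructed.
"""
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class Strategy:
    name: str
    residual_factor: float  # share of baseline security risk left after mitigation (assumed)
    utility_risk: float     # operational value lost by applying it, 0..1 (assumed)


@dataclass(frozen=True)
class Context:
    data_sensitivity: float  # 0..1 (assumed attribute)
    network_trust: float     # 0..1, 1.0 = fully trusted network (assumed attribute)


@dataclass(frozen=True)
class Requirements:
    max_security_risk: float
    max_utility_risk: float
    security_weight: float = 0.5  # 1.0 = only security matters, 0.0 = only utility


@dataclass(frozen=True)
class Decision:
    strategy: str
    security_risk: float
    utility_risk: float
    combined_risk: float
    fail_closed: bool  # True when no strategy satisfied the requirements


def baseline_security_risk(ctx: Context) -> float:
    """Constructed risk function: grows with data sensitivity and with distrust of the network."""
    return ctx.data_sensitivity * (0.2 + 0.8 * (1.0 - ctx.network_trust))


def score(strategy: Strategy, ctx: Context, req: Requirements) -> Decision:
    """Security risk after mitigation, utility risk of the mitigation, and their weighted sum."""
    sec = baseline_security_risk(ctx) * strategy.residual_factor
    util = strategy.utility_risk
    combined = req.security_weight * sec + (1.0 - req.security_weight) * util
    return Decision(strategy.name, sec, util, combined, fail_closed=False)


def select(strategies: Sequence[Strategy], ctx: Context, req: Requirements) -> Decision:
    """Pick the feasible strategy with the lowest combined risk; fail closed if none is feasible."""
    scored = [score(s, ctx, req) for s in strategies]
    feasible = [d for d in scored
                if d.security_risk <= req.max_security_risk
                and d.utility_risk <= req.max_utility_risk]
    if feasible:
        return min(feasible, key=lambda d: d.combined_risk)
    # Design choice for this example: when no strategy meets both limits, take the
    # alternative with the least security risk and flag the decision for the policy maker.
    safest = min(scored, key=lambda d: d.security_risk)
    return Decision(safest.strategy, safest.security_risk, safest.utility_risk,
                    safest.combined_risk, fail_closed=True)


# Constructed mobile scenario: a device requests download of a sensitive document.
STRATEGIES = (
    Strategy("allow", residual_factor=1.0, utility_risk=0.0),
    Strategy("allow_via_vpn", residual_factor=0.3, utility_risk=0.2),
    Strategy("view_only_no_download", residual_factor=0.4, utility_risk=0.4),
    Strategy("deny", residual_factor=0.0, utility_risk=1.0),
)
CORPORATE_WIFI = Context(data_sensitivity=0.8, network_trust=0.9)
PUBLIC_WIFI = Context(data_sensitivity=0.8, network_trust=0.2)
BALANCED = Requirements(max_security_risk=0.3, max_utility_risk=0.6)
SECURITY_FIRST = Requirements(max_security_risk=0.3, max_utility_risk=1.0, security_weight=0.9)
STRICT = Requirements(max_security_risk=0.1, max_utility_risk=0.6)

if __name__ == "__main__":
    for label, ctx, req in (("corporate/balanced", CORPORATE_WIFI, BALANCED),
                            ("public/balanced", PUBLIC_WIFI, BALANCED),
                            ("public/security-first", PUBLIC_WIFI, SECURITY_FIRST),
                            ("public/strict", PUBLIC_WIFI, STRICT)):
        d = select(STRATEGIES, ctx, req)
        print(f"{label:22} -> {d.strategy:22} sec={d.security_risk:.3f} "
              f"util={d.utility_risk:.2f} fail_closed={d.fail_closed}")
```

With these constructed numbers the same request is allowed outright on the corporate network, routed through a VPN on public Wi-Fi under balanced requirements, and denied on public Wi-Fi once the policy maker weights security at 0.9; when the strict profile rules out every strategy, the selector falls back to the lowest-security-risk option and marks the decision as fail-closed so the conflict between requirements is visible rather than silently resolved.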



Published In

ACSW '19: Proceedings of the Australasian Computer Science Week Multiconference
January 2019
486 pages
ISBN:9781450366038
DOI:10.1145/3290688
Publication rights licensed to ACM. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of a national government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

In-Cooperation

  • CORE - Computing Research and Education
  • Macquarie University-Sydney

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Cyber security
  2. mitigation strategy
  3. operational requirement
  4. risk
  5. trade off
  6. utility

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ACSW 2019
ACSW 2019: Australasian Computer Science Week 2019
January 29 - 31, 2019
NSW, Sydney, Australia

Acceptance Rates

ACSW '19 paper acceptance rate: 61 of 141 submissions (43%)
