Computer Science Department
School of Computer Science, Carnegie Mellon University
Security Attribute Evaluation Method
Shawn A. Butler
The problem with current risk-mitigation-control cost-benefit analysis methods is that they attempt to give security managers the ability to make precise security investment recommendations or decisions based on imprecise information, such as estimated probabilities or expected economic loss in asset value. This thesis proposes the Security Attribute Evaluation Method (SAEM) as an alternative to current risk-mitigation-control cost-benefit analysis methods. SAEM uses multi-attribute decision analysis techniques from the field of Decision Sciences to guide a security manager in his or her selection of risk-mitigation controls for the organization s information system security architecture. In contrast with current cost-benefit analysis methods, SAEM focuses on the relative benefit of risk-mitigation controls rather than the economic net value of the information system with and without the risk-mitigation control. In addition, SAEM integrates a new coverage-analysis model that allows security mangers to evaluate how a risk-mitigation control contributes to the security architecture's defense-in-depth design, a fundamental security engineering design principle.
In this thesis, I present the results of using SAEM with the security managers of three different organizations a large commercial company, a large government organization, and a small hospital. SAEM provided these security managers with insight into their risk priorities and, in two organizations, SAEM highlighted weaknesses in their security architectures. Overall, the security managers felt that SAEM s coverage-analysis model was very helpful in assessing how risk-mitigation controls support the organization's defense-in-depth security strategy.