CMU-CS-03-132
Computer Science Department
School of Computer Science, Carnegie Mellon University




Security Attribute Evaluation Method

Shawn A. Butler

May 2003

Ph.D. Thesis

CMU-CS-03-132.ps
CMU-CS-03-132.pdf (Color images)


Keywords: Security, cost-benefit, multi-attribute, risk management, security architecture


A security manager's selection of risk-mitigation controls for an information system's security architecture depends on the organization's risk-management process. Current security risk-management processes require security managers to thoroughly analyze their organization's threats, vulnerabilities, and assets before selecting cost-effective risk-mitigation controls. The most common risk-management method, Annualized Loss Expectancy (ALE), expects security managers to assess the probabilistic damage from different types of attacks, investing only in those risk-mitigation controls that cost less than the anticipated loss in asset value.

The problem with current risk-mitigation-control cost-benefit analysis methods is that they attempt to give security managers the ability to make precise security investment recommendations or decisions based on imprecise information, such as estimated probabilities or expected economic loss in asset value. This thesis proposes the Security Attribute Evaluation Method (SAEM) as an alternative to current risk-mitigation-control cost-benefit analysis methods. SAEM uses multi-attribute decision analysis techniques from the field of Decision Sciences to guide a security manager in his or her selection of risk-mitigation controls for the organization's information system security architecture. In contrast with current cost-benefit analysis methods, SAEM focuses on the relative benefit of risk-mitigation controls rather than the economic net value of the information system with and without the risk-mitigation control. In addition, SAEM integrates a new coverage-analysis model that allows security managers to evaluate how a risk-mitigation control contributes to the security architecture's defense-in-depth design, a fundamental security engineering design principle.

In this thesis, I present the results of using SAEM with the security managers of three different organizations: a large commercial company, a large government organization, and a small hospital. SAEM provided these security managers with insight into their risk priorities and, in two organizations, SAEM highlighted weaknesses in their security architectures. Overall, the security managers felt that SAEM's coverage-analysis model was very helpful in assessing how risk-mitigation controls support the organization's defense-in-depth security strategy.

182 pages

