Abstract
Identifying security risks and determining their severity, so that appropriate security countermeasures can be selected, is of great importance to organizations. In the last two decades, a lot of work has been done to increase the accuracy of risk impact calculation and to improve the selection of countermeasures. A variety of work has also proposed selecting combined countermeasures instead of single ones. So there is a challenge in balancing the cost of security against the improvement of the defense system. In this paper, a dataset that includes the organization’s business processes, security data, assets, vulnerabilities, and related security countermeasures is suggested for the first time. Previous work has not considered this chain of information, which is drawn from the content of the organization and necessarily differs from one organization to another, when analyzing the performance of countermeasures (success or failure). Based on the results of the countermeasures during the organization’s lifetime, more efficient countermeasures can be suggested for new or existing risks. Therefore, by intelligently selecting security countermeasures as presented in this paper, organizations will be able to identify ineffective countermeasures and prevent them from being re-selected to counter attackers. In this way, an organization can become more resilient to attackers over time.
Notes
Common Vulnerability Scoring System (CVSS).
Open Web Application Security Project.
Cite this article
Tamjidi, S., Shameli-Sendi, A. Intelligence in security countermeasures selection. J Comput Virol Hack Tech 19, 137–148 (2023). https://doi.org/10.1007/s11416-022-00439-w
DOI: https://doi.org/10.1007/s11416-022-00439-w