
RORI-based countermeasure selection using the OrBAC formalism

  • regular contribution

International Journal of Information Security

Abstract

Attacks against information systems have grown in sophistication and complexity, making detection and reaction a challenging task for security administrators. In reaction to these attacks, defining security policies is an effective way to protect information systems from further damage, but it requires great expertise and knowledge. While stronger security policies can constitute powerful countermeasures, inappropriate policies may have disastrous consequences for the organization. Implementing stronger security policies in many cases requires the evaluation and analysis of multiple countermeasures. Current research promotes the deployment of multiple countermeasures as a strategy to react to complex attacks; however, the methodology is either hardly explained or very complicated to implement. This paper introduces a well-structured approach to evaluate and select optimal countermeasures based on the return on response investment (RORI) index. An implementation of a real case study is provided at the end of the document to show the applicability of the model on a mobile money transfer service. The service, security policies and countermeasures are expressed using the OrBAC formalism.
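To make the selection step concrete, here is an added worked example (not code from the paper or from the MASSIF project) that ranks candidate countermeasures by RORI. The page reproduces neither the RORI formula nor the case-study figures; the example uses the definition from the authors' earlier work on individual countermeasure selection (Gonzalez Granadillo et al. 2012, reference 40), RORI = ((ALE * RM) - ARC) / (ARC + AIV) * 100, and goes one step beyond that paper by also scoring combinations of countermeasures. The candidate names, the cost and mitigation figures, and the rule used to combine several countermeasures (independent mitigations, additive costs) are assumptions made for this example, not values or rules taken from the case study.

```python
"""Worked example of RORI-based countermeasure ranking.

Added example, not code from the paper or the MASSIF project.
The RORI index follows the authors' earlier work, reference [40]:

    RORI = ((ALE * RM) - ARC) / (ARC + AIV) * 100

    ALE  annual loss expectancy of the attack with no response
    RM   risk mitigation of the countermeasure, a fraction in [0, 1]
    ARC  annual response cost of the countermeasure
    AIV  annual infrastructure value of the protected system

The candidate countermeasures, their figures and the rule for combining
several countermeasures are constructed for this example (assumptions),
not values from the mobile money transfer case study.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Iterable, Sequence


@dataclass(frozen=True)
class Countermeasure:
    name: str
    rm: float   # risk mitigation: fraction of the ALE removed
    arc: float  # annual response cost

    def __post_init__(self) -> None:
        if not 0.0 <= self.rm <= 1.0:
            raise ValueError(f"{self.name}: RM must lie in [0, 1]")
        if self.arc < 0:
            raise ValueError(f"{self.name}: ARC cannot be negative")


def rori(ale: float, rm: float, arc: float, aiv: float) -> float:
    """RORI index in percent. AIV in the denominator keeps the 'no response'
    option (RM = 0, ARC = 0) well defined instead of dividing by zero."""
    if arc + aiv <= 0:
        raise ValueError("ARC + AIV must be positive")
    return (ale * rm - arc) / (arc + aiv) * 100.0


def combine(cms: Sequence[Countermeasure]) -> Countermeasure:
    """Assumed combination rule (not from the paper): mitigations act
    independently, so residual risk multiplies, and response costs add."""
    residual = 1.0
    for cm in cms:
        residual *= 1.0 - cm.rm
    return Countermeasure(
        name="+".join(cm.name for cm in cms) or "no-response",
        rm=1.0 - residual,
        arc=sum(cm.arc for cm in cms),
    )


def rank(ale: float, aiv: float, candidates: Iterable[Countermeasure],
         max_size: int = 2) -> list[tuple[str, float]]:
    """Score every subset of up to max_size countermeasures, including the
    empty set (no response), and return (name, RORI) sorted best first."""
    cands = list(candidates)
    options = [combine(subset)
               for k in range(0, max_size + 1)
               for subset in combinations(cands, k)]
    scored = [(opt.name, rori(ale, opt.rm, opt.arc, aiv)) for opt in options]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed figures for a mobile money transfer service (assumptions).
ALE = 500_000.0    # expected annual loss from the attack if nothing is done
AIV = 2_000_000.0  # annual value of the infrastructure under protection
CANDIDATES = [
    Countermeasure("block-sender-msisdn", rm=0.40, arc=20_000.0),
    Countermeasure("otp-on-transfer", rm=0.70, arc=150_000.0),
    Countermeasure("rate-limit-transfers", rm=0.30, arc=10_000.0),
]


def best(ale: float = ALE, aiv: float = AIV,
         candidates: Sequence[Countermeasure] = CANDIDATES) -> tuple[str, float]:
    """Return the (name, RORI) of the highest-scoring option."""
    return rank(ale, aiv, candidates)[0]


if __name__ == "__main__":
    for name, score in rank(ALE, AIV, CANDIDATES):
        print(f"{name:45s} RORI = {score:6.2f} %")
```

With the constructed figures the pair of cheap countermeasures (sender blocking plus rate limiting) scores higher than the strongest single one (OTP on every transfer), which is the effect the multiple-countermeasure strategy in the abstract is after. The AIV term keeps the no-response option comparable at RORI = 0, so any option with a negative index costs more than it saves and should not be deployed.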


Notes

  1. Quadrant: The Quick and dirty risk analysis tool, available at: www.qdrnt.com/home.htm.

  2. Monte Carlo simulation for excel featuring distribution strings, available at: http://xlsim.com/xlsim/index.html.

  3. Delay packets that meet certain criteria to optimize performance, improve latency and increase usable bandwidth.

References

  1. Brocke, J., Strauch, G., Buddendick, C.: Return on security investment. In: Design Principles of Measurement System Based on Capital Budgeting, Information Systems Technology and its Applications, pp. 21–32 (2007)

  2. Cremonini, M., Martini, P.: Evaluating information security investment from attacker's perspective: the return-on-attack (ROA). In: Proceedings of the 4th Workshop on the Economics of Information Security (2005)

  3. Jeffrey, M.: Return on investment analysis for e-business projects, internet encyclopedia, 1st edn. Hossein Bidgoli Editor, vol. 3, pp. 211–236 (2004)

  4. Kheir, N., Cuppens-Boulahia, N., Cuppens, F., Debar, H.: A service dependency model for cost-sensitive intrusion response. In: 15th European Symposium on Research in Computer Security, pp. 626–642 (2010)

  5. Schmidt, M.: Return on investment (ROI) definition, meaning and use, encyclopedia of business terms and methods. Available at: http://www.business-case-analysis.com/return-on-investment.html. Accessed 15 Aug 2013 (2011)

  6. Sonnenreich, W., Albanese, J., Stout, B.: Return on security investment (ROSI). A practical quantitative model. J. Res. Pract. Inf. Technol. 38(1), 55–56 (2006)

  7. Stakhanova, N., Basu, S., Wong, J.: A cost-sensitive model for preemptive intrusion response systems. In: 21st International Conference on Advanced Networking and Applications (2007)

  8. Kim, D., Lee, T., In, H.: Effective security safeguard selection process for return on security investment. In: Asia-Pacific services computing conference (2008)

  9. Kheir, N.: Response policies and countermeasures: management of service dependencies and intrusion and reaction impacts. PhD Thesis, Ecole Nationale Supérieure des Télécommunications de Bretagne (2010)

  10. Nakatsu, D., Li, Y., Sakiyama, K., Ohta, K.: Combination of SW countermeasure and CPU modification on FPGA against power analysis. In: 11th International Conference on Information Security Applications, pp. 258–272 (2011)

  11. Harwood, D., Torbic, D., Richard, K., Meyer, M.: SafetyAnalyst: software tools for safety management of specific highway sites. Federal Highway Administration, Publication No. FHWA-HRT-10-063 (2010)

  12. Duan, C., Cleland-Huang, J.: Automated safeguard selection strategies. CTI Research Symposium (2006)

  13. Tae Hyun, K., Dong-Guk, H., Katsuyuki, O., Jongin, L.: Generic cryptanalysis of combined countermeasures with randomized BSD representations. In: 7th International Federation for Information Processing (IFIP), Smart Card Research and Advanced Applications, pp. 119–134 (2006)

  14. Abou El Kalam, A., El Baida, R., Balbiani, P., Benferhat, S., Cuppens, F., Deswarte, Y., Miege, A., Saurel, C., Trouessin, G.: Organization based access control. In: 8th International Workshop on Policies for Distributed Systems and Networks (2003)

  15. Miege, A.: Definition of a formal framework for specifying security policies. The OrBAC model and extensions. PhD Thesis, Ecole Nationale Supérieure des Télécommunications Paris (2005)

  16. Cuppens, F., Cuppens-Boulahia, N., Miege, A.: Inheritance hierarchies in the Or-BAC model and application in a network environment. In: The 2nd Foundation of Computer Security, Workshop (2004)

  17. Cuppens, F., Cuppens-Boulahia, N.: Modelling contextual security policies. Int. J. Inf. Secur. 7(4), 285–305 (2007)

  18. Kosutic, D.: Is it possible to calculate the Return on Security Investment (ROSI)? Available at: http://blog.iso27001standard.com/2011/06/13/is-it-possible-to-calculate-the-return-on-security-investment-rosi/ (2011)

  19. Locher, C.: Methodologies for evaluating information security investments–what basel II can change in the financial industry. In: ECIS Proceedings, Paper 122 (2005)

  20. Lockstep Consulting.: A guide for government agencies calculating return on security investment. Available at: http://lockstep.com.au/library/return_on_investment (2004)

  21. Puangsri, P.: Quantified return on information security investment—a model for cost-benefit analysis. Delft University of Technology, Master Thesis (2009)

  22. Jeffery, M.: Return on Investment Analysis for E-business Projects, The Internet Encyclopedia. Wiley, London (2004)

  23. Halton, J.: A retrospective and prospective survey of the Monte Carlo method. SIAM Rev. 12, 1–63 (1970)

  24. Evans, M., Hastings, N., Peacock, B.: Triangular Distribution Ch 40 in Statistical Distributions, 3rd edn, pp. 187–188. Wiley, New York (2000)

  25. National Institute of Standards and Technology: Guide for conducting risk assessments, SP 800-30 Rev. 1. Available at: http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf (2012)

  26. International Standard ISO/IEC 27005: Information Technology—Security Techniques—Information Security Risk Management (2008)

  27. Clusif: MEHARI 2010—risk analysis and treatment guide. Available at: http://www.clusif.asso.fr/fr/production/ouvrages/pdf/MEHARI-2010-Risk-Analysis-and-Treatment-Guide.pdf (2010)

  28. ANSSI: EBIOS 2010—expression of needs and identification of security objectives. Available at: http://www.ssi.gouv.fr/en/the-anssi/publications-109/methods-to-achieve-iss/ebios-2010-expression-of-needs-and-identification-of-security-objectives.html (2010)

  29. Siemens Enterprise: The logic behind CRAMM’s assessment of measures of risk and determination of appropriate countermeasures. Technical Report. Available at: http://www.cramm.com/downloads/techpapers.htm (2005)

  30. SDL Team Microsoft: Attack surface analyzer 1.0 released. Available at: http://blogs.msdn.com/b/sdl/archive/2012/08/02/attack-surface-analyzer-1-0-released.aspx (2012)

  31. Norman, T.: Risk Analysis and Security Countermeasure Selection. CRC Press, Taylor & Francis Group, London (2010)

  32. Swiler, L., Paez, T., Mayes, R.: Epistemic uncertainty quantification tutorial. In: Conference and Exposition on Structural Dynamics—Model Verification and Validation, IMAC XXVII (2009)

  33. Sandia National Laboratories: DAKOTA, A multilevel parallel object-oriented framework for design optimization, parameter estimation, uncertainty quantification and sensitivity analysis. Available at: http://dakota.sandia.gov/index.html

  34. MASSIF Deliverable D5.2.1: Decision support, simulation, and deployment software components. Available at: http://www.massifproject.eu/list_deliverables (2012)

  35. Manadhata, P.: An attack surface metric. PhD Thesis, School of Computer Science, Carnegie Mellon University (2008)

  36. Manadhata, P., Wing, J., Flynn, M., McQueen, M.: Measuring the attack surfaces of two FTP daemons. In: Proceedings of the 2nd ACM Workshop on Quality of Protection, pp. 3–10 (2006)

  37. Manadhata, P., Karabulut, Y., Wing, J.: Measuring the attack surfaces of SAP business applications. In: IEEE International Symposium on Software Reliability Engineering (2008)

  38. Manadhata, P., Wing, J.: An attack surface metric. IEEE Trans. Softw. Eng. 37(3), 371–386 (2010)

  39. Howard, M., Wing, J.: Measuring relative attack surfaces. In: Computer Security in the 21st Century, pp. 109–137 (2005)

  40. Gonzalez Granadillo, G., Debar, H., Jacob, G., Gaber, C., Achemlal, M.: Individual countermeasure selection based on the return on response investment index. In: International Conference Mathematical Methods, Models and Architectures for Computer Network Security, LNCS 7531, pp. 156–170 (2012)

  41. Grimaldi, R.: Discrete and Combinatorial Mathematics. An Applied Introduction. Addison-Wesley, Reading, MA (1985)

  42. Flajolet, P., Sedgewick, R.: Analytic Combinatorics. Cambridge University Press, Cambridge (2009)

  43. Olofsson, P.: Probability, Statistics, and Stochastic Processes. Wiley, London (2005)

  44. Rheinfurth, M.H., Howell, L.W.: Probability and statistics in aerospace engineering. NASA Center for AeroSpace Information (1998)

  45. Rosen, K.: Discrete Mathematics and its Applications. McGraw Hill, New York (1994)

  46. Granadillo, G.G., Debar, H., Jacob, G., Coppolino, L.: Combination approach to select optimal countermeasures based on the RORI Index. In: Second International Conference on the Innovative Computing Technology (2012)

  47. Horrocks, I., Patel-Schneider, P., Boley, H., Tabet, S., Grosof, B., Dean, M.: SWRL: A semantic web rule language combining OWL and RuleML, W3C member submission. Available at: http://www.w3.org/Submission/SWRL (2004)

  48. Gonzalez Granadillo, G., Mustapha, Y.B.: An ontology-driven approach to model SIEM information and operations using the SWRL formalism. Int. J. Electron. Secur. Digit. Forensics 4(2/3), 104–123 (2012)

Acknowledgments

The research leading to these results has received funding from the European Commission within the context of the Seventh Framework Programme (FP7-ICT-2009-5) under Grant Agreement No. 257644 (MAnagement of Security information and events in Service Infrastructures, MASSIF Project).

Author information


Correspondence to Gustavo Gonzalez Granadillo.


Cite this article

Gonzalez Granadillo, G., Belhaouane, M., Debar, H. et al. RORI-based countermeasure selection using the OrBAC formalism. Int. J. Inf. Secur. 13, 63–79 (2014). https://doi.org/10.1007/s10207-013-0207-8
