SECAdvisor: A Tool for Cybersecurity Planning using Economic Models

  • Muriel Figueredo Franco UFRGS / UZH
  • Christian Omlin UZH
  • Oliver Kamer UZH
  • Eder John Scheid UFRGS / UZH
  • Lisandro Zambenedetti Granville UZH
  • Burkhard Stiller UFRGS

Abstract

Cybersecurity planning is challenging for digitized companies that want adequate protection without overspending. Currently, a lack of investment and perverse economic incentives may increase the number of cyberattacks, which have several economic impacts on companies worldwide. Therefore, cybersecurity planning has to consider both technical and economic dimensions to help companies achieve a better cybersecurity strategy. This paper introduces SECAdvisor, a tool that supports cybersecurity planning using economic models. SECAdvisor allows one to (a) understand the risks and valuation of different businesses’ information, (b) calculate the optimal investment in cybersecurity for a company, (c) receive a recommendation of protections based on the available budget and demands, and (d) compare protection solutions in terms of cost-efficiency. Furthermore, usability evaluations and real-world training activities performed with SECAdvisor show its efficacy and usability, allowing users to explore economic concepts and models for cybersecurity planning.
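The abstract lists two quantitative features, computing an optimal cybersecurity investment (b) and comparing protections by cost-efficiency (d), without detailing the models behind them. The following is an added illustration, not SECAdvisor's own code, of two standard models from cybersecurity economics that serve these purposes: the Gordon-Loeb model with its class-I security breach probability function S(z, v) = v / (αz + 1)^β, whose optimal investment z* is bounded by 1/e of the expected loss, and the Return on Security Investment (ROSI) ratio. The loss figure, vulnerability, α, β, annualized loss expectancy and the candidate protections are constructed sample values chosen for the example; whether SECAdvisor uses exactly these functions is an assumption the page does not confirm.

```python
import math

# Gordon-Loeb inputs (all constructed sample values, not from the paper):
#   L      potential loss if a breach occurs (monetary units)
#   v      vulnerability: probability of a breach with zero investment
#   alpha, beta  productivity parameters of the class-I breach function


def breach_probability(z, v, alpha, beta):
    """Class-I Gordon-Loeb security breach probability after investing z."""
    return v / (alpha * z + 1.0) ** beta


def enbis(z, L, v, alpha, beta):
    """Expected net benefit of information security: reduction in expected
    loss minus the investment that produced it."""
    return (v - breach_probability(z, v, alpha, beta)) * L - z


def gordon_loeb_optimal(L, v, alpha, beta):
    """Closed-form maximizer of enbis() for the class-I function.

    Setting d(ENBIS)/dz = 0 gives (alpha*z + 1)^(beta+1) = L*v*alpha*beta,
    so z* = ((L*v*alpha*beta)^(1/(beta+1)) - 1) / alpha, clipped at zero
    when the model says investing is not worthwhile at all.
    """
    root = (L * v * alpha * beta) ** (1.0 / (beta + 1.0))
    return max((root - 1.0) / alpha, 0.0)


def one_over_e_bound(L, v):
    """Gordon-Loeb upper bound: z* never exceeds expected loss (v*L) / e."""
    return v * L / math.e


def grid_search_optimal(L, v, alpha, beta, step=100.0):
    """Brute-force check of the closed form: scan z up to the 1/e bound."""
    best_z, best_val = 0.0, enbis(0.0, L, v, alpha, beta)
    z = 0.0
    limit = one_over_e_bound(L, v)
    while z <= limit:
        val = enbis(z, L, v, alpha, beta)
        if val > best_val:
            best_z, best_val = z, val
        z += step
    return best_z


# ROSI (Sonnenreich et al. / ENISA formulation):
#   ROSI = (ALE * mitigation_ratio - solution_cost) / solution_cost
# where ALE is the annualized loss expectancy the protection addresses.


def rosi(ale, mitigation_ratio, solution_cost):
    """Return on security investment for one protection."""
    return (ale * mitigation_ratio - solution_cost) / solution_cost


def rank_protections(ale, candidates):
    """Order (name, mitigation_ratio, annual_cost) tuples by ROSI, best first.

    A cheaper protection with a lower mitigation ratio can outrank a more
    effective but expensive one, which is the cost-efficiency comparison the
    abstract's item (d) refers to.
    """
    scored = [(name, rosi(ale, m, cost)) for name, m, cost in candidates]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    # Constructed scenario: a breach could cost 1,000,000; with no spending a
    # breach happens with probability 0.5.
    L, v, alpha, beta = 1_000_000.0, 0.5, 1e-5, 1.0
    z_star = gordon_loeb_optimal(L, v, alpha, beta)
    print(f"optimal investment z* = {z_star:,.0f}")
    print(f"1/e bound            = {one_over_e_bound(L, v):,.0f}")
    print(f"ENBIS at z*          = {enbis(z_star, L, v, alpha, beta):,.0f}")

    # Constructed protections: (name, share of ALE mitigated, annual cost)
    candidates = [("managed-firewall", 0.8, 30_000.0),
                  ("patch-management", 0.5, 10_000.0)]
    for name, value in rank_protections(100_000.0, candidates):
        print(f"{name}: ROSI = {value:.2f}")
```

With the sample numbers the closed form gives z* ≈ 123,607, well under the 1/e bound of ≈ 183,940, and the grid search lands on the same optimum to within its step size; the ROSI ranking puts the cheaper patch-management option (ROSI 4.0) ahead of the firewall (ROSI ≈ 1.67) even though the firewall mitigates more loss.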

Published
16/09/2024
FRANCO, Muriel Figueredo; OMLIN, Christian; KAMER, Oliver; SCHEID, Eder John; GRANVILLE, Lisandro Zambenedetti; STILLER, Burkhard. SECAdvisor: A Tool for Cybersecurity Planning using Economic Models. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 24., 2024, São José dos Campos/SP. Proceedings [...]. Porto Alegre: Sociedade Brasileira de Computação, 2024. p. 554-569. DOI: https://doi.org/10.5753/sbseg.2024.240810.