Description

ABSTRACT

In organizations implement security standards to be competitive and trustworthy parties that run highly integrated and secure businesses. However, despite regulations, laws and awareness of security measures, data breaches continue to grow and evolve. When an organization performs regular risk assessments of assets and services, the risk of experiencing a data breach may decrease. However, decisions on the type of security measures to be implemented are frequently made based on the personal experiences of decision makers, who may be unaware of specific system weaknesses and new threats. In order to solve this issue, researchers have proposed a number of models relating to qualitative and quantitative risk assessment approaches, where attack trees and attack graphs are used to estimate the shortest attack paths and related security costs. Budget cuts and the high demand in strengthening the security of computer systems and services constitute a challenge. This paper proposes a novel Risk Assessment and Optimization Model (RAOM) to solve a security countermeasure selection problem, where variables such as financial cost and risk may affect a final decision. A Multi-Objective Tabu Search (MOTS) algorithm has been developed to construct an efficient frontier of non-dominated solutions, which can satisfy organizational security needs in a cost-effective manner.