Title: A Layered Decision Model for cost-effective system security

Authors: Huaqiang Wei, Jim Alves-Foss, Terrence Soule, Hugh Pforsich, Du Zhang, Deborah Frincke

Addresses: Department of Computer Science, University of Idaho, Moscow, ID 83844-1010, USA; Department of Computer Science, University of Idaho, Moscow, ID 83844-1010, USA; Department of Computer Science, University of Idaho, Moscow, ID 83844-1010, USA; Department of Accountancy, California State University, Sacramento, 6000 J Street, Sacramento, CA 95819, USA; Department of Computer Science, California State University, Sacramento, 6000 J Street, Sacramento, CA 95819, USA; National Security Directorate, Pacific Northwest National Laboratory, Richland, WA, 99352, USA

Abstract: System security involves decisions in at least three areas: identification of well-defined security policies, selection of cost-effective defence strategies, and implementation of real-time defence tactics. Although choices made in each of these areas affect the others, existing decision models typically handle these three decision areas in isolation. There is no comprehensive tool that can integrate them to provide a single efficient model for safeguarding a network. In addition, there is no clear way to determine which particular combinations of defence decisions result in cost-effective solutions. To address these problems, this paper introduces a Layered Decision Model (LDM) for use in deciding how to address defence decisions based on their cost-effectiveness. To validate the LDM and illustrate how it is used, we used simulation to test model rationality and applied the LDM to the design of system security for an e-commercial business case.

Keywords: LDM; layered decision models; system security; cost-benefit analysis; model validation; e-commerce; information security; computer security; security policies; defence strategies; real-time defence tactics; electronic commerce; simulation.

DOI: 10.1504/IJICS.2008.020607

International Journal of Information and Computer Security, 2008 Vol.2 No.3, pp.297 - 324

Published online: 01 Oct 2008
