New Publication: A Scalable Game-Theoretic Approach for Selecting Security Controls from Standardized Catalogues

April 19, 2026

Our latest article, published in Logical Methods in Computer Science, is now available online. In this paper, we present a game-theoretic approach for selecting effective combinations of security controls based on expected attacker profiles and a set budget. The control selection problem is set up as a two-person, zero-sum, one-shot game. Valid control combinations are generated using an algebraic formalism that accounts for dependencies among the selected controls. Using a software tool, we apply the approach to a fictional Canadian military system with Canada’s standardized control catalogue, ITSG-33. Through this case study, we demonstrate that the approach scales to selecting an effective set of security controls for large systems. The results illustrate how a security analyst can use the proposed approach and supporting tool to guide and support decision-making in the control selection activity when developing secure systems of all sizes. See Publications for more details!