Information Assurance Decision Support and Automation

Abstract

Carnegie Mellon University

The US Department of Defense transition to a multi-tier Risk Management Framework aims to streamline information assurance assessments by aligning them with the NIST security control catalog (SP 800-53). Those control sets are broadly applicable and comprehensive, but the people responsible for accreditation will still struggle to assess security risk in dynamically reconfigurable systems. Security analysts rely largely on background knowledge and experience to make security decisions. As software becomes more dynamic, analysts must resolve dependencies among components and understand how those dependencies affect security requirements. They need decision-support tools built on models that predict how analysts reason about security in distributed systems. We propose an approach that formalizes security experts' assessments of security requirements, presented within scenarios, as threat mitigation rules. The assessments will be collected empirically using factorial vignettes (short scenarios whose factors are varied systematically across respondents) and analyzed statistically to yield membership functions for a type-2 fuzzy logic system. The resulting type-2 fuzzy sets encode both interpersonal uncertainty (disagreement between analysts) and intrapersonal uncertainty (variation within one analyst's repeated judgments) in their decision-making. This work lays an early foundation for a digital cyber-security decision-support service from which an IT professional with any level of security background can efficiently obtain security assessments and recommendations.
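The mechanism the abstract describes, as an added illustration that is not part of the grant abstract or of the project's own code: several analysts' vignette answers become one interval type-2 fuzzy term, the gap between the lowest and highest membership at a given rating (the footprint of uncertainty) captures both the between-analyst and within-analyst variation, and a single threat mitigation rule fires on that interval. Everything here is assumed for the example: the 0..10 rating scale, the (start, full) answer format, the analysts' answers, the one rule, the 0.5 disagreement threshold and all function and variable names.

```python
"""Interval type-2 fuzzy encoding of analyst disagreement (illustrative, constructed data)."""
from dataclasses import dataclass
from typing import Sequence, Tuple

Interval = Tuple[float, float]
SCALE_MAX = 10.0  # assumption: vignette ratings are on a 0..10 scale


def trapezoid(x: float, a: float, b: float, c: float, d: float) -> float:
    """Type-1 trapezoidal membership: rises on [a, b], plateau on [b, c], falls on [c, d]."""
    if b <= x <= c:
        return 1.0
    if x < b:
        return 0.0 if x <= a else (x - a) / (b - a)
    return 0.0 if x >= d else (d - x) / (d - c)


@dataclass(frozen=True)
class IT2Term:
    """Interval type-2 fuzzy term: one type-1 trapezoid per elicited response.
    The membership of x is the interval [min, max] over those trapezoids; the
    gap between them is the footprint of uncertainty (FOU) at x."""
    name: str
    shapes: Tuple[Tuple[float, float, float, float], ...]

    def membership(self, x: float) -> Interval:
        grades = [trapezoid(x, *s) for s in self.shapes]
        return (min(grades), max(grades))


def term_from_vignettes(name: str, responses: Sequence[Interval]) -> IT2Term:
    """Build a right-shouldered term from (start, full) vignette answers.

    start: the lowest rating at which the respondent first calls the scenario
           '<name>'; full: the rating at which it is unmistakably so.
    Repeated answers from one analyst widen the FOU (intrapersonal
    uncertainty); differing answers across analysts widen it too
    (interpersonal uncertainty)."""
    return IT2Term(name, tuple((s, f, SCALE_MAX, SCALE_MAX) for s, f in responses))


def fire_rule(antecedents: Sequence[Interval]) -> Interval:
    """Minimum t-norm over interval memberships gives the rule's firing interval."""
    return (min(lo for lo, _ in antecedents), min(hi for _, hi in antecedents))


@dataclass(frozen=True)
class Assessment:
    firing: Interval       # [lower, upper] degree to which the mitigation rule applies
    disagreement: float    # width of the firing interval (FOU at this scenario)
    recommendation: str


def assess(exposure_rating: float, dependency_rating: float,
           exposure_high: IT2Term, dependency_untrusted: IT2Term,
           disagreement_threshold: float = 0.5) -> Assessment:
    """Evaluate the (constructed) threat mitigation rule
       IF exposure IS high AND dependency IS untrusted THEN restrict the component.
    A wide firing interval means the elicited experts would not agree on this
    scenario, so the tool defers to a human instead of auto-recommending."""
    firing = fire_rule([exposure_high.membership(exposure_rating),
                        dependency_untrusted.membership(dependency_rating)])
    lo, hi = firing
    width = hi - lo
    if width > disagreement_threshold:
        rec = "refer to analyst: elicited experts disagree on this scenario"
    elif (lo + hi) / 2 >= 0.5:
        rec = "restrict the component's access to the exposed interface"
    else:
        rec = "no mitigation required by this rule"
    return Assessment(firing, width, rec)


# Constructed elicitation data: (start, full) answers on the 0..10 scale.
# Analyst A answered two variants of the same vignette (first two entries).
EXPOSURE_HIGH = term_from_vignettes("exposure high", [(5, 8), (6, 8), (4, 7), (6, 9)])
DEPENDENCY_UNTRUSTED = term_from_vignettes("dependency untrusted", [(3, 6), (5, 8), (4, 7)])


if __name__ == "__main__":
    for exposure, dependency in [(7.0, 6.0), (9.5, 8.5), (2.0, 6.0)]:
        result = assess(exposure, dependency, EXPOSURE_HIGH, DEPENDENCY_UNTRUSTED)
        print(f"exposure={exposure} dependency={dependency} "
              f"firing=[{result.firing[0]:.2f}, {result.firing[1]:.2f}] "
              f"disagreement={result.disagreement:.2f} -> {result.recommendation}")
```

The point a practitioner should take from the example is the third field of the result: at a scenario where the analysts' trapezoids diverge, the firing interval is wide and the tool refuses to recommend on its own, which is the behaviour a decision-support service for non-specialists needs so that expert disagreement is surfaced rather than averaged away.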

Document Details

Document Type
DoD Grant Award
Publication Date
Nov 20, 2019
Source ID
HQ00341810014

Entities

People

  • Travis Breaux

Organizations

  • Massachusetts Institute of Technology
  • Office of the Secretary of Defense
  • Washington Headquarters Services

Tags

Fields of Study

  • Computer science

Readers

  • Cybersecurity
  • Software Engineering
  • Team-Based Human-Centered Cognitive Task Decision Making and Information Performance

Technology Areas

  • Cyber