
A Robust Process Model for Calculating Security ROI Ghazy Mahjub DePaul University M.S Software Engineering.


1 A Robust Process Model for Calculating Security ROI Ghazy Mahjub DePaul University M.S Software Engineering

2 Problem Identification Justifying investments in software security. “Quantification tools, if applied prudently, can assist in the anticipation, budgeting, and control of direct and indirect computer security costs. [Mercuri, 15]”

3 Problem Solution Provide a statistically valid return on investment. Integrate security infrastructure rather than providing layers of fully independent security infrastructure. Apply statistical process control. Quality rather than quantity. INTEGRATE SECURITY SO THAT IT DOES NOT HAMPER THE BUSINESS PROCESS.

4 Difficulties in Quantification Lack of statistically valid historical data on frequency and impact of events. Traditional binary view of security should be exchanged for the continuous security model where multiple levels of probability and impact are used to yield an optimal security investment strategy.

5 Robust Process Model Parameter design. Identify ideal function. Identify noise factors. Identify signal factors. Identify control factors for ideal response.

6 Anti-Requirement Integration An anti-requirement is a requirement of a malicious user that subverts an existing requirement. They are generated by the malicious user and can be generated by developers by front-end threat analysis or by post-hoc reaction to an operational attack. Anti-requirement formulation allows us to view our system through the eyes of the malicious user to prevent the attack before it happens. An anti-requirement maps to one or many risks.

7 Anti-Requirement Integration Just as security requirements are integrated into a system to establish accepted functionality, anti-requirements must be integrated to establish unaccepted functionality. Role Based Access Control defines requirements for users, and yet these roles are often insufficient. Anti-requirements theory says to define roles in the context of security as well as functional requirements.

8 Risk Assessment Risk = Probability x Impact Risk is a pair made up of a likelihood factor and an impact factor. Impact can be calculated fairly easily by assigning monetary values to assets in terms of the business value the asset has. Calculating probability is much more difficult!

9 Security ROI Calculator [diagram: cost-benefit analysis process; labels: Noise Factors, Control Factors, Z, Response Y, X, Risk Assessment, Robust Design Method, Noise Factors, X, Controlled Risk Adjusted Xr, Risk Assessment]

10 Orthogonal Arrays Experimentation tool. Depending on the number of factors to test, OAs let us avoid exhaustive testing of every combination of factors. The combination space grows exponentially, e.g. threat x vulnerability x safeguard. In addition, OAs allow us to test interaction effects between factors.
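Slides 8 and 10 describe risk as probability x impact and screening the threat x vulnerability x safeguard combination space with an orthogonal array. The following is an added Python example, not code from the presentation: it evaluates a constructed risk model over the L4 orthogonal array and over the full factorial, compares the main effect of each factor, and derives a simple ROI for the safeguard. The figures inside risk(), the 25,000 safeguard cost and the (reduction - cost) / cost ROI formula are assumptions made for illustration.

```python
"""Added example: screening risk = probability x impact with an L4 orthogonal array."""
from itertools import product
from statistics import mean

FACTORS = ("threat", "vulnerability", "safeguard")

# L4(2^3) orthogonal array: 4 runs in which every pair of columns shows
# each level combination exactly once (a full factorial needs 8 runs).
L4 = [(0, 0, 0), (0, 1, 1), (1, 0, 1), (1, 1, 0)]
FULL_FACTORIAL = list(product((0, 1), repeat=len(FACTORS)))


def risk(threat: int, vulnerability: int, safeguard: int) -> float:
    """Expected annual loss for one factor setting (constructed model).

    The probabilities and the 200,000 asset value are placeholder figures
    chosen for illustration, not data from the presentation.
    """
    probability = 0.30 if threat else 0.05        # active threat: event more likely
    probability *= 3.0 if vulnerability else 1.0  # exploitable flaw multiplies it
    probability *= 0.25 if safeguard else 1.0     # safeguard cuts the likelihood ...
    impact = 200_000.0 * (0.5 if safeguard else 1.0)  # ... and limits the damage
    return probability * impact


def main_effects(array, response=risk):
    """Mean response at level 1 minus level 0, per factor, over the runs in array."""
    effects = {}
    for col, name in enumerate(FACTORS):
        high = mean(response(*run) for run in array if run[col] == 1)
        low = mean(response(*run) for run in array if run[col] == 0)
        effects[name] = high - low
    return effects


def security_roi(array, safeguard_cost, response=risk):
    """Return on the safeguard: (risk reduction - cost) / cost, using array's runs."""
    reduction = -main_effects(array, response)["safeguard"]
    return (reduction - safeguard_cost) / safeguard_cost


if __name__ == "__main__":
    for name, array in (("L4 orthogonal array", L4), ("full factorial", FULL_FACTORIAL)):
        print(f"{name}: {len(array)} runs, main effects {main_effects(array)}")
        print(f"  ROI on a 25,000 safeguard: {security_roi(array, 25_000):.2f}")
```

The L4 screen reaches the same sign for every main effect as the full factorial with half the runs, but its magnitudes differ because the multiplicative model has interactions that a saturated L4 cannot separate.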

11 Decision Analysis Using variable domains and defined rules of decision theory, a decision function can be formulated for each decision variable. Since decisions incorporate uncertainty, a decision is a function rather than a binary value. Minimize confidence interval. [chart labels: Effectiveness of Probability Reduction; Effectiveness of Impact Reduction]

12 Future Work Test, Test, Test. Data, Data, Data. Develop code to run the calculations automatically.

