ALESSANDRO PALMA

PhD (Dottore di ricerca)

cycle: XXXVII


supervisors: Silvia Bonomi / Marco Angelini

Thesis title: Lowering the Boundaries of Information Security Governance: a Multi-Perspective Quantitative Viewpoint

Information Security Governance is the discipline comprising the set of processes that control an organization's approach to information security and design appropriate security strategies. The current state of the art of Information Security Governance presents three main boundaries that hinder the discipline from achieving its full impact on cybersecurity protection: (i) poor quantitative assessment, (ii) lack of multi-perspective assessment, and (iii) limited support for decision-making. Information security assessments are too often performed qualitatively, so that the evaluation may be biased by the different expertise of different assessors. Similarly, different assessments of the same scenario may lead to different results, with no objective way to identify the most appropriate one. This is the poor quantitative assessment boundary. Additionally, current assessment methodologies focus mainly on specific aspects of information security, such as specific cyber attacks, environments, or single metrics. Multiple perspectives need to be integrated within the assessment, otherwise the exposure to cyber attacks may not be reduced: for example, if information assets are perfectly protected but the organization manages incidents badly, even small unexpected events may harm the organization, rendering the large investment in asset protection useless. This is the lack of multi-perspective assessment boundary. A consequence of these two boundaries is that all Information Security Governance processes are mostly human-based. While humans are capable of the very complex decision-making from which the design of sophisticated security strategies benefits, managing heterogeneous large-scale knowledge and making decisions accordingly demands too much effort from them. This may lead to errors and misinterpretations during the assessment that cascade into poor protection. This is the limited decision support boundary.

This dissertation contributes to lowering these boundaries within a risk-centric model for Information Security Governance, in which security assessors control the incident management process that governs the information and network assets of an organization. In this context, the model comprises cyber risk assessment and incident management process compliance assessment as its core components. Each of the three boundaries introduces research challenges for both components. This dissertation investigates, analyzes, and presents contributions to address these challenges, providing a multi-perspective quantitative viewpoint on Information Security Governance with proper decision support.

In the context of cyber risk assessment, we explore Attack Graphs as a valuable solution for quantitatively assessing the cyber risks of network assets. Attack Graphs are graph-based representations of the possible ways in which an attacker can intrude on a computer network or system. The first research challenge, contributing to the poor quantitative assessment boundary, is the poor scalability of Attack Graphs, which hinders their employment in real environments and leads security assessors to prefer qualitative evaluations. To address this challenge, we introduce a dataset generator resembling real network settings, which we use to perform an in-depth scalability analysis highlighting the root causes of the performance degradation of Attack Graphs. Informed by this quantitative analysis, we contribute a novel Attack Graph generation and analysis framework that leverages progressive data analysis for prompt assessment. This enables answering cyber risk-related queries in interactive times and considering multiple network and security perspectives, thus approaching the second boundary of Information Security Governance. After assessing cyber risks, security assessors must implement mitigation actions. To support their decision-making, we combine the proposed framework with a trust computation model that informs the automatic protection and response to cyber attacks in the context of the Internet of Things, where device constraints aggravate the complex decisions security assessors are in charge of. This lowers the third boundary of limited decision support for cyber risk assessment with Attack Graphs.

Complementarily, we address the Information Security Governance boundaries for the process compliance assessment of Incident Management, the other component of the risk-centric model considered in this dissertation. To this end, we contribute a formal model for process compliance assessment that leverages process mining techniques. We employ this model in a compliance assessment system for Incident Management that considers multiple perspectives beyond the cost of incidents, including process information. To quantitatively measure the performance of this assessment, we introduce a novel benchmark for Incident Management process assessment that provides measures of performance and robustness. Finally, we design a Visual Analytics system that guides security assessors during the Incident Management process compliance assessment, supporting their decision-making by correlating large-scale heterogeneous data and providing interactive visual analyses.

Together, the contributions to cyber risk assessment through Attack Graphs and to process compliance assessment for Incident Management lower the boundaries of the risk-centric model of Information Security Governance. We discuss the research opportunities opened by this dissertation, such as an integrated model for a unified assessment and the application to other governance processes, towards a quantitative multi-perspective viewpoint of Information Security Governance.
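The abstract above describes Attack Graphs as graph-based representations of the ways an attacker can intrude on a network and uses them to quantify cyber risk. The following Python block is an added illustration, not code from the dissertation or its framework: it forward-chains a small attack graph from a constructed network (the hosts, reachability rules, exploit names and success likelihoods are all assumptions made here), answers one quantitative query, the most likely attack path to a target computed by Dijkstra on negative log-likelihoods, and re-runs that query with single exploits removed to rank candidate mitigations. The number of states grows with hosts times privilege levels and the number of edges with the exploits applicable in each state, which is where the scalability problem mentioned in the abstract appears on realistic networks.

```python
"""Attack graph generation and a quantitative risk query on a constructed network.

Added illustration, not code from the dissertation or its framework: the hosts,
reachability rules, exploit names and likelihoods below are assumptions made here.
"""
import heapq
import math
from collections import defaultdict

PRIV_RANK = {"none": 0, "user": 1, "root": 2}

# Constructed exploit catalogue: (name, host, kind, privilege gained, success likelihood).
# "remote" needs a foothold on a host that can reach the target; "local" needs a
# foothold on the target itself and must raise the privilege level.
EXPLOITS = [
    ("web_rce", "web", "remote", "user", 0.9),
    ("web_privesc", "web", "local", "root", 0.5),
    ("app_rce", "app", "remote", "user", 0.6),
    ("app_privesc", "app", "local", "root", 0.7),
    ("db_auth_bypass", "db", "remote", "root", 0.4),
]

# Constructed reachability (firewall view): source host -> hosts it can connect to.
REACH = {"internet": {"web"}, "web": {"app"}, "app": {"db", "web"}, "db": set()}

START = ("internet", "root")  # the attacker fully controls their own machine


def applicable(state, exploit, reach):
    """Precondition check for one exploit against the attacker's (host, privilege)."""
    host, priv = state
    _, target, kind, gained, _ = exploit
    if PRIV_RANK[priv] < PRIV_RANK["user"]:
        return False
    if kind == "remote":
        return target in reach.get(host, set())
    return target == host and PRIV_RANK[gained] > PRIV_RANK[priv]


def generate_attack_graph(exploits, reach, start=START):
    """Forward chaining from the attacker's entry point.

    Nodes are (host, privilege) states the attacker can obtain; each edge is one
    exploit application labelled with its success likelihood.
    """
    graph = defaultdict(list)
    seen = {start}
    frontier = [start]
    while frontier:
        state = frontier.pop()
        for exploit in exploits:
            if not applicable(state, exploit, reach):
                continue
            name, target, _, gained, p = exploit
            nxt = (target, gained)
            graph[state].append((name, nxt, p))
            if nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
    return dict(graph), seen


def most_likely_path(graph, goal, start=START):
    """Dijkstra on -log(likelihood): the shortest path is the attack path whose product
    of exploit likelihoods is highest, a standard attack-graph risk metric.
    Returns (list of exploit names, likelihood), or (None, 0.0) if goal is unreachable."""
    dist, prev, heap = {start: 0.0}, {}, [(0.0, start)]
    while heap:
        d, state = heapq.heappop(heap)
        if d > dist.get(state, math.inf):
            continue
        if state == goal:
            break
        for name, nxt, p in graph.get(state, []):
            nd = d - math.log(p)
            if nd < dist.get(nxt, math.inf):
                dist[nxt] = nd
                prev[nxt] = (state, name)
                heapq.heappush(heap, (nd, nxt))
    if goal not in dist:
        return None, 0.0
    path, state = [], goal
    while state != start:
        state, name = prev[state]
        path.append(name)
    return path[::-1], math.exp(-dist[goal])


def residual_risk_after_patch(patched, goal, exploits=EXPLOITS, reach=REACH):
    """Re-run the assessment with one exploit removed, to rank candidate mitigations."""
    remaining = [e for e in exploits if e[0] != patched]
    graph, _ = generate_attack_graph(remaining, reach)
    return most_likely_path(graph, goal)[1]


if __name__ == "__main__":
    graph, nodes = generate_attack_graph(EXPLOITS, REACH)
    print(f"{len(nodes)} states, {sum(len(v) for v in graph.values())} exploit edges")
    path, p = most_likely_path(graph, ("db", "root"))
    print("most likely path to db/root:", " -> ".join(path), f"(likelihood {p:.3f})")
    for name in ("web_privesc", "app_rce", "db_auth_bypass"):
        r = residual_risk_after_patch(name, ("db", "root"))
        print(f"patch {name:15s}: residual likelihood {r:.3f}")
```

Running the block shows that patching the local privilege escalation on the web host leaves the likelihood of reaching the database unchanged, while removing either remote exploit on the path drops it to zero: the ranking an assessor needs before choosing a mitigation is a graph query, not a judgement call.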
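The abstract also mentions process compliance assessment of Incident Management through process mining and a multi-perspective view that goes beyond incident cost. The following Python block is an added example, not the dissertation's formal model, system or benchmark: it computes optimal alignments of constructed incident traces against a constructed reference process (Detect, Categorize, Prioritize, Investigate/Escalate, Resolve, Close, an ITIL-flavoured assumption made here) expressed as a transition system, derives a control-flow fitness score from the alignment cost, and combines it with a constructed SLA threshold as the cost perspective.

```python
"""Process-mining style compliance check of incident-management traces.

Added illustration, not the dissertation's formal model or system: the reference
process, the event log and the SLA thresholds are constructed assumptions.
"""
import heapq

# Reference process as a transition system: state -> {activity: next_state}.
# Investigate/Escalate may loop before Resolve (constructed, ITIL-flavoured).
MODEL = {
    "s0": {"Detect": "s1"},
    "s1": {"Categorize": "s2"},
    "s2": {"Prioritize": "s3"},
    "s3": {"Investigate": "s4"},
    "s4": {"Escalate": "s3", "Resolve": "s5"},
    "s5": {"Close": "s6"},
    "s6": {},
}
INITIAL, ACCEPTING = "s0", {"s6"}
SHORTEST_MODEL_RUN = 6  # Detect..Close; used to normalise alignment cost into fitness

# Constructed SLA: hours allowed to resolve an incident of a given priority.
SLA_HOURS = {"P1": 4, "P2": 24, "P3": 72}


def align(trace, model=MODEL):
    """Optimal alignment of an observed trace against the model, as Dijkstra over
    (trace position, model state). A synchronous move costs 0; a log move (an observed
    activity the model cannot explain) or a model move (a required activity the log
    lacks) costs 1. Returns (cost, moves), each move being (log_activity, model_activity)
    with None on the side that made no step."""
    start = (0, INITIAL)
    dist, prev, heap = {start: 0}, {}, [(0, start)]
    while heap:
        d, (i, state) = heapq.heappop(heap)
        if d > dist[(i, state)]:
            continue
        if i == len(trace) and state in ACCEPTING:
            moves, node = [], (i, state)
            while node != start:
                node, move = prev[node]
                moves.append(move)
            return d, moves[::-1]
        options = []
        if i < len(trace):
            options.append((1, (i + 1, state), (trace[i], None)))        # log move
            nxt = model[state].get(trace[i])
            if nxt is not None:
                options.append((0, (i + 1, nxt), (trace[i], trace[i])))   # synchronous move
        for act, nxt in model[state].items():
            options.append((1, (i, nxt), (None, act)))                    # model move
        for cost, node, move in options:
            nd = d + cost
            if nd < dist.get(node, float("inf")):
                dist[node] = nd
                prev[node] = ((i, state), move)
                heapq.heappush(heap, (nd, node))
    raise ValueError("model has no accepting run")


def assess(incident):
    """Multi-perspective compliance for one incident: control-flow fitness from the
    alignment plus the cost/SLA perspective. Fitness is 1 - cost / worst-case cost,
    the worst case being skipping every observed event and inserting the shortest run."""
    cost, moves = align(incident["trace"])
    fitness = 1 - cost / (len(incident["trace"]) + SHORTEST_MODEL_RUN)
    sla_met = incident["hours"] <= SLA_HOURS[incident["priority"]]
    return {
        "id": incident["id"],
        "fitness": round(fitness, 3),
        "deviations": [m for m in moves if m[0] != m[1]],
        "sla_met": sla_met,
        "compliant": cost == 0 and sla_met,
    }


# Constructed event log of three incidents.
LOG = [
    {"id": "INC-1", "priority": "P2", "hours": 10,
     "trace": ["Detect", "Categorize", "Prioritize", "Investigate", "Resolve", "Close"]},
    {"id": "INC-2", "priority": "P1", "hours": 3,                    # skipped Categorize
     "trace": ["Detect", "Prioritize", "Investigate", "Resolve", "Close"]},
    {"id": "INC-3", "priority": "P3", "hours": 90,                   # closed before resolved
     "trace": ["Detect", "Categorize", "Prioritize", "Investigate", "Close", "Resolve"]},
]

if __name__ == "__main__":
    for inc in LOG:
        print(assess(inc))
```

INC-2 is resolved well inside its SLA and would pass a cost-only assessment, yet the alignment reports the skipped categorization step; INC-3 fails on both perspectives. Keeping the two perspectives separate in the output is what lets an assessor see which kind of non-compliance they are looking at.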

Scientific output

11573/1729836 - 2024 - Improving Attack Graph-based Self-Protecting Systems: A Computational Pipeline for Accuracy-Scalability Trade-off
Bonomi, Silvia; Cuoci, Marco; Lenti, Simone; Palma, Alessandro - 04b Conference paper in proceedings
conference: 19th International Conference on Risks and Security of Internet and Systems (CRiSIS) 2024 (Aix-En-Provence, France)
book: The Nineteenth International Conference on Risks and Security of Internet and Systems

11573/1717672 - 2024 - A compliance assessment system for Incident Management process
Palma, Alessandro; Acitelli, Giacomo; Marrella, Andrea; Bonomi, Silvia; Angelini, Marco - 01a Journal article
journal: COMPUTERS & SECURITY (Elsevier) - issn: 0167-4048 - wos: WOS:001302635200001 (0) - scopus: 2-s2.0-85201789409 (0)

11573/1711044 - 2024 - Visually Supporting the Assessment of the Incident Management Process
Palma, Alessandro; Angelini, Marco - 04b Conference paper in proceedings
conference: 26th EG Conference on Visualization (Odense, Denmark)
book: EuroVA 2024 - (978-3-03868-253-0)

11573/1718056 - 2024 - It is Time To Steer: A Scalable Framework for Analysis-Driven Attack Graph Generation
Palma, Alessandro; Angelini, Marco - 04b Conference paper in proceedings
conference: European Symposium on Research in Computer Security (ESORICS) (Bydgoszcz, Poland)
book: Computer Security – ESORICS 2024 - (978-3-031-70903-6)

11573/1716627 - 2024 - BenchIMP: A Benchmark for Quantitative Evaluation of the Incident Management Process Assessment
Palma, Alessandro; Bartoloni, Nicola; Angelini, Marco - 04b Conference paper in proceedings
conference: International Conference on Availability, Reliability and Security (Vienna, Austria)
book: ARES '24: Proceedings of the 19th International Conference on Availability, Reliability and Security - (979-8-4007-1718-5)

11573/1724892 - 2024 - How to assess measurement capabilities of a security monitoring infrastructure and plan investment through a graph-based approach
Palma, Alessandro; Sorrentino, Andrea; Bonomi, Silvia - 01a Journal article
journal: EXPERT SYSTEMS WITH APPLICATIONS (Elsevier) - issn: 0957-4174 - wos: WOS:001352990800001 (0) - scopus: 2-s2.0-85208128169 (0)

11573/1687558 - 2023 - A workflow for distributed and resilient Attack Graph generation
Palma, Alessandro; Bonomi, Silvia - 04b Conference paper in proceedings
conference: 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (Porto, Portugal)
book: 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks - Supplemental Volume (DSN-S) - (979-8-3503-2545-4)

11573/1664947 - 2022 - Context-Aware Trace Alignment with Automated Planning
Acitelli, G.; Angelini, M.; Bonomi, S.; Maggi, F. M.; Marrella, A.; Palma, A. - 04b Conference paper in proceedings
conference: International Conference on Process Mining (Bolzano, Italy)
book: Proceedings of the 2022 4th International Conference on Process Mining ICPM 2022 - (979-8-3503-9714-7; 979-8-3503-9715-4)

11573/1541379 - 2021 - Toward a Context-Aware Methodology for Information Security Governance Assessment Validation
Angelini, M.; Bonomi, S.; Ciccotelli, C.; Palma, A. - 04b Conference paper in proceedings
conference: 1st International Workshop on Cyber-Physical Security for Critical Infrastructures Protection, CPS4CIP 2020, in conjunction with the European Symposium on Research in Computer Security, ESORICS 2020 (Virtual, Online)
book: Cyber-Physical Security for Critical Infrastructures Protection

© Università degli Studi di Roma "La Sapienza" - Piazzale Aldo Moro 5, 00185 Roma