Predictive Modelling for Meaningful Security SLAs

Mike Yearworth, Brian Monahan, David Pym
HP Laboratories


Keyword(s): service level agreements, demos2k, simulation, analytics, security, mathematical models

Abstract: A meaningful Service Level Agreement (SLA) is defined as a contractual agreement between a service provider and customer that is valuable, measurable, predictable, understandable, and affordable. In a previous paper we discussed the development of the concept of a meaningful security SLA; that is, an SLA focussed on the security properties of an information system arising from the interrelation of the infrastructure, processes and security operations staff. In this paper, we focus specifically on the development of a security operations model suitable for predicting performance against possible security SLAs. Although consequential financial losses can arise from lack of availability, confidentiality and integrity of an information system, we specifically focus on a model that addresses lack of availability; that is, sources of downtime arising from security vulnerabilities and misalignment. We have introduced misalignment as a catch-all term for the change management tasks that arise when staff cannot complete their work because of access control problems, leading to downtime and consequential financial losses: the information system infrastructure is available but is inaccessible due to mis-configuration. Whilst security vulnerabilities are the usual motivation driving security costs, the impact of misalignment is important in understanding the overall cost of security operations.
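The abstract describes predicting performance against an availability SLA from two sources of downtime, security vulnerabilities and misalignment. The following Python block is an added illustration, not the authors' demos2k model or any code from the paper: it is a deliberately simple Monte Carlo model in which each downtime source is a hypothetical Poisson incident process with exponential repair times, and it estimates the probability that a system meets an availability target over a period together with the downtime attributed to each source and the resulting consequential loss. The source names, rates, repair times, the 30-day period and the loss-per-hour figure are all constructed sample values, and summing overlapping incidents is a simplifying assumption.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class DowntimeSource:
    """One source of downtime. Rates and repair times are constructed sample values."""
    name: str
    incidents_per_day: float   # mean arrival rate (modelled as a Poisson process)
    mean_repair_hours: float   # mean time to restore access (modelled as exponential)


def sample_downtime_hours(source, days, rng):
    """Downtime hours this source contributes in one simulated period of `days` days.

    Incidents arrive with exponential inter-arrival times; each costs an exponential
    repair time. Overlapping incidents are simply summed (a simplifying assumption).
    """
    if source.incidents_per_day <= 0:
        return 0.0
    total = 0.0
    t = rng.expovariate(source.incidents_per_day)      # time (days) of first incident
    while t < days:
        total += rng.expovariate(1.0 / source.mean_repair_hours)
        t += rng.expovariate(source.incidents_per_day)
    return total


def predict_sla_compliance(sources, availability_target, days=30, runs=2000,
                           loss_per_hour=0.0, seed=1):
    """Monte Carlo estimate of how likely the system meets an availability SLA.

    Returns the fraction of simulated periods that met the target, the mean downtime
    attributed to each source, and the expected consequential loss per period.
    """
    rng = random.Random(seed)                 # fixed seed: repeatable predictions
    period_hours = days * 24.0
    periods_met = 0
    downtime_by_source = {s.name: 0.0 for s in sources}
    for _ in range(runs):
        period_total = 0.0
        for s in sources:
            d = sample_downtime_hours(s, days, rng)
            downtime_by_source[s.name] += d
            period_total += d
        # Downtime cannot exceed the period itself, so clip before computing availability.
        availability = 1.0 - min(period_total, period_hours) / period_hours
        if availability >= availability_target:
            periods_met += 1
    mean_downtime = {name: h / runs for name, h in downtime_by_source.items()}
    return {
        "p_meet_sla": periods_met / runs,
        "mean_downtime_hours": mean_downtime,
        "expected_loss": sum(mean_downtime.values()) * loss_per_hour,
    }


# Constructed sample inputs: a vulnerability-driven source (rare, slow to fix) and a
# misalignment source (frequent access-control mis-configurations, quick to fix).
SAMPLE_SOURCES = [
    DowntimeSource("vulnerability", incidents_per_day=0.05, mean_repair_hours=8.0),
    DowntimeSource("misalignment", incidents_per_day=0.5, mean_repair_hours=0.75),
]

if __name__ == "__main__":
    result = predict_sla_compliance(SAMPLE_SOURCES, availability_target=0.97,
                                    loss_per_hour=1000.0)
    print(f"P(meet 97% availability SLA over 30 days): {result['p_meet_sla']:.3f}")
    for name, hours in result["mean_downtime_hours"].items():
        print(f"  mean downtime from {name}: {hours:.2f} h per period")
    print(f"expected consequential loss per period: {result['expected_loss']:.0f}")
```

With the constructed rates above, the misalignment source contributes roughly as much downtime per period as the vulnerability source (about 11 hours versus about 12 hours on average), which is the kind of comparison the abstract argues a security operations model should make visible when costing security operations; raising or lowering `availability_target` shows how quickly the predicted compliance probability moves between SLA candidates.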

External Posting Date: October 10, 2008. Approved for External Publication
Internal Posting Date: October 10, 2008

