Risk Assessment and Decision Support for Security Policies and Related Enterprise Operational Processes
Casassa Mont, Marco; Brown, Richard
Keyword(s): Security Policies, Risk Assessment, Decision Support, Access Management, Security Analytics, Modelling, Simulation
Abstract: This paper presents and discusses our work to provide organizations with risk assessment and decision support capabilities when dealing with their strategic security policies. Traditional work in the policy management space primarily focuses on technical languages and frameworks to manage and enforce operational policies. These contributions are important but they do not address strategic decision makers' needs and questions such as: What business and security risks is my organization exposed to, due to the current security policies and related operational processes? How effectively are these policies enforced at the operational level? What is the impact of changing them? We aim at providing strategic decision support in this space by using a rigorous and scientific methodology (and tools) which leverages modeling and simulation techniques. This methodology helps organizations to assess their risk exposure. It factors in policy implementation at the operational level along with relevant threats, processes, interactions and people behaviors. It provides "what- if" analysis by illustrating the consequences of making policy changes and investments. We briefly introduce our methodology and tools and then ground the discussion by illustrating how this approach has been successfully used in a real case study with one of our major customers. This case study focused on the organization's access management processes and related policies: it helped to inform strategic security policies and support changes of current access management processes. Additional work is planned in this space to further validate our approach and build template solutions for different types of organizational policies and processes.
External Posting Date: January 21, 2011 [Fulltext]. Approved for External Publication
Internal Posting Date: January 21, 2011 [Fulltext]