Please use this identifier to cite or link to this item:
https://dair.nps.edu/handle/123456789/1442
Full metadata record
DC Field | Value | Language |
---|---|---|
dc.contributor.author | Hanan Hibshi | |
dc.contributor.author | Travis D. Breaux | |
dc.date.accessioned | 2020-03-16T17:58:52Z | - |
dc.date.available | 2020-03-16T17:58:52Z | - |
dc.date.issued | 2017-03-30 | |
dc.identifier.citation | Published--Unlimited Distribution | |
dc.identifier.uri | https://dair.nps.edu/handle/123456789/1442 | - |
dc.description | Acquisition Management / Defense Acquisition Community Contributor | |
dc.description.abstract | The U.S. DoD transition to a multi-tier, risk management framework aims to streamline information assurance assessments by promoting alignment with NIST information assurance control sets. While these control sets are broadly applicable and comprehensive, those responsible for accreditation will continue to struggle with assessing security risk in dynamically reconfigurable systems. Security analysts rely largely on background knowledge and experience to make security-related decisions. With increasingly dynamic software, analysts need to resolve dependencies among components and understand how those dependencies affect security requirements. Analysts need new decision-support tools based on models that predict how analysts reason about security in distributed systems. We present an approach that formalizes security expert assessments of security requirements nested in scenarios into threat mitigation rules. The assessments are collected empirically using factorial vignettes. The vignette results are statistically analyzed to yield membership functions for a type-2 fuzzy logic system. The corresponding type-2 fuzzy sets encode the interpersonal and intrapersonal uncertainties among security analysts in their decision-making. This work establishes an early foundation for a digital cyber-security decision-support service where an IT professional with any level of security background can benefit from efficiently receiving security assessments and recommendations. | |
dc.description.sponsorship | Acquisition Research Program | |
dc.language | English (United States) | |
dc.publisher | Acquisition Research Program | |
dc.relation.ispartofseries | Risk Management | |
dc.relation.ispartofseries | SYM-AM-17-064 | |
dc.subject | Cybersecurity | |
dc.subject | Risk | |
dc.subject | IT | |
dc.subject | Software | |
dc.title | Decision Support for Cybersecurity Risk Assessment | |
dc.type | Article | |
Appears in Collections: | Annual Acquisition Research Symposium Proceedings & Presentations |
Files in This Item:
File | Size | Format | |
---|---|---|---|
SYM-AM-17-064.pdf | 417.82 kB | Adobe PDF | View/Open |
Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.