Risk Management and Information Assurance Decision Support

Abstract

The DoD often requires a high degree of information assurance and risk management. The DoD IT acquisition process remains controlled by complex information assurance (IA) certification processes. In March 2014, the DoDD 8500.1 was reissued to require a multi-tier, risk management process as embodied in the CNSSP No. 22 and NIST Special Publication 800-39, which promotes alignment with NIST IA control sets to mitigate security risk. This strategy was in use as early as 2006 by some stakeholders, including the Department of Navy Chief Information Officer (DONCIO). Despite these improvements, those responsible for accreditation will continue to struggle with assessing security risk in dynamically reconfigurable systems that change at runtime. The combination of changing users, changing applications, and changing locations is characteristic of modern IT and, consequently, requires a modern solution. Like any organization, the DoD relies on security analysts who can assure that security requirements are satisfied. Relying on one expert's opinion can be risky, because the degree of uncertainty involved in a single person's decision could increase with time, memory failure or inexperience. In this technical report, we show to automate scenario generation where less experienced IT personnel can create scenarios that correspond to their own system architecture using our tool. The automation allows to crowdsource security assessments from experts. The tool will collect and analyze the expert ratings and return the results to the original requestor. In this paper, we propose our designed prototype for the tool, and we share the results of evaluating the prototype on 30 students who are completing a master's degree in cybersecurity at a US institution. Based on the qualitative and usability analysis of responses, our proposed method is shown effective in systematic scenario elicitation. Participants had a 100% task completion rate with 57% of participants achieving complete task-success, and the remaining 43% of participants achieving partial task-success. Finally, we discuss our findings and future directions for this research in systematic scenario elicitation.

This research will yield important public benefits to private sector companies who supply and consume the dual-purpose information technology (IT) used by the DoD and who are frequently subject to security threats from organized crime, foreign governments and stateless hackers.