3rd International ICST Symposium on Information Assurance and Security

Research Article

Dynamic Risk Mitigation in Computing Infrastructures

  • @INPROCEEDINGS{10.1109/IAS.2007.91,
        author={R. Ann Miura-Ko and Nicholas  Bambos},
        title={Dynamic Risk Mitigation in Computing Infrastructures},
        proceedings={3rd International ICST Symposium on  Information Assurance and Security},
        publisher={IEEE},
        proceedings_a={IAS},
        year={2007},
        month={9},
        keywords={Analytical models  Data security  Databases  Information analysis  Information security  Management information systems  Network servers  Resource management  Risk analysis  Risk management},
        doi={10.1109/IAS.2007.91}
    }
    
  • R. Ann Miura-Ko
    Nicholas Bambos
    Year: 2007
    Dynamic Risk Mitigation in Computing Infrastructures
    IAS
    IEEE
    DOI: 10.1109/IAS.2007.91
R. Ann Miura-Ko1,*, Nicholas Bambos2,*
  • 1: Department of Management Science and Engineering Stanford University Stanford, California 94305–4026
  • 2: Department of Electrical Engineering and Management Science and Engineering Stanford University Stanford, California 94305–9505
*Contact email: amiura@stanford.edu, bambos@stanford.edu

Abstract

In this brief paper, we formulate a novel analytical framework for modeling and mitigation of dynamically changing security risk profiles in information systems and networks. Risk accumulates at components/nodes (hosts, servers, databases, etc.) due to risk shocks hitting them (virus, worm attacks, etc.) and is monitored by risk indicators. The risk manager dynamically chooses defenses by reconfiguring and allocating available protection resources to various infrastructure components/nodes. The issue is to dynamically control risk by (re)deploying defenses on the spot in response to changing risk indicators. The framework is designed to parallel queuing modeling ones, mapping backlog/congestion to risk level/stress. This exposes interesting connections between dynamic risk management and queueing systems. It also allows for leveraging some results of congestion management for risk mitigation, as well as developing new ones to capture risk management performance tradeoffs.