Maximizing Security Management Performance and Decisions with the MFC Cyber Security Model: e-learning case study

The Mean Failure Cost (MFC) is a cascade of linear models that quantifies security threats by taking into consideration the system's stakeholders, security requirements, architectural components and threats. This quantitative cyber security model monetizes the system's security as the cost that may be lost due to security failure. The scarcity of quantitative security models in security decision making is what reveals the strengths and uniqueness of the MFC cyber security model. This paper intends to extend this measure into a security risk management model for ultra large systems and to exploit the previously presented characteristics of the MFC model in security decision making, relying on a rigorous and quantifiable analysis of financial returns. In fact, we intend to provide a possible solution to security problems using the MFC model in order to set the highest security priorities and choose suitable countermeasures, as well as to compute the profitability of the proposed security countermeasures through the Return on Investment (ROI) based on the MFC values for each stakeholder. This will lead to monitoring the effectiveness of the proposed security countermeasures, ensuring the best solution choice by saving both time and money, and providing a security decision maker with adequate justification for his security choice. The practical investigation is conducted in the context of e-learning platforms.


Introduction
Security is a serious necessity with a complex property; it requires new management and assessment strategies in every organization [4]. A variety of qualitative and quantitative risk management models, approaches and measures have been proposed in order to analyse the security of both existing and potential future threats. Among risk management models, we mention the Single Loss Expectancy (SLE) [6], the Mean Failure Cost (MFC) [1,7], the Bayesian Defense Graphs and Architectural Models [14], the Availability, Integrity, Confidentiality and Authentication (AICA) model, the improving web application security model (IWAS) and AURUM [5]. Ideally, information security will be enhanced by quantitative risk analyses [12,13]; in many cases it is difficult to exclude the risk, but it can be reduced, and the assessment result is then useful for future business decisions [18]. However, quantifying security is a hard task, and it is harder when the related system is complex [21]. In economic terms, the MFC is a risk management model for measuring the system's security through risk assessment and quantification [11,12]. If we consider the monetary value per unit of operational time, any security breakdown involving the system's stakeholders, security requirements, architectural components and threats will result in a considerable loss for each stakeholder. For instance, it is essential for complex or ultra large systems to guarantee safety, quality and a good image, which could be made possible with the MFC model as a relevant and suitable device for quantitative decision making. The MFC is a measure of cyber security suitable for e-services, complex and ultra large systems such as e-Learning and e-Government; it considers variations by stakeholders, security requirements, architectural components, and threats [9,10] to derive three matrices and a vector. The result is a vector of the mean failure cost per stakeholder: the loss of operation ($/H) for each stakeholder is computed. This quantitative model is a cascade of linear models that quantify security threats in terms of the loss that results from system vulnerabilities, as in [9]: the MFC cyber security metric is the product of several factors (the stakes matrix ST, the dependency matrix DP, the impact matrix IM, and the threat vector PT) [11], where:

- The stakes matrix (ST)
This matrix is composed of the list of stakeholders and the list of security requirements. Relevant stakeholders, who have internal or external usage of the system, fill each row; each cell is expressed in dollars and represents the loss incurred on, or the premium placed on, the requirement.

- The dependency matrix (DP)
System architects fill each row of this matrix; each cell represents the probability of failure with respect to a security requirement if a component has failed.
DP (Rj, Ck): the probability that the system fails to meet requirement Rj if component Ck is compromised.

- The impact matrix (IM)
The V&V team fills each row of this matrix; each cell represents the probability of compromising a component given that a threat has materialized. It depends on the target of each threat and on the likelihood of success of the threat.
IM (Ck, Th): the probability that component Ck is compromised if threat Th has materialized.

- The threat vector (PT)
The security team fills each row of this vector; each cell represents the probability of realization of each threat. It depends on perpetrator models, empirical data, known vulnerabilities, known countermeasures, etc.
PT (Ti): the probability that threat Ti materializes during a unit of operation time (one hour of operation).
Using these data, we compute the vector of mean failure costs using the formula: MFC = ST • DP • IM • PT. To understand the risk analysis provided by the MFC model, we first need to understand its conceptual logic; it reflects:
- independence with respect to stakeholders: the cost varies from one stakeholder to another,
- independence with respect to security requirements clauses,
- independence with respect to the likelihood of failing distinct components,
- independence with respect to the likelihood of materializing a threat.
Our focus is to control the MFC matrices in order to minimize the loss a stakeholder incurs due to security failure. Similarly, we intend to provide a security decision maker with adequate measures and a clear justification for his choice. Therefore, we need to answer these questions: which MFC matrix is the critical one for security, and what security measures should be adopted? Then, how can we make sure our choice attenuates security failure?
This paper intends to exploit the previously presented characteristics of the MFC model in security decision making, to provide a technical idea for monitoring the effectiveness of security countermeasures and ensuring a better choice. From a practical side, the aim is to experiment with a theoretical solution by detailing an example of an ultra large system, namely the e-learning environment [15]. Hence the focus is on: 1. diagnosing and setting the critical security priorities in the MFC matrices; 2. choosing the suitable security solutions; 3. ensuring a better security solution. This paper is organised as follows: in section 2, we present a brief description of our earlier works on quantifying security threats within e-learning platforms. In section 3, the focus is on the diagnosis of security problems in the MFC matrices, for the sake of identifying the main problems. Section 4 presents the approach for computing the return on investment (ROI) of the proposed solution based on the MFC model. In section 5 we finish by presenting the computational steps needed to make an appropriate security choice, that is, the calculation of profitability through the return on investment; we try to answer the questions: is the duplication of the web server or of the DB server profitable? What are the benefits for the system's stakeholders? Finally we conclude by summarizing our results and sketching directions for further research.

In previous works, we defined and computed a value-based cyber security metric, the Mean Failure Cost (MFC) model. This quantitative cyber security metric was applied in a practical case study to the quantification of the security of standard e-learning platforms and applications [11].
To reach a rigorous analysis of the system's risk with a financial measure through the MFC model, we need to answer these questions: what is the list of stakeholders of such a system? Which security requirements does it need? What is its architecture (components)? What are the threats?
For standard e-learning systems, we have considered [16,17,20]: 1. four stakeholders [19,22,23]
The Mean Failure Cost computes, for each stakeholder of the given system, his loss of operation ($/H). This quantitative model is a cascade of linear models that quantify security threats in terms of the loss that results from the system's vulnerabilities, by taking into consideration the system's stakeholders, security requirements, architectural components and threats, as follows: the MFC cyber security metric is the product of several factors, the stakes matrix (ST), the dependency matrix (DP), the impact matrix (IM) and the threat vector (PT), where ST, DP and IM are three matrices and PT is a vector.
To compute the MFC we use four steps:
Step 1: Elaborate the stakes matrix (ST). It is composed of the list of stakeholders and the list of security requirements. It is filled by stakeholders according to the stakes they have in satisfying individual requirements; each cell is expressed in dollars (monetary terms) and represents the loss incurred and/or the premium placed on a requirement.
ST (Hi, Rj): the stake that stakeholder Hi has in meeting requirement Rj.
Step 2: Elaborate the dependency matrix (DP). Each cell represents the probability of failure with respect to a requirement given that a component has failed. It is filled by the system architects (i.e., cyber security operations and system administrators) according to how each component contributes to meeting each requirement.
DP (Rj, Ck): the probability that the system fails to meet requirement Rj if component Ck is compromised.
Step 3: Elaborate the impact matrix (IM). Each cell represents the probability of compromising a component given that a threat has materialized. It is filled by analysts according to how each component is affected by each threat; it depends on the target of each threat and on the likelihood of success of the threat.
IM (Ck, Th): the probability that component Ck is compromised if threat Th has materialized.
Step 4: Elaborate the vector of threat emergence probabilities (PT), which represents the probability of emergence of the various threats. This is done empirically, by simulating and/or operating the system for some length of time and estimating the number of threats that have emerged during that time. Each cell represents the probability of realization of each threat; it depends on perpetrator models, empirical data, known vulnerabilities, known countermeasures, etc.

PT (Ti): the probability that threat Ti materializes during a unit of operation time (one hour of operation).
Using these e-learning features and their empirical values, we computed the mean failure cost using the MFC formula: MFC = ST • DP • IM • PT

Table 2: The initial MFC application for elearning systems
We can now show: 1. who is the big loser (stakeholder)? 2. how much he/she can lose (cost in $)?
The big loser in this case study is the system administrator, who loses 643,357 $/hour, as shown in Table 2.
This work was motivated by our ever-increasing dependency on distance learning and by its lack of a scientific and quantitative basis for measuring cyber security. The MFC measure can underpin security risk assessment of large scale systems and considers all its security sub-specifications such as stakeholders, requirements, threats, and components. Quantifying security risk with a financial measure is very convenient for computation and interpretation. When we measure in a structured way the risk along the dimensions of the considered system, we need to consider a variety of empirical works in the quantification process.
The earlier work highlights the definition of current e-learning security attributes. It analyzes the respective stakeholders, security requirements, decomposition of the architectural components and common potential threats. Then, it presents the quantification of the e-learning system's security by computing the mean failure cost metric through an empirical study.
Our contribution can be generalized to other practical e-systems because, according to [18], e-learning systems share similar characteristics with other e-services: the accessibility of the service via the internet, the consumption of the service by a person via the internet and the payment for the service by the consumer. Therefore, security management approaches for quantifying security in e-learning are common to other e-services.
The next sections study practical ways to manage and reduce risk. It is possible to control the MFC through its factors in order to minimize and reduce its values. We need to choose the right measures for security priorities and decide whether the considered solution is profitable or not.

Problems Diagnostic in the MFC matrices: e-learning application case study
After computing the Mean Failure Cost, our aim is to reduce the cost that each stakeholder may lose because of security failure. This amounts to controlling the MFC matrices in order to minimize their quantitative values, using the security measures classification [2]:
- Controlling the stakes matrix: using the measure of mitigation, which reduces the impact of failures on the costs incurred by users.
- Controlling the dependency matrix: using the measure of immunity, which reduces the probability of not satisfying security requirements even if a component fails.
- Controlling the impact matrix: using the measure of reinforcement, which reduces the probability of failure of one or more components if threats occur. This can be done by duplicating architectural components.
- Controlling the threat vector: using preventive measures, which reduce the likelihood that a threat materializes. This type of measure is provided by a set of actions such as daily antivirus updates, access control by a firewall, password authentication and changing passwords periodically.
To maximize the security management performance and decisions of the considered system in the appropriate time and without wasting the budget, we focus on diagnosing and setting the main security priorities of the MFC matrices, in particular its probability matrices, namely the dependency matrix (DP) and the impact matrix (IM).

Therefore, we intend to select the critical matrix between IM and DP, the one that contains the highest probabilities, and thereby focus on the causes that increase the MFC values, adopting the following computing steps:
- Compute the MFC assuming that the DP matrix is perfect, that is to say no component fails for any security requirement.
- Compute the MFC assuming that the IM matrix is perfect, that is to say no threat has materialized for any component.
- Focus on the critical matrix, the one giving the highest MFC values, then search for suitable security solutions using the security measures classification. This is to reduce its probability values, and hence reduce the MFC vector.
Table 3 illustrates the preceding steps.

Table 3: Security problems diagnostic of the MFC for e-learning systems case study
We note that the highest values of the MFC are observed when the DP matrix is perfect; we conclude that in this practical case study, the critical problem resides in the impact matrix (IM), which is therefore the most critical matrix.
According to the security measures classification [2], we choose as a solution the duplication of the architectural hardware components, to reduce the MFC values by half. This technique is known as redundancy: the duplication of critical components or functions of a system in order to increase the system's reliability. In general, it takes the form of a backup; the redundant elements work in parallel. This is recommended for complex computer systems and for ultra large systems with a great number of stakeholders.
At this stage, we have set the critical security priorities in the MFC matrices and consequently chosen the suitable security solutions. Our next step is to focus on the relevance and pertinence of the redundancy of e-learning architectural components as a security solution before spending the budget; we must support the right decision and justify it. We should ensure the best choice of the proposed security solution and indicate the gain for all the system's stakeholders.
However, the problem confronting such a solution is how we can ensure a proper choice. The only way to judge whether the choice is a good one is the calculation of profitability through the return on investment (ROI) of the proposed security solution.

Computing the return on investment (ROI) of the proposed solution based on the MFC model: the Approach
The return on investment (ROI) is the measure used to evaluate the efficiency of an investment [3]. The ROI is the benefit (return) of an investment divided by the cost of the investment; the result is expressed as a percentage or a ratio. The return on investment formula (ROI) is given in equation (2). To explore equation (2) in depth, we need to calculate the gain per period in order to define, for a given period, the sum of discounted profits (gain) of the project [3], as shown in equation (3). If we consider the time value of money, the ROI is given by equation (4). The main problem in decision making is how to calculate periodically (for period w) the gain, that is, the gain of the proposed solution for a given stakeholder: B (w)?
The Mean Failure Cost is a solution to this problem; the MFC is the monetary value of a failure during a period, generally 1 hour. If we implement a solution for a period w, the income generated by this solution is given by equation (5), where:
- Bi (w): the benefit of stakeholder i in period w.
- Nbh: the number of hours during which the system is functional.
- wj: the period number j.
- wj+1: the period number j+1.
- MFCi (wj): the mean failure cost of stakeholder i occurring during period wj.
We adopt equation (4) and equation (5) to compute the ROI.

Computing the return on investment (ROI) of the proposed solution based on the MFC model: An E-learning context case study
In this section, we calculate the profitability of the proposed security solution namely the duplication of the architectural hardware components to reduce the MFC values to half.This is done through the computing of the return on investment (ROI) based on the MFC's values for all the system's stakeholders.We can then answer and justify the question for an e-learning systems case study: how can we ensure the proper choice of the security solution?

Defining the Security Solution
The purpose of defining the security solution is to duplicate one of the considered e-learning system components in order to strengthen the security of such a system. According to the e-learning system architecture, we need to choose between the DB server and the Web server as the main components, for further architectural component duplication.
We consider three hypotheses in order to compute the gain of the security solution:
- the DB server and the Web server have the same price (3338 euro / 4606.139 $);
- the amortization period of a component is 3 years;
- the gain per component is computed by semester.
We then compute the ROI per component, and decide which component, the DB server or the Web server, is subject to duplication according to the defined budget.
In this case, the proposed security solution is a comparison between the DB server duplication and the Web server duplication; one must assume that we can invest the same purchasing budget, since the ROI calculation takes into account that C (0) is the amount originally invested. Then we compare their profitability.
In case we have different prices, each case is verified separately. Then the decision maker confidently chooses the most profitable solution if he can meet the budget.

The Architectural Components Prices And The Amortization Period
The standard architecture of an e-learning system includes six linked components, namely: the browser, the web server, the application server, the DB server, the firewall server and the mail server. Table 4 shows details about the architectural component prices and the amortization period of current standard e-learning systems. We adopt the Ldlc study [7] in order to fill in the concrete data of Table 4.

Table 4: The architectural components prices and the amortization period for an e-learning system case study
Given the variety of architectural component prices in the conducted study, we took into consideration an average price ($), assuming that the DB server and the Web server have the same price, in order to measure the profitability of the security solution properly.

Defining the Evolution of the Impact Matrix for 3 Years
Only the impact matrix varies according to the MFC security problems diagnostic. The impact matrix IM of the MFC model can be filled by analyzing which threats affect which components, and assessing the likelihood of success of each threat. The initial empirical data shown in Table 5 form the probability that component Ck fails once threat Tq has materialized [11].
IM (Ck, Th): the probability that component Ck is compromised if threat Th has materialized.
The impact matrix (Table 5) forms the critical problem. Using the security measures classification [2], we choose as a solution to duplicate the architectural hardware components, to reduce the MFC values by half.
Therefore the probabilities of the IM matrix decrease by half every period of time (6 periods), as shown in six tables, Tables 6 to 11. They show the evolution of the impact matrix probabilities for the web server and the DB server during six periods of time.

Monitoring the Effectiveness of the Web Server Duplication

Computing the MFC'Si for the Web Server per Period
Using the new impact matrix for the web server, we can now compute the resulting vector of Mean Failure Costs using the formula: MFC' = ST • DP • IM' • PT, given the initial MFC values (MFC0 $/hour) calculated initially in the quantitative risk management process. We intend to compute the MFC'Si for the web server for six semesters, taking into consideration the modified impact matrix from Tables 6 to 11 for every semester. We apply the above formula: MFC'Si (Web server) = ST • DP • IMSi • PT. The results are shown in Table 12. Table 12 shows that the MFC'Si decreases in time; this implies that the amount of loss (cost $/hour) that results from security breakdowns caused by threats and vulnerabilities decreases for each stakeholder. A strong justification will be added when we evaluate the profitability, or financial efficiency, for each stakeholder using the ROI formula.

Computing the Gain for the Web Server per Period
To compute the gain for the web server per semester, we use the difference between two MFC values: Gain Si = (initial MFC - MFC'Si (Web server)) × Nbh. Table 13 shows the gain for the web server duplication over six semesters; Nbh is the number of hours during which the system is functional, and in our case of e-learning systems the platforms should be available throughout the 24 hours. We note also that the gain increases in time and is significant especially for the system administrator and the teacher.

The Return on Investment of the Web Server
We now compute the return on investment of the Web server architectural component using equation (4).
Table 14: The return on investment of the Web server
According to the ROI analysis presented in Table 14, which shows a positive financial result for all stakeholders, we can affirm that adopting the duplication of the Web server is a good solution. All stakeholders are winners: the student and the system administrator are the big winners. It is a meaningful justification for security business decisions for e-learning systems.
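As an added worked example (not code from the paper), the following Python script runs the monitoring pipeline of this section on small constructed matrices: it evaluates MFC = ST • DP • IM • PT, halves the duplicated component's row of IM every semester as in Tables 6 to 11, computes Gain Si = (MFC0 - MFC'Si) × Nbh, and divides the discounted sum of gains by C (0). The discounted form assumed for equation (4), the toy matrices and the period count are assumptions, since the paper's tables are not reproduced here.

```python
"""Added worked example (not the paper's code): MFC cascade, impact-matrix
halving per semester, per-period gain and per-stakeholder ROI of duplicating
one architectural component. All input data below is constructed."""
from typing import List

Matrix = List[List[float]]
Vector = List[float]


def mat_vec(a: Matrix, v: Vector) -> Vector:
    """Plain matrix-vector product (no numpy so the example runs anywhere)."""
    return [sum(aij * vj for aij, vj in zip(row, v)) for row in a]


def mfc_vector(st: Matrix, dp: Matrix, im: Matrix, pt: Vector) -> Vector:
    """MFC = ST . DP . IM . PT, evaluated right-to-left as three matrix-vector
    products. Returns one $/hour loss figure per stakeholder (row of ST)."""
    return mat_vec(st, mat_vec(dp, mat_vec(im, pt)))


def impact_matrix_series(im: Matrix, component: int, periods: int) -> List[Matrix]:
    """Evolution of IM over the periods: the row of the duplicated component
    (P(component compromised | threat)) halves every period; other rows stay."""
    series = []
    factor = 1.0
    for _ in range(periods):
        factor *= 0.5
        im_s = [row[:] for row in im]
        im_s[component] = [p * factor for p in im[component]]
        series.append(im_s)
    return series


def gain_series(mfc0: Vector, mfc_series: List[Vector], nbh: float) -> List[Vector]:
    """Gain_Si = (MFC_0 - MFC'_Si) * Nbh for each period, per stakeholder.
    Nbh is the number of functional hours in one period (assumption)."""
    return [[(m0 - ms) * nbh for m0, ms in zip(mfc0, mfc_s)] for mfc_s in mfc_series]


def roi(gains: Vector, c0: float, d: float) -> float:
    """Assumed form of equation (4): discounted ROI, i.e.
    sum_w B(w) / (1 + d)^w divided by C(0). With d = 0 it is the plain ratio."""
    discounted = sum(b / (1.0 + d) ** w for w, b in enumerate(gains, start=1))
    return discounted / c0


def duplication_roi(st: Matrix, dp: Matrix, im: Matrix, pt: Vector,
                    component: int, periods: int, nbh: float,
                    c0: float, d: float) -> List[float]:
    """Whole pipeline: per-stakeholder ROI of duplicating `component`."""
    mfc0 = mfc_vector(st, dp, im, pt)
    mfc_series = [mfc_vector(st, dp, im_s, pt)
                  for im_s in impact_matrix_series(im, component, periods)]
    gains = gain_series(mfc0, mfc_series, nbh)
    return [roi([g[i] for g in gains], c0, d) for i in range(len(mfc0))]


# Constructed toy data (not the paper's table values): 2 stakeholders
# (admin, student) x 2 requirements x 2 components (web, DB) x 2 threats.
ST = [[100.0, 50.0], [20.0, 80.0]]   # $/h stake of each stakeholder per requirement
DP = [[0.5, 0.2], [0.1, 0.6]]        # P(requirement fails | component compromised)
IM = [[0.4, 0.2], [0.1, 0.5]]        # P(component compromised | threat materialised)
PT = [0.01, 0.02]                    # P(threat materialises) per hour of operation
WEB, DB = 0, 1

if __name__ == "__main__":
    # Same purchase budget for both candidates, as in the paper's hypotheses.
    for name, comp in (("web server", WEB), ("DB server", DB)):
        r = duplication_roi(ST, DP, IM, PT, comp, 6, 1000.0, 1000.0, 0.0)
        print(name, ["%.3f" % x for x in r])
```

A negative or zero ROI entry for a stakeholder would flag the "indifferent" case the paper observes for the student, so the per-stakeholder vector, not its sum, is what the decision maker should read.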

Monitoring the Effectiveness of the DB Server Duplication

Computing the MFC'Si for the DB Server
Using the new impact matrix for the DB server from Tables 6 to 11 for every semester, we can now compute the resulting vector of Mean Failure Costs using the formula: MFC' = ST • DP • IM' • PT. The Mean Failure Cost for e-learning systems per semester is: MFC'Si (DB server) = ST • DP • IMSi • PT. The results are shown in Table 15. Table 15 shows that the MFC'Si decreases in time; it reflects the decrease of the loss for each stakeholder as a monetary value per unit of operational time (cost $/hour per semester). Now we need to compute the ROI for all the system's stakeholders and then deduce whether we can adopt the proposed solution or not.

Computing the Gain for the DB Server
Using the new values of the MFC vector of Table 15, we can now compute the gain for the DB server for each stakeholder, as presented in Table 16. The gain for the DB server per semester is: Gain Si = (initial MFC (MFC0 $/h) - MFC'Si (DB server)) × Nbh. The overall gains of all stakeholders of the web server presented in Table 16 are positive, considering the number of usage hours of the e-learning system, which is 24 hours. By comparing the four stakeholders, we note that the system administrator is still the winner in terms of time; the teacher and the technician are winners too; nevertheless the student is indifferent (gain = 0), and the proposed solution of the DB server duplication is not profitable to him/her. This affirmation can be strongly justified by computing the ROI.

The Return on Investment of the DB Server
Using the previous data and equation (4), we derive the ROI of the DB server for the four stakeholders; the results are presented in Table 17 and are not significant. Nevertheless, they are sufficient for the stakeholders to justify the investment. We note that the ROI values presented in Table 17 are positive for all stakeholders. Therefore, it is a good solution to adopt the duplication of the DB server. All stakeholders are winners: the system administrator is the big winner, but the student is not. The decision on the hardware acquisition now depends on the financial return of the Web server and the budget to be invested.

Discussion and Decision
A summary of the ROI values of the proposed security solution for all the system's stakeholders, that is, the choice between the duplication of the web server and that of the DB server, is given in Table 18. Given that all the ROIs presented in Table 18 are positive, the duplication of the web server and/or the DB server is worthwhile for the four stakeholders.
The ROI values are all significant except for the student; he is not a winner when we adopt the DB server acquisition. The student is the core stakeholder of e-learning systems and must gain considerably from the duplication solution.
We can affirm that the duplication of the web server component is a better solution than the duplication of the DB server. We can duplicate both, according to the invested budget. If we have to choose between them, we choose the web server, because its ROI values are more significant for all stakeholders.

Conclusions
This paper focuses on the management of security measure priorities and the diagnosis of the suitable ways to control the MFC matrices, in order to implement the most appropriate countermeasures for a practical case study of e-learning systems.
The MFC cyber security metric is the product of several factors (the stakes matrix ST, the dependency matrix DP, the impact matrix IM, and the threat vector PT). It is possible to control the MFC through its factors in order to minimize and reduce its values. We need to choose the right measures for security priorities and decide whether the considered solution is profitable or not. This leads to maximizing the security management performance and decisions of the considered system in the appropriate time and without wasting the budget.
To implement the proposed countermeasures we must invest in software and/or hardware solutions, but we need to ensure the proper choice of the considered solution by computing the return on investment (ROI) based on the MFC values. We recall that the MFC values represent, for each stakeholder, the amount of loss that results from security breakdowns caused by threats and vulnerabilities. That is why it is useful to deduce the gain per period, which is the difference between two successive values of the MFC. Finally we compute the ROI for all the system's stakeholders and deduce whether we can adopt the proposed solution or not.
The calculation of the return on investment based on the MFC values is a good solution for decision making for the system's stakeholders. It is an optimal solution for simple and complex systems in which users/stakeholders have different benefits. In these cases, security management decisions can be easily and quickly managed and justified.

Future Works
Since our approach provided encouraging results, this work can be extended to study and monitor the effectiveness of security countermeasures for the remaining architectural components, like the firewall. This is a good way to ensure quantitatively the proper choice of the security solution without wasting the budget.
Our next plans are to explore opportunities to control the other factors of the MFC model in order to minimize its values, leading to more secure and safe e-systems. This helps in monitoring the effectiveness of security countermeasures, maximizing management performance and supporting the most suitable decisions in business analysis.

Notation used in the ROI equations:
- the total number of discount periods;
- w: the number of the period;
- B (w): (Revenue - Cost) during the period w;
- d: the amortization period (discount rate);
- C(0): the amount originally invested.

Table 2 addresses the first security quantification of e-learning systems in the open literature.

Table 5: The initial Impact Matrix (IM)

Table 12: MFC'Si application for e-learning systems for the web server

Table 13: Gain for the web server

Table 15: MFC'Si application for e-learning systems for the DB server


Table 16: Gain for the web server

Table 17: The return on investment of the DB server

Table 18: The return on investment of the DB server and the Web server