Dynamic Control and Mitigation of Interdependent IT Security Risks
Source: Stanford University
Security risk management for information technology-based organizations has become increasingly important in recent years. However, the risk assessment and mitigation strategies that these organizations employ have remained relatively ad hoc and qualitative. In this paper, the authors extend a quantitative framework for risk assessment called Risk-Rank to include risk mitigation through Markov Decision Processes. By doing so, they provide an analysis-to-action quantitative approach to security risk management, enabling IT managers to perform more comprehensive evaluations of their risk exposures. They demonstrate the effectiveness of this approach through an example related to the patching of computers in a corporate network.