Use and analysis of attack graphs for decision making in a cybersecurity defense plan
View/
Keywords
Attack graphs ; Cybersecurity ; Cybersecurity defense plan ; ISO 27005 ; ISO 27001 ; Control prioritization ; Budget allocation ; Game theory ; Knapsack problem ; Budget prioritization cybersecurityAbstract
Modern information systems tend to encounter threats that evolve and become more sophisticated than someone can keep up to by just knowing their existing vulnerabilities. Attack graphs are the visual display of such potential courses of action an adversary may take in order to lead to a system compromise and this document presents how one may generate a graph, draw results from it, and create a defense based on these conclusions. Then, driven by international standards, we delve through the process of risk management and with the restriction of a network owner’s budget, allocate the existing resources to the best of the business or organization by using various methods including knapsack problem and game theory.