Graded Security Expert System
Abstract. A method for modeling graded security is presented and its
application in the form of a hybrid expert system is described. The expert
system enables a user to select security measures in a rational way based
on the Pareto optimality computation using the dynamic programming
for finding points of Pareto optimality curve. The expert system provides
a rapid and fair security solution for a class of known information systems
at a high comfort level.
Key words: Graded security, coarse-grained security analysis, Pareto
optimal security evaluation
1 Introduction
Graded security measures have been in use for a long time in the high-risk areas
like nuclear waste depositories, radiation control etc. [1]. Also in cyber security,
it is reasonable to apply a methodology that enables one to select rational se-
curity measures based on graded security, and taking into account the available
resources, instead of using only hard security constraints prescribed by stan-
dards.
It is well known that complete (100%) security of an information system is
impossible to achieve even with high costs. A common practice is to prescribe the
security requirements that have to be guaranteed with a sufficiently high degree
of confidence for various classes of information systems. This is the approach
of most security standards, e.g. [2]. However, a different approach is possible
when protecting a critical information infrastructure against the cyber attacks
– one may have a goal to provide the best possible defense with given amount
of resources (at the same time considering the standard requirements). This
approach requires a considerable amount of data that connects security measures
with required resources and security measures with provided degree of security.
Practically, only a coarse-grained security can be analyzed in such a way
at present, using a finite number of levels (security classes) as security metrics.
This is a basis of the graded security methodology. This approach has been
successfully applied in the banking security practice and included at least in
one security standard [3]. The ideas of graded security are based on the US
Department of Energy security model from 1999 [4] and its updated version
from 2006 [5].
The graded security model itself is intended for helping to determine a rea-
sonable set of needed security measures according to security requirements levels.
However, in practice it can be the case that there are not enough resources to
achieve the baseline. In this case it is still desirable to invest the limited amount
