Selecting optimal countermeasures for attacks against critical systems using the attack volume model and the RORI index

Research output: Contribution to journal › Article › peer-review

Abstract

The impact quantification of attacks and security countermeasures is an active research area in the information and communications technology domain. Supporters of the Return On Investment (ROI), and all its variants, propose quantitative models that estimate their parameters based on expert knowledge, statistical data, simulation and risk assessment tools. Although results are used for relative comparisons, a great level of subjectivity is considered while estimating each parameter composing the model. In single attack scenarios, the use of cost-sensitive metrics allows the evaluation and selection of security countermeasures. However, for attacks against critical infrastructures, this approach is not accurate enough to determine the impact of the equipment(s), subject(s), and/or action(s) that take part in a security incident. This paper proposes, therefore, a geometrical model that represents the volume of systems, attacks and countermeasures based on a three-dimensional coordinate system (i.e., user, channel, and resource). As a result, volumes are related to risks, making it possible to select optimal countermeasures against complex attacks based on a cost-sensitive metric. A case study on a critical infrastructure control process is provided at the end of the paper to show the applicability of our model in a scenario with two attacks.

Original language: English
Pages (from-to): 13-34
Number of pages: 22
Journal: Computers and Electrical Engineering
Volume: 47
Publication status: Published - 1 Jan 2015
Externally published: Yes

Keywords

  • Attack volume
  • Countermeasure selection
  • Industrial critical control systems
  • RORI
  • SCADA
  • Security metrics
