'What', 'Where', and 'Why' Cybersecurity Controls to Enforce for Optimal Risk Mitigation

Ashutosh Dutta, Ehab Al-Shaer

Research output: Chapter in Book/Report/Conference proceeding; Conference contribution; peer-review

16 Scopus citations

Abstract

Most enterprises depend on information security standards and guidelines such as CIS Critical Security Controls (CIS CSC) to adopt and manage cybersecurity controls. With the escalation and diversity of cyber attacks, hundreds of cybersecurity controls have been defined to implement NIST Cybersecurity Framework (i.e., Identify, Detect, Protect, Respond, and Recover) [1]. However, the selection of the most appropriate set of security controls to optimize cyber defense Return on Investment (ROI) is still a highly complex and error-prone task due to the large number of security controls, the consideration of various risk factors (such as vulnerabilities and attack incidents), and budget constraints. Moreover, the complexity is exacerbated by the presence of various enterprise-oriented usability requirements. In this paper, we present a novel model and optimization techniques to select the most cost-effective set of Critical Security Controls (CSC) for optimal risk mitigation planning considering affordable residual risk, budget, and usability constraints. We developed Cyber Defense Matrix (CDM), which our automated approach uses to determine 'what' security controls are needed at a particular enterprise for security function (Identify, Protect, Detect, Respond, and Recover), 'where' to enforce in the cyber environment (Network, Device, People, Application, and Data), and 'why' it is effective in the cyber attack kill chain phases. We formulate the CDM decision-making problem using SMT constraints and developed a tool, called CyberARM, that computes correct-by-construction planning to satisfy cybersecurity ROI with bounded residual risk under specific budget constraints.

Original language: English
Title of host publication: 2019 IEEE Conference on Communications and Network Security, CNS 2019
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 160-168
Number of pages: 9
ISBN (Electronic): 9781538671177
State: Published - Jun 2019
Externally published: Yes
Event: 2019 IEEE Conference on Communications and Network Security, CNS 2019 - Washington, United States
Duration: 10 Jun 2019 to 12 Jun 2019

Publication series

Name: 2019 IEEE Conference on Communications and Network Security, CNS 2019

Conference

Conference: 2019 IEEE Conference on Communications and Network Security, CNS 2019
Country/Territory: United States
City: Washington
Period: 10/06/19 to 12/06/19

Bibliographical note

Publisher Copyright:
© 2019 IEEE.

Keywords

  • Cyber Defense Matrix
  • formal modeling
  • risk mitigation

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Hardware and Architecture
  • Information Systems and Management
  • Safety, Risk, Reliability and Quality
