Optimizing Investments in Security Countermeasures: A Practical Tool for Fixed Budgets
September/October 2007 (vol. 5 no. 5)
pp. 57-60
Jonathan Caulkins, Carnegie Mellon University
Eric D. Hough, Space and Naval Warfare Systems Center San Diego
Nancy R. Mead, Software Engineering Institute
Hassan Osman, Ernst & Young
As a software engineer or client, how much of your budget should you spend on software security mitigation for the applications and networks on which you depend? The authors introduce a novel way to optimize a combination of security countermeasures under fixed resources.

References

1. D. Verdon and G. McGraw, "Risk Analysis in Software Design," IEEE Security & Privacy, vol. 2, no. 4, 2004, pp. 79–84.
2. D. Kahneman and A. Tversky, eds., Choices, Values and Frames, Cambridge Univ. Press, 2000.
3. D. Kahneman, P. Slovic, and A. Tversky, eds., Judgment under Uncertainty: Heuristics and Biases, Cambridge Univ. Press, 1982.
4. L.A. Wolsey, Integer Programming, Wiley & Sons, 1998.
5. C. Albright, "Premium Solver Platform for Excel (Software Review)," OR/MS Today, vol. 28, no. 3, 2001, pp. 58–63.
6. D. Fylstra et al., "Design and Use of the Microsoft Excel Solver," Interfaces, vol. 28, no. 5, 1998, pp. 29–55.
7. H. Osman et al., SQUARE Methodology: Case Study on Asset Management System, tech. report CMU/SEI-2004-SR-015, Software Eng. Inst., Carnegie Mellon Univ., 2004.
8. N.R. Mead, E. Hough, and T. Stehney II, Security Quality Requirements Engineering, tech. report CMU/SEI-2005-TR-009, Software Eng. Inst., Carnegie Mellon Univ., 2005; www.sei.cmu.edu/publications/documents/05.reports/05tr009.html.
9. N.R. Mead, "Identifying Security Requirements Using the Security Quality Requirements Engineering (SQUARE) Method," Integrating Security and Software Engineering: Advances and Future Visions, H. Mouratidis and P. Giorgini, eds., Idea Group, 2006, pp. 44–69.
10. P. Hope, G. McGraw, and A.I. Antón, "Misuse and Abuse Cases: Getting Past the Positive," IEEE Security & Privacy, vol. 2, no. 3, 2004, pp. 90–92.
11. Statistical Software Engineering, Commission on Physical Sciences, Mathematics, and Applications, Nat'l Academies Press, 1996, p. 39.
12. J. Surowiecki, The Wisdom of Crowds: Why the Many Are Smarter than the Few and How Collective Wisdom Shapes Business, Economies, Societies and Nations, Little, Brown, 2004.
13. J. Whittle and I.H. Kruger, "A Methodology for Scenario-Based Requirements Capture," Proc. 3rd Int'l Workshop on Scenarios and State Machines: Models, Algorithms, and Tools (SCESM 04), 2004, pp. 2–7.

Index Terms:
software engineering, requirements engineering, risk management, integer programming
Citation:
Jonathan Caulkins, Eric D. Hough, Nancy R. Mead, Hassan Osman, "Optimizing Investments in Security Countermeasures: A Practical Tool for Fixed Budgets," IEEE Security & Privacy, vol. 5, no. 5, pp. 57-60, Sept.-Oct. 2007, doi:10.1109/MSP.2007.117