Wilamowski, George Christopher. (The George Washington University), “Using Analytical Network Processes to Create Authorization, Authentication, and Accounting Cyber Security Metrics” (2017)

Wilamowski, George Christopher. (The George Washington University), “Using Analytical Network Processes to Create Authorization, Authentication, and Accounting Cyber Security Metrics” (2017) Advisor: Sarkani, Shahram and Mazzuchi, Thomas

Cyber-attacks have escalated, causing decision makers to assess the trade-offs required to protect their organizations from such attacks. The use of benchmarking techniques to reduce cyber security risks would allow decision makers to use both qualitative and quantitative analyses. Systems engineering provides unique insights into the validation of an organization’s criteria for operational objectives through measures of effectiveness for cyber-security decisions.

Decision makers can create cyber-defense strategies by using benchmarking to assess the effectiveness of Authentication, Authorization, and Accounting (AAA) access controls. This dissertation explores the use of the Analytical Network Process (ANP) Multi-Criteria Decision Making (MCDM) model to derive those strategies. A network/access mobile security use case was developed in a generalized application- benchmarking framework. Three communities of interest, the local area network (LAN), wide area network (WAN), and Remote Users, were referenced while demonstrating how to prioritize alternatives within weighted rankings. Subjective judgments carry tremendous weight in the minds of cyber-security decision makers.

Over 500 cyber security Subject Matter Experts (SMEs) completed a survey, giving insights into their expertise and seasoned judgement. They came from a broad cross-section of environments including Military, Government, Nonprofit, and Commercial industries. Using their responses, a generalized application-benchmarking framework was developed that shows how leaders can connect to their technical staffs, thus instantiating cyber defenses that hold the most promise.

The framework consists of four functional areas: (1) Hierarchical Structure; (2) Judgment Dominance with Alternatives; (3) Measures, and (4) Analysis. These four functional areas allow for three composite types: Form, Fit-For-Purpose, and Function to initiate processes and procedures in developing a measure of effectiveness for cyber-security controls. Within the Form composite type, a data parser was used to break the collected raw data into multiple tabulated forms for continued analysis to include an ANP cyber-security controls diagram. The Fit-For-Purpose composite analyzed the data in relation to data normalization, chi-square test for independence, residual plotting, the general linear model (GLM), geometric mean, and Cronbach’s alpha. Once the data were analyzed, the information was refined within the Function composite and subjected to pairwise comparisons within the ANP models for continued development of benchmarking scorecards. The result of that process was a security rating for LAN, WAN, and remote-user configurations.

In the final analysis, it was determined that a generalized application-benchmarking framework can be employed to derive Measures of Effectiveness (MOEs) based on SME preferences for security controls. The security measures formulated from the model allowed them to be given weighted scores and to be ranked from the development of ANP scorecards for each industry type. The scorecards and rankings allow industry security managers to compare their own rankings against the benchmarked scorecards to increase the effectiveness of cyber-security controls within their organizations.