Evolutionary Algorithms for Optimal Selection of Security Measures

Jüri Kivimaa (1) and Toomas Kirt (2)
(1) Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia
(2) University of Tartu, Tallinn, Estonia
Jyri.Kivimaa@mil.ee, Toomas.Kirt@ut.ee

Abstract: A very important issue in IT security or cyber security management is to provide cost-efficient security measures that achieve the needed or required security goals (mainly the CIA levels: Confidentiality, Integrity, Availability). To provide an optimal solution, an optimization task with two goals has to be solved: to minimize the needed resources and to maximize the achievable security. The computational complexity of this optimization task is very high. In previous work a matrix based security model and an optimization framework based on Pareto optimality and the discrete dynamic programming method have been used. That solution has a quite important imperfection: it requires independence between the security activity areas. This is not appropriate for IT security, because it does not follow a quite important principle of IT security: security is like a chain that is only as strong as the weakest link of layered security or defence in depth. Evolutionary optimization, as an alternative optimization tool, removed the independence restriction of the matrix based security model and the dynamic optimization method, but its first implementation was slightly slower than the other methods. To improve the performance of the evolutionary optimization we performed a meta-level optimization of the parameters of the algorithm, and as a result the speed of the optimization is comparable to other optimization techniques. As the evolutionary optimization is independent for all possible budget levels, it led to the possibility of using a graph based security model. The graph based security model is a new and dynamic framework for security management.
This paper presents how the implementation of an evolutionary optimization technique removed the restriction of independence of security measures and led to the implementation of an efficient graph based security model.

Keywords: graded security model, information security metrics, evolutionary optimization

1. Introduction

One of the most important tasks for IT security management is the optimal use of existing resources, and the main idea of our R&D work is to propose to IT security decision-makers a Graded Security Model (GSM) and a decision support system for it. In earlier papers (Kivimaa, 2009; Kivimaa, Ojamaa, and Tyugu, 2009; Ojamaa, Tyugu, and Kivimaa, 2008) it was shown how to use the GSM for finding optimal solutions based on Pareto-optimal situation analysis; the discrete dynamic programming method was used for the optimization calculations and the weighted average confidence of the security activity areas was used as the optimization criterion. As it turned out, the computational complexity of the optimization task is very high. For example, if an IT security model has 30-40 activity areas and each of them has 4 possible implementation levels, then there are 4^30 to 4^40 possible solutions from which to select an optimum. The brute force optimization technique would require a couple of years to calculate even one possible budget point. (Kivimaa, 2009) also pointed out some weaknesses caused by the dynamic programming method: when dynamic programming is used for the optimization, the security activity areas must not depend on each other and their levels must be additive. To achieve better solutions in the future it is reasonable to continue the GSM development, mainly by collecting expert knowledge for an up-to-date model: up-to-date information about the security goals and their levels, the information security activity areas and the dependency matrix of their realization levels, and the up-to-date realization costs and effectiveness of those levels.
And, as treating IT security activities as independent is the source of quite serious problems, to cover IT security problems in more detail and in a correct way we have to accept dependencies between the lines of the Dependencies Matrix: to describe these dependencies, in addition to the Dependencies Matrix we use (find or work out) a Dependencies Graph of IT security or IT security activity areas. Because the independence of the security activity areas was required by the Dynamic Programming (DP) method, our aim was to apply an alternative optimization method, and we decided to use an evolutionary algorithm, a universal method for complex optimization in many fields. The evolutionary algorithm starts each optimization process from the beginning and therefore has no problems related to independence and additivity.
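To make the difference concrete, the following is an added example (our own illustration, not the authors' code or model): a small genetic algorithm that selects one of four implementation levels for each activity area under a budget, with a weakest-link fitness that is not additive and therefore outside what the dynamic programming approach accepts. The six-area instance, its cost and effectiveness tables, the budget and the GA parameters are all constructed; a brute force check is included only because 4^6 combinations are still enumerable.

```python
"""Evolutionary selection of security levels under a budget (added example,
not the authors' code). Constructed instance: 6 activity areas, 4 levels
each. The fitness is deliberately non-additive: the weakest link (minimum
effectiveness over all areas) comes first, the average confidence second,
which is exactly the case dynamic programming cannot handle."""
import itertools
import random

COST = [0, 2, 5, 9]        # constructed cost of implementing level 0..3 in an area
EFFECT = [0, 40, 70, 90]   # constructed effectiveness (confidence %) of level 0..3
AREAS, LEVELS = 6, 4


def fitness(levels, budget):
    """Lexicographic fitness; any infeasible solution ranks below every feasible one."""
    cost = sum(COST[l] for l in levels)
    if cost > budget:
        return (-1, -cost)                      # over budget: cheaper is "less bad"
    effs = [EFFECT[l] for l in levels]
    return (min(effs), sum(effs) / len(effs))   # weakest link first, then average


def mutate(ind, rng):
    """Point mutation plus a budget 'transfer' move (lower one area, raise another)."""
    ind = [rng.randrange(LEVELS) if rng.random() < 0.1 else g for g in ind]
    if rng.random() < 0.3:
        i, j = rng.sample(range(AREAS), 2)
        if ind[i] > 0 and ind[j] < LEVELS - 1:
            ind[i] -= 1
            ind[j] += 1
    return ind


def evolve(budget, pop_size=60, generations=200, seed=1):
    """Generational GA: elitism, tournament selection, uniform crossover, mutation."""
    rng = random.Random(seed)
    key = lambda ind: fitness(ind, budget)
    pop = [[rng.randrange(LEVELS) for _ in range(AREAS)] for _ in range(pop_size)]
    for _ in range(generations):
        nxt = [max(pop, key=key)]               # elitism: best survives unchanged
        while len(nxt) < pop_size:
            a = max(rng.sample(pop, 3), key=key)    # tournament of 3
            b = max(rng.sample(pop, 3), key=key)
            child = [x if rng.random() < 0.5 else y for x, y in zip(a, b)]
            nxt.append(mutate(child, rng))
        pop = nxt
    best = max(pop, key=key)
    return best, fitness(best, budget)


def brute_force(budget):
    """Exhaustive check: 4**6 = 4096 combinations here, 4**30 and more in practice."""
    best = max(itertools.product(range(LEVELS), repeat=AREAS), key=lambda ind: fitness(ind, budget))
    return list(best), fitness(best, budget)
```

With budget 30 the only assignment whose weakest link reaches 70 is level 2 in every area, and the GA converges to it; with budget 12 the best the weakest link can reach is 40.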