Title :
An approach to measure effectiveness of control for risk analysis with game theory
Author :
Rajbhandari, Lisa ; Snekkenes, Einar Arthur
Author_Institution :
Norwegian Inf. Security Lab., Gjovik Univ. Coll., Gjovik, Norway
Abstract :
Security managers are facing problems choosing effective controls (countermeasures), as there is a large number of controls at their disposal. Although the existing standards and methods provide guidance, they are not sufficiently comprehensive when it comes to deciding what attributes to look for and how to use them for determining the effectiveness of controls. The purpose of this paper is twofold: first, we determine the attributes of controls and their measurement functions, in order to measure their effectiveness by means of Analytic Hierarchy Process (AHP). Secondly, we show how control metrics can be used by the analyst to make deployment decisions by means of Risk Analysis Using Game Theory (RAUGT). The approach is further validated by using a case study between a system owner who wants to determine the effectiveness of using the Password Testing System (PTS) to raise the bar for the attacker.
Keywords :
game theory; risk analysis; security of data; AHP; PTS; RAUGT; analytic hierarchy process; metric control; password testing system; risk analysis using game theory; security managers;
Conference_Title :
Socio-Technical Aspects in Security and Trust (STAST), 2011 1st Workshop on
Conference_Location :
Milan
Print_ISBN :
978-1-4577-1182-4
DOI :
10.1109/STAST.2011.6059252