Usability Aware Secret Protection with Minimum Cost
Shoma Matsui, Kai Cai

TL;DR
This paper addresses the challenge of protecting system secrets efficiently by balancing security levels, usability, and costs using discrete-event system models and supervisory control theory, including extensions for heterogeneous secrets.
Contribution
It introduces a usability-aware cost model for secret protection, formulates a security problem with minimum cost constraints, and provides algorithms for both homogeneous and heterogeneous secret scenarios.
Findings
Proposed a necessary and sufficient condition for problem solvability.
Developed algorithms based on supervisory control theory for optimal protection.
Validated solutions with a network security example.
Abstract
In this paper we study a cybersecurity problem of protecting a system's secrets with multiple protections and a required security level, while minimizing the associated cost due to implementation/maintenance of these protections as well as the affected system usability. The target system is modeled as a discrete-event system (DES) in which there is a subset of marker states denoting the services/functions provided to regular users, a subset of secret states, and multiple subsets of protectable events with different security levels. We first introduce usability-aware cost levels for the protectable events, and then formulate the security problem as ensuring that every system trajectory that reaches a secret state contains a specified number of protectable events with at least a certain security level, and that the highest usability-aware cost level of these events is minimum. We first provide…
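The security condition stated in the abstract can be checked directly on a small automaton. The following is an added example, not the paper's algorithm (which is based on supervisory control theory): it scans cost thresholds by brute force, and the states, events, security levels and cost levels are all constructed for illustration.

```python
from collections import deque

def min_protected_to_secret(trans, init, secrets, protected):
    """Fewest protected events on any trajectory from init to a secret state (0-1 BFS)."""
    dist = {init: 0}
    queue = deque([init])
    while queue:
        q = queue.popleft()
        for (src, event), dst in trans.items():
            if src != q:
                continue
            d = dist[q] + (1 if event in protected else 0)
            if d < dist.get(dst, float("inf")):
                dist[dst] = d
                # zero-weight edges go to the front so states pop in distance order
                (queue.append if event in protected else queue.appendleft)(dst)
    return min((dist[s] for s in secrets if s in dist), default=float("inf"))

def min_cost_level(trans, init, secrets, levels, n, min_sec):
    """Smallest cost level k such that protecting every event with security level
    >= min_sec and cost level <= k puts at least n protected events on every
    trajectory reaching a secret. Returns (k, protected_events), or None."""
    eligible = {e: cost for e, (sec, cost) in levels.items() if sec >= min_sec}
    for k in sorted(set(eligible.values())):
        protected = {e for e, cost in eligible.items() if cost <= k}
        # Protecting more events never lowers a count, so the first k that works is minimal.
        if min_protected_to_secret(trans, init, secrets, protected) >= n:
            return k, protected
    return None

# Constructed model: q2 is a user-facing service, q4 holds the secret.
TRANS = {
    ("q0", "login"): "q1", ("q0", "vpn"): "q1",
    ("q1", "use_service"): "q2", ("q1", "sudo"): "q3",
    ("q2", "exploit"): "q3",   # not protectable: absent from LEVELS
    ("q3", "read_db"): "q4",
}
# event -> (security level, usability-aware cost level); constructed values
LEVELS = {"login": (1, 1), "vpn": (2, 1), "use_service": (1, 3),
          "sudo": (2, 2), "read_db": (2, 2)}

if __name__ == "__main__":
    for n, sec in [(2, 1), (3, 1), (2, 2)]:
        print(f"n={n}, min security level={sec}:",
              min_cost_level(TRANS, "q0", {"q4"}, LEVELS, n, sec))
```

With these constructed values, requiring two protections at security level 2 has no solution, because the trajectory through `login`, `use_service` and `exploit` carries only one eligible event.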
Taxonomy
Topics: Petri Nets in System Modeling · Security and Verification in Computing · Distributed systems and fault tolerance
