• DocumentCode
    3098371
  • Title

    Security Risk Management in Computing Systems with Constraints on Service Disruption

  • Author

    Bommannavar, Praveen ; Bambos, Nicholas

  • Author_Institution
    Manage. Sci. & Eng., Stanford Univ., Stanford, CA, USA
  • fYear
    2011
  • fDate
    July 31 2011-Aug. 4 2011
  • Firstpage
    1
  • Lastpage
    6
  • Abstract
    We present a model for keeping track of vulnerabilities in a networked computing system and study the tradeoff between risk mitigation and keeping disruption at an acceptable level. The tradeoff is such that one can either choose to perform maintenance of the computing system very frequently and experience low risk, or disrupt the system with less frequency, but bear more risk. Formally, we suppose there are n types of vulnerabilities, where each type is jointly characterized by (i) maliciousness, as measured by risk per time slot due to its presence and (ii) probability of occurrence. At each time step, at most one new vulnerability appears in the system, a property that follows if we take the discretized time step size to be small compared to the rate of arrivals for vulnerabilities. We consider a finite-horizon framework of duration N in which the number of times the network may be patched is M < N. This limitation captures the fact that in many engineering systems we would like to limit the number of times processes are interrupted for maintenance. Indeed, service providers may wish to promise clients that service will be disrupted no more than M times so that a certain level of operational continuity can be guaranteed. We develop an optimal policy for mitigating the risk due to exposure from vulnerabilities while obeying the patching constraint.
  • Keywords
    probability; risk management; scheduling; security of data; software maintenance; computing system maintenance; finite-horizon framework; maliciousness; networked computing system vulnerability; occurrence probability; operational continuity; optimal scheduling policy; patching constraint; risk mitigation; security risk management; service disruption; Computational modeling; Dynamic programming; Electronic mail; Maintenance engineering; Mathematical model; Risk management; Security;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computer Communications and Networks (ICCCN), 2011 Proceedings of 20th International Conference on
  • Conference_Location
    Maui, HI
  • ISSN
    1095-2055
  • Print_ISBN
    978-1-4577-0637-0
  • Type

    conf

  • DOI
    10.1109/ICCCN.2011.6005875
  • Filename
    6005875