Decision Model for the Security and Utility Risk Evaluation (SURE) Framework

The Security and Utility Risk Evaluation (SURE) framework is a framework for specifying and calculating risk to enable dynamic and autonomous decisions about cyber security and utility risk in generic computer-based systems. The SURE framework's decision model provides the ability to select between multiple alternative mitigation strategies in order to optimise security and utility risk during the operation of a system. This paper presents the decision model of the SURE framework and an example illustrating how the decision model operates in a mobile networking scenario. The example shows that the SURE framework's decision model enables a better fit than existing security decision models between the context of the requested action, security and utility requirements and the selected mitigation strategy, giving greater flexibility to both policy makers and users.