Decision support for selecting information security controls

Abstract

With the emergence of the Internet, the volume of cyberattacks has been growing steadily and, therefore, adequate security of information plays a crucial role in IT systems. Organisations face complex decisions regarding the selection of security controls that protect their information assets. The implementation of these controls should ensure an adequate level of protection. However, their selection requires knowledge about the vulnerabilities and threats existing in the organisation, and the investment in security must comply with economic constraints. This work proposes a framework to support an organisation in identifying security vulnerabilities and optimising a portfolio of security controls to mitigate them. Those security controls may be of a mixed nature, such as hardware controls, software controls, policies, procedures and training actions. The framework is built on the standards ISO/IEC 27001:2013 and ISO/IEC 27002:2013 to support the identification of vulnerabilities/threats and the choice of controls that can mitigate them. Once the existing vulnerabilities/threats are identified, one has to select the subset of controls to implement, ensuring adequate mitigation at the lowest cost. An integer programming model is used to address this optimisation problem within the framework, which has been implemented as a prototype decision support tool.
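As an added illustration (not the paper's model or its prototype tool), the following casts the control-selection step as a small covering-type integer program and solves it exactly by enumerating subsets. The control names, costs, mitigation levels, required thresholds and the assumption that mitigation contributions add up are all constructed here.

```python
from itertools import combinations

# Constructed sample data (not from the paper). Each control of mixed nature
# (technical, procedural, training) has an implementation cost and the
# mitigation it contributes to each identified vulnerability/threat.
CONTROLS = {
    "patch management":      (8.0, {"unpatched server": 0.9, "malware infection": 0.3}),
    "endpoint anti-malware": (5.0, {"malware infection": 0.7, "phishing": 0.2}),
    "awareness training":    (3.0, {"phishing": 0.5, "weak passwords": 0.3}),
    "multi-factor auth":     (6.0, {"weak passwords": 0.9, "phishing": 0.4}),
    "offline backups":       (4.0, {"ransomware data loss": 0.9}),
    "network segmentation":  (9.0, {"unpatched server": 0.4, "malware infection": 0.4,
                                    "ransomware data loss": 0.3}),
}
# Minimum mitigation each vulnerability/threat must reach (constructed values;
# assumption: contributions of selected controls are additive).
REQUIRED = {
    "unpatched server": 0.8, "malware infection": 0.8, "phishing": 0.6,
    "weak passwords": 0.8, "ransomware data loss": 0.8,
}


def covers(selection, controls, required):
    """True if every vulnerability reaches its required mitigation level."""
    for vuln, need in required.items():
        total = sum(controls[c][1].get(vuln, 0.0) for c in selection)
        if total < need - 1e-9:          # small tolerance for float sums
            return False
    return True


def cheapest_portfolio(controls, required):
    """Exact solution of: min sum_j cost_j * x_j  s.t.  coverage(vuln) >= required(vuln),
    x_j in {0,1}, found by enumerating all subsets (fine for small catalogues).
    Returns (cost, set of control names) or (None, None) if no subset is feasible."""
    names = list(controls)
    best_cost, best_set = None, None
    for k in range(len(names) + 1):
        for subset in combinations(names, k):
            cost = sum(controls[c][0] for c in subset)
            if best_cost is not None and cost >= best_cost:
                continue                 # cannot improve on the incumbent
            if covers(subset, controls, required):
                best_cost, best_set = cost, set(subset)
    return best_cost, best_set


if __name__ == "__main__":
    cost, chosen = cheapest_portfolio(CONTROLS, REQUIRED)
    print(f"minimum cost {cost}: {sorted(chosen)}")
```

For a real control catalogue the subset enumeration would be replaced by a MILP solver, but the constraint structure is the same.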
