Tipo
Artigos em Conferência
Tipo de Documento
Artigo Completo
Título
Decision support for selecting information security controls
Participantes na publicação
Luís Almeida (Author)
Ana Respício (Author)
Dep. Informática
CMAFcIO
Resumo
With the emergence of the Internet, the volume of cyberattacks has been progressively growing and, therefore, adequate security of information has a crucial role in IT systems. Organisations face complex decisions regarding the selection of security controls that allow protecting their information assets. The implementation of these controls should ensure an adequate level of protection. However, their selection requires knowledge about the vulnerabilities and threats existing in the organisation, and the investment in security must comply with economic constraints. This work proposes a framework to support an organisation to identify security vulnerabilities and optimise a portfolio of security controls to mitigate them. Those security controls may be of a mixed nature, such as hardware controls, software controls, policies, procedures and training actions. The framework is established using the standards ISO/IEC 27001:2013 and ISO/IEC 27002:2013 to support the identification of vulnerabilities/threats and the choice of controls that can mitigate them. Once the existing vulnerabilities/threats are identified, one has to select the subset of controls to implement, assuring an adequate mitigation at the lowest cost. An integer programming model is used to address this optimisation problem within the framework, which has been implemented as a prototype decision support tool.
Data de Publicação
2018-05-10
Evento
Journal of Decision Systems
Identificadores da Publicação
ISSN - 1246-0125
Editora
Informa UK Limited
Página Inicial
173
Página Final
180
Identificadores do Documento
URL -
http://dx.doi.org/10.1080/12460125.2018.1468177
DOI -
https://doi.org/10.1080/12460125.2018.1468177
Identificadores de Qualidade
SCIMAGO Q2 (2017) - 0.339 - Management Information Systems
SCIMAGO Q2 (2017) - 0.339 - Software
Keywords
Information security
decision support
vulnerabilities
security controls
optimisation of security portfolio
Tags
#isoiec27001
#decisionsupport
#27001
#informationsecurity
#vulnerabilities
#infosec
#security
#controls
#portfoliooptimization