A comprehensive security control selection model for inter-dependent organizational assets structure. (8th June 2015)
- Record Type:
- Journal Article
- Title:
- A comprehensive security control selection model for inter-dependent organizational assets structure. (8th June 2015)
- Main Title:
- A comprehensive security control selection model for inter-dependent organizational assets structure
- Authors:
- Shahpasand, Maryam
Shajari, Mehdi
Hashemi Golpaygani, Seyed Alireza
Ghavamipoor, Hoda
- Abstract:
- Purpose – This paper aims to propose a comprehensive model to find the most preventive subset of security controls against potential security attacks within a limited budget. Deploying the appropriate collection of information security controls, especially in information system-dependent organizations, ensures their business continuity along with their effectiveness and efficiency.
Design/methodology/approach – Impacts of security attacks are measured based on the interdependent asset structure. Regarding this objective, the asset operational dependency graph is mapped to the security attack graph to assess the risks of attacks. This mapping enables us to measure the effectiveness of security controls against attacks. The most effective subset is found by mapping its features (cost and effectiveness) to items' features in a binary knapsack problem, and then solving the problem by a modified version of the classic dynamic programming algorithm.
Findings – Exact solutions are achieved using the dynamic programming algorithm approach in the proposed model. The optimal security control subset is selected based on its implementation cost, its effectiveness and the limited budget.
Research limitations/implications – Estimation of control effectiveness is the most significant limitation in utilizing the proposed model. This is caused by a lack of experience in risk management in organizations, which forces them to rely on reports and simulation results.
Originality/value – So far, cost-benefit approaches in security investments have been followed only on the basis of vulnerability assessment results. Moreover, dependency weights and types in the interdependent structure of assets have been taken into account by only a limited number of models. In the proposed model, a three-dimensional graph is used to capture the dependencies in risk assessment and optimal control subset selection, through a holistic approach.
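The abstract's core optimisation step, control selection as a binary (0/1) knapsack solved by dynamic programming, is illustrated below. This is an added example and not code from the paper: it implements the classic 0/1 knapsack recurrence, not the authors' modified version, and the control names, costs and effectiveness scores are constructed sample data. Costs are in budget units and effectiveness is the estimated risk reduction a control achieves, which, as the abstract notes, is the model's most uncertain input.

```python
from typing import List, Tuple

# Constructed sample catalogue (hypothetical controls, costs and scores).
# (name, cost in budget units, estimated effectiveness)
CONTROLS: List[Tuple[str, int, float]] = [
    ("MFA on admin accounts",         3, 8.0),
    ("Network segmentation",          5, 9.5),
    ("Patch management process",      4, 7.0),
    ("Endpoint detection & response", 6, 8.5),
    ("Security awareness training",   2, 3.0),
    ("Web application firewall",      4, 5.5),
]


def select_controls(controls: List[Tuple[str, int, float]],
                    budget: int) -> Tuple[float, List[str]]:
    """Classic 0/1 knapsack by dynamic programming.

    Maximises total effectiveness subject to total cost <= budget.
    dp[i][b] holds the best effectiveness achievable using only the
    first i controls with budget b. Returns (best_effectiveness,
    chosen control names in catalogue order). Exact, not heuristic:
    the table enumerates every feasible budget split once.
    """
    n = len(controls)
    dp = [[0.0] * (budget + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        _, cost, eff = controls[i - 1]
        for b in range(budget + 1):
            dp[i][b] = dp[i - 1][b]                      # skip control i
            if cost <= b and dp[i - 1][b - cost] + eff > dp[i][b]:
                dp[i][b] = dp[i - 1][b - cost] + eff     # take control i

    # Backtrack through the table to recover which controls were taken.
    chosen: List[str] = []
    b = budget
    for i in range(n, 0, -1):
        if dp[i][b] != dp[i - 1][b]:   # value changed => control i was taken
            name, cost, _ = controls[i - 1]
            chosen.append(name)
            b -= cost
    chosen.reverse()
    return dp[n][budget], chosen


def total_cost(controls: List[Tuple[str, int, float]], chosen: List[str]) -> int:
    """Sum the costs of the chosen controls (sanity check against the budget)."""
    costs = {name: cost for name, cost, _ in controls}
    return sum(costs[name] for name in chosen)


if __name__ == "__main__":
    budget = 12
    best, picked = select_controls(CONTROLS, budget)
    print(f"budget={budget} effectiveness={best} cost={total_cost(CONTROLS, picked)}")
    for name in picked:
        print(" -", name)
```

With the constructed data and a budget of 12, the table picks MFA, segmentation and patch management (cost 12, effectiveness 24.5); a greedy pick by effectiveness-per-cost would have started with training and ended up with a lower total. Effectiveness values here are stand-ins: in practice they are the output of the risk assessment over the attack and dependency graphs that the abstract describes, and the quality of the selection is only as good as those estimates.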
- Is Part Of:
- Information and computer security. Volume 23:Number 2(2015)
- Journal:
- Information and computer security
- Issue:
- Volume 23:Number 2(2015)
- Issue Display:
- Volume 23, Issue 2 (2015)
- Year:
- 2015
- Volume:
- 23
- Issue:
- 2
- Issue Sort Value:
- 2015-0023-0002-0000
- Page Start:
- 218
- Page End:
- 242
- Publication Date:
- 2015-06-08
- Subjects:
- Computer security -- Management -- Periodicals
Computer networks -- Security measures -- Periodicals
Data protection -- Management -- Periodicals
658.47
- Journal URLs:
- http://www.emeraldinsight.com/loi/ics
http://www.emeraldinsight.com/
- DOI:
- 10.1108/ICS-12-2013-0090
- Languages:
- English
- ISSNs:
- 2056-4961
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - 4481.796000
British Library DSC - BLDSS-3PM
British Library HMNTS - ELD Digital store
- Ingest File:
- 3977.xml