DSS for Risk, Safety and Security Management

Decision support for selecting information security controls

Pages 173-180
Received 13 Feb 2018
Accepted 11 Apr 2018
Published online: 10 May 2018

Abstract

With the emergence of the Internet, the volume of cyberattacks has been progressively growing and, therefore, adequate security of information has a crucial role in IT systems. Organisations face complex decisions regarding the selection of security controls that allow protecting their information assets. The implementation of these controls should ensure an adequate level of protection. However, their selection requires knowledge about the vulnerabilities and threats existing in the organisation, and the investment in security must comply with economic constraints. This work proposes a framework to support an organisation to identify security vulnerabilities and optimise a portfolio of security controls to mitigate them. Those security controls may be of a mixed nature, such as hardware controls, software controls, policies, procedures and training actions. The framework is established using the standards ISO/IEC 27001:2013 and ISO/IEC 27002:2013 to support the identification of vulnerabilities/threats and the choice of controls that can mitigate them. Once the existing vulnerabilities/threats are identified, one has to select the subset of controls to implement, assuring an adequate mitigation at the lowest cost. An integer programming model is used to address this optimisation problem within the framework, which has been implemented as a prototype decision support tool.

1. Introduction

In a globalised and competitive world, it is important to create and maintain a continuous review of policies and controls to ensure the security of services and processes. These security policies and controls must be effectively implemented in order to uphold the integrity, confidentiality and availability of information for all the stakeholders involved in the company business.

This paper proposes a decision support framework to assist managers and security officers in assessing and prioritising security controls that can mitigate existing security vulnerabilities and threats (for the sake of simplicity, we refer to both simply as vulnerabilities).

The proposed framework relies on the well-established international standards for information security ISO/IEC 27001:2013 (ISO/IEC, 2013a) and ISO/IEC 27002:2013 (ISO/IEC, 2013b) to define the relationship between vulnerabilities/threats and generic security controls. An optimisation model was developed to guide the choice of security products that can mitigate a set of vulnerabilities, which considers two objectives: the minimisation of the security investment cost and the minimisation of the expected loss. In addition, a computational tool implementing the decision support framework has been developed.

The paper is organised as follows. Section 2 discusses the related work. Section 3 gives an overview of the developed framework, while Section 4 presents the optimisation model. Section 5 describes the tool developed to support decision-making. The paper ends with concluding remarks and perspectives of future work.

2. Related work

The ISO/IEC 27000 family of information security standards is developed and published by the International Organization for Standardization (ISO) together with the International Electrotechnical Commission (IEC). These standards have become the de facto guidelines for best-practice information security management. ISO/IEC 27001 establishes a formal specification of the requirements against which an organisation's information security management system (ISMS) can be audited to obtain information security certification. This standard defines how information security is planned, implemented, monitored and improved. While ISO/IEC 27001 defines the mandatory requirements for an ISMS, ISO/IEC 27002 is generic and advisory: it indicates suitable information security controls within the ISMS, being merely a code of practice that contains detailed information on controls and countermeasures.

The optimisation of portfolios of security controls has gained relevance in recent years. Sawik (2013) proposes to elaborate a portfolio containing a set of reactive measures to predict or mitigate computer threats to an organisation, always keeping in mind the level of confidence/preference of risk for different case scenarios. The decision model used is intended to minimise the cost of each measure, while maximising the efficiency of repelling/resisting a set of threats. For a greater effectiveness of the model in question, a multi-objective model is used that allows the decision-maker to assess different cases generated (e.g. expected case and worst case). The author concludes that the model used allows the decision-maker to control the risk of losses resulting from a successful computer attack by selecting a certain level of confidence. The larger the budget available and the level of trust, the more risk-oriented the measures in the portfolio. For a more limited budget and a lower level of confidence, riskier measures that are less likely to occur are rarely present in the portfolio.

According to Yevseyeva, Basto-Fernandes, Emmerich, and van Moorsel (2015), the ease with which information is available today allows for possible exposure or even leakage of confidential data and information. In order for this exposure or leakage to be avoided, it is necessary to develop security policies that are adopted by all companies. This proposal is classified as risky because the objectives of each company differ, and because of the complexity that the risk assessment entails, namely the complexity of idealising all possible risk scenarios. Yevseyeva et al. (2015) suggest that if uncertainties arise in deciding which security controls a company should choose, the chief information security officer should propose several alternatives for cost reduction and to minimise the risk of possible attacks. More recently, Yevseyeva, Fernandes, van Moorsel, Janicke, and Emmerich (2016) argue that to protect a system from attacks and computer crashes, it is necessary to select controls that are able to meet the needs of the company. For this, it is recommended to perform two tasks: firstly, managers should establish a budget, and secondly, that budget should be distributed among the various types of security controls, so that it is possible to decide which process should be adopted. In addition, it is argued that risk assessment should be based on quantitative and qualitative analyses grounded in several standards, such as ISO/IEC 27001:2013 and ISO/IEC 27002:2013.

Fielder, Panaousis, Malacaria, Hankin, and Smeraldi (2016) highlight the difficulties decision-makers face in choosing security controls for an organisation with a limited budget. In support of this assertion, a survey was conducted in which 75.5% of the respondents indicated that the main limitation on the purchase of computer security products was budget constraints. After investigating local companies, and complementing what was previously referred to, Fielder et al. (2016) indicate that the main restriction is the lack of budget to implement cybersecurity controls that can mitigate the risk in the vulnerabilities of the organisation. They add that the only solution found by these enterprises is the trade-off between the cost inherent to the implementation of a security control and the impact it has in mitigating the identified vulnerabilities.

According to Haufe, Colomo-Palacios, Dzombeta, Brandis, and Stantchev (2016), organisations must invest in information security, and can rely on an ISMS to do so. The authors propose to implement an ISMS governed by the ISO/IEC 27000 standards family, Control Objectives for Information and Related Technologies (COBIT) and the Information Technology Infrastructure Library (ITIL). Haufe et al. (2016) implemented an ISMS process programme to demonstrate that these processes are able to help protect the information assets of the organisation.

Organisations and their infrastructures are exposed to constant threats, and deciding the best way to respond to them is a difficult task for IT security managers (Kiesling, Ekelhart, Grill, Strauss, & Stummer, 2016). For that very reason, the work of Kiesling et al. (2016) aims to combine the concept of security with the simulation of an infrastructure capable of withstanding attacks and providing decision support components. As a way of putting the results into practice, interviews were carried out with specialists from various branches of information security, who were satisfied with the final result, since the combination of the concept of security with the infrastructure requires the evaluation of the assets of the organisation and the identification of the inherent threats.

3. Framework overview

A representation of the proposed framework is depicted in Figure 1. The framework relies on the information security standards ISO/IEC 27001:2013 (ISO/IEC, 2013a) and ISO/IEC 27002:2013 (ISO/IEC, 2013b) to establish a many-to-many mapping of controls to vulnerabilities: each control can mitigate one or several vulnerabilities, and each vulnerability can be mitigated by one or several controls.

Figure 1. Framework to optimise portfolio of security controls.

Once the vulnerabilities existing in the organisation are identified, the controls able to mitigate those are chosen as candidates to be integrated into the security portfolio. Then these candidates are assessed on their capacity of mitigation and their implementation cost by an optimisation model. This model is presented in the next section.

The framework has been implemented as a decision support tool that integrates a database of controls (such as software products, policies or education), the controls to vulnerabilities mapping and the optimisation model.

4. A model to optimise security portfolios

The optimisation model aims at determining a set of security controls ensuring mitigation of a set of vulnerabilities considering two objectives: (1) the minimisation of the investment in the implementation of the controls, and (2) the minimisation of the total expected loss after the implementation of the controls. While the first objective uses a simple economic function, easy to compute, the second objective is more complex as it relies on estimations of other metrics.

In general, a security control is not able to completely eliminate a vulnerability, but it assures a specific percentage of mitigation coverage. In addition, each vulnerability is associated with an expected loss value, which represents the economic impact of its eventual exploitation. This expected loss is calculated using the likelihood of the vulnerability being exploited, as well as the economic value of the assets it can compromise. Appropriate controls are implemented to reduce at least one of these values and consequently reduce the corresponding expected loss.

The model considers that there are n different controls available, of which control j has implementation cost c_j in monetary units, j = 1, …, n. The number of possible vulnerabilities is m, and the parameter b_i takes value 1 if vulnerability i is identified as existing and 0 otherwise, i = 1, …, m. The exploitation of vulnerability i has an associated impact loss, which is measured in monetary units. Each control may mitigate one or several vulnerabilities, and the parameter a_ij indicates whether control j mitigates vulnerability i (a_ij = 1) or not (a_ij = 0). The efficacy of mitigation of vulnerability i by control j is given by p_ij, and therefore the proportion of the vulnerability left unprotected is 1 − p_ij.

To combine the two objectives into a single one, the model considers two parameters w_1 and w_2, where w_1 is the weight given to the minimisation of the investment cost and w_2 is the weight of the expected loss in the objective function. These weights belong to [0,1] and sum to 1.

The decision variables are

Optimisation model:(1) (2) (3)

The objective function in Equation (1) is the minimisation of the weighted sum of the total investment cost in security controls and the expected loss associated with the implementation of the selected controls. Constraints (2) ensure that all the vulnerabilities identified are mitigated by at least one control, while constraints (3) guarantee that the decision variables are binary.

5. A tool to support selection of security controls

The decision support tool that is integrated in our framework was implemented in Microsoft Excel as this software provides freely, as an add-in, a solver for linear programming models. In addition, our tool is to be used by managers (IT or security managers), who are, in general, quite proficient in Excel.

The tool is composed of several spreadsheets containing: (1) information about vulnerabilities according to the standards; (2) information about commercial and in-house developed security appliances, such as price, maintenance, vulnerabilities mitigated, percentage of mitigation coverage assured and other features; (3) a main spreadsheet implementing the model. For prototyping purposes, only three sections of the standards were considered: the 9th, the 12th and the 13th, which are 'Access Control', 'Operations Security' and 'Communications Security', respectively. These sections were chosen for our prototype because they are convenient for recognising specific related controls, such as commercial software products.

One starts by identifying which objectives of ISO/IEC 27001:2013 the organisation is not complying with, thus determining the existing vulnerabilities. The list of controls covering them is filled in automatically, together with their attributes. The impact of each vulnerability needs to be set, as it depends on the value of the corresponding assets. The values of the weights for the objectives also need to be introduced. In addition, despite not being a model parameter, the available budget is also specified.

Figure 2 illustrates a section of the spreadsheet considering a scenario with three vulnerabilities, after running the solver and reaching a solution. Only a few controls are displayed, the real commercial names are omitted and the attributes were set for the sake of explanation. In this case, controls of one category mitigate the first vulnerability '9.2.3 Disclosure of generic administration user IDs': FM-A and FM-F, with a trust of 90% and 92%, and prices of 6035 and 30,000, respectively; controls of two categories mitigate '12.4.1 Lack of monitoring for user activities': FA-H, FAA-K and FAA-P; and controls of the G category mitigate '13.1.3 Inadequate segregation of networks'. The vulnerabilities have associated impact values of 12,000, 15,000 and 11,000, respectively. The lines in the section 'Identification of vulnerabilities' contain the implementation of the coverage constraints of the model (Constraints (2)). The section 'Expected loss computation' contains the information for computing the respective expected loss function. For each vulnerability, an estimated value for the individual loss associated with its exploitation should be introduced in the corresponding cell of the column 'Impact (estimated loss)'.

Figure 2. An example of part of the model spreadsheet.

The solution is represented in the row ‘Chosen products’: the products that form the portfolio are those with value ‘1’ in the corresponding cells; all the coverage constraints are satisfied (a feasible solution was reached) as can be seen in column ‘Coverage constraints’, which displays the number of products in the solution that cover the vulnerability in each of the lines.

Figure 3 displays another section of the model spreadsheet showing several metrics related to the obtained solution. The available budget is specified by the user and is only used for assessment of the solution. The values of the objectives are presented in the corresponding lines: the total cost of the portfolio, the total expected loss and the value of the objective function. In this case, a weight of 0.9 was given to the minimisation of the expected loss, while the counterpart weight of portfolio cost minimisation was set to 0.1. Other metrics are: the percentage of the available budget used by the portfolio, the average coverage by the controls in the solution and its counterpart, and the value of the cost–benefit analysis (CBA) for one year.

Figure 3. Metrics for portfolio assessment.

The CBA metric is closely related to the objectives of the model, as it is obtained by comparing the costs of implementing, or not, the security controls, considering annualised values. By doing nothing, there are no implementation costs but the total expected loss is kept the same. The implementation of controls reduces the expected loss, because the model ensures that all vulnerabilities are mitigated, but has costs. The CBA value results from this comparison, and a positive CBA value indicates that the associated portfolio has more gains than costs.
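The following is an added worked example, not the paper's Excel tool or its data, that puts the Section 4 model and the Figure 3 metrics (budget usage and CBA) into runnable form on the three-vulnerability scenario of Figure 2. Several points are assumptions because the page does not reproduce equation (1) or the CBA expression: the expected loss after implementation is taken as each impact multiplied by the product of (1 − p_ij) over the selected controls covering that vulnerability; CBA is taken as the expected loss avoided minus the portfolio cost; only the FM-A and FM-F figures are from the page, while the prices and coverages of FA-H, FAA-K, FAA-P, the control named G-1 and the budget of 30,000 are constructed placeholders; and the exhaustive search over all binary vectors stands in for the linear-programming solver, which only works for a handful of controls. The names `Control`, `optimise` and `assess` are the example's own.

```python
"""Added example: the Section 4 portfolio model solved by enumeration, plus the Figure 3 metrics.
Constructed data, not the paper's tool or dataset; see the comments for every assumption."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Control:
    name: str
    cost: float        # c_j: implementation cost in monetary units
    coverage: dict     # vulnerability id -> p_ij; a_ij = 1 exactly when the id is present


# Identified vulnerabilities (b_i = 1) and their estimated loss, from the Section 5 scenario.
VULNERABILITIES = {
    "9.2.3": 12_000,    # Disclosure of generic administration user IDs
    "12.4.1": 15_000,   # Lack of monitoring for user activities
    "13.1.3": 11_000,   # Inadequate segregation of networks
}

# FM-A and FM-F carry the page's figures; every other attribute below is a constructed placeholder.
CONTROLS = [
    Control("FM-A", 6_035, {"9.2.3": 0.90}),
    Control("FM-F", 30_000, {"9.2.3": 0.92}),
    Control("FA-H", 4_500, {"12.4.1": 0.80}),                    # constructed
    Control("FAA-K", 7_000, {"12.4.1": 0.85, "13.1.3": 0.50}),  # constructed
    Control("FAA-P", 9_000, {"12.4.1": 0.95}),                   # constructed
    Control("G-1", 5_000, {"13.1.3": 0.90}),                     # constructed
]


def total_cost(selected):
    """Investment term: the sum of c_j over the selected controls."""
    return sum(c.cost for c in selected)


def expected_loss(selected, vulns=VULNERABILITIES):
    """Expected loss after implementation.  Assumption (equation (1) is not on the page):
    controls covering the same vulnerability act independently, so the unprotected
    proportion is the product of (1 - p_ij) over the selected controls with a_ij = 1."""
    loss = 0.0
    for vid, impact in vulns.items():
        unprotected = 1.0
        for c in selected:
            if vid in c.coverage:
                unprotected *= 1.0 - c.coverage[vid]
        loss += impact * unprotected
    return loss


def coverage_counts(selected, vulns=VULNERABILITIES):
    """The spreadsheet's 'Coverage constraints' column: selected controls covering each vulnerability."""
    return {vid: sum(1 for c in selected if vid in c.coverage) for vid in vulns}


def is_feasible(selected, vulns=VULNERABILITIES):
    """Constraints (2): every identified vulnerability is covered by at least one selected control."""
    return all(n >= 1 for n in coverage_counts(selected, vulns).values())


def objective(selected, w1, w2, vulns=VULNERABILITIES):
    """Equation (1): weighted sum of the investment cost (w1) and the expected loss (w2)."""
    return w1 * total_cost(selected) + w2 * expected_loss(selected, vulns)


def optimise(controls=CONTROLS, w1=0.1, w2=0.9, vulns=VULNERABILITIES):
    """Enumerate every binary vector x_j (constraints (3)) and keep the best feasible one.
    Exponential in the number of controls, so it replaces the Excel solver only on small cases."""
    assert abs(w1 + w2 - 1.0) < 1e-9, "weights must sum to 1"
    best_value, best_set = float("inf"), None
    for bits in product((0, 1), repeat=len(controls)):
        selected = [c for c, x in zip(controls, bits) if x]
        if not is_feasible(selected, vulns):
            continue
        value = objective(selected, w1, w2, vulns)
        if value < best_value:
            best_value, best_set = value, selected
    return best_value, best_set


def assess(selected, budget, vulns=VULNERABILITIES):
    """Figure 3 metrics.  Assumed CBA form: annual loss avoided minus cost, L0 - L1 - C,
    where L0 is the expected loss with no controls in place (the sum of the impacts)."""
    l0 = expected_loss([], vulns)
    l1 = expected_loss(selected, vulns)
    cost = total_cost(selected)
    return {
        "total_cost": cost,
        "expected_loss": l1,
        "budget_used_pct": 100.0 * cost / budget,
        "cba": l0 - l1 - cost,
    }


if __name__ == "__main__":
    value, portfolio = optimise()
    print("objective:", round(value, 2), "portfolio:", [c.name for c in portfolio])
    print(assess(portfolio, budget=30_000))
```

With the page's weights (0.1 on cost, 0.9 on expected loss) the search keeps FM-A rather than the pricier FM-F and stacks two controls on each of the other vulnerabilities, because under this loss model a second control is worth buying whenever 0.9 times the loss it removes exceeds 0.1 times its price. Changing the weights toward cost, or swapping in a different residual-loss assumption, is the kind of scenario rehearsal the paper describes for the tool.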

6. Conclusions and future work

This paper presented a framework to support decisions concerning the implementation of a set of security controls to mitigate vulnerabilities existing in an organisation, based on the standards ISO/IEC 27001:2013 and ISO/IEC 27002:2013. This framework has been implemented as a prototype tool including an optimisation model with two objectives: the minimisation of the portfolio cost and the minimisation of the expected loss. This tool, conveniently customised, can provide a valuable support in two relevant security problems organisations face nowadays: (1) the identification of vulnerabilities and controls able to mitigate them; and (2) the optimisation of a security portfolio. In addition, security managers can use this tool to rehearse different scenarios and evaluate those using different metrics.

As future work, we intend to expand our tool to integrate more sections of the standards and to allow evaluating and optimising other metrics for the assessment of security investments, such as the Net Present Value (NPV) model and the Return On Security Investment (ROSI) model. The validation of the utility of our approach by security managers is also envisaged.

Funding

This work was supported by FCT – Fundação para a Ciência e a Tecnologia [project number PTDC/EEI-ESS/5863/2014], [project number UID/MAT/04561/2013].

Disclosure statement

No potential conflict of interest was reported by the authors.

References

  • Fielder, A., Panaousis, E., Malacaria, P., Hankin, C., & Smeraldi, F. (2016). Decision support approaches for cyber security investment. Decision Support Systems, 86, 13–23. https://doi.org/10.1016/j.dss.2016.02.012
  • Haufe, K., Colomo-Palacios, R., Dzombeta, S., Brandis, K., & Stantchev, V. (2016). A process framework for information security management. International Journal of Information Systems and Project Management, 4(4), 27–47.
  • ISO/IEC. (2013a). ISO/IEC 27001:2013 security technologies – information security management systems – requirements. International Organization for Standardization and International Electrotechnical Commission.
  • ISO/IEC. (2013b). ISO/IEC 27002:2013 information technology – security techniques – code of practice for information security controls. International Organization for Standardization and International Electrotechnical Commission.
  • Kiesling, E., Ekelhart, A., Grill, B., Strauss, C., & Stummer, C. (2016). Selecting security control portfolios: A multi-objective simulation-optimization approach. EURO Journal on Decision Processes, 4(1–2), 85–117. https://doi.org/10.1007/s40070-016-0055-7
  • Sawik, T. (2013). Selection of optimal countermeasure portfolio in IT security planning. Decision Support Systems, 55(1), 156–164. https://doi.org/10.1016/j.dss.2013.01.001
  • Yevseyeva, I., Basto-Fernandes, V., Emmerich, M., & van Moorsel, A. (2015). Selecting optimal subset of security controls. Procedia Computer Science, 64, 1035–1042. https://doi.org/10.1016/j.procs.2015.08.625
  • Yevseyeva, I., Fernandes, V. B., van Moorsel, A., Janicke, H., & Emmerich, M. (2016). Two-stage security controls selection. Procedia Computer Science, 100, 971–978. https://doi.org/10.1016/j.procs.2016.09.261