nach oben

Information Systems and e-Business Management

Erschienen in:

23.04.2020 | Original Article

Mapping the variations for implementing information security controls to their operational research solutions

verfasst von: Mauricio Diéguez, Jaime Bustos, Carlos Cares

Erschienen in: Information Systems and e-Business Management | Ausgabe 2/2020

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Information Security Management is currently guided by process-based standards. Achieving one or some of these standards means deploying their corresponding set of security controls under different constraints on resources, budgets, information assets to protect, and risks to avoid or mitigate, among other factors. This constitutes a complex combinatorial problem in the decision-making process. To select, schedule and deploy these security controls, qualitative approaches have mainly been proposed. Quantitative approaches to information security management are just emerging, and they have been applied only to simplified theoretical cases. The purpose of this paper is to support the notion that the problems of implementing information security controls, in the sense of being put into effect, can be formulated as a family of existing and already solved optimization problems. The main result is a mapping from a set of seven information security management types of problems to their corresponding operational research formulations. A solved case from a governmental institution illustrates the use of the proposed map.

Vorheriger Artikel Multi-grounded action research

Nächster Artikel On the ability of virtual agents to decrease cognitive load: an experimental study

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Al-Safwani N, Hassan S, Katuk N (2014) A multiple attribute decision making for improving information security control assessment. Int J Comput App 89:19–24. https://doi.org/10.5120/15482-4222CrossRef

Allahverdi A, Ng C, Cheng T, Kovalyov M (2008) A survey of scheduling problems with setup times or costs. Eur J Oper Res 187:985–1032CrossRef

Almeida L, Respício A (2018) Decision support for selecting information security controls. J Decis Syst 0125:1–8. https://doi.org/10.1080/12460125.2018.1468177CrossRef

Association of European Operational Research Societies (2018) What is operational research? https://www.euro-online.org/web/pages/301/or-and-euro. Accessed 14 Apr 2020

Bistarelli S, Fioravanti F, Peretti P (2007) Using CP-nets as a guide for countermeasure selection. In: Proceedings of the 2007 ACM symposium on applied computing

Blanco C, Lasheras J, Fernández-Medina E et al (2011) Basis for an integrated security ontology according to a systematic review of existing proposals. Comput Stand Interfaces 33:372–388CrossRef

Bonazzi R, Hussami L, Pigneur Y (2009) Compliance management is becoming a major issue in IS design. In: D'Atri A, Saccà D (eds) Information systems: people, organizations, institutions, and technologies. Physica-Verlag HD, pp 391–398. https://doi.org/10.1007/978-3-7908-2148-2_45

Breier J (2014) Security evaluation model based on the score of security mechanisms. Inf Sci Technol Bull ACM 6:19–27

Breier J, Hudec L (2012) New approach in information system security evaluation. In: IEEE First AESS European conference on satellite telecommunications (ESTEL). IEEE, pp 1–6

Breier J, Hudec L (2013b) On selecting critical security controls. In: International conference on availability, reliability and security. pp 582–588

Breier J, Hudec L (2013a) On identifying proper security mechanisms. In: Mustofa K, Neuhold EJ, Tjoa AM, Weippl E, You I (eds) Information and communication technology. ICT-EurAsia 2013. Lecture notes in computer science, vol 7804. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-36818-9_29

Butin D, Chicote M, Le Métayer D (2013) Log design for accountability. Proc IEEE CS Secur Priv Work SPW 2013:1–7. https://doi.org/10.1109/SPW.2013.26CrossRef

Butler T, McGovern D (2009) A conceptual model and IS framework for the design and adoption of environmental compliance management systems. Inf Syst Front 14:221–235. https://doi.org/10.1007/s10796-009-9197-5CrossRef

Cabot J, Gogolla M (2012) Object constraint language (OCL): a definitive guide. Formal methods for model-driven engineering. Springer, Berlin, pp 58–90CrossRef

Chen J, Askin R (2009) Project selection, scheduling and resource allocation with time dependent returns. Eur J Oper Res 193:23–34CrossRef

Chen L, Li L, Hu Y, Lian K (2009) Information security solution decision-making based on entropy weight and gray situation decision. In: 2009 fifth international conference on information assurance and security. IEEE, pp 7–10

Cheng T, Ng C, Yuan J, Liu Z (2005) Single machine scheduling to minimize total weighted tardiness. Eur J Oper Res 165:423–443CrossRef

Choo KK, Mubarak S, Mani D et al (2014) Selection of information security controls based on AHP and GRA. In: Proceedings of the 18th Pacific Asia conference on information systems, pp 1–12

Cuihua X, Jiajun L (2009) An information system security evaluation model based on AHP and GRAP. In: 2009 international conference on web information systems and mining, pp 493–496. https://doi.org/10.1109/wism.2009.105

Edis E, Oguz C, Ozkarahan I (2013) Parallel machine scheduling with additional resources: notation, classification, models and solution methods. Eur J Oper Res 230:449–463CrossRef

Egeblad J, Pisinger D (2009) Heuristic approaches for the two and three dimensional knapsack packing problem. Comput Oper Res 36:1026–1049CrossRef

Ejnioui A, Otero A, Tejay G, et al (2012) A multi-attribute evaluation of information security controls in organizations using grey systems theory. In: Proceedings of the international conference on security and management (SAM). p 1

Espinoza D, Goycoolea M, Moreno E (2015) The precedence constrained knapsack problem: separating maximally violated inequalities. Discrete Appl Math 194:65–80. https://doi.org/10.1016/j.dam.2015.05.020CrossRef

Fenz S, Ekelhart A (2009) Formalizing information security knowledge. In: Proc 4th int symp information, comput commun secur - ASIACCS ’09

Fielder A, Panaousis E, Malacaria P et al (2016) Decision support approaches for cyber security investment. Decis Support Syst 86:13–23CrossRef

Florios K, Mavrotas G, Diakoulaki D (2010) Solving multiobjective, multiconstraint knapsack problems using mathematical programming and evolutionary algorithms. Eur J Oper Res 203:14–21CrossRef

GAMS (2018) General algebraic modeling system. https://www.gams.com/. Accessed 20 Apr 2020

Gao C, Li Z, Song H (2009) Security evaluation method based on host resource availability. In: Multimedia and ubiquitous engineering, 2009. MUE’09. Third international conference on. pp 499–504

Garvey P (2009) Analytical methods for risk management. Chapman and Hall/CRC, New York. https://doi.org/10.1201/9781420011395

Gass S, Saaty T (1955) Parametric objective function (part 2)-generalization. J Oper Res Soc Am 3:395–401

Geismar N (2010) Single machine scheduling. Wiley Encycl Oper Res Manag Sci. https://doi.org/10.1002/9780470400531.eorms0786CrossRef

Ghasemi T, Razzazi M (2011) Development of core to solve the multidimensional multiple-choice knapsack problem. Comput Ind Eng 60:349–360CrossRef

Gilaninia S, Mousavian S, Taheri O et al (2012) Information security management on performance of information systems management. J Basic Appl Sci Res 2:2582–2588

Gobierno de Chile (2005) Decreto 83: norma técnica para los órganos de la administración del estado sobre seguridad y confidencialidad de los documentos electrónicos. http://bcn.cl/1uw52. Accessed 14 Apr 2020

Gobierno de Chile (2015) Programa de mejoramiento de la gestión sistema de seguridad de la información: versión 2015. http://www.dipres.gob.cl/598/articles-51683_intro_Guia_Metodologica04_2015.pdf. Accessed 14 Apr 2020.

Guizzardi G, Herre H, Wagner G (2002) Towards ontological foundations for UML conceptual models. In: Meersman R, Tari Z (eds) On the move to meaningful internet systems 2002: CoopIS, DOA, and ODBASE. OTM 2002. Lecture notes in computer science, vol 2519. Springer, Berlin, Heidelberg, pp 1100–1117. https://doi.org/10.1007/3-540-36124-3_70

Hartmann S, Briskorn D (2010) A survey of variants and extensions of the resource-constrained project scheduling problem. Eur J Oper Res 207:1–14CrossRef

Herath T, Rao HR (2009) Protection motivation and deterrence: a framework for security policy compliance in organisations. Eur J Inf Syst 18:106–125. https://doi.org/10.1057/ejis.2009.6CrossRef

Herroelen W, Leus R (2005) Project scheduling under uncertainty: Survey and research potentials. Eur J Oper Res 165:289–306CrossRef

Hoogeveen H (2005) Multicriteria scheduling. Eur J Oper Res 167:592–623CrossRef

Humphreys E (2011) Information security management system standards. Datenschutz und Datensicherheit DuD 35:7–11. https://doi.org/10.1007/s11623-011-0004-3CrossRef

International Organization for Standardization (2018) ISO 19011:2018—Guidelines for auditing management systems. https://www.iso.org/standard/70017.html. Accessed 14 April 2020

Janak S, Floudas C (2005) Advances in robust optimization approaches for scheduling under uncertainty. Comput Aided Chem Eng 20:1051–1056. https://doi.org/10.1016/S1570-7946(05)80017-3CrossRef

Janak S, Lin X, Floudas C (2007) A new robust optimization approach for scheduling under uncertainty. Comput Chem Eng 31:171–195CrossRef

Kawasaki R, Hiromatsu T (2014) Proposal of a model supporting decision-making on information security risk treatment. Int J Comput Electr Autom Control Inf Eng 8:583–589

Khajouei H, Kazemi M, Moosavirad SH (2017) Ranking information security controls by using fuzzy analytic hierarchy process. Inf Syst E-bus Manag 15:1–19. https://doi.org/10.1007/s10257-016-0306-yCrossRef

Kiesling E, Ekelhart A, Grill B, et al (2013a) Simulation-based optimization of IT security controls: initial experiences with meta-heuristic solution procedures. In: Fink A, Geiger M (eds) Proceedings of the workshop of the EURO working group on metaheuristics, pp 18–20

Kiesling E, Strauss C, Ekelhart A, et al (2013b) Simulation-based optimization of information security controls: an adversary-centric approach. In: Pasupathy R, Kim SH, Tolk A, Hill R, Kuhl ME (eds) Proceedings of the winter simulation conference. IEEE, pp 2054–2065. https://doi.org/10.1109/wsc.2013.6721583

Kiesling E, Strausss C, Stummer C (2012) A multi-objective decision support framework for simulation-based security control selection. In: Proceedings seventh international conference on availability, reliability and security, pp 454–462. https://doi.org/10.1109/ares.2012.70

Kolisch R, Meyer K (2006) Selection and scheduling of pharmaceutical research projects. Int Ser Oper Res Manag Sci 92:321–344

Kolkowska E, Dhillon G (2013) Organizational power and information security rule compliance. Comput Secur 33:3–11. https://doi.org/10.1016/j.cose.2012.07.001CrossRef

Kolliopoulos S, Steiner G (2007) Partially ordered knapsack and applications to scheduling. Discret Appl Math 155:889–897CrossRef

Koulamas C (2010) The single-machine total tardiness scheduling problem: Review and extensions. Eur J Oper Res 202:1–7CrossRef

Liu F, Lee W (2010) Constructing enterprise information network security risk management mechanism by ontology. Tamkang J Sci Eng 13:79–87

Lopes YG, Teixeira A (2015) Assessment of synergies for selecting a project portfolio in the petroleum industry based on a multi-attribute utility function. J Pet Sci Eng 126:131–140. https://doi.org/10.1016/j.petrol.2014.12.012CrossRef

Lv J-J, Wang Y-Z (2010) A ranking method for information security risk management based on ahp and promethee. In: Management and service science (MASS), 2010 international conference on. pp 1–4

Lv J, Zhou Y, Wang Y (2011) A Multi-criteria evaluation method of information security controls. In: Proceedings fourth International joint conference on computational sciences and optimization, pp 190–194. https://doi.org/10.1109/cso.2011.43

Ma Q, Johnston A, Pearson J (2008) Information security management objectives and practices: a parsimonious framework. Inf Manag Comput Secur 16:251–270. https://doi.org/10.1108/09685220810893207CrossRef

Mauergauz, Y. (2016) Multi-criteria models and decision-making. In: Advanced planning and scheduling in manufacturing and supply chains, pp 127–162. https://doi.org/10.1007/978-3-319-27523-9_4

Masmoudi M, Haït A (2013) Project scheduling under uncertainty using fuzzy modelling and solving techniques. Eng Appl Artif Intell 26:135–149CrossRef

Meng M, Liu E (2015) The application research of information security risk assessment model based on AHP method. J Adv Inf Technol 6:201–206. https://doi.org/10.12720/jait.6.4.201-206CrossRef

Montanari M, Chan E, Larson K et al (2013) Distributed security policy conformance. Comput Secur 33:28–40. https://doi.org/10.1016/j.cose.2012.11.007CrossRef

Mouratidis H (2007) Secure information systems engineering: a manifesto. Int J Electron Secur Digit Forensics 1:27–41CrossRef

Nagata K, Amagasa M, Kigawa Y, Cui D (2009) Method to select effective risk mitigation controls using fuzzy outranking. In: 2009 ninth international conference on intelligent systems design and applications

NEOS (2018) NEOS server web portal. https://neos-server.org/neos/. Accessed 20 Apr 2020

Van Niekerk J, Von Solms R (2010) Information security culture: a management perspective. Comput Secur 29:476–486. https://doi.org/10.1016/j.cose.2009.10.005CrossRef

Ojamaa A, Tyugu E, Kivimaa J (2008) Pareto-optimal situaton analysis for selection of security measures. In: MILCOM 2008—2008 IEEE military communications conference. IEEE

Otero A, Ejnioui A, Otero C, Tejay G (2011) Evaluation of information security controls in organizations by grey relational analysis. Int J Dependable Trust Inf Syst 2:36–54CrossRef

Otero A, Otero C, Qureshi A (2010) A multi-criteria evaluation of information security controls using boolean features. Int J Netw Secur Its Appl 2:1–11. https://doi.org/10.5121/ijnsa.2010.2401CrossRef

Otero A, Tejay G, Otero D, Ruiz-Torres A (2012) A fuzzy logic-based information security control assessment for organizations. In: Open systems (ICOS), 2012 IEEE conference, pp 1–6

Parkin S, van Moorsel A, Coles R (2009) An information security ontology incorporating human-behavioural implications. In: Proceedings of the 2nd international conference on Security of information and networks, pp 46–55

Pereira T, Santos H (2014) Challenges in information security protection. In: Proceedings 13th European conference on cyber warfare and security, pp 160–166

Petersen K, Vakkalanka S, Kuzniarz L (2015) Guidelines for conducting systematic mapping studies in software engineering: an update. Inf Softw Technol 64:1–18. https://doi.org/10.1016/j.infsof.2015.03.007CrossRef

Rees LP, Deane JK, Rakes TR, Baker WH (2011) Decision support for cybersecurity risk planning. Decis Support Syst 51:493–505. https://doi.org/10.1016/j.dss.2011.02.013CrossRef

Saleh M (2011) Information security maturity model. Int J Comput Sci Secur 5:316–337

Samavati M, Essam D, Nehring M, Sarker R (2017) A methodology for the large-scale multi-period precedence-constrained knapsack problem: an application in the mining industry. Int J Prod Econ 193:12–20. https://doi.org/10.1016/j.ijpe.2017.06.025CrossRef

Samphaiboon N, Yamada T (2002) Heuristic and exact algorithms for the precedence-constrained knapsack problem. J Optim Theory Appl 105:659–676CrossRef

Sánchez L, Villafranca D, Fernandez-Medina E, Piattini M (2009) MGSM-PYME: Metodología para la gestión de la seguridad y su madurez en las PYMES. In: Proceedings V Congreso Iberoamericano de Seguridad Informática, pp 452–466

Sarala R, Zayaraz G, Vijayalakshmi V (2015) Optimal selection of security countermeasures for effective information security. In: Proceedings of the international conference on soft computing systems. Springer, pp 345–353

Sawik T (2013) Selection of optimal countermeasure portfolio in IT security planning. Decis Support Syst 55:156–164. https://doi.org/10.1016/j.dss.2013.01.001CrossRef

Shahpasand M, Shajari M, Golpaygani SAH, Ghavamipoor H (2015) A comprehensive security control selection model for inter-dependent organizational assets structure. Inf Comput Secur 23:218–242. https://doi.org/10.1108/ics-12-2013-0090CrossRef

Siponen M, Willison (2009) Information security management standards: problems and solutions. Inf Manag 46:267–270. https://doi.org/10.1016/j.im.2008.12.007CrossRef

Staab S, Studer R (2009) Handbook on ontologies, Springer Sci Bus Media

Susanto H, Almunawar M, Tuan Y (2012) Information security challenge and breaches: novelty approach on measuring ISO 27001 readiness level. Int J Eng Technol 2:67–75

Susanto H, Almunawar MN, Tuan YC (2011) Information security management system standards: a comparative study of the big five. Int J Electr Comput Sci IJECSIJENS 11:23–29

Tasan S, Gen M (2013) An integrated selection and scheduling for disjunctive network problems. Comput Ind Eng 65:6–76

Teixeira A, Duarte MDO (2011) A multi-criteria decision model for selecting project portfolio with consideration being given to a new concept for synergies. Pesqui Operacional 31:301–318. https://doi.org/10.1590/S0101-74382011000200006CrossRef

Tofan D (2011) Information security standards. J Mobile Embed Distrib Syst 3:128–135

Tosatto SC, Governatori G, Kelsen P (2015) Business process regulatory compliance is hard. IEEE Trans Serv Comput 8:958–970. https://doi.org/10.1109/TSC.2014.2341236CrossRef

Viduto V, Maple C, Huang W, López-Peréz D (2012) A novel risk assessment and optimisation model for a multi-objective network security countermeasure selection problem. Decis Support Syst 53:599–610. https://doi.org/10.1016/j.dss.2012.04.001CrossRef

Von Solms SH (2005) Information security governance—compliance management vs operational management. Comput Secur 24:443–447. https://doi.org/10.1016/j.cose.2005.07.003CrossRef

Wang L, Wang S, Xu Y (2012) An effective hybrid EDA-based algorithm for solving multidimensional knapsack problem. Expert Syst Appl 39:5593–5599CrossRef

Wäscher G, Haubner H, Schumann H (2007) An improved typology of cutting and packing problems. Eur J Oper Res 183:1109–1130CrossRef

Weglarz J, Józefowska J, Mika M, Waligóra G (2011) Project scheduling with finite or infinite number of activity processing modes—a survey. Eur J Oper Res 208:177–205CrossRef

Weitzner DJ, Abelson H, Berners-Lee T et al (2008) Information accountability. Commun ACM 51:82–87. https://doi.org/10.1145/1349026.1349043CrossRef

Wierzbicki AP (1980) The use of reference objectives in multiobjective optimization. In: Fandel G, Gal T (eds) Multiple criteria decision making theory and application. Lecture notes in economics and mathematical systems, vol 177. Springer, Berlin, Heidelberg, pp 468–486. https://doi.org/10.1007/978-3-642-48782-8_32

Yameng C, Yulong S, Jianfeng M, et al (2011) AHP-GRAP based security evaluation method for MILS System within CC framework. In: Proceedings seventh international conference on computational intelligence and security, pp 635–639. https://doi.org/10.1109/cis.2011.145

Yang Y, Shieh H, Leu J, Tzeng G (2009) A VIKOR-based multiple criteria decision method for improving information security risk. Int J Inf Technol Decis Mak 8:267–287CrossRef

Yang Y, Shieh H, Tzeng G (2013) A VIKOR technique based on DEMATEL and ANP for information security risk control assessment. Inf Sci (Ny) 232:482–500CrossRef

Yau H (2014) Information security controls. Adv Robot Autom 3:e118. https://doi.org/10.4172/2168-9695.1000e118CrossRef

Yevseyeva I, Basto-Fernandes V, Emmerich M, van Moorsel A (2015) Selecting optimal subset of security controls. Procedia Comput Sci 64:1035–1042. https://doi.org/10.1016/j.procs.2015.08.625CrossRef

You B, Yamada T (2007) ). A pegging approach to the precedence-constrained knapsack problem. Eur J Oper Res 183:618–632CrossRef

Titel: Mapping the variations for implementing information security controls to their operational research solutions
verfasst von: Mauricio Diéguez
Jaime Bustos
Carlos Cares
Publikationsdatum: 23.04.2020
Verlag: Springer Berlin Heidelberg
Erschienen in: Information Systems and e-Business Management / Ausgabe 2/2020
Print ISSN: 1617-9846
Elektronische ISSN: 1617-9854
DOI: https://doi.org/10.1007/s10257-020-00470-8

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 2/2020

The problem of shelf-warmers in electronic commerce: a proposed solution

Multi-grounded action research

From Shadow IT to Business-managed IT: a qualitative comparative analysis to determine configurations for successful management of IT by business entities

On the ability of virtual agents to decrease cognitive load: an experimental study