Decision Support For Selecting Information Security Controls

With the emergence of the Internet, the volume of cyberattacks has been progressively growing and, therefore, adequate security of information has a crucial role in IT systems. Organisations face complex decisions regarding the selection of security controls that allow protecting their information assets. The implementation of these controls should ensure an adequate level of protection. However, their selection requires knowledge about the vulnerabilities and threats existing in the organisation, and the investment in security must comply with economic constraints. This work proposes a framework to support an organisation to identify security vulnerabilities and optimise a portfolio of security controls to mitigate them. Those security controls may be of a mixed nature, such as hardware controls, software controls, policies, procedures and training actions. The framework is established using the standards ISO/IEC 27001:2013 and ISO/IEC 27002: 2013 to support the identification of vulnerabilities/threats and the choice of controls that can mitigate them. Once the existing vulnerabilities/threats are identified, one has to select the subset of controls to implement, assuring an adequate mitigation at the lowest cost. An integer programming model is used to address this optimisation problem within the framework, which has been implemented as a prototype decision support tool.