Mapping the variations for implementing information security controls to their operational research solutions
Information Systems and E-Business Management (IF 2.775), Pub Date: 2020-04-23, DOI: 10.1007/s10257-020-00470-8
Mauricio Diéguez, Jaime Bustos, Carlos Cares

Information Security Management is currently guided by process-based standards. Achieving one or some of these standards means deploying their corresponding set of security controls under different constraints on resources, budgets, information assets to protect, and risks to avoid or mitigate, among other factors. This constitutes a complex combinatorial problem in the decision-making process. To select, schedule and deploy these security controls, qualitative approaches have mainly been proposed. Quantitative approaches to information security management are just emerging, and they have been applied only to simplified theoretical cases. The purpose of this paper is to support the notion that the problems of implementing information security controls, in the sense of being put into effect, can be formulated as a family of existing and already solved optimization problems. The main result is a mapping from a set of seven information security management types of problems to their corresponding operational research formulations. A solved case from a governmental institution illustrates the use of the proposed map.

Updated: 2020-04-23