Mapping the variations for implementing information security controls to their operational research solutions

  • Original Article
  • Journal: Information Systems and e-Business Management

Abstract

Information Security Management is currently guided by process-based standards. Achieving one or more of these standards means deploying their corresponding set of security controls under different constraints on resources, budgets, information assets to protect, and risks to avoid or mitigate, among other factors. This constitutes a complex combinatorial problem in the decision-making process. To select, schedule and deploy these security controls, mainly qualitative approaches have been proposed. Quantitative approaches to information security management are only just emerging, and they have been applied only to simplified theoretical cases. The purpose of this paper is to support the notion that the problems of implementing information security controls, in the sense of putting them into effect, can be formulated as a family of existing and already solved optimization problems. The main result is a mapping from seven types of information security management problems to their corresponding operational research formulations. A solved case from a governmental institution illustrates the use of the proposed map.



Acknowledgements

This research is funded by the Universidad de La Frontera, through DIUFRO Research Project # DI19-0116.

Author information

Corresponding author

Correspondence to Mauricio Diéguez.

Cite this article

Diéguez, M., Bustos, J. & Cares, C. Mapping the variations for implementing information security controls to their operational research solutions. Inf Syst E-Bus Manage 18, 157–186 (2020). https://doi.org/10.1007/s10257-020-00470-8
