Show/Hide Menu
Hide/Show Apps
Logout
Türkçe
Türkçe
Search
Search
Login
Login
OpenMETU
OpenMETU
About
About
Open Science Policy
Open Science Policy
Communities & Collections
Communities & Collections
Help
Help
Frequently Asked Questions
Frequently Asked Questions
Guides
Guides
Thesis submission
Thesis submission
MS without thesis term project submission
MS without thesis term project submission
Publication submission with DOI
Publication submission with DOI
Publication submission
Publication submission
Supporting Information
Supporting Information
General Information
General Information
Copyright, Embargo and License
Copyright, Embargo and License
Contact us
Contact us
A Decision Support System for Optimal Selection of Enterprise Information Security Preventative Actions
Date
2021-09-01
Author
Sonmez, Ferda Ozdemir
Günel Kılıç, Banu
Metadata
Show full item record
This work is licensed under a
Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License
.
Item Usage Stats
222
views
0
downloads
Cite This
Types and complexity of information security related vulnerabilities are growing rapidly and present numerous challenges to the enterprises. One of the key challenges is to identify the optimal set of precautions with limited budget. Despite the fact that majority of enterprises have a budget constraint for installing and maintaining the protection systems, the majority of the previous work only focus on prioritization of security targets and do not consider the preventative actions and budget constraints. This article presents a decision support system (DSS) based on analytical hierarchical process and mixed integer programming techniques for optimal selection of enterprise information security preventative actions. The proposed approach enables maximizing the amount of risk prevented for a fixed amount of budget by identifying the optimal set of precautions. The new DSS also assists enterprise decision-makers in determining the minimum enterprise information security budget for a given level of risk. The main contribution of the paper is that it provides a risk management method to identify a multi-level threat model and the corresponding optimal combination of preventative actions for an enterprise while considering the budget constraints. The treemap information visualization technique is also integrated into the proposed method to improve information security related management decisions.
Subject Keywords
Security
,
Information security
,
Risk management
,
Visualization
,
Decision support systems
,
Security management
,
Analytical models
,
Enterprise information security
,
security investment
,
analytical hierarchical process (AHP)
,
MIP
,
optimization
,
visualization
,
ANALYTIC HIERARCHY PROCESS
,
MODEL
,
TIME
,
SDN
,
analytical hierarchical process (AHP)
,
Analytical models
,
Decision support systems
,
Enterprise information security
,
Information security
,
MIP
,
optimization
,
Risk management
,
Security
,
security investment
,
Security management
,
Visualization
,
visualization.
URI
https://hdl.handle.net/11511/94753
Journal
IEEE TRANSACTIONS ON NETWORK AND SERVICE MANAGEMENT
DOI
https://doi.org/10.1109/tnsm.2020.3044865
Collections
Graduate School of Informatics, Article
Suggestions
OpenMETU
Core
A Conceptual Model for a Metric Based Framework for the Monitoring of Information Security Tasks’ Efficiency
Sönmez, Ferda Özdemir (Elsevier BV; 2019)
Information Security Governance Systems are not adequate to measure the effectiveness and efficiency of security tasks for the enterprises. Although some of the systems offer ways for measurement, they still need the definition of measurement objectives and metrics. This study proposes a conceptual framework mode which has human and tool/process related metrics. This system also allows the collection of evidence data for security-related tasks and ways to motivate the security staff to provide a more produc...
Evaluation of Security Information and Event Management Systems for Custom Security Visualization Generation
Sonmez, Ferda Ozdemir; Günel Kılıç, Banu (2018-12-04)
Security Information and Event Management Systems (SIEM) are generally very complex systems encapsulating a large number of functions with different behaviors. Visualization is a common way of data presentation in these systems along with other data presentation ways such as reporting, alerting, text messaging. However, generation of the visualization has different steps. If the data is in a custom format, rather than a predefined format which either obeys a standard or a known file structure, the generatio...
Security Qualitative Metrics for Open Web Application Security Project Compliance
Sönmez, Ferda Özdemir (Elsevier BV; 2019)
The focus of this study is to find out repeatable features for large-scale enterprise web application production process related to based on OWASP security requirement list. As a result of a rigorous work including domain analysis for Java language and development frameworks and the examination of a large set of technical documents, 230 security qualitative metrics are discovered, under six categories. These security qualitative metrics are beneficial for security analysts as well as other parties such as d...
Using operational data for decision making a feasibility study in rail maintenance
Marsh, William; Nur, Khalid; Yet, Barbaros; Majumdar, Arnab (2016-05-01)
In many organisations, large databases are created as part of the business operation: the promise of ‘big data’ is to extract information from these databases to make smarter decisions. We explore the feasibility of this approach for better decision-making for maintenance, specifically for rail infrastructure. We argue that the data should be used within a Bayesian framework with the aim of inferring the underlying state of the system so we can predict future failures and improve decision-making. Within thi...
Increasing trustworthiness of security critical applications using trusted computing
Uzunay, Yusuf; Baykal, Nazife; Bıçakcı, Kemal; Department of Information Systems (2014)
In this thesis work, we aim to increase the trustworthiness of security critical applications by utilizing trusted computing technologies. We focus on two case applications; authentication proxy systems and e-voting systems. Our first case application is authentication proxy systems which store users’ sensitive credentials and submit them to the servers of the service providers on their behalf. To increase the trustworthiness of authentication proxy systems, we propose Trust-in-the-Middle a trusted platform...
Citation Formats
IEEE
ACM
APA
CHICAGO
MLA
BibTeX
F. O. Sonmez and B. Günel Kılıç, “A Decision Support System for Optimal Selection of Enterprise Information Security Preventative Actions,”
IEEE TRANSACTIONS ON NETWORK AND SERVICE MANAGEMENT
, vol. 18, no. 3, pp. 3260–3279, 2021, Accessed: 00, 2021. [Online]. Available: https://hdl.handle.net/11511/94753.
