A Decision Support System for Optimal Selection of Enterprise Information Security Preventative Actions

2021-09-01
Sonmez, Ferda Ozdemir
Günel Kılıç, Banu
The types and complexity of information security vulnerabilities are growing rapidly and present numerous challenges to enterprises. One of the key challenges is identifying the optimal set of precautions under a limited budget. Although most enterprises face a budget constraint for installing and maintaining protection systems, most previous work focuses only on prioritizing security targets and does not consider preventative actions or budget constraints. This article presents a decision support system (DSS) based on the analytic hierarchy process (AHP) and mixed integer programming for the optimal selection of enterprise information security preventative actions. The proposed approach maximizes the amount of risk prevented for a fixed budget by identifying the optimal set of precautions. The DSS also helps enterprise decision-makers determine the minimum information security budget for a given level of risk. The main contribution of the paper is a risk management method that identifies a multi-level threat model and the corresponding optimal combination of preventative actions for an enterprise while respecting budget constraints. The treemap information visualization technique is also integrated into the proposed method to support information security management decisions.
IEEE TRANSACTIONS ON NETWORK AND SERVICE MANAGEMENT
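The two optimization questions the abstract describes (maximum risk prevented for a fixed budget, and minimum budget for a target level of risk) can be illustrated on a toy instance. The following is an added example, not the authors' DSS or data: the threat list, the AHP pairwise comparison matrix, the action costs and the per-threat coverage fractions are all constructed here, and the "additive coverage capped at 1" aggregation is an assumption standing in for the paper's multi-level threat model. Threat weights come from the row geometric-mean approximation of AHP's principal eigenvector, with Saaty's consistency ratio as the sanity check a practitioner would run before trusting the weights. With six actions the 0/1 selection is solved by exhaustive enumeration; at realistic sizes the same objective and constraint are handed to a MIP solver instead.

```python
"""Budget-constrained selection of security preventative actions (illustrative).

Added worked example, not the paper's code or data. AHP-style threat weights
from a constructed pairwise matrix, then exhaustive search over action subsets
for (a) maximum risk prevented under a budget and (b) minimum budget for a
target. Enumeration is a stand-in for the MIP solver used at realistic sizes.
"""
from itertools import combinations
from math import prod
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed threats and AHP pairwise comparison matrix (Saaty 1-9 scale):
# PAIRWISE[i][j] = how much more important threat i is than threat j.
THREATS = ["phishing", "unpatched_web_app", "insider_misuse"]
PAIRWISE = [
    [1.0, 2.0, 4.0],
    [0.5, 1.0, 2.0],
    [0.25, 0.5, 1.0],
]

# Constructed preventative actions: (cost in budget units, fraction of each
# threat's risk the action is assumed to prevent). Numbers are illustrative.
ACTIONS: Dict[str, Tuple[int, Dict[str, float]]] = {
    "awareness_training": (30, {"phishing": 0.5}),
    "mail_filtering_mfa": (40, {"phishing": 0.6, "insider_misuse": 0.2}),
    "patch_program":      (50, {"unpatched_web_app": 0.8}),
    "waf":                (35, {"unpatched_web_app": 0.5}),
    "ueba_dlp":           (45, {"insider_misuse": 0.7}),
    "least_privilege":    (20, {"insider_misuse": 0.4, "unpatched_web_app": 0.1}),
}

# Saaty's random index, used to normalize the consistency index.
RANDOM_INDEX = {3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}

Selection = Tuple[Set[str], float, int]  # (chosen actions, risk prevented, cost)


def ahp_priorities(matrix: List[List[float]]) -> List[float]:
    """Priority vector: normalized row geometric means (approximates the principal eigenvector)."""
    n = len(matrix)
    gm = [prod(row) ** (1.0 / n) for row in matrix]
    total = sum(gm)
    return [g / total for g in gm]


def consistency_ratio(matrix: List[List[float]], weights: List[float]) -> float:
    """CR = CI / RI; judgments with CR above about 0.1 should be revisited before use."""
    n = len(matrix)
    aw = [sum(matrix[i][j] * weights[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / weights[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1)
    return ci / RANDOM_INDEX[n]


def risk_prevented(selected: Iterable[str], actions, weights: Dict[str, float]) -> float:
    """Weighted risk prevented; per threat, coverage from several actions adds up and is capped at 1."""
    selected = list(selected)
    total = 0.0
    for threat, w in weights.items():
        coverage = sum(actions[a][1].get(threat, 0.0) for a in selected)
        total += w * min(1.0, coverage)
    return total


def cost_of(selected: Iterable[str], actions) -> int:
    return sum(actions[a][0] for a in selected)


def subsets(names: List[str]):
    for k in range(len(names) + 1):
        yield from combinations(names, k)


def select_max_risk_prevented(actions, weights, budget: int) -> Selection:
    """Objective (a): maximize risk prevented subject to total cost <= budget."""
    best: Optional[Selection] = None
    for s in subsets(list(actions)):
        c = cost_of(s, actions)
        if c > budget:
            continue
        r = risk_prevented(s, actions, weights)
        if best is None or (r, -c) > (best[1], -best[2]):  # more risk, then cheaper
            best = (set(s), r, c)
    return best


def min_budget_for_risk(actions, weights, target: float) -> Optional[Selection]:
    """Objective (b): minimize cost subject to risk prevented >= target; None if unreachable."""
    best: Optional[Selection] = None
    for s in subsets(list(actions)):
        r = risk_prevented(s, actions, weights)
        if r < target:
            continue
        c = cost_of(s, actions)
        if best is None or (c, -r) < (best[2], -best[1]):  # cheaper, then more risk
            best = (set(s), r, c)
    return best


if __name__ == "__main__":
    w = ahp_priorities(PAIRWISE)
    weights = dict(zip(THREATS, w))
    print("threat weights:", {t: round(x, 3) for t, x in weights.items()},
          "CR =", round(consistency_ratio(PAIRWISE, w), 3))
    print("budget 100 ->", select_max_risk_prevented(ACTIONS, weights, 100))
    print("target 0.5 ->", min_budget_for_risk(ACTIONS, weights, 0.5))
```

On this constructed instance the consistent 4:2:1 judgments give weights of 4/7, 2/7 and 1/7 with a consistency ratio of 0; under a budget of 100 the optimum buys training, mail filtering/MFA and the least-privilege review (cost 90), and the cheapest way to prevent at least half the weighted risk is training plus mail filtering/MFA (cost 70). Note that the cap on per-threat coverage is what makes the problem non-additive: once phishing is fully covered, a second phishing control adds nothing, so the selection moves budget to the next threat.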

Suggestions

A Conceptual Model for a Metric Based Framework for the Monitoring of Information Security Tasks’ Efficiency
Sönmez, Ferda Özdemir (Elsevier BV; 2019)
Information Security Governance Systems are not adequate for measuring the effectiveness and efficiency of enterprise security tasks. Although some of these systems offer ways to measure, they still require the definition of measurement objectives and metrics. This study proposes a conceptual framework model with human-related and tool/process-related metrics. The system also allows the collection of evidence data for security-related tasks and provides ways to motivate the security staff to be more produc...
Evaluation of Security Information and Event Management Systems for Custom Security Visualization Generation
Sonmez, Ferda Ozdemir; Günel Kılıç, Banu (2018-12-04)
Security Information and Event Management (SIEM) systems are generally very complex systems encapsulating a large number of functions with different behaviors. Visualization is a common way of presenting data in these systems, along with other presentation methods such as reporting, alerting, and text messaging. However, generating a visualization involves several steps. If the data is in a custom format, rather than a predefined format that follows a standard or a known file structure, the generatio...
Security Qualitative Metrics for Open Web Application Security Project Compliance
Sönmez, Ferda Özdemir (Elsevier BV; 2019)
The focus of this study is to identify repeatable features of the large-scale enterprise web application production process based on the OWASP security requirement list. As a result of rigorous work, including a domain analysis of the Java language and its development frameworks and the examination of a large set of technical documents, 230 security qualitative metrics are discovered under six categories. These security qualitative metrics are beneficial for security analysts as well as other parties such as d...
Using operational data for decision making a feasibility study in rail maintenance
Marsh, William; Nur, Khalid; Yet, Barbaros; Majumdar, Arnab (2016-05-01)
In many organisations, large databases are created as part of the business operation: the promise of ‘big data’ is to extract information from these databases to make smarter decisions. We explore the feasibility of this approach for better decision-making for maintenance, specifically for rail infrastructure. We argue that the data should be used within a Bayesian framework with the aim of inferring the underlying state of the system so we can predict future failures and improve decision-making. Within thi...
Increasing trustworthiness of security critical applications using trusted computing
Uzunay, Yusuf; Baykal, Nazife; Bıçakcı, Kemal; Department of Information Systems (2014)
In this thesis work, we aim to increase the trustworthiness of security critical applications by utilizing trusted computing technologies. We focus on two case applications; authentication proxy systems and e-voting systems. Our first case application is authentication proxy systems which store users’ sensitive credentials and submit them to the servers of the service providers on their behalf. To increase the trustworthiness of authentication proxy systems, we propose Trust-in-the-Middle a trusted platform...
Citation Formats
F. O. Sonmez and B. Günel Kılıç, “A Decision Support System for Optimal Selection of Enterprise Information Security Preventative Actions,” IEEE TRANSACTIONS ON NETWORK AND SERVICE MANAGEMENT, vol. 18, no. 3, pp. 3260–3279, 2021, Accessed: 00, 2021. [Online]. Available: https://hdl.handle.net/11511/94753.