Proposal of a Model Supporting Decision-Making on Information Security Risk Treatment
Authors: Ritsuko Kawasaki (Aiba), Takeshi Hiromatsu
Abstract:
Management is required to understand all information security risks within an organization, and to make decisions on which information security risks should be treated in what level by allocating how much amount of cost. However, such decision-making is not usually easy, because various measures for risk treatment must be selected with the suitable application levels. In addition, some measures may have objectives conflicting with each other. It also makes the selection difficult. Therefore, this paper provides a model which supports the selection of measures by applying multi-objective analysis to find an optimal solution. Additionally, a list of measures is also provided to make the selection easier and more effective without any leakage of measures.
Keywords: Information security risk treatment, Selection of risk measures, Risk acceptance and Multi-objective optimization.
Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1092042
Procedia APA BibTeX Chicago EndNote Harvard JSON MLA RIS XML ISO 690 PDF Downloads 2048References:
[1] Hyodo, T., Nakamura, I., Nishigaki M., Soga, M. (2003). A modeling of security measure selection problem, The Special Interest Group (SIG) Technical Reports (TR) of Information Processing Society of Japan (IPSJ), Computer Security (CSEC) Group, 74, 249-256. (Japanese document).
[2] Nakamura, I., Hyodo, T., Soga, M., Mizuno, T., &Nishigaki, M. (2004). A Practical Approach for Security Measure Selection Problem and Its Availability. IPSJ Journal, 45(8), 2022-2033. (Japanese document).
[3] ISO/IEC 27001:2005 Information technology -- Security techniques -- Information security management system – Requirement.
[4] ISO/IEC TR 13335-3:1998Information technology - Guidelines for the management of IT Security - Part3: Techniques for the management of IT Security.
[5] ISO/IEC 27001:2013 Information technology -- Security techniques -- Information security management system – Requirement.
[6] Next Generation Electronic Commerce Promotion Council of Japan (ECOM) (2002). Explanations of information security management standard (JIS X 5080:ISO/IEC 17799). From http://www.jipdec.or.jp/ archives/ecom/results/h13seika/h13results-10.pdf (Japanese document).
[7] Nagai Y., Fujiyama T., & Sasaki R. (2000). An Optimal Decision Method for Establishment of Security Objectives. IPSJ Journal, 41(8), 2264-2271. (Japanese document).
[8] Sasaki R., Yoshiura H., &Itoh S. (2002). Consideration on Combinatorial Optimization of Illegal Copy Countermeasures. IPSJ Journal, 43(8), 2435-2446. (Japanese document) .
[9] Usui, Y., Yamamoto, T., Magata, F., Teshigawara, Y., Sasaki, & R., Nishigaki, M. (2009). A case study of a security measure selection scheme with consideration of potential lawsuit. In Proceedings of the Computer Security Symposium 2009, IPSJ, 105-110. (Japanese document).
[10] Nishigaki, M., Usui, Y., Yamamoto, T., Magata, F., Teshigawara, Y., & Sasaki, R. (2011). A Case Study of a Security Measure Selection Scheme with Consideration of Potential Lawsuit. IPSC Journal 52(3), 1173-1184 (Japanese document).
[11] Otero, A. R., Otero, C. E., &Qureshi, A. (2010), A Multi-Criteria Evaluation of Information Security Controls Using Boolean Features. International Journal of Network Security & Its Applications (IJNSA), 2(4). doi:10.5121/ijnsa.2010.2401 1.
[12] ISO/IEC 27002:2013 Information technology -- Security techniques -- Code of practice for information security controls.
[13] ISO 31000:2009, Risk management – Principles and guidelines.
[14] Barnard, L., &Solms, R. V., (2000). A Formalized Approach to the Effective Selection and Evaluation of Information Security Controls. Computers & Security, 19(2), 185-194.
[15] ISO/IEC 27005:2011 Information technology -- Security techniques -- Information security risk management.
[16] Japan Institute for Promotion of Digital Economy and Community (JIPDEC) (2008), Guideline for ISMS users - correspond to JIS Q 27001:2006 (ISO/IEC 27001:2005) - Risk management edition -.from http://www.isms.jipdec.or.jp/doc/JIP-ISMS113-21.pdf (Japanese document).
[17] National Information Security Center (NISC)(2000), Guideline for information security policy. From http://www.kantei.go.jp/jp/it/security/ taisaku/guideline.html (Japanese document).