Abstract

This work proposes a recommendation model for designing cyber security decision support when building an information technology security system, based on risk analysis and the ISO/IEC 27001 cybersecurity framework. The model aims to obtain the security system that best mitigates security threats. The paper helps strategic policymakers design cyber security decision support recommendations and determine the best steps in designing information technology security systems. The model maps the priority value of threat mitigation from the relative threat score against the relative evaluation score of the implementation of ISO/IEC 27001 compliance. The mitigation priority value is the key to determining priority recommendations for building an information technology security system based on the ISO/IEC 27001 framework. The implemented security system recommendations are then tested by carrying out security attacks directly on the system being built. The work ends with a statistical evaluation of the system built from the recommendations. The results indicate an increase in the average ISO/IEC 27001 compliance evaluation value from 36.27 to 82.37, with a Paired T-Test p-value of 0.002138 < 0.05, meaning that whether an information technology security system applies the recommendations has a significant influence on the ISO/IEC 27001 compliance evaluation index value.
Furthermore, across 12 types of threat samples, the average threat criticality level decreases from 8.75 to 4.00, with a chi-square test p-value of 0.0006605 < 0.05 and a Fisher test p-value of 0.000008284 < 0.05, meaning that there is an association between applying or not applying the recommendations and the criticality level of information technology security threats. Finally, the evaluation of the relationship between implementing the security system recommendations and cybersecurity attack mitigation shows an increase in the effectiveness of cyber-attack mitigation from an average rating of 18.32 to 40.74, with a chi-square test p-value of 0.000005221 < 0.05 and a Fisher test p-value of 0.00000005658 < 0.05, meaning that there is an association between whether a system implements the ISO/IEC 27001-based recommendations and cybersecurity attack mitigation.
