ISCP: In-depth model for selecting critical security controls

Abstract

The primary goal of all organizations worldwide is to reduce potential threats and vulnerabilities. An information security control assessment is a far-reaching way to deal with control analysis that can help organizations to measure the adequacy and effectiveness of their present and planned security controls. Availability of adequate resources and proper risk analysis practices should be considered in preventing security breaches in order to achieve returns on security investments. Nonetheless, and despite the necessity for a competent security analysis framework, present frameworks and methodologies for security control analysis lack practical guidelines and mostly depend on subjective judgment and qualitative approaches. This paper proposes an information security control prioritization (ISCP) model that can determine the critical vulnerable controls based on a number of assessment criteria. The model uses techniques from the Order Performance by Similarity to Ideal Solution (TOPSIS) method, which is a sub-method of multiple attribute decision making. The proposed model provides clear guidelines on how to accomplish control analysis in a structured, self-organizing and constituent manner, with minimal overlap. Evaluation of information security controls using TOPSIS as the prioritization method involves a cost-effectiveness analysis, an effective and efficient assessment in terms of testing and selecting information security controls in organizations.