Article
Publication date: 25 November 2013

Vinod Pathari and Rajendra M. Sonar

Abstract

Purpose

Measurement of information security assurance (ISA) is an important but difficult task. This paper aims to propose a framework, which helps in refining information security requirements into controls whose effectiveness can be measured. This work also provides aggregation techniques to combine these measurements so as to obtain an indicator for ISA at the organizational level.

Design/methodology/approach

A top-down approach of refining security objectives into measurable, independent tasks is carried out using the assign graph as the model. The graph captures the various objectives and their interrelationships; their initial values and relative impacts are obtained from experts. Using a fuzzy cognitive model (FCM), these initial values are combined to obtain an indicator for ISA at the firm's level.

Findings

The two applications of the framework revealed that interrelationships do exist between the different controls employed in actual security implementations and that these dependencies are seldom accounted for. When those few controls that are to be measured are clearly identified, the security experts can focus their attention on them and ensure their correct implementation and appropriate measurement. The extent of impact of a single control on the overall security picture of the firm can also be found using this approach.

Research limitations/implications

While the framework is generic, the assurance values obtained are context-sensitive. This is primarily because of the subjectivity involved in assigning impact measures and initial values.

Practical implications

This work helps in answering two difficult questions in information security management: “what to measure?” and “how to quantify the overall security assurance of the organization?” It assists the information security team in identifying and refining those controls that need to be appropriately emphasized. The proposed framework helps top management carry out “what-if” analysis, thereby aiding their decision-making on information security investments.

Originality/value

The novel framework proposes a top-down approach for security control refinement and a bottom-up approach for combining the confidence values to obtain an indicator for ISA. This work identifies and accommodates the possibility of interdependencies between security controls. The proposed aggregation method using FCM is applied for the first time in the information security context and converges even in the presence of cyclic dependencies amongst the controls.
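As an added illustration (not code from the paper), a minimal FCM aggregation over a constructed control graph: controls are concepts with expert-supplied initial values, weighted edges carry relative impacts, a logging/monitoring cycle is included to show convergence, and a what-if helper measures the impact of a single control on the ISA indicator. All concept names, weights and initial values are assumptions.

```python
import math

# Constructed example, not from the paper: five refined controls plus one
# aggregate ISA concept. Edge weights in [-1, 1] are expert-assigned relative
# impacts; initial activations in [0, 1] are the measured effectiveness values.
INITIAL = {"patching": 0.7, "hardening": 0.5, "logging": 0.8,
           "monitoring": 0.6, "ir_process": 0.4, "ISA": 0.0}
EDGES = [  # (source, target, weight); logging <-> monitoring is a cycle
    ("patching", "ISA", 0.6),
    ("hardening", "ISA", 0.5),
    ("hardening", "patching", 0.3),
    ("logging", "monitoring", 0.7),
    ("monitoring", "logging", 0.4),
    ("monitoring", "ir_process", 0.6),
    ("monitoring", "ISA", 0.4),
    ("ir_process", "ISA", 0.5),
]

def squash(x, lam=1.0):
    """Sigmoid threshold function that keeps activations inside (0, 1)."""
    return 1.0 / (1.0 + math.exp(-lam * x))

def run_fcm(initial, edges, eps=1e-4, max_iter=200):
    """Iterate A_i(t+1) = f(A_i(t) + sum_j A_j(t) * w_ji) until the largest
    change in any concept drops below eps. Returns (activations, iterations)."""
    state = dict(initial)
    for step in range(1, max_iter + 1):
        nxt = {}
        for concept in state:
            incoming = sum(state[src] * w for src, dst, w in edges if dst == concept)
            nxt[concept] = squash(state[concept] + incoming)
        delta = max(abs(nxt[c] - state[c]) for c in state)
        state = nxt
        if delta < eps:
            return state, step
    return state, max_iter

def isa_indicator(initial=INITIAL, edges=EDGES):
    """Firm-level ISA indicator: the converged activation of the ISA concept."""
    return run_fcm(initial, edges)[0]["ISA"]

def what_if(control, initial=INITIAL, edges=EDGES):
    """Simple what-if: drop in the indicator when one control is set to zero
    and its outgoing influence is removed (an assumed form of the analysis)."""
    degraded = dict(initial, **{control: 0.0})
    pruned = [e for e in edges if e[0] != control]
    return isa_indicator(initial, edges) - isa_indicator(degraded, pruned)
```

Because the sigmoid is a contraction for these weights, the cycle does not prevent convergence; with all weights positive, removing a control can only lower the indicator.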

Details

Information Management & Computer Security, vol. 21 no. 5
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 5 October 2012

Vinod Pathari and Rajendra Sonar

Abstract

Purpose

The information security policy document of an organization needs to be translated into controls and procedures at the implementation level. The technical and business personnel in charge of implementing the controls and procedures need to consider a large number of security-related statements from a heterogeneous pool of security documentation and decide on the implementation plan. The purpose of this paper is to propose an approach to analyze a set of security statements to establish an implicit hierarchy and relative importance among them.

Design/methodology/approach

A set of statements relevant to e-mail service security is chosen from the classified documentation of an IT firm. The authors contacted the technical person who was the owner of this service to obtain a one-on-one comparison between the policies. These policies and their inter-relationships are represented as a graph. Centrality measures based on the in- and out-degrees of a node are used to calculate the relative importance of a policy. The authors then present an improved approach based on DEMATEL, which considers the level of influence of one policy on another.

Findings

Security statements fall into different categories based on their relative intensity and nature. They can be of high or low importance on one axis and of driving or receiving nature on the other. The driver policies are the action items that could be implemented to satisfy a large number of other security requirements. The policies that are predominantly receivers in nature need many other requirements to be satisfied for their own fulfillment.

Practical implications

The intense driver policies are the ones to be considered for immediate implementation so as to achieve maximum benefit. If such an action item cannot be implemented at the level under consideration, it needs to be communicated to the appropriate level where it can be addressed effectively. An orphaned policy statement can indicate a high-level requirement left without any action plan, or an unnecessary control. Establishing clear linkages between the implemented controls and the organization's security policy document can be very effective in convincing employees to adhere to security practices.

Originality/value

Analyzing a set of informal security statements to identify the linkages between them is a novel idea. While other works establish the need for translating the security policy to lower levels of implementation, the authors propose an approach to identify the existence or absence of an effective translation. The graph representation with associated centrality measures, and the application of the DEMATEL technique to deduce the nature and intensity of security statements, are not yet found in the literature.
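As an added example (not the authors' code or data), the DEMATEL step described above run over a constructed set of e-mail security statements: the direct-influence matrix is normalized, the total-relation matrix is summed, and each statement is placed on the driver/receiver and high/low-intensity axes, with an unlinked statement reported as an orphan. All statements and scores are assumptions.

```python
# Constructed example, not data from the paper. DIRECT[i][j] is an expert's 0-4
# score for how much statement i helps fulfil statement j; S7 is left unlinked.
STATEMENTS = ["S1 mail confidential in transit", "S2 MTAs enforce TLS",
              "S3 MTAs patched monthly", "S4 mail incidents detectable",
              "S5 mail logs retained and reviewed",
              "S6 no unauthorised access to mail infrastructure",
              "S7 no forwarding of company mail to personal accounts"]
DIRECT = [[0, 0, 0, 0, 0, 0, 0],
          [4, 0, 0, 0, 0, 0, 0],
          [1, 0, 0, 0, 0, 3, 0],
          [0, 0, 0, 0, 0, 1, 0],
          [0, 0, 0, 4, 0, 2, 0],
          [2, 0, 0, 1, 0, 0, 0],
          [0, 0, 0, 0, 0, 0, 0]]

def total_relation(direct, tol=1e-12):
    """DEMATEL total-relation matrix T = N + N^2 + N^3 + ... (= N(I-N)^-1), with
    N the direct matrix scaled by its largest row or column sum; that scaling
    keeps the series convergent even with the S4 <-> S6 influence cycle."""
    n = len(direct)
    scale = max(max(sum(row) for row in direct),
                max(sum(row[j] for row in direct) for j in range(n)))
    norm = [[v / scale for v in row] for row in direct]
    total, power = [[0.0] * n for _ in range(n)], norm
    while max(max(row) for row in power) > tol:
        total = [[total[i][j] + power[i][j] for j in range(n)] for i in range(n)]
        power = [[sum(power[i][k] * norm[k][j] for k in range(n))
                  for j in range(n)] for i in range(n)]
    return total

def classify(direct=DIRECT, names=STATEMENTS):
    """Map each statement to (nature, intensity): nature from the sign of D - R
    (influence given minus received), intensity from D + R against the mean."""
    t = total_relation(direct)
    n = len(t)
    d = [sum(t[i]) for i in range(n)]                       # influence given
    r = [sum(t[i][j] for i in range(n)) for j in range(n)]  # influence received
    mean_prominence = sum(d[i] + r[i] for i in range(n)) / n
    result = {}
    for i, name in enumerate(names):
        if d[i] == 0 and r[i] == 0:        # no linkage in either direction
            result[name] = ("orphan", "none")
        else:
            nature = "driver" if d[i] > r[i] else "receiver"
            intensity = "high" if d[i] + r[i] >= mean_prominence else "low"
            result[name] = (nature, intensity)
    return result
```

On this input the log-review action item comes out as an intense driver, the confidentiality requirement as an intense receiver, and S7 as an orphan with neither an action plan feeding it nor anything it supports.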
