Control priorization model for improving information security risk assessment


Bibliographic Details
Main Author: Al-Safwani, Nadher Mohammed Ahmed
Format: Thesis
Language: eng
Published: 2014
Subjects: QA75 Electronic computers; Computer science
Online Access: https://etd.uum.edu.my/5327/1/s93043.pdf
https://etd.uum.edu.my/5327/2/s93043_abstract.pdf
id my-uum-etd.5327
record_format uketd_dc
institution Universiti Utara Malaysia
collection UUM ETD
language eng
advisor Hassan, Suhaidi
Katuk, Norliza
topic QA75 Electronic computers
Computer science
description Evaluating particular assets for information security risk assessment should take into consideration the availability of adequate resources and return on investment (ROI). Despite the need for a good risk assessment framework, many of the existing frameworks lack granularity guidelines and mostly depend on qualitative methods. Hence, they require additional time and cost to test all the information security controls. Further, the reliance on human inputs and feedback increases subjective judgment in organizations. The main goal of this research is to design an efficient Information Security Control Prioritization (ISCP) model to improve the risk assessment process. Case studies based on penetration tests and vulnerability assessments were performed to gather data. Then, the Technique for Order Performance by Similarity to Ideal Solution (TOPSIS) was used to prioritize the controls. A combination of sensitivity analysis and expert interviews was used to test and validate the model. Subsequently, the performance of the model was evaluated by risk assessment experts. The results demonstrate that the ISCP model improved the quality of information security control assessment in the organization. The model plays a significant role in prioritizing the critical technical security controls during the risk assessment process. Furthermore, the model’s output supports ROI by identifying the appropriate controls to mitigate risks to an acceptable level in organizations. The major contribution of this research is the development of a model which minimizes the uncertainty, cost and time of information security control assessment. Thus, the clear practical guidelines will help organizations prioritize important controls reliably and more efficiently. All these contributions will minimize resource utilization and maximize the organization’s information security.
format Thesis
qualification_name Ph.D.
qualification_level Doctorate
author Al-Safwani, Nadher Mohammed Ahmed
title Control priorization model for improving information security risk assessment
granting_institution Universiti Utara Malaysia
granting_department Awang Had Salleh Graduate School of Arts & Sciences
publishDate 2014
url https://etd.uum.edu.my/5327/1/s93043.pdf
https://etd.uum.edu.my/5327/2/s93043_abstract.pdf
Washington, DC, USA: IEEE Computer Society, 2009, pp. 1–10. [Online]. Available: http://dx.doi.org/10.1109/ HICSS.2009.308 D. J. Lilja, Measuring Computer Performance, C. University, Ed. Cambridge University Press United Kingdom, 2000. A. B. Knol, P. Slottje, J. P. van der Sluijs, and E. Lebret, “The use of expert elicitation in environmental health impact assessment: a seven step procedure,” Environmental Health, vol. 9, no. 1, p. 19, 2010.