Abstract
Selecting the security mechanisms that will protect an organization's assets against cyber threats is an important and non-trivial problem. This paper introduces an approach based on statistical methods that helps choose appropriate controls with respect to the actual security threats. First, we determine the security mechanisms that support the control objectives of the ISO/IEC 27002 standard and assign them meaningful weights. Then we apply factor analysis to reveal dependencies among the control objectives. Finally, this knowledge is transferred to the security mechanisms, which inherit these dependencies from the control objectives they support.
© 2013 Springer-Verlag Berlin Heidelberg
Breier, J., Hudec, L. (2013). On Identifying Proper Security Mechanisms. In: Mustofa, K., Neuhold, E.J., Tjoa, A.M., Weippl, E., You, I. (eds) Information and Communication Technology. ICT-EurAsia 2013. Lecture Notes in Computer Science, vol 7804. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-36818-9_29
DOI: https://doi.org/10.1007/978-3-642-36818-9_29
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-36817-2
Online ISBN: 978-3-642-36818-9