
A comprehensive security control selection model for inter-dependent organizational assets structure

Maryam Shahpasand (Department of Computer engineering and Information Technology, Amirkabir University of Technology (Tehran Polytechnic), Tehran, Iran)
Mehdi Shajari (Department of Computer engineering and Information Technology, Amirkabir University of Technology (Tehran Polytechnic), Tehran, Iran)
Seyed Alireza Hashemi Golpaygani (Department of Computer engineering and Information Technology, Amirkabir University of Technology (Tehran Polytechnic), Tehran, Iran)
Hoda Ghavamipoor (Department of Computer engineering and Information Technology, Amirkabir University of Technology (Tehran Polytechnic), Tehran, Iran)

Information and Computer Security

ISSN: 2056-4961

Article publication date: 8 June 2015


Abstract

Purpose

This paper aims to propose a comprehensive model for finding the most preventive subset of security controls against potential security attacks within a limited budget. Deploying the appropriate collection of information security controls, especially in organizations that depend on information systems, ensures business continuity alongside effectiveness and efficiency.

Design/methodology/approach

Impacts of security attacks are measured based on the interdependent asset structure. To this end, the asset operational dependency graph is mapped onto the security attack graph to assess the risks of attacks. This mapping enables us to measure the effectiveness of security controls against attacks. The most effective subset is found by mapping the controls' features (cost and effectiveness) to item features in a binary knapsack problem, and then solving the problem with a modified version of the classic dynamic programming algorithm.

Findings

Exact solutions are achieved using the dynamic programming approach in the proposed model. The optimal security control subset is selected based on the controls' implementation cost, their effectiveness and the limited budget.
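The design and findings paragraphs describe a pipeline: propagate attack impact across the asset dependency graph, score each control by the risk it removes, then select controls as items in a 0/1 knapsack solved by dynamic programming. The following is an added example illustrating that pipeline; it is not code from the paper or its authors. The assets, dependency weights, attacks, probabilities and controls are constructed sample values, the loss-propagation rule (a fraction w of a dependent asset's value is lost when its provider is compromised) is an assumed semantics, and the classic 0/1 knapsack is used rather than the authors' modified variant.

```python
"""Added example (not from the paper): dependency-aware risk scoring and
0/1 knapsack selection of security controls under a budget.
All asset, attack and control data below are constructed sample values."""
from functools import lru_cache

# Asset operational dependency graph (constructed): dependent -> {provider: weight}.
# A weight w on edge (d -> p) means a fraction w of d's value is lost
# when provider p is compromised (assumed loss-propagation semantics).
DEPENDENCIES = {
    "web_app": {"db": 0.8, "auth": 0.6},
    "reporting": {"db": 0.5},
    "db": {},
    "auth": {},
}
ASSET_VALUE = {"web_app": 100.0, "reporting": 40.0, "db": 80.0, "auth": 60.0}

# Attack graph (constructed): attack -> (directly targeted asset, annual probability)
ATTACKS = {
    "sqli": ("db", 0.30),
    "cred_stuffing": ("auth", 0.40),
    "xss": ("web_app", 0.25),
}

# Controls (constructed): name -> (implementation cost, {attack: probability reduction})
CONTROLS = {
    "param_queries": (20, {"sqli": 0.9}),
    "mfa": (40, {"cred_stuffing": 0.9}),
    "waf": (30, {"xss": 0.7}),
    "csp": (10, {"xss": 0.5}),
}


def dependents_of(asset):
    """Assets whose operation depends on `asset`, with the edge weight."""
    return [(d, deps[asset]) for d, deps in DEPENDENCIES.items() if asset in deps]


@lru_cache(maxsize=None)
def impact(asset):
    """Total loss when `asset` is compromised: its own value plus the weighted
    loss propagated to every asset that (transitively) depends on it.
    Assumes the dependency graph is acyclic."""
    return ASSET_VALUE[asset] + sum(w * impact(d) for d, w in dependents_of(asset))


def total_risk(selected=()):
    """Expected annual loss over all attacks with the given controls deployed.
    Reductions from several controls on one attack combine multiplicatively."""
    risk = 0.0
    for attack, (target, prob) in ATTACKS.items():
        residual = prob
        for name in selected:
            residual *= 1.0 - CONTROLS[name][1].get(attack, 0.0)
        risk += residual * impact(target)
    return risk


def control_value(name):
    """Effectiveness of one control = risk reduction when deployed alone.
    Treating this as an additive item value is the knapsack simplification."""
    return total_risk() - total_risk((name,))


def select_controls(budget):
    """Classic 0/1 knapsack dynamic programming over integer costs.
    Returns (chosen control names, summed item value)."""
    names = list(CONTROLS)
    costs = [CONTROLS[n][0] for n in names]
    values = [control_value(n) for n in names]
    n = len(names)
    # best[i][b]: max value using only the first i controls within budget b
    best = [[0.0] * (budget + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        c, v = costs[i - 1], values[i - 1]
        for b in range(budget + 1):
            best[i][b] = best[i - 1][b]
            if c <= b and best[i - 1][b - c] + v > best[i][b]:
                best[i][b] = best[i - 1][b - c] + v
    # Walk the table backwards to recover which controls were taken.
    chosen, b = [], budget
    for i in range(n, 0, -1):
        if best[i][b] != best[i - 1][b]:
            chosen.append(names[i - 1])
            b -= costs[i - 1]
    return sorted(chosen), best[n][budget]


if __name__ == "__main__":
    chosen, value = select_controls(budget=70)
    print("baseline risk:", round(total_risk(), 1))
    print("chosen:", chosen, "summed item value:", round(value, 1))
    print("residual risk with chosen controls:", round(total_risk(chosen), 1))
```

With this data the knapsack picks parameterized queries, MFA and CSP at exactly the budget of 70, and the multiplicative residual-risk check agrees with the summed item values because the chosen controls do not overlap on any attack. When two selected controls mitigate the same attack, the additive knapsack value over-counts their joint effect, which is why the block recomputes residual risk after selection; the paper's estimation-of-effectiveness limitation (next section) is about the input numbers, and this over-counting is a separate modelling caveat of the simplification used here.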

Research limitations/implications

Estimating control effectiveness is the most significant limitation on the use of the proposed model. This is caused by a lack of risk management experience in organizations, which forces them to rely on reports and simulation results.

Originality/value

To date, cost-benefit approaches to security investment have been based only on vulnerability assessment results. Moreover, dependency weights and types in the interdependent structure of assets have been taken into account by only a limited number of models. In the proposed model, a three-dimensional graph is used to capture these dependencies in risk assessment and optimal control subset selection, through a holistic approach.

Citation

Shahpasand, M., Shajari, M., Hashemi Golpaygani, S.A. and Ghavamipoor, H. (2015), "A comprehensive security control selection model for inter-dependent organizational assets structure", Information and Computer Security, Vol. 23 No. 2, pp. 218-242. https://doi.org/10.1108/ICS-12-2013-0090

Publisher: Emerald Group Publishing Limited

Copyright © 2015, Emerald Group Publishing Limited
