Proposal of a Model Supporting Decision-Making Based On Multi-Objective Optimization Analysis on Information Security Risk Treatment

Management is required to understand all information security risks within an organization and to decide which risks should be treated, to what level, and at what cost. Such decision-making is rarely easy, because the measures used to treat risks must be selected together with suitable application levels, and some measures have objectives that conflict with each other, which makes the selection harder still. Moreover, risks generally have trends over time, and these should also be considered in risk treatment. This paper therefore extends the model proposed in the previous study. The original model supports the selection of measures by combining the weighted average method with the goal programming method of multi-objective analysis to find an optimal solution. The extended model adds weights to the risks, where a larger weight denotes a higher priority for that risk.
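The following program is an added illustration of the kind of selection the abstract describes, not the paper's own formulation or code. It assumes a concrete form of "weighted average plus goal programming": each objective (total cost, weighted residual risk) has a goal, only overshooting a goal is penalised, the deviations are normalised by their goals and combined as a weighted sum, and every combination of application levels is enumerated. The risk names, priority weights, measures, costs, residual factors and goals are all constructed for the example; a factor above 1.0 models a measure whose objective conflicts with another risk.

```python
"""Added example: weighted goal programming for security measure selection.

Everything below (risks, weights, measures, costs, factors, goals) is
constructed for illustration; it is not the model from the paper.
"""
from itertools import product

# Constructed risks: name -> (baseline annualised loss, priority weight).
# A larger weight means the risk has higher priority for treatment.
RISKS = {
    "credential_theft": (500_000.0, 3.0),
    "data_leak":        (300_000.0, 2.0),
    "service_outage":   (200_000.0, 1.0),
}

# Constructed measures: name -> list indexed by application level
# (0 = not applied, 1 = partial, 2 = full) of (cost, {risk: residual factor}).
# Strict MFA reduces credential theft but raises outage risk (lockouts,
# broken integrations), so its objectives conflict with availability.
MEASURES = {
    "mfa": [
        (0.0,       {}),
        (40_000.0,  {"credential_theft": 0.5, "service_outage": 1.05}),
        (90_000.0,  {"credential_theft": 0.2, "service_outage": 1.15}),
    ],
    "dlp": [
        (0.0,       {}),
        (30_000.0,  {"data_leak": 0.7}),
        (70_000.0,  {"data_leak": 0.4}),
    ],
    "ha_cluster": [
        (0.0,       {}),
        (50_000.0,  {"service_outage": 0.5}),
        (120_000.0, {"service_outage": 0.2}),
    ],
}


def evaluate(plan, risks=RISKS, measures=MEASURES):
    """Return (total cost, priority-weighted residual risk) for a plan
    of the form {measure_name: application_level}."""
    cost = 0.0
    residual = {name: base for name, (base, _w) in risks.items()}
    for name, level in plan.items():
        level_cost, factors = measures[name][level]
        cost += level_cost
        for risk, factor in factors.items():
            residual[risk] *= factor
    weighted = sum(residual[r] * w for r, (_b, w) in risks.items())
    return cost, weighted


def goal_deviation(cost, weighted_risk, goals, obj_weights):
    """One-sided goal programming: penalise only overshooting each goal,
    normalise by the goal, and combine with the objective weights."""
    cost_goal, risk_goal = goals
    w_cost, w_risk = obj_weights
    d_cost = max(0.0, cost - cost_goal) / cost_goal
    d_risk = max(0.0, weighted_risk - risk_goal) / risk_goal
    return w_cost * d_cost + w_risk * d_risk


def select_measures(goals, obj_weights, risks=RISKS, measures=MEASURES):
    """Enumerate every combination of application levels and return
    (plan, cost, weighted_risk, deviation) for the plan with the smallest
    weighted goal deviation; ties are broken by lower cost."""
    names = list(measures)
    best = None
    for levels in product(*(range(len(measures[n])) for n in names)):
        plan = dict(zip(names, levels))
        cost, weighted = evaluate(plan, risks, measures)
        dev = goal_deviation(cost, weighted, goals, obj_weights)
        if best is None or (dev, cost) < (best[3], best[1]):
            best = (plan, cost, weighted, dev)
    return best


if __name__ == "__main__":
    goals = (100_000.0, 800_000.0)          # budget goal, weighted-risk goal
    print("cost and risk weighted equally:",
          select_measures(goals, (1.0, 1.0)))
    print("risk reduction weighted 3x:",
          select_measures(goals, (1.0, 3.0)))
    # A rising trend in outage risk is expressed by raising its priority weight.
    outage_priority = dict(RISKS, service_outage=(200_000.0, 3.0))
    print("outage risk given priority 3:",
          select_measures(goals, (1.0, 1.0), risks=outage_priority))
```

With the constructed data, neither goal can be met at once, so the result is a compromise: equal objective weights pick full MFA plus partial DLP; tripling the weight on risk reduction buys full DLP instead; and raising the priority weight of the outage risk (the abstract's mechanism for a risk whose trend is worsening) moves the spend from DLP to the HA cluster, because strict MFA now carries a larger penalty on availability.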




