Control priorization model for improving information security risk assessment

Abstract: Evaluating particular assets for information security risk assessment should take into consideration the availability of adequate resources and return on investments (ROI). Despite the need for a good risk assessment framework, many of the existing frameworks lack granularity guidelines and mostly depend on qualitative methods. Hence, they require additional time and cost to test all the information security controls. Further, the reliance on human inputs and feedback will increase subjective judgment in organizations. The main goal of this research is to design an efficient Information Security Control Prioritization (ISCP) model in improving the risk assessment process. Case studies based on penetration tests and vulnerability assessments were performed to gather data. Then, Technique for Order Performance by Similarity to Ideal Solution (TOPSIS) was used to prioritize them. A combination of sensitivity analysis and expert interviews was used to test and validate the model. Subsequently, the performance of the model was evaluated by the risk assessment experts. The results demonstrate that the ISCP model improved the quality of information security control assessment in the organization. The model plays a significant role in prioritizing the critical security technical controls during the risk assessment process. Furthermore, the model's output supports ROI by identifying the appropriate controls to mitigate risks to an acceptable level in the organizations. The major contribution of this research is the development of a model which minimizes the uncertainty, cost and time of the information security control assessment. Thus, the clear practical guidelines will help organizations to prioritize important controls reliably and more efficiently. All these contributions will minimize resource utilization and maximize the organization's information security.

Bibliographic Details
Main Author: Al-Safwani, Nadher Mohammed Ahmed
Format: Thesis
Language: English
Published: 2014
Institution: Universiti Utara Malaysia
Subjects: QA75 Electronic computers. Computer science
Online Access:
https://etd.uum.edu.my/5327/1/s93043.pdf
https://etd.uum.edu.my/5327/2/s93043_abstract.pdf
https://etd.uum.edu.my/5327/
Record ID: my.uum.etd.5327
Citation: Al-Safwani, Nadher Mohammed Ahmed (2014) Control priorization model for improving information security risk assessment. PhD thesis, Universiti Utara Malaysia.