Deriving an information security assurance indicator at the organizational level

Vinod Pathari (Indian Institute of Technology Bombay, Mumbai, India)
Rajendra M. Sonar (Indian Institute of Technology Bombay, Mumbai, India)

Information Management & Computer Security

ISSN: 0968-5227

Article publication date: 25 November 2013

Abstract

Purpose

Measurement of information security assurance (ISA) is an important but difficult task. This paper aims to propose a framework, which helps in refining information security requirements into controls whose effectiveness can be measured. This work also provides aggregation techniques to combine these measurements so as to obtain an indicator for ISA at the organizational level.

Design/methodology/approach

A top-down approach of refining security objectives to measurable independent tasks is carried out using assign graph as the model. This captures the various objectives and their interrelationships whose initial values and relative impacts are obtained from experts. Using fuzzy cognitive model (FCM), these initial values are combined together to obtain an indicator for ISA at the firm's level.

Findings

The two applications of the framework revealed that interrelationships do exist between the different controls employed in actual security implementations and that these dependencies are seldom accounted for. When those few controls that are to be measured are clearly identified, the security experts can focus their attention on them and ensure their correct implementation and appropriate measurement. The extent of impact of a single control on the overall security picture of the firm can also be found using this approach.

Research limitations/implications

While the framework is generic, the assurance values obtained are context-sensitive. This is primarily because of the subjectivity involved in assigning impact measures and initial values.

Practical implications

This work helps in answering two difficult questions in information security management: “what to measure?” and “how to quantify the overall security assurance of the organization?” This assists the information security team in identifying and refining those controls that need to be appropriately emphasized. The proposed framework helps top management in doing “what-if” analysis, thereby aiding their decision-making for information security investments.

Originality/value

The novel framework proposes a top-down approach for security control refinement and a bottom-up approach for combining the confidence values to obtain an indicator for ISA. This work identifies and accommodates the possibility of interdependencies between security controls. The proposed aggregation method using FCM is applied for the first time in an information security context and provides convergence even in the presence of cyclic dependencies amongst the controls.
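The bottom-up aggregation described in the methodology and originality paragraphs is easiest to see in code. The following is an added illustration, not the paper's model or data: it builds a small concept graph in which measured controls are leaf nodes clamped to their measured assurance values, higher-level objectives are updated by the usual sigmoid FCM rule A_i(t+1) = f(lambda * sum_j w_ji * A_j(t)), and the graph deliberately contains a cycle (detection and response reinforce each other) to show that the iteration still settles. The concept names, weights, measured values and the steepness constant are all constructed assumptions; `what_if` reruns the map with one control changed, which is the kind of analysis the abstract attributes to top management.

```python
"""Added illustration (constructed data, not the paper's): aggregating
per-control assurance values into an organization-level ISA indicator
with a fuzzy cognitive map (FCM).

Leaf concepts (measured controls) keep their measured value on every
iteration; internal concepts are recomputed from their incoming edges
until the state stops changing.
"""
import math

# Assumed sigmoid steepness.  With LAMBDA * 0.25 * (max incoming |weight| sum)
# below 1 the update is a contraction, so a unique fixed point exists even
# when the graph has cycles.
LAMBDA = 2.0

# Constructed expert-assigned impacts: (source, target) -> weight in [-1, 1].
EDGES = {
    ("mfa_coverage", "access_mgmt"): 0.6,
    ("privilege_review", "access_mgmt"): 0.5,
    ("training_completion", "access_mgmt"): 0.2,
    ("patch_latency", "vuln_mgmt"): 0.7,
    ("vuln_scan_coverage", "vuln_mgmt"): 0.6,
    ("log_coverage", "detection"): 0.7,
    ("response", "detection"): 0.3,   # lessons learned feed detection (cycle)
    ("ir_drill_score", "response"): 0.6,
    ("detection", "response"): 0.5,   # detection <-> response cycle
    ("access_mgmt", "isa"): 0.4,
    ("vuln_mgmt", "isa"): 0.4,
    ("detection", "isa"): 0.3,
    ("response", "isa"): 0.3,
}

# Constructed measured assurance values for the leaf controls, each in [0, 1].
MEASURED = {
    "mfa_coverage": 0.9, "privilege_review": 0.6, "training_completion": 0.7,
    "patch_latency": 0.5, "vuln_scan_coverage": 0.8, "log_coverage": 0.7,
    "ir_drill_score": 0.4,
}


def concepts(edges):
    """Return (leaves, internal): a leaf is a concept with no incoming edge."""
    names = {n for e in edges for n in e}
    targets = {dst for _, dst in edges}
    return sorted(names - targets), sorted(targets)


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-LAMBDA * x))


def run_fcm(measured, edges, internal_start=0.5, eps=1e-6, max_iter=1000):
    """Synchronous FCM iteration; returns (state, iterations, converged)."""
    leaves, internal = concepts(edges)
    missing = [leaf for leaf in leaves if leaf not in measured]
    if missing:
        raise ValueError(f"no measurement for leaf control(s): {missing}")
    state = {leaf: float(measured[leaf]) for leaf in leaves}
    state.update({c: internal_start for c in internal})
    for it in range(1, max_iter + 1):
        nxt = dict(state)  # leaves keep their measured value
        for c in internal:
            incoming = sum(w * state[s] for (s, d), w in edges.items() if d == c)
            nxt[c] = sigmoid(incoming)
        delta = max(abs(nxt[c] - state[c]) for c in internal)
        state = nxt
        if delta < eps:
            return state, it, True
    return state, max_iter, False


def isa_indicator(measured=MEASURED, edges=EDGES, **kw):
    """Organization-level indicator: the settled value of the 'isa' concept."""
    state, _, converged = run_fcm(measured, edges, **kw)
    if not converged:
        raise RuntimeError("FCM did not converge; revisit weights or LAMBDA")
    return state["isa"]


def what_if(control, new_value, measured=MEASURED, edges=EDGES):
    """Re-run with one control's measured value replaced; return (base, alt)."""
    scenario = dict(measured, **{control: new_value})
    return isa_indicator(measured, edges), isa_indicator(scenario, edges)


if __name__ == "__main__":
    state, its, _ = run_fcm(MEASURED, EDGES)
    print(f"ISA indicator {state['isa']:.4f} after {its} iterations")
    for ctrl in sorted(MEASURED):
        base, alt = what_if(ctrl, 0.0)
        print(f"  {ctrl:20s} -> 0.0 : {alt:.4f} ({alt - base:+.4f})")
```

Two practical notes: because the sigmoid squashes non-negative inputs into (0.5, 1), the absolute indicator value is only meaningful relative to the same graph and weights, so compare what-if scenarios against the baseline rather than reading the number on its own; and since expert-assigned weights can be negative in a general FCM, a graph with negative or large weights may need a smaller steepness to keep the iteration contractive, which the `converged` flag exposes.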

Citation

Pathari, V. and Sonar, R.M. (2013), "Deriving an information security assurance indicator at the organizational level", Information Management & Computer Security, Vol. 21 No. 5, pp. 401-419. https://doi.org/10.1108/IMCS-02-2013-0011

Publisher

Emerald Group Publishing Limited

Copyright © 2013, Emerald Group Publishing Limited