Considerations on the selection and prioritization of information security solutions

This paper provides a set of guidelines that can be used to prescribe a methodology or a detailed process for selecting and prioritizing security projects or solutions. It is based on the idea that the costs of security solutions should be justified by their contribution to ensuring adequate protection of the information resources of the organization which implements them. The article reviews general issues of security risks and costs, arguing the need for explicit consideration of the security requirements of information resources in order to validate decisions concerning the implementation of security projects. In such an approach, the security requirements of information resources are used as a reference system to quantify the benefits and limitations of security solutions defined as alternative or complementary responses to certain security risks, when their implementation faces budget constraints.


Introduction
As efficiency is a key factor in decision-making and security goals must be constantly reconciled with budget constraints, each security model should aim at maximizing benefits while minimizing costs (Scholtz, 2011). Possibilities of economic substantiation of information security policies are investigated in various papers which resort to quantitative techniques and models (Böhme, 2010; Gordon and Loeb, 2002; Gordon and Loeb, 2005; Pontes et al., 2011), most of which target the information system as a whole, without regard to its structural complexity, which determines various risks and security requirements.
As software applications supporting business processes in an organization are commonly used as a starting point for security risk identification and analysis, security solutions are technically oriented and specifically designed for a certain area of the information infrastructure. Relative to the typological diversity of business information they must protect, security solutions can be seen as composite structures, spanning multiple data categories, with various security requirements. This paper defines both the effectiveness and the limitations of security solutions in terms of the protection they offer to an organization's information resources. Having considered that security solutions are not ends in themselves, but means that must ensure an adequate level of protection for information resources, the paper aims at providing a set of guidelines and criteria to validate decisions concerning security solutions from a perspective which complements the economic and financial view with corresponding indicators (annual loss expectancy, return on security investment, net present value etc.).

Research methodology
This article is the result of qualitative research aimed at approaching the analysis and comparison of security solutions in terms of their protective impact on the information resources managed by an organization. The research is based on an extensive study of the literature on security risk management and the efficiency of security solutions for risk mitigation, which enabled proper argumentation of the relevance of the approach proposed in this paper. The theoretical approach concerns the following aspects: conceptual delimitation of information resources and security solutions as key elements of the analysis model, adoption of risk management tools and techniques to be used as a reference system to assess the impact of security solutions, and identification of the conceptual correlations required to quantify this impact. The results of the present research may be integrated into a formal model to assist investment decisions concerning information security; such an approach facilitates the expansion of the research through a quantitative approach, aimed at analysing the data security solutions implemented by companies in the business environment.

Information security costs and benefits
In a broad sense, information security covers both digital and non-digital data, and it is presently seen as a field that transcends organizational processes and subdomains. On the other hand, given that 24% of companies reported an increase in their security budget, it is imperative to consider the efficiency issues of security strategies. Their importance is emphasized by another global study by Ernst & Young (EY, 2015), which indicated budget restrictions as the main obstacle (for 67% of companies) to an adequate level of information security. Due to an invariably limited budget, security models must be optimized by weighing potential and actual benefits against security costs (Scholtz, 2011).
Risk management is essential to the security budget. The first question is "How much is enough?" (Hoo, 2002); then the security budget must be adequately allocated to the security controls aimed at risk management. A judicious distribution requires realistic estimation of the costs of security incidents, including indirect losses due to temporary dysfunctionalities of applications. All possible responses to security risks must also be considered. Brecht and Nowey (2012) provide a detailed analysis of cost and investment issues pertaining to information security by comparing significant contributions in the literature on the subject. A potential problem of most models is the "black box" perception of an information system, which ignores its structural complexity, and it is this complexity that determines the various risks and security requirements. In the short term, this saves the costs of data analysis and classification in terms of security requirements, as well as of security policy adaptation. In the long run, security model opacity could lead to inadequate or improperly distributed budgets, oversizing some allocations and under-sizing others, thus favouring security incidents that generate new costs. A more nuanced approach is provided by Gordon and Loeb (2002), who propose an economic model for the optimal level of security investments to ensure data integrity, confidentiality, availability, authenticity and non-repudiation; the authors use an adjusted version of the annual loss expectancy model, adapted to scenarios in which only one of the attempts to undermine security goals will be successful. The security requirements corresponding to the information resources managed by an organization are explicitly addressed by the present paper, which treats them as a stable and uniform reference for assessing the benefits and limits of security projects, irrespective of their financial aspects, operational magnitude or timeframe.

A security approach to information resources
Although security goals can be used for both data and applications, this paper adopts a broader perspective and targets an abstraction level that is relevant to the business logic. Information resources are therefore approached as stable conceptual entities that transcend applications and business processes; in other words, the focus is the actual business information and the corresponding typological and classification criteria, which are also relevant from a security perspective.
As information entities with common properties are abstracted as generic types, the entire information system of an organization may be modelled on a purely conceptual level, as in the popular Entity-Relationship formalism by Chen (1976). Most frequently, however, the granularity level in such models is inadequate for the analysis and treatment of security risks, and therefore the initial entities must be regrouped into information categories relevant to security risk assessments. For example, contracts, customers and receipts could be placed in the same Sales category; alternatively, one could define a category to group both suppliers and customers with their corresponding operations; another approach would be to separate contracts and financial transactions into distinct information categories. Information resources can vary considerably in terms of strategic and operational importance, in addition to which one may consider other differentiation criteria, such as policies enforced by different regulations (minimum period to store the data, conditions in which it can be destroyed or disposed of etc.). Therefore, data analysis and classification in terms of the importance it presents to the organization is a mandatory step in order to identify critical information resources and the corresponding security risks.
Although information in the same category may be subject to scenarios involving multiple users and various applications or software environments with different security requirements, approaching business information in a systematic and consistent manner in the context of risk management allows for the definition of minimum thresholds for security requirements that match all the scenarios that must be addressed. Identifying the typology of information resources requires a detailed analysis of the information system, as for each information category one must specify the corresponding business processes, applications and types of users, with their security prerogatives and constraints.
The protection level that is adequate for each information category is the aggregated expression of the security requirements concerning a specific set of security goals. Although these goals are impacted by standards like ISO27k or by adherence to certain control or IT governance frameworks, such as ISACA's COBIT, they are usually represented by the confidentiality-integrity-availability triad; they may also be supplemented by additional criteria such as non-repudiation, authenticity, resilience etc. Even when the same quantitative and descriptive scale is applied to all security goals, it is possible that the security requirements for a specific category of information resources vary considerably depending on the security goal; for example, Oberlaender (2011) outlines a set of scenarios that require different levels of security requirements for certain types of business information.
Although business information modelling issues are outside the scope of this paper, the presentation above is meant to provide a proper conceptual delimitation of information resources as key elements for security solutions analyses and comparisons.

Security solutions analysis from the perspective of information resources
The following section of the article expands on the generic components of an analysis model of security projects or solutions focused on the security requirements of information resources. Such a model is meant to validate decisions on the selection or prioritization of solutions defined as alternative or complementary responses to certain security risks, when their implementation is subject to budget constraints. As such, the set of security solutions and their corresponding costs are presumed known and they are used as inputs for the analysis model. Furthermore, since the risk level is the most relevant criterion in prioritizing risk mitigation actions, the set of solutions to be compared should be limited to those defined as responses to risks of a certain level, assessed in advance using specific risk management tools and techniques.

Security solutions inventory
In this paper, the expression "security solution" designates a set of technical and organizational elements directed at information security risk mitigation. Depending on its complexity, each security solution implements security controls and mechanisms that may act on one or several levels:
- Logical: user authentication and access authorization, monitoring, auditing, backup, encryption, antivirus, firewall, etc.;
- Physical: securing a certain perimeter, hardware management, etc.;
- Operational and administrative: training, employee screening, work procedures, help-desk, etc.
Such an approach to security solutions has a dual argument:
- Adequate security risk management determines the complementarity and interdependency of security measures and controls;
- Financial constraints require the selection of controls and the prioritization of investments according to their efficiency.
In view of the statements listed above, each security solution corresponds to a specific mix of technical and operational components which are relevant to risk management. Security solutions may be defined at various granularity levels provided that each solution can be implemented independently and be subject to cost-benefit analyses; in other words, a particular solution may be designed as the simpler version of another security solution, the difference in granularity having direct consequences on cost levels. Given the budget constraints, the costs corresponding to a set of predefined security solutions are, in different proportions, both additive and exclusive; thus, it is necessary to identify the combination of solutions that enables an optimal response to security risks while complying with the budget limit.
From case to case, security solutions may target a wider or narrower set of information resources, while the same resources may be of interest to multiple security solutions. On the other hand, the security requirements of information resources are independent of the solutions being analysed, as they are determined by the intrinsic nature of business information and its importance to the organization. Therefore, in order to quantify the overall impact of a security solution, it is necessary to assess its contribution to ensuring the protection level predefined as optimal for each security goal corresponding to the information resources targeted by that solution.
Even when having identical security requirements, information resources can be significantly different in terms of operational or strategic importance, and therefore the criterion of the relative importance of each information category is essential for the quantitative assessment of security goals and of the contribution of security solutions to achieving them. In a more pragmatic approach, which allows the simplification of such assessments, security solutions-information resources mappings may be defined using the subset of resources regarded as critical due to the effects of potential security incidents. This approach was used to specify the generic mappings in Table 1, which are limited to the critical resources targeted by the security solutions.

Security solutions impact assessment
As security goals must be accompanied by clear criteria for specifying each level of security requirements of information resources, for the latter one can identify a certain level of compliance or non-compliance (compliance gap) with the predefined security requirements; for example, NIST (2005) uses a compliance gap indicator concerning the information system as a whole. The present paper recommends a more nuanced approach, by isolating the security requirements of information resources; as such, a protection level higher than the one predefined as adequate is considered neither necessary nor possible without entailing additional costs that are disproportionate to the expected benefits. Compliance with security requirements is not an absolute goal, but is assessed by comparison to the level set as optimal for each security criterion. As a consequence, the effectiveness of a security solution can be perceived as an aggregate of individual values that quantify its impact in terms of the actual increase in compliance with the security requirements of the information resources targeted by that solution. When using the optimal level of security requirements as a reference (100%), the following metrics can be considered for each security solution:
- the compliance gap preceding security solution implementation (Previous Gap, PG);
- the compliance gap subsequent to security solution implementation (Subsequent Gap, SG).

Table 1. Security solutions-information resources mappings for critical resources (only the column headers survive here: Solutions/Resources, Confidentiality, Integrity)
The compliance gap preceding security solution implementation is assessed by taking into account the current state of the information system, while the gap subsequent to implementation corresponds to a potential future state, the transition to which is triggered by the implementation of a specific security solution. The inherent difficulties of compliance gap assessments must be handled in the context of security risk management; for example, one must assess the likelihood of security incidents and the organization's capacity to neutralize their consequences. Such estimates involve statistical data and quantitative models, but also the professional reasoning of experts in IT security, risk management and internal audit. The limits of quantitative models in complex scenarios where professional expertise is critical are analysed by Devos et al. (2013). Accurate compliance gap quantification depends on consistent security risk management, which involves monitoring of the implemented solutions and evaluation of results, to be later used as inputs in a new risk management cycle.
Although an increase of the compliance gap (SG > PG) following security solution implementation is generally unlikely, an exception is the replacement of pre-existing solutions which prove to be superior, in terms of compliance with specific security goals, to the potential substitution solutions being assessed. However, in the usual scenario, the analysed solutions partially or, ideally, completely solve the compliance issues concerning the security requirements of the information resources to which they apply. On the other hand, a detailed analysis, which sets each security solution against all the information resources it must protect, may expose solutions with a partially void impact (they target a subset of security goals without any contribution to the decrease in the compliance gap corresponding to the others) or solutions that satisfy certain security requirements to a degree higher than that predefined as appropriate for certain information resources.
A negative value of the compliance gap subsequent to security solution implementation (SG < 0) indicates over-compliance with security requirements. Such an effect should be distinguished from the one that allows achieving the predefined optimal level of compliance, since it corresponds to oversized investments or excessive controls that cannot be justified in terms of actual security benefits. Therefore, the impact of security solutions will be quantified separately for each of the effects they may produce:
- Protection, which translates as a complete elimination or a decrease in the compliance gap:

Protection effect (P) = Subsequent Compliance Gap - Previous Compliance Gap

- Overprotection, which involves the elimination of the initial compliance gap and an additional protection above the level defined as optimal for specific information security requirements:

The overall impact of security solutions
Given that a security solution applies to multiple information resources, its overall impact will be computed as the average of values that quantify its effect considering individual security requirements of information resources corresponding to that solution.
However, these values must first be separated into two data subsets, depending on the nature of the effect; therefore, we distinguish between the average protection effect and, if available, the average overprotection effect. The average protection effect is a measure of the effectiveness of a security solution, in terms of its contribution to ensuring an adequate protection level for information resources; on the other hand, a higher or lower level of the average overprotection effect is expected to entail costs that cannot be accounted for in terms of the actual security needs of information resources.
The identification and quantification of the overprotection effect produced by security solutions are guided by the idea that only a protection level deemed necessary is acceptable from a cost perspective. On the other hand, given that security solutions are collectively aimed at several categories of information resources, providing an adequate level of protection for certain resources may result in the overprotection of others, without this leading to an increase in the implementation costs of security solutions.
A direct and immediate relationship between the overprotection effect and costs may be difficult, if not impossible, to determine, given the difference between the perspectives used for their assessment: the security requirements of information resources in contrast with the economic value of the assets and services required for securing the information resources managed by the organization. In such circumstances, the arithmetic computation of a portion of costs attributable to overprotection has no economic justification, as overprotection is only an assumption, not a certainty, of an increase in the costs of security solutions. As a result, the overprotection effect will not influence the treatment of costs as inputs required to assess the effectiveness of security solutions.

The efficiency of security solutions
The subject of security solutions efficiency is covered extensively in various papers that analyse specific indicators and the issues raised by their computation, for example Pontes et al. (2011). Leaving aside other economic and financial data (monetary value of the software applications and equipment, estimated trends of productivity or financial results etc.), NIST (2005) uses an efficiency indicator expressed as the ratio of the compliance gap to the cost of a security project. The assumption is that security solutions will achieve their purpose, namely the elimination of compliance gaps; the higher the compliance gap and the lower the costs, the more efficient the security solution.
Although this paper approaches the efficiency of security solutions in a similar manner (a certain number of effect "units" to a cost "unit"), explicit consideration of the security requirements of information resources helps to increase the relevance of such indicators. In other words, for better risk mitigation on a limited budget, the costs of each security solution must be justified by its actual utility, considering the expected and necessary effect and disregarding a possible overprotection of resources. Therefore, the efficiency of a security solution will be expressed as the ratio of its average protection effect to the costs entailed by its implementation. Since they raise the cost size issue, efficiency indicators are relevant only to the extent that the analysed security solutions have comparable levels of implementation costs. This scenario should, however, be implicit, as projects and solutions which differ significantly in terms of their impact on the information system call into question the relevance and usefulness of a comparative analysis of security solutions. The efficiency indicators of the generic solutions used for exemplification are available in Table 2; to simplify their use, the actual values have been multiplied by 10,000.

Security solutions selection and prioritization
Although efficiency can be used as a criterion for security project selection, this indicator only takes into account the positive impact of solutions, and not their limitations relative to the security requirements of the information resources they must protect. The extent to which a solution has achieved its purpose is the aggregate expression of the compliance gap values resulting from its application (SG), and it is quantified as their average. For the generic solutions considered for exemplification, the indicators of the average compliance gap subsequent to implementation are presented in Table 2. A particular treatment is required for cases of overprotection of information resources. While this may be a prerequisite for an increase in costs that cannot be justified in terms of the actual security requirements of information resources, it is certain that the level of protection achieved enables the full elimination of the compliance gap preceding the implementation of security solutions. Therefore, when computing the average compliance gap subsequent to the implementation of a security solution, 0 must be used as input for each overprotection occurrence.
In the absence of a conceptual correlation leading to a relevant indicator which involves both criteria, the efficiency and the average compliance gap subsequent to security solutions implementation will be combined in a matrix that allows delineation of generic contexts which qualify security solutions as being more or less advantageous relative to certain combinations of values.
In Figure 1, the quantitative and descriptive categories commonly used for risk management (low, medium, high) were applied to each of the two criteria; the corresponding value scales are predefined in terms of risk tolerance and are independent of the security solutions being analysed. Obviously, the selection of solutions starts from the extremity of high efficiency and low compliance gap and continues with the cells in its close proximity. The actual approach to selecting one or more solutions raises, however, a number of issues that can be mapped to the following scenarios:
- Multiple security solutions positioned in the same section of the matrix. Efficiency, compliance gap subsequent to implementation, cost, or average overprotection effect can be used as differentiating criteria in a predefined order, which depends on the importance attached to them. For example, if no strict budget limitations apply, one may favour the compliance gap due to the security risks it entails.
- Non-exclusive security solutions, to be implemented in parallel (concurrently) while meeting budget constraints. Starting from the extremity corresponding to the optimal combination and, if necessary, continuing with adjacent cells, one must identify the combination of solutions that complies with the budget limit.
- Non-exclusive security solutions, to be implemented sequentially. In this case it is assumed that all solutions must be implemented, though not simultaneously; therefore, the highest priority will be given to the most advantageous solutions in terms of their effects. The prioritization starts from the extremity corresponding to the optimal combination, but the direction in which to advance depends on the importance of the criteria expressing the expected effects of security solutions (high efficiency or low compliance gap subsequent to solution implementation).
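As an added worked example (not code from the paper), the following Python script applies the metrics and selection rules from the preceding sections to a constructed Table 1-style mapping: the hypothetical solutions S1-S3, their PG/SG values and costs, and the low/medium/high risk-tolerance bands are all assumptions. For each solution it computes the average protection and overprotection effects, the efficiency (average protection effect per cost unit, multiplied by 10,000 as in Table 2), the average subsequent compliance gap with 0 for each overprotection occurrence, and the cell of the Figure 1 matrix; it then ranks the solutions outwards from the high-efficiency/low-gap corner, applying the within-cell differentiating criteria in an assumed order, and picks a parallel set under a budget limit. The protection effect is expressed as the magnitude of the gap reduction (previous gap minus subsequent gap), so a positive value means the gap shrank; the overprotection amount is taken as the portion of the subsequent gap below zero, an assumption, since the paper's overprotection formula is not reproduced on this page.

```python
from statistics import mean
from typing import Dict, List, Tuple

Key = Tuple[str, str]                      # (information resource, security goal)
GapTable = Dict[Key, Tuple[float, float]]  # (previous gap PG, subsequent gap SG) in % of the optimal level

# Constructed Table 1-style mapping for hypothetical solutions S1-S3: for each critical resource /
# security goal a solution targets, the compliance gap before (PG) and after (SG) implementation.
SOLUTIONS: Dict[str, GapTable] = {
    "S1 (encryption)": {
        ("Contracts", "Confidentiality"): (40.0, 0.0),
        ("Contracts", "Integrity"): (20.0, 20.0),        # partially void impact: no change
        ("Receipts", "Confidentiality"): (30.0, -10.0),  # SG < 0: overprotection
    },
    "S2 (backup)": {
        ("Contracts", "Integrity"): (20.0, 5.0),
        ("Receipts", "Integrity"): (50.0, 10.0),
    },
    "S3 (training)": {
        ("Contracts", "Confidentiality"): (40.0, 25.0),
        ("Receipts", "Confidentiality"): (30.0, 20.0),
        ("Receipts", "Integrity"): (50.0, 40.0),
    },
}
COSTS = {"S1 (encryption)": 12000.0, "S2 (backup)": 8000.0, "S3 (training)": 3000.0}  # constructed
# Constructed risk-tolerance bands, fixed independently of the solutions: below the first
# threshold is "low", below the second "medium", otherwise "high".
EFFICIENCY_BANDS = (10.0, 30.0)
GAP_BANDS = (10.0, 25.0)


def effects(gaps: GapTable) -> Tuple[List[float], List[float]]:
    """Per-requirement protection values (size of the gap reduction, positive = gap shrank) and
    overprotection values. For SG < 0 the initial gap is fully eliminated and the part below
    zero is counted as overprotection (assumption: the paper's formula is not on the page)."""
    protection, overprotection = [], []
    for pg, sg in gaps.values():
        if sg < 0:
            protection.append(pg)
            overprotection.append(-sg)
        else:
            protection.append(pg - sg)
    return protection, overprotection

def average_protection(gaps: GapTable) -> float:
    return mean(effects(gaps)[0])

def average_overprotection(gaps: GapTable) -> float:
    over = effects(gaps)[1]
    return mean(over) if over else 0.0

def efficiency(gaps: GapTable, cost: float, scale: float = 10_000) -> float:
    """Average protection effect per cost unit, multiplied by 10,000 as in the paper's Table 2."""
    return average_protection(gaps) / cost * scale

def average_subsequent_gap(gaps: GapTable) -> float:
    """Average SG after implementation, with 0 used for every overprotection occurrence."""
    return mean(max(sg, 0.0) for _, sg in gaps.values())

def band(value: float, thresholds: Tuple[float, float]) -> str:
    low, high = thresholds
    return "low" if value < low else ("medium" if value < high else "high")

def matrix_cell(name: str) -> Tuple[str, str]:
    """The solution's cell in the Figure 1 matrix: (efficiency band, subsequent-gap band)."""
    gaps = SOLUTIONS[name]
    return band(efficiency(gaps, COSTS[name]), EFFICIENCY_BANDS), band(average_subsequent_gap(gaps), GAP_BANDS)

def rank_solutions() -> List[str]:
    """Start at the high-efficiency / low-gap corner and move outwards cell by cell; within a cell
    differentiate (assumed order) by subsequent gap, then efficiency, then cost, then overprotection."""
    eff_steps = {"high": 0, "medium": 1, "low": 2}
    gap_steps = {"low": 0, "medium": 1, "high": 2}

    def sort_key(name: str):
        eff_band, gap_band = matrix_cell(name)
        gaps = SOLUTIONS[name]
        return (eff_steps[eff_band] + gap_steps[gap_band],  # distance from the optimal corner
                average_subsequent_gap(gaps), -efficiency(gaps, COSTS[name]),
                COSTS[name], average_overprotection(gaps))

    return sorted(SOLUTIONS, key=sort_key)

def select_within_budget(budget: float) -> List[str]:
    """Non-exclusive solutions implemented in parallel: take them in matrix order while they fit the budget."""
    chosen, spent = [], 0.0
    for name in rank_solutions():
        if spent + COSTS[name] <= budget:
            chosen.append(name)
            spent += COSTS[name]
    return chosen
```

On the constructed data, `rank_solutions()` returns S2, S1, S3 (S2 sits in the high-efficiency/low-gap corner, S1 one step away on the efficiency axis, S3 two steps away on the gap axis), and `select_within_budget(15_000)` returns S2 and S3, skipping S1 because its cost would exceed the limit once S2 is selected. The bands are deliberately fixed before looking at the solutions, as the text requires; changing them changes the cells but not the per-solution metrics.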

Figure 1. Security solution selection and prioritization matrix (source: author's processing)

When targeting a common set of resources, non-exclusive security solutions raise the question of analysis consistency. Thus, assessing compliance with the security requirements of information resources individually, for each solution being analysed, does not allow for the identification of possible over-compliance resulting from the accumulation of the protection effects of each security solution selected for implementation. In the case of an integrated approach, the post-conditions of implementing a solution become preconditions for the subsequent solution to be implemented, so the compliance gap relative to the security requirements of resources targeted by multiple security solutions is not identical for each of them and does not remain the one initially estimated, as it is updated after each selection of a solution, according to the prioritization criteria described above. Selecting one of the solutions for implementation requires the redefinition of the security solutions-information resources mappings by adjusting the set of solutions and reconsidering the initial compliance gap for shared resources (it is equal to the estimated value of the compliance gap subsequent to the implementation of the latest selected solution). Despite its complexity, this approach is more adequate for real-world implementation scenarios, as it allows identifying overprotection effects on information resources and, subsequently, the risk of unnecessary costs that cannot be exposed and estimated unless one explicitly considers the dynamics that a specific prioritization logic enforces on the compliance gaps relative to the predefined security requirements.
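The integrated approach described above, as an added example that is not part of the paper: the script below contrasts the isolated assessment of each hypothetical solution with the integrated one, in which solutions are applied in a given priority order and the post-conditions of each become the pre-conditions of the next. The initial gaps and the per-solution gap reductions are constructed values, and the block assumes that the reduction estimated for a solution in isolation is what it contributes whatever gap it actually starts from; under that assumption, any reduction left over once a shared resource's gap has already been closed by an earlier selection shows up as overprotection that the isolated assessments cannot see.

```python
from typing import Dict, List, Tuple

Key = Tuple[str, str]      # (information resource, security goal)
Effect = Dict[str, float]  # {"protection": ..., "overprotection": ...}, summed over a solution's requirements

# Constructed compliance gaps (% of the optimal level) of the critical resources before any of
# the candidate solutions is implemented.
INITIAL_GAP: Dict[Key, float] = {
    ("Contracts", "Confidentiality"): 40.0,
    ("Contracts", "Integrity"): 20.0,
    ("Receipts", "Confidentiality"): 30.0,
    ("Receipts", "Integrity"): 50.0,
}

# Constructed isolated estimates for hypothetical solutions: the gap reduction (PG - SG) each
# solution was assessed to bring to each requirement it targets when evaluated on its own
# against INITIAL_GAP. Assumption: a solution contributes the same reduction regardless of the
# gap it actually starts from once earlier selections have changed the state.
REDUCTIONS: Dict[str, Dict[Key, float]] = {
    "S2 (backup)": {("Contracts", "Integrity"): 15.0, ("Receipts", "Integrity"): 40.0},
    "S1 (encryption)": {("Contracts", "Confidentiality"): 40.0, ("Receipts", "Confidentiality"): 30.0},
    "S3 (training)": {("Contracts", "Confidentiality"): 15.0, ("Receipts", "Confidentiality"): 10.0,
                      ("Receipts", "Integrity"): 10.0},
}


def apply(reductions: Dict[Key, float], state: Dict[Key, float]) -> Effect:
    """Apply one solution's reductions to the given compliance gaps, updating `state` in place.
    Only the remaining gap can be closed; any reduction beyond it is protection above the
    optimal level, i.e. overprotection."""
    protection = overprotection = 0.0
    for key, reduction in reductions.items():
        gained = min(reduction, max(state[key], 0.0))
        protection += gained
        overprotection += reduction - gained
        state[key] -= gained  # the SG for this requirement after this solution
    return {"protection": protection, "overprotection": overprotection}

def isolated_effects(name: str) -> Effect:
    """Individual assessment: the solution is compared with INITIAL_GAP on its own, so the
    accumulated effects of earlier selections on shared resources are invisible."""
    return apply(REDUCTIONS[name], dict(INITIAL_GAP))

def integrated_assessment(order: List[str]) -> Tuple[Dict[str, Effect], Dict[Key, float]]:
    """Integrated assessment: solutions are applied in priority order and the post-conditions of
    each become the pre-conditions of the next, so the PG of a shared resource is the SG left
    by the previously selected solution. Returns the per-solution effects and the final gaps."""
    state = dict(INITIAL_GAP)
    report: Dict[str, Effect] = {}
    for name in order:
        report[name] = apply(REDUCTIONS[name], state)
    return report, state

def overprotection_exposed(order: List[str]) -> Dict[str, float]:
    """Overprotection per solution that the integrated approach reveals but the isolated one misses:
    the risk of unnecessary cost that only the prioritization dynamics make visible."""
    report, _ = integrated_assessment(order)
    return {name: report[name]["overprotection"] - isolated_effects(name)["overprotection"]
            for name in order}
```

With the constructed data and the order S2, S1, S3, the isolated assessment credits S3 with 35 points of protection and no overprotection, whereas the integrated assessment shows only 10 points of protection and 25 of overprotection, because S1 has already closed the confidentiality gaps of both resources by the time S3 is applied. Reversing the order (S3, S1, S2) moves the 25 points of overprotection onto S1 instead, which is the order dependence of the compliance gaps the text describes.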

The limits of the proposed approach
The main limit of the approach proposed for analysing and comparing security solutions stems from its theoretical construction; therefore its usefulness and applicability should be tested on real organizations in the business environment. The actual implementation of the guidelines in the article presents a series of specific difficulties, the first of which concerns the consistent definition, at an adequate abstraction level, of information resources and security solutions; these also raise the question of appropriate granularity and of the treatment of possible overlaps and dependencies. In addition, the analysis and classification of information resources, followed by the assessment of compliance with security requirements, are rather laborious endeavours. Though common in the context of security risk management, compliance gap assessments are complicated by the detailed approach, as they must be performed for each of the security goals corresponding to information resources.

Conclusions
Although it does not prescribe a detailed process for security solutions selection or prioritization, this paper provides a set of guidelines that may be used for this purpose and which are based on the assumption that the costs of each solution must be accounted for in terms of its contribution to ensuring an adequate level of protection for the information resources to which it applies. Putting aside the fact that estimating compliance gaps relative to security requirements raises inherent difficulties and is dependent on a coherent management of security risks, the security requirements of information resources are used as a non-monetary reference system in order to quantify the efficiency and limits of security solutions. From this perspective, the guidelines and criteria proposed for the analysis and comparison of security solutions have the advantage of being generic and uniformly applicable to any organizational context, regardless of how information security is addressed. The presented approach complements those regarding the economic and financial dimension of information security, as the results produced by solution selection and prioritization may be used to validate analyses concerning the financial impact of security solutions.

No. 5(137)/2016 573