UUM ETD | Universiti Utara Malaysian Electronic Theses and Dissertation
FAQs | Feedback | Search Tips | Sitemap

Control priorization model for improving information security risk assessment

Al-Safwani, Nadher Mohammed Ahmed (2014) Control priorization model for improving information security risk assessment. PhD. thesis, Universiti Utara Malaysia.

[img] Text
s93043.pdf
Restricted to Registered users only

Download (1MB)
[img]
Preview
Text
s93043_abstract.pdf

Download (184kB) | Preview

Abstract

Evaluating particular assets for information security risk assessment should take into consideration the availability of adequate resources and return on investments (ROI). Despite the need for a good risk assessment framework, many of the existing frameworks lack of granularity guidelines and mostly depend on qualitative methods. Hence, they require additional time and cost to test all the information security controls. Further, the reliance on human inputs and feedback will increase subjective judgment in organizations. The main goal of this research is to design an efficient Information Security Control Prioritization (ISCP) model in improving the risk assessment process. Case studies based on penetration tests and vulnerability assessments were performed to gather data. Then, Technique for Order Performance by Similarity to Ideal Solution (TOPSIS) was used to prioritize them. A combination of sensitivity analysis and expert interviews were used to test and validate the model. Subsequently, the performance of the model was evaluated by the risk assessment experts. The results demonstrate that ISCP model improved the quality of information security control assessment in the organization. The model plays a significant role in prioritizing the critical security technical controls during the risk assessment process. Furthermore, the model’s output supports ROI by identifying the appropriate controls to mitigate risks to an acceptable level in the organizations. The major contribution of this research is the development of a model which minimizes the uncertainty, cost and time of the information security control assessment. Thus, the clear practical guidelines will help organizations to prioritize important controls reliably and more efficiently. All these contributions will minimize resource utilization and maximize the organization’s information security.

Item Type: Thesis (PhD.)
Uncontrolled Keywords: Information security risk assessment, risk management, assessment process, security control prioritization.
Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Divisions: Awang Had Salleh Graduate School of Arts & Sciences
Depositing User: Mr. Badrulsaman Hamid
Date Deposited: 20 Dec 2015 02:14
Last Modified: 24 Apr 2016 08:04
URI: http://etd.uum.edu.my/id/eprint/5327

Actions (login required)

View Item View Item