On Identifying Proper Security Mechanisms

  • Jakub Breier
  • Ladislav Hudec
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7804)


Selecting the proper security mechanisms that will protect an organization's assets against cyber threats is an important and non-trivial problem. This paper introduces an approach based on statistical methods that helps to choose the proper controls with respect to actual security threats. First, we determine the security mechanisms that support the control objectives of the ISO/IEC 27002 standard and assign them meaningful weights. Then we employ factor analysis to reveal dependencies among the control objectives. This knowledge can then be reflected onto the security mechanisms, which inherit these dependencies from the control objectives.


Keywords: Risk Evaluation, Information Security, Security Standards, Security Mechanisms, ISO/IEC 27002 standard
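The three steps the abstract describes (weight the mechanisms that support each control objective, run a factor analysis over the objectives, propagate the revealed dependencies back to the mechanisms) in a small, self-contained form. This is an added illustration, not the paper's method or data: it extracts a single factor by power iteration on the correlation matrix as a stand-in for a full factor analysis, and the objective labels CO1..CO4, the assessment scores and the mechanism weights are all constructed.

```python
from math import sqrt

# Constructed assessment scores: one row per assessed unit, one column per
# control objective (CO1..CO4 stand in for ISO/IEC 27002 objectives).
# CO1..CO3 move together; CO4 is deliberately uncorrelated with them.
OBJECTIVES = ["CO1", "CO2", "CO3", "CO4"]
SCORES = [[1, 2, 2, 1], [2, 4, 3, 0], [3, 6, 4, 0],
          [4, 8, 5, 0], [5, 10, 6, 0], [6, 12, 7, 1]]
# Constructed weights: how strongly each mechanism supports each objective.
MECHANISMS = {
    "password policy": {"CO1": 0.8, "CO2": 0.4},
    "network segmentation": {"CO3": 0.9},
    "offsite backup": {"CO4": 1.0},
}

def correlation_matrix(rows):
    """Pearson correlation between every pair of objective columns."""
    n, k = len(rows), len(rows[0])
    means = [sum(r[j] for r in rows) / n for j in range(k)]
    centered = [[r[j] - means[j] for j in range(k)] for r in rows]
    norms = [sqrt(sum(c[j] ** 2 for c in centered)) for j in range(k)]
    return [[sum(c[i] * c[j] for c in centered) / (norms[i] * norms[j])
             for j in range(k)] for i in range(k)]

def first_factor_loadings(corr, iterations=200):
    """First factor: dominant eigenvector of the correlation matrix
    (power iteration) scaled by the square root of its eigenvalue."""
    k = len(corr)
    v = [1.0] * k
    for _ in range(iterations):
        w = [sum(corr[i][j] * v[j] for j in range(k)) for i in range(k)]
        norm = sqrt(sum(x * x for x in w))
        v = [x / norm for x in w]
    eigenvalue = sum(v[i] * corr[i][j] * v[j] for i in range(k) for j in range(k))
    loadings = [sqrt(max(eigenvalue, 0.0)) * x for x in v]
    if loadings[max(range(k), key=lambda i: abs(loadings[i]))] < 0:
        loadings = [-x for x in loadings]  # sign convention: top loading positive
    return dict(zip(OBJECTIVES, loadings))

def mechanism_factor_scores(loadings, mechanisms=MECHANISMS):
    """Propagate objective loadings to mechanisms via the support weights:
    mechanisms scoring high on one factor inherit its dependency."""
    return {m: round(sum(w * loadings[co] for co, w in ws.items()), 6)
            for m, ws in mechanisms.items()}

if __name__ == "__main__":
    loads = first_factor_loadings(correlation_matrix(SCORES))
    for name, score in mechanism_factor_scores(loads).items():
        print(f"{name:22s} {score:.3f}")
```

With the constructed data, CO1..CO3 load fully on the single factor and CO4 not at all, so the two mechanisms supporting CO1..CO3 end up scored on the same factor while the backup mechanism does not.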



Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Jakub Breier (1)
  • Ladislav Hudec (1)

  1. Faculty of Informatics and Information Technologies, Slovak University of Technology, Bratislava, Slovakia