Toggle Main Menu Toggle Search

Open Access padlockePrints

Two-stage security controls selection

Lookup NU author(s): Dr Iryna Yevseyeva, Professor Vitor Fernandes, Professor Aad van Moorsel



This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License (CC BY-NC-ND).


To protect a system from potential cyber security breaches and attacks, one needs to select efficient security controls, taking into account technical and institutional goals and constraints, such as available budget, enterprise activity, internal and external environment. Here we model the security controls selection problem as a two-stage decision making: First, managers and information security officers defme the size of security budget. Second, the budget is distributed between various types of security controls. By viewing loss prevention with security controls measured as gains relative to a baseline (losses without applying security controls), we formulate the decision making process as a classical portfolio selection problem. The model assumes security budget allocation as a two objective problem, balancing risk and return, given a budget constraint. The Sharpe ratio is used to identify an optimal point on the Pareto front to spend the budget. At the management level the budget size is chosen by computing the tradeoffs between Sharpe ratios and budget sizes. It is shown that the proposed two-stage decision making model can be solved by quadratic programming techniques, which is shown for a test case scenario with realistic data. (C) 2016 The Authors. Published by Elsevier B.V.

Publication metadata

Author(s): Yevseyeva I, Fernandes VB, van Moorsel A, Janicke H, Emmerich M

Publication type: Conference Proceedings (inc. Abstract)

Publication status: Published

Conference Name: International Conference on ENTERprise Information Systems/International Conference on Project MANagement/International Conference on Health and Social Care Information Systems and Technologies, CENTERIS/ProjMAN / HCist 2016

Year of Conference: 2016

Pages: 971-978

Online publication date: 04/10/2016

Acceptance date: 02/04/2016

Date deposited: 10/04/2017

ISSN: 1877-0509

Publisher: Elsevier BV


DOI: 10.1016/j.procs.2016.09.261

Series Title: Procedia Computer Science