Optimal selection of security countermeasures for effective information security

Abstract

Information systems must be protected from misuse by threats that take advantage of the vulnerabilities present in them and cause financial or reputation damage to the organization. The information security official of the organization has to identify suitable controls to mitigate the risks to which the organization is exposed to by considering the risks to be addressed, its impact in terms of revenue and the cost incurred in implementing the security controls. The selection should be made in such a way that (i) the cost incurred by the selected controls should be within the budget constraints and not exceed the losses suffered by the organization, (ii) effectively address a set of vulnerabilities and also minimizes the risks that remain unaddressed. A hybrid approach combining tabu search and genetic algorithm has been proposed to aid in the selection process. The proposed algorithm helps in optimizing the security controls selection process.