Information systems and the information they hold are of significant value, and it is indispensable for organizations to ensure their protection. Existing security knowledge provides recommendations and guidelines to follow in order to achieve high security. Due to the large amount of data and the complex dependencies within its structure, it is often challenging to make informed design decisions. This paper proposes a quantitative model that is tailored to the optimal selection of security safeguards from an existing security knowledge base. The input data are extracted from the extensive IT baseline protection catalogues of the German Federal Office for Information Security (BSI). In total, the data include more than 500 threats and 1200 safeguard options. In an application example, we illustrate that an optimal decision can reduce the number of required safeguards substantially while still maintaining a high security level.
Schilling, A., & Werners, B. (2015). Optimizing information systems security design based on existing security knowledge. In Lecture Notes in Business Information Processing (Vol. 215, pp. 447–458). Springer Verlag. https://doi.org/10.1007/978-3-319-19243-7_41