Evaluation of Information Security Controls in Organizations by Grey Relational Analysis

Angel R. Otero (Department of Computer and Information Sciences, Nova Southeastern University, Ft. Lauderdale, FL, USA), Abdel Ejnioui (Department of Information Technology, University of South Florida Lakeland, Lakeland, FL, USA), Carlos E. Otero (Department of Information Technology, University of South Florida Lakeland, Lakeland, FL, USA) and Gurvirender Tejay (Department of Computer and Information Sciences, Nova Southeastern University, Ft. Lauderdale, FL, USA)
DOI: 10.4018/jdtis.2011070103

Abstract

In an era where dependence on information systems is significantly high, the threat of information security incidents that could jeopardize the information held by organizations is becoming critical. Alarming facts within the literature point to inadequacies in information security practices, particularly in the evaluation and prioritization of information security controls (ISC) in organizations. Research efforts have resulted in various methodologies developed to deal with the ISC assessment problem. A closer look at these traditional methodologies highlights various weaknesses that can prevent effective assessments of information security controls in organizations. This research proposes a novel approach using Grey Relational Analysis to quantify the importance of each information security control, taking into account organizations’ goals and objectives. Through a case study, the approach is shown to provide a way of measuring the quality of information security controls based on multiple application-specific criteria.
Article Preview

Introduction

In an era where use of and dependence on information systems is significantly high, the threat of information security incidents that could jeopardize the information held by organizations is becoming critical. As evidenced by the Federal Bureau of Investigation (FBI), by the end of 2011 there were 726 pending corporate fraud cases in the United States (U.S.) involving accounting schemes designed to deceive investors, auditors, and analysts regarding the true financial condition of a corporation. Through the manipulation and abuse of corporations’ financial information (e.g., share price, valuation measurements, etc.), financial performance remains artificially inflated based on fictitious performance indicators.

In line with the above, in a study performed by Bedard, Graham, and Jackson (2008), about 21 percent of all deficiencies detected in selected audited organizations were related to information security. Particularly, Bedard et al.’s (2008) study noted that there were no adequate information security controls (ISC) in place within the organizations examined, and the ones in place were not operating effectively. To further emphasize the significance of security over organizations’ information, a 2008 survey conducted by Chief Information Officer Research on 173 Information Technology executives revealed that information security is by far the single largest potential barrier to organizations (Mather, Kumaraswamy, & Latif, 2009).

The alarming facts and figures just presented point to existing inadequacies in information security practices, while also serving as motivation for finding innovative ways to assist organizations in improving their capabilities for securing valuable information. To this end, it is imperative that ISC in organizations be evaluated and, most importantly, accurately prioritized so that only the best ISC get implemented. Adequate selection and implementation of ISC reduce opportunities for information system failures. At the same time, the effective operation of ISC assists organizations in maintaining a well-designed and controlled information system environment.

Research efforts have resulted in various approaches and methodologies developed to deal with the ISC assessment problem. A closer look at these approaches and methodologies highlights various opportunities to create new or additional methodologies for ISC evaluation that improve the overall information security of organizations. For instance, weaknesses and inadequacies have been identified in current/traditional ISC assessment methodologies that can prevent the effective assessment and prioritization of ISC in organizations. To mention one, the selection of ISC in organizations using traditional methods has been determined mainly on the basis of crisp or dichotomous values (yes or no type answers). That is, organizations base their selection process on whether an ISC is relevant or not; ISC determined to be relevant are selected and implemented. Other shortcomings of current ISC assessment methodologies also call for improvement. For example, some methodologies do not adequately account for organizational constraints (e.g., costs, resource availability, scheduling of personnel, etc.). Other methodologies leave the identification of ISC to users, resulting in the potential inclusion of unnecessary ISC and/or exclusion of required ones. Furthermore, traditional ISC assessment methodologies may be based solely on the decision maker’s preference and thus fail to produce precise evaluation values when assessing ISC. These weaknesses not only affect the ISC selection process, but also impact the overall protection of the information’s confidentiality, integrity, and availability (Saint-Germain, 2005).

The aim of this research is to develop an assessment methodology using Grey Relational Analysis (GRA) that adequately addresses the weaknesses identified in traditional ISC assessment methodologies, resulting in a more accurate selection of ISC. Consistent with the above, the following research question (RQ) is posed:

  • RQ1: How does an ISC assessment methodology that is developed using GRA improve the evaluation and selection of ISC in the organization?
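To make concrete what a GRA-based ranking of controls looks like, the following is an added example (not the paper's own methodology or case-study data) implementing the standard grey relational grade procedure: each criterion is normalized to [0, 1] with 1 as the ideal, deviations from an all-ideal reference sequence are computed, grey relational coefficients are formed with a distinguishing coefficient of 0.5, and a weighted average across criteria yields each control's grade. The control names, criteria, weights and scores are constructed for illustration, and the handling of a non-discriminating criterion (all controls scoring the same) is an assumption of this example.

```python
"""Grey Relational Analysis (GRA) ranking of candidate information security controls.

Added example following the standard GRA procedure (grey relational generation,
deviation sequence, grey relational coefficient, grey relational grade).
All controls, criteria, weights and scores below are constructed, not taken
from the paper's case study.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Criterion:
    name: str
    weight: float            # criterion weights are expected to sum to 1.0
    higher_is_better: bool   # False for cost-type criteria (cost, effort)


# Assumed criteria and weights (hypothetical organizational priorities).
CRITERIA = [
    Criterion("risk reduction (1-5)", 0.5, True),
    Criterion("implementation cost (k$)", 0.3, False),
    Criterion("staff effort (person-days)", 0.2, False),
]

# Constructed decision matrix: control -> scores in the order of CRITERIA.
CONTROLS = {
    "MFA for administrative accounts": [5, 20, 10],
    "Full-disk encryption on laptops": [4, 40, 30],
    "Annual awareness training": [2, 10, 20],
    "Network segmentation": [5, 60, 40],
}


def normalize(matrix, criteria):
    """Grey relational generation: map every criterion onto [0, 1], 1 being ideal."""
    names = list(matrix)
    columns = list(zip(*matrix.values()))
    normed = {n: [] for n in names}
    for j, crit in enumerate(criteria):
        lo, hi = min(columns[j]), max(columns[j])
        span = hi - lo
        for n in names:
            x = matrix[n][j]
            if span == 0:
                v = 1.0  # assumption: a criterion with no spread does not discriminate
            elif crit.higher_is_better:
                v = (x - lo) / span
            else:
                v = (hi - x) / span
            normed[n].append(v)
    return normed


def grey_relational_grades(matrix, criteria, zeta=0.5):
    """Return {control: grade}; higher grade means closer to the ideal control."""
    assert abs(sum(c.weight for c in criteria) - 1.0) < 1e-9, "weights must sum to 1"
    normed = normalize(matrix, criteria)
    # Deviation sequence: distance from the reference (ideal) value 1.0 per criterion.
    deviations = {n: [1.0 - v for v in vals] for n, vals in normed.items()}
    all_dev = [d for vals in deviations.values() for d in vals]
    d_min, d_max = min(all_dev), max(all_dev)
    if d_max == 0:
        return {n: 1.0 for n in matrix}  # every control is already ideal on every criterion
    grades = {}
    for n, devs in deviations.items():
        # Grey relational coefficient per criterion, zeta = distinguishing coefficient.
        coeffs = [(d_min + zeta * d_max) / (d + zeta * d_max) for d in devs]
        # Grey relational grade: weighted average of the coefficients.
        grades[n] = sum(c.weight * g for c, g in zip(criteria, coeffs))
    return grades


def rank_controls(matrix=CONTROLS, criteria=CRITERIA, zeta=0.5):
    """List of (control, grade) sorted from most to least preferred."""
    grades = grey_relational_grades(matrix, criteria, zeta)
    return sorted(grades.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for name, grade in rank_controls():
        print(f"{grade:.3f}  {name}")
```

With the constructed data, the control that scores best on every normalized criterion (MFA for administrative accounts) receives the highest grade, and the grades of the remaining controls reflect the trade-off between their risk reduction and their cost and effort under the assumed weights; changing the weights changes the ranking, which is the point of tying the assessment to organizational priorities.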
