dc.contributor.author: Tariq, Muhammad Imran [spa]
dc.contributor.author: Tayyaba, Shahzadi [spa]
dc.contributor.author: De-La-Hoz-Franco, Emiro [spa]
dc.contributor.author: Ashraf, Muhammad Waseem [spa]
dc.contributor.author: Rad, Dana [spa]
dc.contributor.author: Butt, Shariq Aziz [spa]
dc.contributor.author: Santarcangelo, Vito [spa]
dc.date.accessioned: 2022-07-07T13:58:31Z
dc.date.available: 2022-07-07T13:58:31Z
dc.date.issued: 2021-11-26
dc.identifier.citation: Tariq, M.I. et al. (2022). Evaluation and Prioritization of Information Security Controls of ISO/IEC 27002:2013 for SMEs Through Fuzzy TOPSIS. In: Pan, JS., Balas, V.E., Chen, CM. (eds) Advances in Intelligent Data Analysis and Applications. Smart Innovation, Systems and Technologies, vol 253. Springer, Singapore. https://doi.org/10.1007/978-981-16-5036-9_27 [spa]
dc.identifier.isbn: 978-981-16-5035-2 [spa]
dc.identifier.uri: https://hdl.handle.net/11323/9345 [spa]
dc.description.abstract: Managing a large number of Information Security controls with slight impact may increase the extra effort and time in the shape of implementation and mitigation of risk. Therefore, Information Security Controls need to be prioritized. The main goals of this paper are to conduct an in-depth study of ISO/IEC 27002:2013, which consists of 114 information security controls with 35 security domains, and to rank/prioritize these controls. In this study, a questionnaire was designed and distributed among Information Security Experts having experience of Information Security deployment in Small Medium Enterprises (SMEs). The study initially studied different methodologies for prioritization of Information Security Controls and developed criteria including effectiveness, implementation time, mitigation time, risk and budgetary constraints to evaluate ISO/IEC 27002:2013 controls. The study applies a Fuzzy Technique for Order of Preference by Similarity to Ideal Solution (TOPSIS) technique to evaluate and rank the information security controls. A fuzzy TOPSIS methodology comprising linguistic data is used to get unclear conditions and, therefore, fuzzy TOPSIS is used as a tool to allow a more precise calculation of inaccurate parameters than old-style methods. We contend that evaluating ISO/IEC 27002:2013 using fuzzy TOPSIS leads to a highly accurate assessment and, therefore, supports an effective selection/ranking/prioritization of information security controls in SMEs. [eng]
dc.format.extent: 1 page [spa]
dc.format.mimetype: application/pdf [spa]
dc.language.iso: eng
dc.publisher: Springer Science and Business Media Deutschland GmbH [spa]
dc.relation.ispartofseries: Advances in Intelligent Data Analysis and Applications; [spa]
dc.rights: Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0) [spa]
dc.rights: © 2022, The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. [spa]
dc.rights.uri: https://creativecommons.org/licenses/by-nc-sa/4.0/ [spa]
dc.title: Evaluation and prioritization of information security controls of ISO/IEC 27002:2013 for SMEs Through Fuzzy TOPSIS [eng]
dc.type: Chapter - Part of Book [spa]
dc.identifier.url: https://doi.org/10.1007/978-981-16-5036-9_27 [spa]
dc.source.url: https://link.springer.com/chapter/10.1007/978-981-16-5036-9_27 [spa]
dc.rights.accessrights: info:eu-repo/semantics/openAccess [spa]
dc.identifier.doi: 10.1007/978-981-16-5036-9_27 [spa]
dc.identifier.instname: Corporación Universidad de la Costa [spa]
dc.identifier.reponame: REDICUC - Repositorio CUC [spa]
dc.identifier.repourl: https://repositorio.cuc.edu.co/ [spa]
dc.publisher.place: Germany [spa]
dc.relation.ispartofbook: Smart Innovation, Systems and Technologies [spa]
dc.subject.proposal: Fuzzy logic [eng]
dc.subject.proposal: Information security [eng]
dc.subject.proposal: Information security controls [eng]
dc.subject.proposal: ISO/IEC 27002:2013 [eng]
dc.subject.proposal: TOPSIS [eng]
dc.type.coar: http://purl.org/coar/resource_type/c_3248 [spa]
dc.type.content: Text [spa]
dc.type.driver: info:eu-repo/semantics/bookPart [spa]
dc.type.redcol: http://purl.org/redcol/resource_type/CAP_LIB [spa]
dc.type.version: info:eu-repo/semantics/draft [spa]
dc.relation.citationendpage: 289 [spa]
dc.relation.citationstartpage: 271 [spa]
dc.type.coarversion: http://purl.org/coar/version/c_ab4af688f83e57aa [spa]
dc.rights.coar: http://purl.org/coar/access_right/c_abf2 [spa]
dc.identifier.eisbn: 978-981-16-5036-9 [spa]


This item appears in the following collection(s)

  • Artículos científicos [3154]
    Research articles published by members of the university community.

Except where otherwise noted, this item's license is described as Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0)