Towards the Intelligent Application of Security Controls

George Yee
2020 Annual Reliability and Maintainability Symposium (RAMS), published 2020-01-01. DOI: 10.1109/RAMS48030.2020.9153668 (https://doi.org/10.1109/RAMS48030.2020.9153668)
Citations: 0

Abstract

Today, attacks on sensitive data held by organizations and the resulting data breaches are unfortunately all too common. In response to these attacks the organization applies security controls (e.g., encryption) to secure its vulnerabilities. However, these controls are often applied haphazardly, without any idea of their reliability, or any guidance on how they should be applied to account for the priority of the vulnerabilities or a security control’s effect on the overall security posture of the organization. This work derives a mathematical model linking the reliability of the security controls to the overall security level of the organization. The paper then combines this model with a method to prioritize vulnerabilities, allowing the organization to more intelligently apply security controls and reach its desired security level goal within negotiated budgetary constraints. The paper illustrates this approach using an application example.