Evaluation of Information Security Controls in Organizations by Grey Relational Analysis

Abstract

In an era where dependence of information systems is significantly high, the threat of incidents related to information security that could jeopardize the information held by is becoming critical. Alarming facts within the literature point to inadequacies in information security practices, particularly the evaluation and prioritization of information security controls in organizations. Research efforts have resulted in various methodologies developed to deal with the ISC assessment problem. A closer look at these traditional methodologies highlights various weaknesses that can prevent effective assessments of information security controls in organizations. This research proposes a novel approach using Grey Relational Analysis to quantify the importance of each information security control taking into account organizations’ goals and objectives. Through a case study, the approach is proven successful in providing a way for measuring the quality of information security controls based on multiple application-specific criteria.