{"title":"On Selecting Critical Security Controls","authors":"J. Breier, L. Hudec","doi":"10.1109/ARES.2013.77","DOIUrl":null,"url":null,"abstract":"Selection of proper security controls is an important part of building a secure information infrastructure in an organization. There exist many databases of security controls, but the final selection is left on security managers that have to make decisions based on their skills and experience. In this paper, we propose a novel approach, based on grey relational analysis combined with the TOPSIS decision making method, providing a quantitative technique for the security controls selection and prioritization. Our method can help security managers more effectively perform their decisions in this field.","PeriodicalId":302747,"journal":{"name":"2013 International Conference on Availability, Reliability and Security","volume":"93 2","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2013-09-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"17","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2013 International Conference on Availability, Reliability and Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ARES.2013.77","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 17
Abstract
Selection of proper security controls is an important part of building a secure information infrastructure in an organization. There exist many databases of security controls, but the final selection is left to security managers, who have to make decisions based on their skills and experience. In this paper, we propose a novel approach, based on grey relational analysis combined with the TOPSIS decision-making method, providing a quantitative technique for security control selection and prioritization. Our method can help security managers make their decisions in this field more effectively.