Evaluating Policy Layer Security Controls for Value Realisation in Secure Systems
Cusack, B; Al-Khazrajy, M
A strategic question for any business is: What value do control frameworks give? The question concerns the costs associated with implementing and maintaining control frameworks compared with the benefits gained. Each control framework contains many controls that may or may not benefit a situation and this research is aimed at testing different selections and combinations of controls to forecast probable impacts on business outcomes. The scope of the research is limited to a representative set of security controls and the lesser question: What are the criteria for selecting the most effective and efficient security control configurations for best business value? We design a decision support tool (DSS), run a pilot study and begin to develop output sets as part of the exploratory research. The conclusion is that in controlled environments the security controls may be optimised to deliver the best business value and that the highest performing sets of controls can be forecasted once the interaction factors are known.