Research area: Safety
Conference: 2024 International Conference on IT Innovation and Knowledge Discovery (ITIKD)
Risk management and optimised security control selection in information technology, particularly in information security, is crucial for identifying and mitigating organisational threats. Information security control selection and planning are challenging because of limited resources such as funding, time and staffing. This research article is an academic exposition of a quantitative method for evaluating cyber security risk and applying the principles of Modern Portfolio Theory (MPT) to optimise the allocation of resources and funding when selecting security controls that mitigate an organisation's specific security risk and, in addition, reduce the organisation's attack surface, measured as the identified Return on Investment (ROI). This article details and illustrates a novel model that uses quantitative risk evaluation methods such as Monte Carlo simulations, as opposed to the widely used qualitative methods, with the aim of providing organisations with empirical data to make informed decisions, using MPT, when selecting and managing a portfolio of security controls such as Anti-DDoS solutions, Endpoint Detection and Response (EDR) and Cloud Access Security Broker (CASB) solutions.
| Publication year | 2025 |
|---|---|
| Citations | 24 |
| Publication country | Andorra |
| Site | IEEE |
| Likes | 0 |