An Answer Set Solution for Information Security Management

Cares, C.; Diéguez, M.

Keywords: answer set programming, information security, controls selection, Clingo

Abstract

Information Security Management is process-focused and is currently guided by control-based standards such as ISO27002. Controls may be management objectives, available resources, or desired behaviours that contribute to information security. From this process perspective, reaching a given security level means accomplishing a specific set of controls. Qualitative approaches and maturity models help managers select which controls to implement next, whilst quantitative approaches have only recently emerged, under simplified formulations. The purpose of this paper is to show an answer set solution to the problem of selecting which controls to implement next, based on a given budget, security profit, and temporal dependencies between controls. The solution is illustrated using Clingo.

More information

Publisher: IARIA XPS Press
Publication date: 2017
Start/End year: February 19 - 23, 2017
Start page: 11
End page: 15
Language: English