Mapping the variations for implementing information security controls to their operational research solutions

Dieguez, Mauricio; Bustos, Jaime M.; Cares, Carlos

Keywords: optimization, information security management, operational research, security standard, security controls

Abstract

Information Security Management is currently guided by process-based standards. Achieving one or more of these standards means deploying their corresponding set of security controls under different constraints on resources, budgets, information assets to protect, and risks to avoid or mitigate, among other factors. This constitutes a complex combinatorial problem in the decision-making process. The approaches proposed so far for selecting, scheduling and deploying these security controls have been mainly qualitative. Quantitative approaches to information security management are only now emerging, and they have been applied only to simplified theoretical cases. The purpose of this paper is to support the notion that the problems of implementing information security controls, in the sense of putting them into effect, can be formulated as a family of existing, already solved optimization problems. The main result is a mapping from seven types of information security management problems to their corresponding operational research formulations. A solved case from a governmental institution illustrates the use of the proposed map.

More information

Journal title: INFORMATION SYSTEMS AND E-BUSINESS MANAGEMENT
Publisher: Springer Verlag
Publication date: 2020
Language: English
Notes: SCOPUS