{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,9,28]],"date-time":"2025-09-28T20:28:34Z","timestamp":1759091314651,"version":"3.41.2"},"reference-count":55,"publisher":"Emerald","issue":"2","license":[{"start":{"date-parts":[[2015,6,8]],"date-time":"2015-06-08T00:00:00Z","timestamp":1433721600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2015,6,8]]},"abstract":"<jats:sec>\n               <jats:title content-type=\"abstract-heading\">Purpose<\/jats:title>\n               <jats:p> \u2013 This paper aims to propose a comprehensive model to identify the most preventive subset of security controls against potential security attacks within a limited budget. Deploying the appropriate collection of information security controls, especially in information system-dependent organizations, ensures their business continuity along with their effectiveness and efficiency. <\/jats:p>\n            <\/jats:sec>\n            <jats:sec>\n               <jats:title content-type=\"abstract-heading\">Design\/methodology\/approach<\/jats:title>\n               <jats:p> \u2013 Impacts of security attacks are measured based on the interdependent asset structure. To this end, the asset operational dependency graph is mapped to the security attack graph to assess the risks of attacks. This mapping enables us to measure the effectiveness of security controls against attacks. The most effective subset is found by mapping its features (cost and effectiveness) to items\u2019 features in a binary knapsack problem, and then solving the problem by a modified version of the classic dynamic programming algorithm. <\/jats:p>\n            <\/jats:sec>\n            <jats:sec>\n               <jats:title content-type=\"abstract-heading\">Findings<\/jats:title>\n               <jats:p> \u2013 Exact solutions are achieved using the dynamic programming algorithm approach in the proposed model. The optimal security control subset is selected based on its implementation cost, its effectiveness and the limited budget. <\/jats:p>\n            <\/jats:sec>\n            <jats:sec>\n               <jats:title content-type=\"abstract-heading\">Research limitations\/implications<\/jats:title>\n               <jats:p> \u2013 Estimation of control effectiveness is the most significant limitation in applying the proposed model. This is caused by a lack of experience in risk management in organizations, which forces them to rely on reports and simulation results. <\/jats:p>\n            <\/jats:sec>\n            <jats:sec>\n               <jats:title content-type=\"abstract-heading\">Originality\/value<\/jats:title>\n               <jats:p> \u2013 So far, cost-benefit approaches in security investments have been pursued only on the basis of vulnerability assessment results. Moreover, dependency weights and types in the interdependent structure of assets have been taken into account by a limited number of models. In the proposed model, a three-dimensional graph is used to capture the dependencies in risk assessment and optimal control subset selection, through a holistic approach.<\/jats:p>\n            <\/jats:sec>","DOI":"10.1108\/ics-12-2013-0090","type":"journal-article","created":{"date-parts":[[2015,5,22]],"date-time":"2015-05-22T08:10:47Z","timestamp":1432282247000},"page":"218-242","source":"Crossref","is-referenced-by-count":8,"title":["A comprehensive security control selection model for inter-dependent organizational assets structure"],"prefix":"10.1108","volume":"23","author":[{"given":"Maryam","family":"Shahpasand","sequence":"first","affiliation":[]},{"given":"Mehdi","family":"Shajari","sequence":"additional","affiliation":[]},{"given":"Seyed Alireza","family":"Hashemi Golpaygani","sequence":"additional","affiliation":[]},{"given":"Hoda","family":"Ghavamipoor","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"doi-asserted-by":"crossref","unstructured":"Albert, C.\n                and \n                  Dorofee, A.\n                (2003), \u201cIntroduction to the OCTAVE approach\u201d, Carnegie Mellon Software Engineering Institute, pp. 
4-16.","key":"key2020122320551532400_b1","DOI":"10.21236\/ADA634134"},{"doi-asserted-by":"crossref","unstructured":"Alpcan, T.\n                and \n                  Bambos, N.\n                (2009), \u201cModeling dependencies in security risk management\u201d, Fourth International Conference on Risks and Security of Internet and Systems (CRiSIS), IEEE, Toulouse.","key":"key2020122320551532400_b2","DOI":"10.1109\/CRISIS.2009.5411969"},{"doi-asserted-by":"crossref","unstructured":"Avizienis, A.\n               , \n                  Laprie, J.C.\n               , \n                  Randell, B.\n                and \n                  Landwehr, C.\n                (2004), \u201cBasic concepts and taxonomy of dependable and secure computing\u201d, \n                  IEEE Transactions on Dependable and Secure Computing\n               , Vol. 1 No. 1, pp. 11-33.","key":"key2020122320551532400_b4","DOI":"10.1109\/TDSC.2004.2"},{"doi-asserted-by":"crossref","unstructured":"Boehmer, W.\n                (2008), \u201cAppraisal of the effectiveness and efficiency of an information security management system based on ISO 27001\u201d, 2nd International Conference on Emerging Security Information Systems and Technologies (SECURWARE\u201908), IEEE, Cap Esterel.","key":"key2020122320551532400_b7","DOI":"10.1109\/SECURWARE.2008.7"},{"doi-asserted-by":"crossref","unstructured":"Breu, R.\n               , \n                  Innerhofer-Oberperfle, F.\n                and \n                  Yautsiukhin, A.\n                (2008), \u201cQuantitative assessment of enterprise security system\u201d, Proceedings of the 3rd International Conference on Availability, Reliability and Security, IEEE, Barcelona.","key":"key2020122320551532400_b8","DOI":"10.1109\/ARES.2008.164"},{"unstructured":"BritishStandard\n                (2006), \u201cBS7799 -3:2006, information security management systems -Part 3: guidelines for information security risk 
management\u201d.","key":"key2020122320551532400_b9"},{"doi-asserted-by":"crossref","unstructured":"Demetz, L.\n                and \n                  Bachlechner, D.\n                (2013), \u201cTo invest or not to invest? Assessing the economic viability of a policy and security configuration management tool\u201d, \n                  The Economics of Information Security and Privacy\n               , Springer Berlin Heidelberg, pp. 25-47.","key":"key2020122320551532400_b10","DOI":"10.1007\/978-3-642-39498-0_2"},{"doi-asserted-by":"crossref","unstructured":"Dewri, R.\n               , \n                  Poolsappasit, N.\n               , \n                  Ray, I.\n                and \n                  Whitley, D.\n                (2007), \u201cOptimal security hardening using multi-objective optimization on attack tree models of networks\u201d, Proceedings of the 14th ACM Conference on Computer and Communications Security, ACM, New York, NY.","key":"key2020122320551532400_b11","DOI":"10.1145\/1315245.1315272"},{"doi-asserted-by":"crossref","unstructured":"Dewri, R.\n               , \n                  Ray, I.\n               , \n                  Poolsappasit, N.\n                and \n                  Whitley, D.\n                (2012), \u201cOptimal security hardening on attack tree models of networks: a cost-benefit analysis\u201d, \n                  International Journal of Information Security\n               , Vol. 11 No. 3, pp. 167-188.","key":"key2020122320551532400_b12","DOI":"10.1007\/s10207-012-0160-y"},{"doi-asserted-by":"crossref","unstructured":"Eom, J.-H.\n               , \n                  Park, S.-H.\n               , \n                  Kim, T.-K.\n                and \n                  Chung, T.-M.\n                (2005), \u201cTwo-dimensional quantitative asset analysis method based on business process-oriented asset evaluation\u201d, \n                  Journal of Information Processing Systems\n               , Vol. 1 No. 
1, pp. 79-85.","key":"key2020122320551532400_b13","DOI":"10.3745\/JIPS.2005.1.1.079"},{"doi-asserted-by":"crossref","unstructured":"Hagen, J.M.\n               , \n                  Albrechtsen, E.\n                and \n                  Hovden, J.\n                (2008), \u201cImplementation and effectiveness of organizational information security measures\u201d, \n                  Information Management & Computer Security\n               , Vol. 16 No. 4, pp. 377-397.","key":"key2020122320551532400_b14","DOI":"10.1108\/09685220810908796"},{"unstructured":"Innerhofer-Oberperfle, F.\n                and \n                  Breu, R.\n                (2006), \u201cUsing an enterprise architecture for IT risk management\u201d, \n                  Proceedings of ISSA-06\n               .","key":"key2020122320551532400_b18"},{"unstructured":"ISO\n                (2008), \u201cInformation security risk management, international standard organization\u201d, \n                  ISO\/IEC\n                \n               27005.","key":"key2020122320551532400_b19"},{"unstructured":"ISO\n                (1998), \u201cInformation technology -guidelines for the management of ITSecurity \u2013 part 3: techniques for the management of IT Security\u201d, ISO\/lEC TR 13335-3.","key":"key2020122320551532400_b21"},{"doi-asserted-by":"crossref","unstructured":"Jahnke, M.\n               , \n                  Thul, C.\n                and \n                  Martini, P.\n                (2007), \u201cGraph based metrics for intrusion response measures in computer networks\u201d, \n                  Proceedings of Local Computer Networks\n               , IEEE, Dublin.","key":"key2020122320551532400_b22","DOI":"10.1109\/LCN.2007.45"},{"doi-asserted-by":"crossref","unstructured":"Liu, H.-L.\n                and \n                  Zhu, Y.-J.\n                (2009), \u201cMeasuring effectiveness of information security management\u201d, \n                  International Symposium on 
Computer Network and Multimedia Technology, CNMT\n               , IEEE, Wuhan.","key":"key2020122320551532400_b23","DOI":"10.1109\/CNMT.2009.5374634"},{"unstructured":"Mell, P.\n               , \n                  Scarfone, K.\n                and \n                  Romanosky, S.\n                (2007), \u201cA complete guide to the common vulnerability scoring system version 2.0\u201d, FIRST-Forum of Incident Response and Security Teams.","key":"key2020122320551532400_b26"},{"unstructured":"MFPA\n                (2012), \u201cMagerit version 3 (Spanish): methodology of risk analysis and management of information systems\u201d, Ministry of Finance and Public Administration.","key":"key2020122320551532400_b27"},{"unstructured":"Moody, D.L.\n                and \n                  Walsh, P.\n                (1999), \u201cMeasuring the value of information-an asset valuation approach\u201d, ECIS.","key":"key2020122320551532400_b28"},{"doi-asserted-by":"crossref","unstructured":"Mounzer, J.\n               , \n                  Alpcan, T.\n                and \n                  Bambos, N.\n                (2010a), \u201cIntegrated security risk management for IT-intensive organizations\u201d, 6th International Conference on Information Assurance and Security (IAS), IEEE, Atlanta, GA.","key":"key2020122320551532400_b29","DOI":"10.1109\/ISIAS.2010.5604086"},{"doi-asserted-by":"crossref","unstructured":"Mounzer, J.\n               , \n                  Tansu, A.\n                and \n                  Bambos, N.\n                (2010b), \u201cDynamic control and mitigation of interdependent IT security risk\u201d, International Conference on Communications (ICC), IEEE, Cape Town.","key":"key2020122320551532400_b30","DOI":"10.1109\/ICC.2010.5502671"},{"unstructured":"Neubauer, T.\n               , \n                  Ekelhart, A.\n                and \n                  Fenz, S.\n                (2008), \u201cInteractive selection of ISO 27001 controls under 
multiple objectives\u201d, Proceedings of The IFTP \u2013 Tc 11 23rd International Information Security Conference, Springer, Milano.","key":"key2020122320551532400_b31"},{"doi-asserted-by":"crossref","unstructured":"Paintsil, E.\n                (2012), \u201cTaxonomy of security risk assessment approaches for researchers\u201d, 4th International Conference on Computational Aspects of Social Networks (CASoN), IEEE.","key":"key2020122320551532400_b33","DOI":"10.1109\/CASoN.2012.6412412"},{"unstructured":"Poolsappasit, N.\n                (2010), \u201cTowards an efficient vulnerability analysis methodology for better security risk management\u201d, PhD Dissertation, Colorado State University.","key":"key2020122320551532400_b34"},{"doi-asserted-by":"crossref","unstructured":"Poore, R.S.\n                (2000), \u201cValuing information assets for security risk management\u201d, \n                  Auerbach Publications\n               , Vol. 9 No. 4, pp. 1-7.","key":"key2020122320551532400_b35","DOI":"10.1201\/1086\/43311.9.4.20000910\/31364.4"},{"doi-asserted-by":"crossref","unstructured":"Rakes, T.R.\n               , \n                  Deane, J.K.\n                and \n                  Rees, L.P.\n                (2012), \u201cIT security planning under uncertainty for high-impact events\u201d, \n                  Omega: International Journal of Management Science\n               , pp. 79-88.","key":"key2020122320551532400_b36","DOI":"10.1016\/j.omega.2011.03.008"},{"doi-asserted-by":"crossref","unstructured":"Rees, L.P.\n               , \n                  Deane, J.K.\n               , \n                  Rakes, T.R.\n                and \n                  Baker, W.H.\n                (2011), \u201cDecision support for Cybersecurity risk planning\u201d, \n                  Decision Support Systems\n               , Vol. 51 No. 3, pp. 
493-505.","key":"key2020122320551532400_b37","DOI":"10.1016\/j.dss.2011.02.013"},{"unstructured":"SANS\n                (2013), \u201cTop 20 critical security controls\u201d.","key":"key2020122320551532400_b40"},{"doi-asserted-by":"crossref","unstructured":"Sawik, T.\n                (2013), \u201cSelection of optimal countermeasure portfolio in IT security planning\u201d, \n                  Decision Support Systems\n               , Vol. 55 No. 1, pp. 156-164.","key":"key2020122320551532400_b41","DOI":"10.1016\/j.dss.2013.01.001"},{"doi-asserted-by":"crossref","unstructured":"Sawilla, R.E.\n                and \n                  Ou, X.\n                (2008), \u2018Identifying critical attack assets in dependency attack graphs\u2019, \n                  13th European Symposium on Research in Computer Security\n               , Springer Berlin Heidelberg.","key":"key2020122320551532400_b42","DOI":"10.1007\/978-3-540-88313-5_2"},{"doi-asserted-by":"crossref","unstructured":"Shahpasand, M.\n                and \n                  Hashemi, G.A.\n                (2013), \u201cOptimum countermeasure portfolio selection: a knapsack approach\u201d, \n                  Emerging Trends in ICT Security \u2013 Chapter 19\n               .","key":"key2020122320551532400_b43","DOI":"10.1016\/B978-0-12-411474-6.00019-0"},{"unstructured":"Sheyner, O.\n                (2004), \n                  Scenario Graphs and Attack Graphs\n               , University of Wisconsin.","key":"key2020122320551532400_b44"},{"unstructured":"Soldal, LM\n               , \n                  Solhaug, B.\n                and \n                  Stolen, K.\n                (2011), \n                  Model-Driven Risk Analysis: The CORAS Approach\n               , Springer.","key":"key2020122320551532400_b46"},{"doi-asserted-by":"crossref","unstructured":"Stoneburner, G.\n               , \n                  Goguen, A.\n                and \n                  Feringa, A.\n                (2002), \n  
                Risk Management Guide For Information Technology Systems\n               , NIST Special Publication.","key":"key2020122320551532400_b47","DOI":"10.6028\/NIST.SP.800-30"},{"doi-asserted-by":"crossref","unstructured":"Torres, J.M.\n               , \n                  Sarrieg, J.M.\n               , \n                  Santos, J.\n                and \n                  Serrano, N.\n                (2006), \u201cManaging information systems security: critical success factors and indicators to measure effectiveness\u201d, \n                  Information Security\n               , Springer Berlin Heidelberg, pp. 530-545.","key":"key2020122320551532400_b48","DOI":"10.1007\/11836810_38"},{"unstructured":"Verizon\n                (2013), \u201cData breach investigations report\u201d, available at: www.verizonenterprise.com\/DBIR\/2013","key":"key2020122320551532400_b49"},{"doi-asserted-by":"crossref","unstructured":"Viduto, V.\n               , \n                  Maple, C.\n               , \n                  Huang, W.\n                and \n                  L\u00f3pez-Per\u00e9z, D.\n                (2012), \u201cA novel risk assessment and optimisation model for a multi-objective network security countermeasure selection problem\u201d, \n                  Decision Support Systems\n               , Vol. 53 No. 3, pp. 599-610.","key":"key2020122320551532400_b50","DOI":"10.1016\/j.dss.2012.04.001"},{"unstructured":"Yazar, Z.\n                (2002), \u201cA qualitative risk analysis and management tool \u2013 CRAMM\u201d, SANS InfoSec Reading Room White Paper.","key":"key2020122320551532400_b54"},{"unstructured":"Zhang, Z.\n               , \n                  Wang, S.\n                and \n                  Kadobayashi, Y.\n                (2013), \u201cExploring attack graph for cost-benefit security hardening: a probabilistic approach\u201d, \n                  Computer & Security\n               , Vol. 23, pp. 
158-169.","key":"key2020122320551532400_b55"},{"unstructured":"Asghari, M.\n                and \n                  Shariari, H.\n                (2010), \u201cThreat propagation modeling based on the relationship of assets and vulnerabilities for security risk analysis\u201d, 16th Annual International Conference of Computer Society of Iran, Computer Society of Iran, Tehran-Iran (In persian).","key":"key2020122320551532400_frd1"},{"doi-asserted-by":"crossref","unstructured":"Bistarelli, S.\n               , \n                  Fioravanti, F.\n                and \n                  Peretti, P.\n                (2007), \u201cUsing cp-nets as a guide for countermeasure selection\u201d, \n                  ACM Symposium on Applied Computing\n               , Seoul.","key":"key2020122320551532400_frd2","DOI":"10.1145\/1244002.1244073"},{"doi-asserted-by":"crossref","unstructured":"Blakley, B.\n               , \n                  McDermott, E.\n                and \n                  Geer, D.\n                (2001), \u201cInformation security is information risk management\u2019, \n                  Proceedings of the workshop on New security paradigms\n               , ACM, NY, NY, USA.","key":"key2020122320551532400_frd3","DOI":"10.1145\/508171.508187"},{"unstructured":"Homer, J.\n               , \n                  Ou, X.\n                and \n                  Schmidt, D.\n                (2009), \u201cA sound and practical approach to quantifying security risk in enterprise networks\u201d, KS State University Technical Report.","key":"key2020122320551532400_frd5"},{"unstructured":"Homer, J.\n               , \n                  Varikut, A.\n               , \n                  Ou, X.\n                and \n                  McQueen, M.A.\n                (2008), \u201cImproving attack graph visualization through data reduction and attack grouping\u201d, \n                  Visualization for Computer Security\n               , Springer Berlin 
Heidelberg.","key":"key2020122320551532400_frd4"},{"doi-asserted-by":"crossref","unstructured":"Ingols, K.\n               , \n                  Lippmann, R.\n                and \n                  Piwowarski, K.\n                (2006), \u201cPractical attack graph generation for network defense\u201d, ACSAC\u201906 22nd Annual Conference on Computer Security Applications, IEEE, Miami Beach, FL.","key":"key2020122320551532400_frd6","DOI":"10.1109\/ACSAC.2006.39"},{"unstructured":"ISO\n                (2013), \u201cSecurity techniques \u2013 information security management systems\u201d, ISO\/IEC 27001, International Organization for Standardization and International Electrotechnical Commission.","key":"key2020122320551532400_frd7"},{"doi-asserted-by":"crossref","unstructured":"Lv, H.\n                (2009), \u201cResearch on network risk assessment based on attack probability\u201d, \n                  Proceedings of 2nd International Workshop on Computer Science and Engineering\n               , Qingdao.","key":"key2020122320551532400_frd8","DOI":"10.1109\/WCSE.2009.834"},{"unstructured":"Marinos, L.\n                (2013), \u201cENISA threat landscape 2013\u201d, ENISA.","key":"key2020122320551532400_frd9"},{"unstructured":"Noel, S.\n               , \n                  Jacobs, M.\n               , \n                  Kalapa, P.\n                and \n                  Jajodia, S.\n                (2005), \u201cMultiple coordinated views for network attack graphs\u201d, \n                  IEEE Workshop on Visualization for Computer Security\n               , IEEE.","key":"key2020122320551532400_frd10"},{"doi-asserted-by":"crossref","unstructured":"Rong, A.\n               , \n                  Figueira, J.R.\n                and \n                  Pato, M.V.\n                (2011), \u201cA two state reduction based dynamic programming algorithm for the bi-objective 0-1 knapsack problem\u201d, \n                  Computers & Mathematics with Applications\n  
             , Vol. 62 No. 8, pp. 2913-2930.","key":"key2020122320551532400_frd11","DOI":"10.1016\/j.camwa.2011.07.067"},{"unstructured":"RTO (NATO)\n                (2008), \u201cAnalysis, RTO-TR-IST-049-PRE-RELEASE: improving common security risk\u2019, research and technology organisation (NATO)\u201d, BP 25, F-92201 Neuilly-sur-Seine Cedex.","key":"key2020122320551532400_frd12"},{"unstructured":"Sheyner, O.\n               , \n                  Haines, J.\n               , \n                  Jha, S.\n               , \n                  Lippmann, R.\n                and \n                  Wing, J.M.\n                (2002), \u201cAutomated generation and analysis of attack graphs\u201d, \n                  Proceedings of the IEEE Symposium on Security and Privacy\n               , Oakland, CA.","key":"key2020122320551532400_frd13"},{"unstructured":"Vorster, A.\n                and \n                  Les, L.\n                (2005), \u201cA framework for comparing different information security risk analysis methodologies\u201d, \n                  Annual Research Conference of the South African Institute of Computer Scientists and Information Technologists on IT Research in Developing Countries\n               , South African Institute for Computer Scientists and Information Technologists.","key":"key2020122320551532400_frd14"},{"doi-asserted-by":"crossref","unstructured":"Wang, L.\n               , \n                  Islam, T.\n               , \n                  Long, T.\n               , \n                  Singhal, A.\n                and \n                  Jajodia, S.\n                (2008), \u201cAn attack graph-based probabilistic security metric\u201d, \n                  Data and Applications Security XXII\n               , Springer Berlin Heidelberg, pp. 
283-296.","key":"key2020122320551532400_frd15","DOI":"10.1007\/978-3-540-70567-3_22"},{"unstructured":"Williams, L.\n               , \n                  Lippmann, R.\n                and \n                  Ingols, K.\n                (2007), \u201cAn interactive attack graph cascade and reachability display\u201d, \n                  VizSEC 2007\n               , Springer Berlin Heidelberg.","key":"key2020122320551532400_frd16"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/ICS-12-2013-0090","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-12-2013-0090\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-12-2013-0090\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:23:24Z","timestamp":1753406604000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/23\/2\/218-242\/119721"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2015,6,8]]},"references-count":55,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2015,6,8]]}},"alternative-id":["10.1108\/ICS-12-2013-0090"],"URL":"https:\/\/doi.org\/10.1108\/ics-12-2013-0090","relation":{},"ISSN":["2056-4961"],"issn-type":[{"type":"print","value":"2056-4961"}],"subject":[],"published":{"date-parts":[[2015,6,8]]}}}