A Decision Support System for Optimal Selection of Enterprise Information Security Preventative Actions

Sonmez F. O. , Günel Kiliç B.

IEEE TRANSACTIONS ON NETWORK AND SERVICE MANAGEMENT, vol.18, no.3, pp.3260-3279, 2021 (Journal Indexed in SCI) identifier identifier

  • Publication Type: Article / Article
  • Volume: 18 Issue: 3
  • Publication Date: 2021
  • Doi Number: 10.1109/tnsm.2020.3044865
  • Page Numbers: pp.3260-3279
  • Keywords: Security, Information security, Risk management, Visualization, Decision support systems, Security management, Analytical models, Enterprise information security, security investment, analytical hierarchical process (AHP), MIP, optimization, visualization, ANALYTIC HIERARCHY PROCESS, MODEL, TIME, SDN


Types and complexity of information security related vulnerabilities are growing rapidly and present numerous challenges to the enterprises. One of the key challenges is to identify the optimal set of precautions with limited budget. Despite the fact that majority of enterprises have a budget constraint for installing and maintaining the protection systems, the majority of the previous work only focus on prioritization of security targets and do not consider the preventative actions and budget constraints. This article presents a decision support system (DSS) based on analytical hierarchical process and mixed integer programming techniques for optimal selection of enterprise information security preventative actions. The proposed approach enables maximizing the amount of risk prevented for a fixed amount of budget by identifying the optimal set of precautions. The new DSS also assists enterprise decision-makers in determining the minimum enterprise information security budget for a given level of risk. The main contribution of the paper is that it provides a risk management method to identify a multi-level threat model and the corresponding optimal combination of preventative actions for an enterprise while considering the budget constraints. The treemap information visualization technique is also integrated into the proposed method to improve information security related management decisions.