Abstract
Risk evaluation approaches in information technology are based mainly on subjective and qualitative methods of measurement and evaluation. This paper proposes an approach based on the Analytic Hierarchy Process technique that uses the level of implementation of security mechanisms as its input. Using predefined weights for these mechanisms, it yields an overall security score for five main security attributes: confidentiality, integrity, availability, authenticity and non-repudiability. The main purpose of this work is to bring objectivity into the risk assessment process and to provide an adequate evaluation of implemented security controls. The ISO/IEC 27002:2005 standard is used as the basis for our work. This standard contains the database of control objectives to which the proposed security mechanisms are assigned.
This work is licensed under a Creative Commons Attribution 4.0 International License.
Copyright (c) 2012 International Journal of Information Technology Applications
