DocumentCode
2116353
Title
On Optimizing the Path to Information Security Compliance
Author
Dieguez, Martin ; Sepulveda, S. ; Cares, Carlos
Author_Institution
Dept. of Syst. Eng., Univ. of La Frontera, Temuco, Chile
fYear
2012
fDate
3-6 Sept. 2012
Firstpage
182
Lastpage
185
Abstract
Information Security Management has been contemporarily confronted by standards covering business aspects related to Information Technology. Different standards map the problem of information security to a set of controls that represent safeguards for different security vulnerabilities. Several procedure-oriented maturity models have been proposed for managing the progress on information security; however, few approaches use quantitative techniques for analyzing the progress on information security. In this paper we propose that the problem of becoming security compliant can be analyzed as a problem of multi-paths where checking different controls means choosing different ways of reaching security compliance. We identify a set of concepts from security ontologies in order to identify a set of variables influencing these paths. The main contribution is formulating the problem of reaching some standard compliance in the shape of optimization problems, so that existing optimization techniques can be applied.
Keywords
ontologies (artificial intelligence); optimisation; security of data; information security compliance; information security management; multi-paths; optimization problems; procedure-oriented maturity models; quantitative techniques; security ontologies; ISO27002; Information Security;
fLanguage
English
Publisher
ieee
Conference_Titel
Quality of Information and Communications Technology (QUATIC), 2012 Eighth International Conference on the
Conference_Location
Lisbon
Print_ISBN
978-1-4673-2345-1
Type
conf
DOI
10.1109/QUATIC.2012.44
Filename
6511805