TY - GEN
T1 - Integrating Modern Portfolio Theory into Information Security Control Selection Optimisation
AU - Abrahams, Muhammad Zaid
AU - Langerman, Josef J.
N1 - Publisher Copyright:
© 2025 IEEE.
PY - 2025
Y1 - 2025
N2 - Risk management and optimised security control selection in information technology, particularly information security, are crucial for identifying and mitigating organisational threats. Information security control selection and planning are challenging due to limited resources such as funding, time and staffing. This research article is an academic exposition of a quantitative method for evaluating cyber security risk and of applying the principles of Modern Portfolio Theory (MPT) to optimise the allocation of resources and funding when selecting security controls that mitigate an organisation's specific security risks and, in addition, reduce the organisation's attack surface, which is treated as the identified Return on Investment (ROI). This article details and illustrates a novel model that uses quantitative risk evaluation methods such as Monte Carlo simulations, as opposed to the widely used qualitative methods, with the aim of providing organisations with empirical data to make informed decisions, using MPT, when selecting and managing a portfolio of security controls such as Anti-DDOS solutions, Endpoint Detection and Response (EDR) and Cloud Access Security Broker (CASB) solutions.
AB - Risk management and optimised security control selection in information technology, particularly information security, are crucial for identifying and mitigating organisational threats. Information security control selection and planning are challenging due to limited resources such as funding, time and staffing. This research article is an academic exposition of a quantitative method for evaluating cyber security risk and of applying the principles of Modern Portfolio Theory (MPT) to optimise the allocation of resources and funding when selecting security controls that mitigate an organisation's specific security risks and, in addition, reduce the organisation's attack surface, which is treated as the identified Return on Investment (ROI). This article details and illustrates a novel model that uses quantitative risk evaluation methods such as Monte Carlo simulations, as opposed to the widely used qualitative methods, with the aim of providing organisations with empirical data to make informed decisions, using MPT, when selecting and managing a portfolio of security controls such as Anti-DDOS solutions, Endpoint Detection and Response (EDR) and Cloud Access Security Broker (CASB) solutions.
KW - Cyber Security
KW - Defence in Depth
KW - Information Security Attacks
KW - Modern Portfolio Theory
KW - Risk
KW - Risk Management
UR - https://www.scopus.com/pages/publications/105007530496
U2 - 10.1109/ITIKD63574.2025.11004647
DO - 10.1109/ITIKD63574.2025.11004647
M3 - Conference contribution
AN - SCOPUS:105007530496
T3 - 2nd International Conference on IT Innovations and Knowledge Discovery, ITIKD 2024
BT - 2nd International Conference on IT Innovations and Knowledge Discovery, ITIKD 2024
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2nd International Conference on IT Innovations and Knowledge Discovery, ITIKD 2024
Y2 - 13 April 2025 through 15 April 2025
ER -