Estimation of deficiency risk and prioritization of information security controls: A data-centric approach

Risk of unauthorized disclosure or modification of corporate data can impact in different ways, including affecting operations, the public image and/or the firm's legal/compliance exposure. While management views risk along these dimensions, the information technology function (ITF) typically views risk from an IT infrastructure compromise viewpoint, and this drives the establishment of IT security controls. It is oftentimes difficult for the internal audit function (IAF) to assess control deficiency risk (CDR) in the area of information security, as well as estimate the importance of each in-place security control. Using a design science approach, we propose the Operational, Public image, Legal (OPL) model and method to classify the security criticality of the organization's data along three dimensions. Through an empirical study, we demonstrate how the OPL method allows for a quantitative estimation of the importance of in-place security controls as well as the CDR of missing controls. This information provides guidance on strategies for testing in-place controls during audit, as well as for determining which controls may need to be incrementally added. (C) 2016 Elsevier Inc. All rights reserved.