Prioritizing Information Security Controls: An Evaluation of Human Factors
Schmid, M. and Pape, S.
2025

Abstract
While security management systems are not new, they have recently received widespread attention fostered by regulations: e.g., the general NIS2 Directive requires organizations to introduce information security management systems (Article 21.1 and 21.2 (a)), and the domain-specific UN Regulation 155 requires automotive companies to introduce cybersecurity management systems. Security management systems aim to manage and improve security, which is also required by the NIS2 Directive (Article 21.2 (f): assess the effectiveness of cybersecurity risk-management measures). However, to do so, security needs to be measurable. A common approach is to have a list of objectives (or controls), often taken from standards such as ISO/IEC 27001:2013, and to assess to which degree each of them is fulfilled. To determine the overall security level of an organization, the different objectives (or controls) are weighted by their importance and an overall weighted score is derived. The weights can be derived individually for an organization or for a specific domain, such as sectors of critical infrastructure, automotive or e-commerce organizations (e-commerce is in the scope of the NIS2 Directive as a digital provider). The latter allows a comparison of different organizations within a domain. The quality of security maturity level assessments of security objectives (or controls) has already been studied. However, the quality of experts' assessments of the importance (weights) of security objectives (or controls), or of groups of them, has not been sufficiently investigated yet. In this paper, we investigate the reliability of determining weights on the basis of the controls of ISO/IEC 27001:2013. In particular, we examine the experts' capability to assess the importance of security controls individually compared to in group discussions.
For this purpose, we ran an experiment in which experts from the e-commerce domain had to assess and discuss priorities for two selected ISO/IEC 27001:2013 control groups. Our key result is that the individual assessments show a huge deviation, while the results from the group discussions share the same tendency. Based on qualitative feedback, we provide guidance on how to optimize the assessment of the weights.
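As an added illustration that is not part of the paper and uses no data from the study, the following Python sketch shows how an overall weighted score is derived from per-control maturity levels and importance weights, and how disagreement between individual experts' weights propagates into the organization's score and into the ranking of controls. The control labels, the 0..5 maturity scale, the 1..10 weight scale and all values are constructed assumptions.

```python
"""Weighted security score from control maturity and expert importance weights."""
from statistics import mean, pstdev

MAX_LEVEL = 5  # assumed maturity scale 0..5 (not specified by the paper)

# Constructed sample data (not from the paper): maturity level per control group
MATURITY = {"A.9": 4, "A.12": 2, "A.16": 3, "A.17": 1}

# Constructed importance weights (1..10) from three individual experts
INDIVIDUAL = {
    "expert_1": {"A.9": 10, "A.12": 2, "A.16": 5, "A.17": 1},
    "expert_2": {"A.9": 2, "A.12": 10, "A.16": 3, "A.17": 9},
    "expert_3": {"A.9": 5, "A.12": 5, "A.16": 5, "A.17": 5},
}
# Constructed consensus weights from a hypothetical group discussion
GROUP = {"A.9": 7, "A.12": 6, "A.16": 5, "A.17": 4}


def weighted_score(maturity, weights):
    """Overall score in [0, 1]: weighted mean maturity divided by the scale maximum."""
    total_weight = sum(weights[c] for c in maturity)
    weighted_sum = sum(weights[c] * level for c, level in maturity.items())
    return weighted_sum / (total_weight * MAX_LEVEL)


def rank_order(weights):
    """Controls ordered from most to least important under one weight set (ties by name)."""
    return sorted(weights, key=lambda c: (-weights[c], c))


def weight_dispersion(weight_sets):
    """Coefficient of variation of each control's weight across raters (0 = full agreement)."""
    result = {}
    for c in MATURITY:
        values = [w[c] for w in weight_sets.values()]
        result[c] = pstdev(values) / mean(values)
    return result


def score_spread(maturity, weight_sets):
    """How far the overall score moves depending on whose weights are applied."""
    scores = [weighted_score(maturity, w) for w in weight_sets.values()]
    return max(scores) - min(scores)


if __name__ == "__main__":
    for name, w in INDIVIDUAL.items():
        print(f"{name}: score={weighted_score(MATURITY, w):.3f} ranking={rank_order(w)}")
    print(f"group: score={weighted_score(MATURITY, GROUP):.3f} ranking={rank_order(GROUP)}")
    print("score spread across individuals:", round(score_spread(MATURITY, INDIVIDUAL), 3))
    print("weight dispersion:", {c: round(v, 2) for c, v in weight_dispersion(INDIVIDUAL).items()})
```

With the constructed values, the same maturity assessment scores anywhere between roughly 0.38 and 0.67 depending on which individual's weights are used, which is why a shared (domain-level) weight set is needed before organizations can be compared.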
Bibtex
@Misc{SP25srn,
author = {Schmid, Michael and Pape, Sebastian},
title = {Prioritizing Information Security Controls: An Evaluation of Human Factors},
howpublished = {, . Available at SSRN:},
month = {02},
year = {2025},
doi = {http://dx.doi.org/10.2139/ssrn.5143868},
}