Article code: 1005380
Journal code: 1482003
Publication year: 2015
English article: 20 pages, PDF
Full-text version: Free download
English title of the ISI article
An information security control assessment methodology for organizations' financial information
Persian translation of the title
An information security control assessment method for an organization's financial information
Keywords
Assessment; Design science research; Evaluation; Fuzzy logic; Fuzzy set theory; Information security controls
Related topics
Social Sciences and Humanities; Business, Management and Accounting; Accounting
English abstract


• A fuzzy logic-based methodology was developed following design-science research.
• The methodology assesses information security controls in organizations' application systems.
• Literature-supported weaknesses in traditional methodologies were addressed.
• The methodology was tested on a financial system of an actual organization.
• The methodology impacted information security positively at the organization.

In an era where dependence on information systems is significantly high, the threat of incidents related to information security that could jeopardize financial information held by organizations is serious. Alarming facts within the literature point to inadequacies in information security practices, particularly the evaluation of information security controls in organizations. Research efforts have resulted in various methodologies developed to deal with the information security controls assessment problem. A closer look at these traditional methodologies highlights various weaknesses that prevent an effective information security controls assessment in organizations. This paper develops a methodology that addresses such weaknesses when evaluating information security controls in organizations' financial systems. The methodology uses the fuzzy set theory which allows for a more accurate assessment of imprecise criteria than traditional methodologies. It is argued that using the fuzzy set theory to evaluate information security controls in organizations addresses existing weaknesses identified in the literature and leads to a more precise assessment. This, in turn, results in a more effective selection of information security controls and enhanced information security in organizations. The main contribution of this research is the development of a fuzzy set theory-based assessment methodology that provides for a thorough evaluation of information security controls in organizations. Overall, the methodology presented herein proved to be a feasible technique for evaluating information security controls in organizations' financial systems.

Publisher
Database: Elsevier - ScienceDirect
Journal: International Journal of Accounting Information Systems - Volume 18, September 2015, Pages 26–45
Authors