Estimation of deficiency risk and prioritization of information security controls: A data-centric approach

•A multi-dimensional model to specify data table level security is proposed.•Protection levels against unauthorized access and modifications of data are derived•In-place information security controls are scored for the protection levels needed.•Missing information security controls are scored for the protection levels needed.•Scores for in-place and missing controls guide the collaborative security audit

Risk of unauthorized disclosure or modification of corporate data can impact in different ways, including affecting operations, the public image and/or the firm's legal/compliance exposure. While management views risk along these dimensions, the information technology function (ITF) typically views risk from an IT infrastructure compromise viewpoint, and this drives the establishment of IT security controls. It is oftentimes difficult for the internal audit function (IAF) to assess control deficiency risk (CDR) in the area of information security, as well as estimate the importance of each in-place security control. Using a design science approach, we propose the Operational, Public image, Legal (OPL) model and method to classify the security criticality of the organization's data along three dimensions. Through an empirical study, we demonstrate how the OPL method allows for a quantitative estimation of the importance of in-place security controls as well as the CDR of missing controls. This information provides guidance on strategies for testing in-place controls during audit, as well as for determining which controls may need to be incrementally added.