On Clustering of Risk Mitigation Controls

In the Information Technology Communication Society, information and its related systems in any organization are exposed to various kinds of risks. The organizations should prepare countermeasures against exposed risks in order to protect their assets and secure their activities´ continuity. Risk evaluation and management systems are effective methods for that purpose, and they usually have several sorts of importance, such as construction of secure information system, ascent of personnel´s consciousness on the information security, etc. On the final stage of a risk management system, after the risk evaluation was done and some serious risks were clarified, the system usually goes on the process of choosing effective and available mitigation controls against each of risks. For that purpose, a database of mitigation controls with values properly related to a type of clarified risk should be set up beforehand. In this paper, we propose a method for giving a kind of property vector to each mitigation control and how to apply fuzzy c-mean clustering to set up the database.