Proposal of a Control Prioritization Method for Zero Trust Architecture Implementation Using Multicriteria Method
Zero Trust, Multicriteria Method, Systematic Literature Review, Cybersecurity
The evolution of computer networks has made them increasingly complex and expanded their attack surface, rendering traditional perimeter protection less secure. In this context, a new trust model called Zero Trust (ZT) emerged. This concept, encompassing various controls for its implementation, makes risk management a challenging task, as managers face the challenge of prioritizing these controls. ISO 31000 describes how the multicriteria decision-making methodology can assist decision-makers in problem modeling and action prioritization. The multicriteria concept is based on two schools of thought: the American approach, which focuses on precise calculations to prioritize controls, and the European approach, which views decision-making as a human activity. MCDA-C, originating from the European school, has the capability to incorporate multiple levels within an organization to facilitate knowledge construction and decisionmaking for decision-makers. This study proposes the utilization of controls described in the CISA's Zero Trust Architecture (ZTA) Maturity Model in conjunction with MCDA-C. This approach provides clarity in visualizing the ideal performance from decision-makers' perspectives and facilitates prioritization for ZTA control implementation. Finally, considering the proposed controls, this study demonstrates the capability of MCDA-C in aiding the understanding of the problem within the organization and constructing knowledge through the analysis of collected data. Consequently, it becomes possible to present decision-makers with the controls that should be prioritized at the outset of a ZTA implementation.