Article

Model to Optimize the Management of Strategic Projects Using Genetic Algorithms in a Public Organization

by Richard Romero Izurieta 1,2, Segundo Moisés Toapanta Toapanta 3,*, Luis Jhony Caucha Morales 2, María Mercedes Baño Hifóng 3, Eriannys Zharayth Gómez Díaz 4, Luis Enrique Mafla Gallegos 5, Ma. Roció Maciel Arellano 6 and José Antonio Orizaga Trejo 6

1 Faculty of Education Sciences, Universidad Estatal de Milagro (UNEMI), Milagro 091051, Ecuador
2 Postgraduate School, Universidad Nacional de Tumbes, Tumbes 24001, Peru
3 Postgraduate Subsystems, Universidad Católica de Santiago de Guayaquil (UCSG), Guayaquil 090615, Ecuador
4 Research Department, Instituto Tecnológico Superior Rumiñahui, Sangolquí 171103, Ecuador
5 Faculty of Engineering System, Escuela Politécnica Nacional (EPN), Quito 170525, Ecuador
6 Information Systems Department (CUCEA), Universidad de Guadalajara, Guadalajara 44100, Mexico
* Author to whom correspondence should be addressed.

Information 2022, 13(11), 533; https://doi.org/10.3390/info13110533
Submission received: 27 September 2022 / Revised: 1 November 2022 / Accepted: 7 November 2022 / Published: 9 November 2022

Abstract

Public organizations lack adequate models and methods to efficiently support and manage processes related to information security and IT investments. The objective is to optimize the management of strategic projects planned to improve the information security of a public organization and make efficient use of its available resources. The deductive method and exploratory research were used to review and analyze the available information. A mathematical model resulted that optimizes two objectives: (1) minimizing the costs of the strategic projects to be executed, and (2) maximizing the percentage of improvement in the organization’s information security. According to the result of the simulation, a subset of planned strategic projects was obtained that allows improving the information security of a public organization from 84.64% to 92.20%, considering the budgetary limitations of the organization. It was concluded that the proposed model is efficient, practical and can be a support tool for the IT management of a public organization.

1. Introduction

For the year 2022, Gartner forecasts that global spending on IT will be USD 4.4 trillion, equivalent to 4% more than the previous year [1]. The biggest spending will be on data analytics, cloud computing, customer management and security. Investment and spending on security was 50% more in 2021 than the previous year, justified by the high rates of security incidents and cyberattacks against the networks of organizations [2]. Despite the large investment in security, the efficiency of that spending is unknown. Organizations lack instruments to manage IT activities, mainly information security, to assess the efficient use of resources. IT governance does not solve the problem, and it is necessary to define specific metrics and indicators for each task [3]. Public organizations lack governance systems and efficient management tools to improve information security [4].
There is currently emerging research based on suitable approaches that measure the value of information security investments, but it is still difficult for professionals in the field to identify key and practical approaches that enable the optimization of information security [5]. The need to use models and optimization methods for the resolution of computer and economic security problems in a company is fundamental [6]. Organizational managers lack structured cost-benefit methods for evaluating IT security solutions [7]. Providing security and privacy must be in accordance with the limitations of the organization. The most important limitations are economic issues, and a useful scheme must consider all of these requirements [8]. A strategic planning approach is necessary to make strategic decisions about IT implementation to improve the efficiency and performance of solutions [9].
The ISO 27004 standard established a methodology that allows organizations to measure the effectiveness of the ISMS and the controls applied, but it does not determine what the specific metrics and results are, because each ISMS has a specific context and specific objectives [10]. Fundamentally, a strategic vision of information technology for organizations must be competitive and have decision support models and tools that allow the correct choice and prioritization of projects based on criteria and limitations of the organization [11]. Organizations manage a portfolio of projects that are often interconnected and share common resources, seeking to maximize the overall value generated [12]. It is important to prioritize projects in the organization to manage the use of IT investments, implementing a prioritization model to maximize profits using minimal resources [13]. Integrated decision-making about the selection and scheduling of a project portfolio can lead to a more desirable performance [14]. Organizations use IT governance to achieve their strategic goals, and one of the best practices is IT project portfolio implementation [15].
Why is it necessary to optimize the management of strategic projects using genetic algorithms in a Public Organization?
It is necessary to optimize the management of planned strategic projects to improve the information security of a public organization because the resources are limited. Generally, the allocated budget is not enough to guarantee that the organization can face all the risks and vulnerabilities that it faces in the present. For this reason, the management of strategic projects that guarantee confidentiality, integrity, and availability of information with the available resources becomes critical.
The objective was to optimize the management of strategic projects using genetic algorithms in a Public Organization.
The deductive method and exploratory analysis were used to review models and criteria that allow optimization of multiple objectives in problems related to information security management. A mathematical optimization model was proposed for the management of strategic projects planned to improve the information security of a public organization, which was implemented using the genetic algorithm based on NSGA-II with the Python programming language, and a simulation was carried out choosing a scenario originated with data from strategic projects planned to improve the information security of a public organization.
The following results were obtained: A general business architecture framework for a public organization; a mathematical optimization model for the management of strategic projects planned to improve the information security of a public organization based on a problem of multi-objective optimization; an algorithm based on NSGA-II to apply the proposed optimization mathematical model; and the application of the algorithm in Python language tested with data from a scenario created with information from a public organization, where the validity of the proposed model was verified.
It is concluded that the proposed optimization model for the management of planned strategic projects makes it possible to efficiently improve the information security of a Public Organization considering its budget limitations. In addition, it is very easy to implement, very practical and can be a powerful decision-making tool for an organization’s IT management.

2. Materials and Methods

2.1. Materials

2.1.1. IT Enterprise Architecture

Organizations must adopt a business architecture as the reference framework to optimize their processes and align all their resources with the mission, vision, strategies, objectives and organizational needs. Such an architecture allows continuous improvement based on the knowledge of the organization, considering the beneficial effects of aligning the business with information systems and technologies [16,17].
Most enterprise IT architectures are based on strategic planning and the four dimensions of the TOGAF framework [16,17,18,19]. Some key factors that support enterprise architecture should be considered, such as strategic alignment and IT governance [20,21], the technological culture of the organization’s staff, efficient communication channels between business and technology specialists, managerial skills of the IT director [20,22], user satisfaction [23] and the efficiency in enterprise architecture project portfolio management [24].
Organizations must have a strategic perspective of information technologies. It is essential for organizations to be competitive, as well as have decision support models and tools that allow the correct selection and prioritization of projects based on the criteria and limitations of the organization [25]. Organizations manage a set of projects that are generally interconnected and compete for common resources, always seeking the highest profitability with the least use of resources [26]. Integrated decision-making on the management of a set of projects results in a better performance of the organization’s resources [27]. Based on these criteria, we can say that in order to meet their planned objectives, organizations need a strategic perspective, the adoption of a business architecture accompanied by the best IT governance practices and the implementation of efficient project portfolio management for success.
Figure 1 shows the proposed framework for a public organization, where we can highlight the efficient management of the project portfolio as a key factor.

2.1.2. Project Portfolio Optimization

Various projects are generated in organizations to achieve the strategic objectives outlined by senior management and others derived from unplanned situations, which must be carried out to meet some need of the organization. The problem of selecting and scheduling a subset of projects is a complex and challenging task faced by many organizations, with budget constraints limiting the number of projects that can be selected [28,29]. In the literature, we found some methods and solutions for the prioritization of projects applied in different areas, each one with its own strengths and limitations. Researchers have identified the main advances, trends and approaches of the different scientific communities for the management and optimization of project portfolios [30,31]. They have proposed a solution for selecting the most appropriate portfolio based on the organizational resilience strategy [32,33]. They have used decision models to optimize project portfolio selection [34,35,36,37,38,39]. They have proposed an optimization model for the project portfolio selection and scheduling problem, with a personalized heuristic approach, which was improved with meta-heuristic approaches [40]. They have proposed evolutionary computation for the selection and programming of project portfolios [29,41,42,43]. The authors of [44] proposed a mixed-integer programming model for project portfolio selection and scheduling considering the resource management, cash flow, cost of delay and robustness of multiple projects [44]. The authors of [45] produced a mathematical model based on commitment scheduling and fuzzy overshooting to help decisionmakers analyze multi-criteria project portfolios quickly [45]. The authors of [46] proposed a method based on the theory of complex networks to select a robust project portfolio under strategic objectives [46]. 
The authors of [47] proposed a dynamic modeling of resource allocation for project management applying two strategies, static and dynamic [47]. The authors of [48] proposed a project portfolio selection method considering uncertainty through fuzzy classification based on stochastic dominance [48]. The authors of [49] proposed models and algorithms using machine learning in project portfolio management [49]. The authors of [50] developed a portfolio selection and scheduling problem formulation inspired by the Future Defense Force Design process and used genetic algorithms to simulate testing [50]. The authors of [51] exposed a mixed-integer nonlinear programming model based on the goal programming approach [51]. The authors of [52] proposed a project portfolio selection method using decision rounds with multi-criteria analysis, mathematical programming and the Monte Carlo simulation within the framework of the Iterative Trichotomic Approach [52]. The authors of [53] presented a mathematical programming model for optimal project portfolio management using a risk-adjusted net present value approach [53].
From the review of the literature, there are no published approaches that have addressed the full complexity of the project portfolio selection and scheduling problem to improve information security in public organizations. We can determine that there is a tendency to pose the problems of selection and programming of project portfolios and other applications as a multi-objective optimization scheme. In these problems, multiple objectives must be optimized simultaneously considering their criteria and constraints, resulting in a set of optimal solutions. For the present work, we used the non-dominated sorting genetic algorithm NSGA-II because it is a classic algorithm, which is widely tested and used in multi-objective optimization applications.

2.1.3. Multi-Objective Optimization Problems

Most studies have focused on developing and applying variants using evolutionary algorithms because they solve the multi-objective optimization problem efficiently and practically. Currently, computational intelligence approaches have been widely used in the field of information security and have achieved good results. Research is advancing to generate, run and implement combinations of evolutionary algorithms to solve a variety of optimization problems [54]. More and more scenarios of organizations require information security. Therefore, it is necessary to develop more advanced computational intelligence approaches and techniques [55]. The authors of [56] presented a general framework for solving large-scale MOP based on the NSGA-II algorithm [56]. The authors of [57] provided the analysis of the ant colony algorithm and Holland’s genetic algorithm, in which different laws of probability distribution of chromosomal mutations were used [57]. The authors of [58] proposed the Point-Weighted Prediction Method (WPPM) for dynamic multi-objective optimization (DMO) to predict the Pareto optimal set and to initialize the population with the appropriate diversity [58]. The authors of [59] presented an ICSBP algorithm to overcome the shortcomings of traditional neural networks, which was used as part of the information security risk assessment (ISRA) processes for a miniature IoT system [59]. The authors of [60] proposed an application model of the genetic algorithm (GA) to solve the multicriteria optimization problem in the distribution of resources destined to the cybersecurity of the protected object with the Bellman-Zade principle [60]. The authors of [61] developed an information security risk assessment model based on the GA and BP neural network [61].
The authors of [62] evaluated the performance of a restricted version of the non-dominated sorting genetic algorithm II (NSGA-II), a multi-objective evolutionary optimization algorithm, written in MATLAB [62]. The authors of [63] developed a multi-objective mathematical programming model for time-cost-quality trade-off scheduling problems in construction projects, applying three metaheuristic algorithms: the multi-objective gray wolf optimizer (MOGWO), the non-dominated sorting genetic algorithm (NSGA-II) and multi-objective particle swarm optimization (MOPSO) [63]. A variety of investigations have combined various techniques using the NSGA-II genetic algorithm, or have modified the NSGA-II algorithm to obtain higher efficiency and better solutions [64,65,66,67,68,69]. Some works have proposed an improved multi-objective genetic algorithm, comparing it with other algorithms such as the NSGA-II to measure its effectiveness [8,70,71].

2.1.4. Criteria Used for Multi-Objective Optimization

We can categorize the most used criteria in information security optimization problems into economic criteria and technical criteria for effectiveness [8,60,72,73,74,75,76]. Other authors have used cost-benefit criteria [5,6,7,77,78]. They have also used examples of benefits, such as cost reduction, income and economic efficiency; and examples of cost, such as operating cost, opportunity cost, switching cost and total costs. Criteria widely used in this field of information security are: threat criteria, such as probability of threats, efficiency of attackers and possibility of risk; impact criteria, such as potential damage; and vulnerability criteria, such as exposure factor and risk factor [5,6,59,79]. Other categories used are resources, such as fixed budgets, asset values or attacker resources; and functions, such as decision trees, mitigation quality parameters and fuzzy numbers [5]. The criterion considered in this work is the Information Security Management Capacity (CGSI), which considers five factors: strategic, resources and capacities, organization/management, continuous improvement and the local, national and international context. Once the five factors have been evaluated, the organization can be classified within five levels: initial, formative, managed, strategic and optimized, which is the maximum level that an organization must reach [80].

2.1.5. Multi-Objective Algorithm Metrics

There are many performance indicators to measure the quality of the Pareto front approximations produced, which allows the comparison and analysis of the results of different algorithms. Performance indicators are categorized into four groups according to their properties: cardinality, convergence, distribution and dispersion [81,82,83]. In the present work, we only mention a few indicators that are found in the literature: the hypervolume indicator and the hyperarea difference are good measures of dominance and distribution properties and do not require knowledge of the Pareto front [84,85,86]; a widely used indicator to compare multi-objective algorithms is the computational time or CPU time in seconds used to execute the algorithm (the shorter the time, the better) [63,87]; the number of points in the approximate front or number of non-dominated solutions are considered quality measures of the algorithms [82,88]; the Karush-Kuhn-Tucker Proximity Measure (KKTPM) [64,66]; and the non-uniformity of the solutions obtained in the Pareto front, which is measured by SPREAD [64]. Regarding the convergence metrics, the Generational Distance and the Inverse Generational Distance are widely used [64,82].

2.1.6. Criteria for Classifying and Prioritizing Cybersecurity Projects

There are multiple criteria to classify and prioritize cybersecurity projects which depend on each organization. These criteria are important to achieve strategic objectives. In Table 1, we can observe the most used criteria to classify and prioritize cybersecurity projects found in the literature and in the practice of public organizations.

2.2. Methods

To carry out this research, the deductive method was used, which involved exploratory research and the review of the information available from official websites, regulations and provisions related to the optimization of projects. To obtain the results, the following activities were carried out.

2.2.1. First Phase

In the first phase, the available information on business architecture models, criteria and variables to consider in an organization was analyzed to propose a general framework for public organizations. Figure 1 shows the general framework of the work proposed.

2.2.2. Second Phase

In the second phase, the information available on the most important criteria and variables related to project planning to improve information security in an organization was analyzed. In addition, the solution alternatives to multi-objective optimization problems were reviewed, as well as the main metrics and quality indicators of the results. With this analysis, we can pose the problem to solve in order to propose improvements in the information security of organizations.
Figure 2 shows the process of planning strategic projects to improve the information security of a Public Organization. The starting point is the analysis of the information security of the Public Organization to determine the current situation. For this, we considered the CGSI Information Security Management Capacity model because it gives importance to strategic planning as a starting point, which traces the route through which the organization efficiently uses all its resources and capabilities in order to preserve the continuity, integrity and availability of information. The analysis serves to highlight deficiencies and limitations in organizations, such as a lack of strategies and objectives, lack of managerial support, lack of a unified vision at all levels of the organization, lack of organizational culture and lack of resources, among others, that were related to the lack of strategic planning [80].
Once the current situation of information security is known, the organization proposes the desired situation. This requires strategic planning that directs resources and capacities toward the proposed objectives at the strategic, tactical and operational levels through planned projects. The critical problem to be solved by the IT management is the optimal selection of the projects that the organization must implement, considering the economic criterion of a fixed budget that is less than the total budget of all the planned projects. In addition, technical criteria must be considered in the prioritization of the projects. The list of criteria taken from the literature review can be seen in Table 1.

2.2.3. Third Phase

In the third phase, with the strategic projects planned and the criteria and restrictions of the organization known, a mathematical model was proposed for the optimization of the management of strategic projects to improve the information security of a Public Organization. The model is based on the generic multi-objective optimization problem (MOP) and is solved with the genetic algorithm NSGA-II, considering that, according to the review of the literature, evolutionary computation is one of the current trends to efficiently solve this type of problem. According to [91], the generic model used, considering the sets of n decision variables, k objective functions and m restrictions, is as follows:
$$\text{Optimize: } y = F(x) = (f_1(x), f_2(x), \ldots, f_k(x)), \tag{1}$$
$$\text{Subject to: } g(x) = (g_1(x), g_2(x), \ldots, g_m(x)) \le 0, \tag{2}$$
$$\text{Where: } x = (x_1, x_2, \ldots, x_n) \in X \subseteq \mathbb{R}^n, \tag{3}$$
$$y = (y_1, y_2, \ldots, y_n) \in Y \subseteq \mathbb{R}^n, \tag{4}$$
We define x as the decision vector in a decision space X and y as the objective vector in an objective space Y. The problem lies in finding a set of optimal solutions such that one cannot be improved without deteriorating another, which we call a Pareto optimal set.
Once the optimization model has been determined with all the criteria or objectives involved in a public organization, we simplified the model, keeping only two objectives through the cost-benefit concept. Following [6], we used the costs of the planned strategic projects and, instead of the economic benefit, the technical benefit of the improvement in information security that is achieved with the implementation of the chosen projects, considering the contribution of the criteria of the initial model. We considered the same weight for all the criteria that contributed to the calculation of the CMSI%. In addition, to standardize its calculation, the percentage relative frequency was used, and then the average of the frequencies of all the criteria was determined.

2.2.4. Fourth Phase

In the fourth phase, a generic algorithm was developed considering the mathematical optimization model proposed in the previous phase. According to [66], the pseudocode of the generic Algorithm 1 is as follows:
Algorithm 1 NSGA-II
1. Randomly generate the initial population
2. For counter from 1 to (number of generations defined)
3.     Assess individuals for all target values
4.     Non-dominated classification based on Pareto dominance
5.     Generate non-dominated front sets
6.     Selection by tournament
7.     Crossing
8.     Mutation
9.     Create the next generation of individuals
10. End For
We chose the genetic algorithm using NSGA-II because it is one of the main multi-objective optimization methods which is widely applied, and its Pareto-based approach makes it suitable for optimization problems with few objectives. NSGA-II has been proven to be effective for two-objective functions in portfolio selection problems [66]. Simulations have shown that NSGA-II is able, for most problems, to find a much better distribution of solutions and better convergence near the true Pareto optimal front compared to other algorithms [68].

2.2.5. Fifth Phase

In the fifth phase, for the experimentation of the proposed model, the algorithm was implemented in the Python programming language to perform a simulation and obtain results to analyze the quality and robustness of the solutions.
Real data were taken from 30 strategic projects planned to improve the security of a distributed database of a public organization in order to create several test scenarios, one of which was taken to present in this investigation. We ran the program 20 times and selected one test scenario at random to display the results.
Table 2 shows data from 30 planned projects with the required cost in USD and the %CMSI that each project contributes to 100% of the strategic projects planned to improve information security.
The parameters of the problem were the budget allocated for the planned projects, P = $200,000.00, and the minimum %CMSI expected to be obtained for the planned period, which for this simulation was E = 80%. The problem for the IT administrators of the organization was to implement a set of projects that achieves the highest %CGSI with the assigned budget, since the cost of 100% of the planned projects, USD 287,446.00 for this simulation, exceeded the budget.
Considering the data of the problem in Table 2, the parameters of the problem and the parameters of the genetic algorithm in Table 3, a Pareto front plot was created to show the optimal, non-dominated results of the simulation performed.
The execution of the algorithm implemented in Python version 3.7 was carried out on a computer with an Intel(R) Core(TM) i3-5005U CPU @ 2.00GHz, with 6.00 GB RAM and a 64-bit operating system.

2.2.6. Sixth Phase

To analyze the relationship between the variables number of planned projects, cost of projects and CMSI%, we created scatterplots and calculated Pearson’s coefficient [92,93,94].

3. Results

3.1. Mathematical Optimization Model

3.1.1. Goal Optimization Model

Given the n decision variables, x = (x1, x2, x3, …, xn), representing all the projects planned to improve the organization’s information security, the model must obtain a subset of projects to execute, which are the optimal solutions. These solutions allow five objectives to be achieved: (1) the minimization of costs, (2) the maximization of origin of fulfillment, (3) the maximization of the profit/effort ratio, (4) the execution time maximization and (5) resource maximization. The five objectives are bounded by the constraints, which make it possible to find the subset of feasible solutions of the problem.
Optimization criteria:
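$$\text{Min } Y_1 = f_1(x) = \sum_{i=1}^{n} c_i x_i, \tag{5}$$
$$\text{Max } Y_2 = f_2(x) = \sum_{i=1}^{n} o_i x_i, \tag{6}$$
$$\text{Max } Y_3 = f_3(x) = \sum_{i=1}^{n} g_i x_i, \tag{7}$$
$$\text{Max } Y_4 = f_4(x) = \sum_{i=1}^{n} t_i x_i, \tag{8}$$
$$\text{Max } Y_5 = f_5(x) = \sum_{i=1}^{n} r_i x_i, \tag{9}$$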
Restrictions:
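$$\sum_{i=1}^{n} c_i x_i \le P, \tag{10}$$
$$\sum_{i=1}^{n} o_i x_i = 100\%, \tag{11}$$
$$\sum_{i=1}^{n} g_i x_i = 100\%, \tag{12}$$
$$\sum_{i=1}^{n} t_i x_i = 100\%, \tag{13}$$
$$\sum_{i=1}^{n} r_i x_i = 100\%, \tag{14}$$
$$i \ge 0; \; P \ge 0, \tag{15}$$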
where
c: the costs required by the projects planned by the organization, ranging from i = 1 to “n” planned projects.
o: the information security improvement assessments added by each project due to the origin of the project’s non-compliance, expressed in percentage terms, of the “n” planned projects.
g: the valuations of the profit/effort ratio of each project, expressed in percentage terms, of the “n” planned projects.
t: the evaluations based on the execution time of each project, expressed in percentage terms, of the “n” planned projects.
r: the assessments of the types of resources required for each project, expressed in percentage terms, of the “n” planned projects.
P: the budget that the organization has allocated to execute the selected projects.

3.1.2. Simplified Cost-Benefit Optimization Model, for the Management of Planned Strategic Projects

Given the model of Formulas (5)–(15), of the five criteria, we can simplify the model using the cost-benefit criterion, where the cost defines the first objective, (1) minimization of the cost of the project, and the benefit defines the second objective, (2) maximization of the improvement of the information security CMSI. The second objective was calculated by means of the average of the four criteria of the previous model: assessment of the origin of the non-compliance, the profit/effort ratio, the execution time and the types of resources. All criteria to calculate the CMSI% had the same weight of 25%, and to standardize its calculation, the percentage relative frequency was used and then the average was determined. The result of the %CMSI calculation can be seen in Table 2.
Optimization criteria:
$$\text{Min } Y_1 = f_1(x) = \sum_{i=1}^{n} c_i x_i, \tag{16}$$
$$\text{Max } Y_2 = f_2(x) = \sum_{i=1}^{n} b_i x_i, \tag{17}$$
Restrictions:
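$$\sum_{i=1}^{n} c_i x_i \le P, \tag{18}$$
$$\sum_{i=1}^{n} b_i = 100\%, \tag{19}$$
$$\sum_{i=1}^{n} b_i \ge E, \tag{20}$$
$$i \ge 0; \; P_j \ge 0; \; E \ge 0, \tag{21}$$
$$0 \le E \le 100\%, \tag{22}$$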
where
c: the costs required by the projects planned by the organization, ranging from i = 1 to “n” planned projects.
b: the calculated benefits or the improvement contribution to information security of each planned project (CMSI), expressed in percentage terms, of the “n” planned projects.
P: the budget that the organization has allocated to execute the selected projects.
E: the % of CMSI that the organization expects to obtain from 100% of the n planned projects.
Models (5)–(15) and (16)–(22) meet the conditions to be considered linear programming problems, which can be solved by classical methods such as the simplex algorithm; however, we used genetic algorithms because, according to the literature review carried out, we observed a tendency to use these evolutionary methods as they overcome certain aspects and limitations of linear programming. Genetic algorithms are more efficient than linear programming algorithms [95]. In addition, they are more practical to implement, the solutions are closer to real-world problems and they can take advantage of increased computational processing power.

3.2. Genetic Algorithm Applied to the Optimization Model

The method we chose to solve the optimization problem of planned projects to improve information security for an organization was through the genetic algorithm using NSGA-II, belonging to the group of evolutionary methods that can be used to solve information security problems such as search and optimization. Figure 3 shows the application of the genetic algorithm using NSGA-II, an optimization process in which the individuals of a population of planned projects gradually improve by adapting to their environment. The environment of this evolutionary process is determined by the objective function and its restrictions.
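The following is an added example, not the authors' implementation: a compact NSGA-II in Python for the simplified cost-benefit model (16)–(22), following the steps of Algorithm 1. The project list, budget P and threshold E are constructed sample values rather than the paper's data, and the GA parameters and the constraint handling (feasible selections rank ahead of infeasible ones) are assumptions, since the page does not state how the constraints were enforced.

```python
import random

# Constructed sample portfolio (NOT the paper's Table 2): (cost c_i in USD, benefit b_i in %CMSI).
# The b_i sum to 100 %, as the model requires; the costs total USD 215,000.
PROJECTS = [(30000, 14.0), (12000, 6.0), (25000, 11.0), (8000, 5.0), (40000, 15.0),
            (15000, 8.0), (22000, 9.0), (10000, 7.0), (35000, 12.0), (18000, 13.0)]
BUDGET = 150000      # P: assumed budget, below the total cost of all projects
MIN_BENEFIT = 60.0   # E: assumed minimum %CMSI the selection must reach

def evaluate(x):
    """f1(x) = sum c_i x_i (to minimize), f2(x) = sum b_i x_i (to maximize)."""
    cost = sum(c for (c, _), xi in zip(PROJECTS, x) if xi)
    benefit = sum(b for (_, b), xi in zip(PROJECTS, x) if xi)
    return cost, benefit

def violation(obj):
    """0 when cost <= P and benefit >= E, otherwise the normalized excess."""
    cost, benefit = obj
    return max(0, cost - BUDGET) / BUDGET + max(0.0, MIN_BENEFIT - benefit) / 100.0

def dominates(a, b):
    """Constrained domination: lower violation wins; ties use Pareto dominance."""
    va, vb = violation(a), violation(b)
    if va != vb:
        return va < vb
    return a[0] <= b[0] and a[1] >= b[1] and a != b

def nondominated_sort(objs):
    """Return fronts as lists of indices; front 0 is the non-dominated set."""
    n = len(objs)
    dominated_by, counts = [[] for _ in range(n)], [0] * n
    for i in range(n):
        for j in range(n):
            if dominates(objs[i], objs[j]):
                dominated_by[i].append(j)
            elif dominates(objs[j], objs[i]):
                counts[i] += 1
    fronts, current = [], [i for i in range(n) if counts[i] == 0]
    while current:
        fronts.append(current)
        nxt = []
        for i in current:
            for j in dominated_by[i]:
                counts[j] -= 1
                if counts[j] == 0:
                    nxt.append(j)
        current = nxt
    return fronts

def crowding(front, objs):
    """Crowding distance per index; boundary points of each objective get infinity."""
    dist = {i: 0.0 for i in front}
    for m in range(2):
        order = sorted(front, key=lambda i: objs[i][m])
        span = objs[order[-1]][m] - objs[order[0]][m] or 1.0
        dist[order[0]] = dist[order[-1]] = float("inf")
        for k in range(1, len(order) - 1):
            dist[order[k]] += (objs[order[k + 1]][m] - objs[order[k - 1]][m]) / span
    return dist

def nsga2(pop_size=40, generations=60, p_mut=0.1, seed=1):
    """Return the feasible non-dominated selections as sorted ((cost, benefit), x) pairs."""
    rng = random.Random(seed)
    n = len(PROJECTS)
    pop = [tuple(rng.randint(0, 1) for _ in range(n)) for _ in range(pop_size)]  # step 1
    for _ in range(generations):                                                 # step 2
        objs = [evaluate(x) for x in pop]                                        # step 3
        rank, dist = {}, {}
        for r, front in enumerate(nondominated_sort(objs)):                      # steps 4-5
            dist.update(crowding(front, objs))
            rank.update((i, r) for i in front)

        def tournament():                                                        # step 6
            i, j = rng.randrange(len(pop)), rng.randrange(len(pop))
            return pop[min(i, j, key=lambda k: (rank[k], -dist[k]))]

        children = []
        while len(children) < pop_size:
            a, b = tournament(), tournament()
            cut = rng.randrange(1, n)
            child = a[:cut] + b[cut:]                                            # step 7
            children.append(tuple(1 - g if rng.random() < p_mut else g
                                  for g in child))                               # step 8
        # Step 9: elitist survival over parents + children, duplicates removed.
        union = list(dict.fromkeys(pop + children))
        objs = [evaluate(x) for x in union]
        pop = []
        for front in nondominated_sort(objs):
            d = crowding(front, objs)
            front.sort(key=lambda i: -d[i])
            pop += [union[i] for i in front[:pop_size - len(pop)]]
    objs = [evaluate(x) for x in pop]
    best = nondominated_sort(objs)[0]
    return sorted({(objs[i], pop[i]) for i in best if violation(objs[i]) == 0})

if __name__ == "__main__":
    for (cost, benefit), x in nsga2():
        chosen = [i + 1 for i, xi in enumerate(x) if xi]
        print(f"USD {cost:>7,}  %CMSI {benefit:5.1f}  projects {chosen}")
```

Each returned row is one trade-off on the approximate Pareto front: a project subset that fits the budget, reaches at least E, and is not beaten on both cost and benefit by any other subset found.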

3.3. Experiment and Analysis

The average response time of the execution of the algorithm with the data presented was 25 s, a quite acceptable computational cost, which is an important aspect when implementing practical tools that help in the planning and optimization of tasks related to information security in organizations.
In this simulation, the Pareto Front contained an average of 43 different non-dominated solutions, which are shown in Figure 4. Table 4 lists the first 10 optimal solutions that meet the budget and %CMSI criteria. The results show solutions with a %CMSI from 84.64% to 92.20%, higher than the 80% required, with a budget close to USD 200,000.00. The final decision will depend not only on the highest CMSI% that the set of projects contributes, but also on the number of projects to be executed and other characteristics that the IT management can compare. If the IT management has the ability to influence the senior management to achieve a larger budget, it will be able to find better solutions, which have a CMSI% close to 100%.
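The model and the NSGA-II procedure of Sections 3.1 to 3.3, as an added example that is not the authors' implementation: a compact NSGA-II run on the Table 2 data with the Table 3 probabilities, generation count and tournament size. Assumed here: binary selection variables x_i, the budget P = USD 200,000 and E = 80% taken from the text above, a population of 100, one-point crossover, single-gene flip mutation, and the constraint-domination rule of the NSGA-II paper [68] for the restrictions; all function names are illustrative.

```python
import random

# Table 2 of the article: (cost in USD, %CMSI in hundredths of a percent), projects 1..30.
PROJECTS = [
    (6231, 516), (14848, 94), (12149, 25), (10105, 598), (6094, 227), (8055, 201),
    (12029, 183), (4349, 113), (4039, 88), (13449, 548), (4169, 441), (12763, 76),
    (12270, 478), (9667, 346), (2423, 31), (16054, 610), (18571, 554), (5090, 176),
    (13403, 189), (3582, 409), (19089, 491), (10606, 529), (12850, 453), (19918, 164),
    (7300, 560), (3279, 340), (2501, 585), (8467, 365), (10482, 604), (3614, 6),
]
N = len(PROJECTS)
TOTAL_COST = sum(c for c, _ in PROJECTS)  # USD 287,446, the Table 2 total

def evaluate(x):
    """(f1, f2) of a 0/1 selection vector x: total cost, total CMSI in hundredths."""
    chosen = [p for p, bit in zip(PROJECTS, x) if bit]
    return sum(c for c, _ in chosen), sum(b for _, b in chosen)

def violation(f, budget, e_min):
    """How far (cost, cmsi) breaks cost <= budget and cmsi >= e_min; 0 means feasible."""
    return max(0, f[0] - budget) / TOTAL_COST + max(0, e_min - f[1]) / 10000

def dominates(a, b):
    """Constraint-domination on (cost, cmsi, violation) triples."""
    if a[2] > 0 or b[2] > 0:  # an infeasible one is involved: less violation wins
        return a[2] < b[2]
    return a[0] <= b[0] and a[1] >= b[1] and (a[0] < b[0] or a[1] > b[1])

def sort_fronts(scores):
    """Fast non-dominated sort: fronts as lists of indices, best front first."""
    n = len(scores)
    beaten, count = [[] for _ in range(n)], [0] * n  # dominated-by-i lists; dominator counts
    for i in range(n):
        for j in range(i + 1, n):
            if dominates(scores[i], scores[j]):
                beaten[i].append(j)
                count[j] += 1
            elif dominates(scores[j], scores[i]):
                beaten[j].append(i)
                count[i] += 1
    fronts = [[i for i in range(n) if count[i] == 0]]
    while fronts[-1]:
        nxt = []
        for i in fronts[-1]:
            for j in beaten[i]:
                count[j] -= 1
                if count[j] == 0:
                    nxt.append(j)
        fronts.append(nxt)
    return fronts[:-1]

def crowding(front, scores):
    """Crowding distance of each index in one front (boundary points get infinity)."""
    dist = {i: 0.0 for i in front}
    for k in (0, 1):
        order = sorted(front, key=lambda i: scores[i][k])
        span = (scores[order[-1]][k] - scores[order[0]][k]) or 1
        dist[order[0]] = dist[order[-1]] = float("inf")
        for lo, mid, hi in zip(order, order[1:], order[2:]):
            dist[mid] += (scores[hi][k] - scores[lo][k]) / span
    return dist

def ranked(pop, budget, e_min, keep=None):
    """Order pop best-first by (front rank, larger crowding distance); keep the top ones."""
    scores = [f + (violation(f, budget, e_min),) for f in map(evaluate, pop)]
    key = {}
    for rank, front in enumerate(sort_fronts(scores)):
        dist = crowding(front, scores)
        for i in front:
            key[i] = (rank, -dist[i])
    order = sorted(range(len(pop)), key=key.get)[:keep]
    return [pop[i] for i in order], [scores[i] for i in order]

def nsga2(budget=200_000, e_min=8000, pop_size=100, generations=200,  # pop_size is assumed
          p_cross=0.7, p_mut=0.3, k_tour=3, seed=1):
    """Return the feasible non-dominated portfolios as (cost, %CMSI, project numbers)."""
    rng = random.Random(seed)
    pop = [tuple(rng.randint(0, 1) for _ in range(N)) for _ in range(pop_size)]
    pop, scores = ranked(pop, budget, e_min)
    for _ in range(generations):
        children = []
        while len(children) < pop_size:  # tournament: pop is best-first, lowest index wins
            a, b = (pop[min(rng.randrange(pop_size) for _ in range(k_tour))] for _ in range(2))
            if rng.random() < p_cross:  # one-point crossover (assumed operator)
                cut = rng.randrange(1, N)
                a, b = a[:cut] + b[cut:], b[:cut] + a[cut:]
            for child in (a, b):
                if rng.random() < p_mut:  # flip one random gene (assumed operator)
                    g = rng.randrange(N)
                    child = child[:g] + (1 - child[g],) + child[g + 1:]
                children.append(child)
        pop, scores = ranked(pop + children, budget, e_min, pop_size)  # elitist survival
    feas = {x: s for x, s in zip(pop, scores) if s[2] == 0}
    return sorted((s[0], s[1] / 100, [i + 1 for i in range(N) if x[i]])
                  for x, s in feas.items() if not any(dominates(t, s) for t in feas.values()))

if __name__ == "__main__":
    print(*nsga2(), sep="\n")  # one (cost, %CMSI, project numbers) tuple per line
```

Every returned tuple can be verified by hand against Table 2, since its cost and %CMSI are plain sums over the listed project numbers.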

3.4. Variable Correlation Analysis

The correlation matrix in Table 5 shows the Pearson correlation values, which measure the degree of the linear relationship between each pair of variables, as well as the strength and direction of the relationship. All correlations were positive, meaning the two variables tended to increase or decrease at the same time. All variables had correlation values greater than 0.7; therefore, they are considered highly correlated. This correlation is reflected in Figure 4, Figure 5 and Figure 6, which show that the higher the budget, the greater the CMSI%; the higher the budget, the greater the number of projects to be executed; and the higher the CMSI%, the greater the number of projects to be executed.

4. Discussion

We measured the quality and robustness of the solutions by comparing our results with other heuristic approaches considering metrics and indicators widely used in the literature. The measurements performed in the simulation, such as computation time, convergence, distribution and average number of solutions in the Pareto Front of Figure 4, show that the NSGA-II algorithm is effective for two objectives. We discarded measures that required knowing the real Pareto frontier because it was not feasible for this case.
The results obtained in the simulation demonstrate the quality and robustness of the solutions produced by the proposed mathematical optimization Models (16)–(22). These results confirm the theoretical and practical arguments of our scientific review on project portfolio selection and scheduling issues, multi-objective optimization problems and evolutionary algorithms such as NSGA-II and decision theory, among others.
The proposed mathematical optimization Models (16)–(22) efficiently ensure the improvement of the information security of a public organization, based on strategic planning that directs the available resources and capacities toward achieving the objectives established for the organization. Because the model allows the selection of a set of security projects aligned with the strategic management objectives, better results will be achieved when organizations have more resources or higher budgets, since the number of projects, the budget and the CMSI% are highly positively correlated variables.
From the review of the literature carried out, we found cases where genetic algorithms were applied both for the critical project portfolio selection problem and other multi-objective optimization problems with results similar to those of this work. The application of genetic algorithms allowed decision-makers to have a set of optimal, quality solutions in a reasonable time that can be implemented in practical applications such as [43,62,63,64,65,66,68,69,70,71,79,84,88,96]. The proposed model is generic, so it can be implemented in any organization, whether public or private, from any line of business, from any country.

5. Future Work and Conclusions

In the future, we propose the application of the optimization model to a larger set of planned strategic projects of a public organization; it should also include all types of resources that are used in strategic project planning. The comparison must be made with other optimization algorithms, and the NSGA-II must be combined with other Artificial Intelligence methods that make it possible to obtain the solutions more efficiently.
Models (16)–(22) are a multi-objective optimization problem with two opposing criteria: the minimization of project costs and the maximization of the CMSI% of a Public Organization. The simulation carried out allowed us to verify that the model is efficient. We found a set of optimal solutions with a CMSI% from 84.64% to 92.20%, which met the organization’s budget.
The mathematical model for optimizing the management of strategic projects planned to improve the information security of a Public Organization can be used as a component in the analysis and strategic planning of the information security of a Public Organization or even any type of organization.
The simulation carried out showed that the proposed model is very easy to implement, very practical and can be a powerful decision-making tool to choose the best solution considering the objectives and limitations of a Public Organization.
Among the benefits for organizations, it is worth mentioning the increase in productivity and effectiveness of the process of selecting strategic projects planned to improve information security, the automation of the process, the reduction of errors in the process and improved decision-making when a set of optimal, quality solutions is available.

Author Contributions

Conceptualization, R.R.I.; methodology, R.R.I.; software, R.R.I.; validation, R.R.I.; formal analysis, R.R.I.; investigation, R.R.I.; resources, R.R.I.; writing—original draft preparation, R.R.I.; writing—review and editing, S.M.T.T.; conceptualization, methodology, S.M.T.T.; investigation, S.M.T.T.; supervision, S.M.T.T.; review, S.M.T.T. and L.J.C.M.; methodology, L.J.C.M.; supervision, M.M.B.H.; methodology, M.M.B.H.; supervision, E.Z.G.D.; validation, E.Z.G.D.; investigation, L.E.M.G.; conceptualization, L.E.M.G.; methodology, M.R.M.A.; formal analysis, M.R.M.A.; resources, J.A.O.T.; methodology, J.A.O.T. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Data Availability Statement

Not applicable.

Acknowledgments

The authors thank the “Secretaría de Educación Superior, Ciencia, Tecnología e Innovación” (Senescyt).

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Gartner. Gartner Prevé que el Gasto Mundial en TI Alcanzará los 4,4 Billones de Dólares en 2022. Gartner, Inc. 2022. Available online: https://www.gartner.com/en/newsroom/press-releases/2022-04-06-gartner-forecasts-worldwide-it-spending-to-reach-4-point-four-trillion-in-2022#:~:text=WorldwideITspendingisprojected,researchvicepresidentatGartner (accessed on 22 May 2022).
  2. Check-Point-Research. Check Point Software’s 2022 Security Report: Global Cyber Pandemic’s Magnitude Revealed. 2022. Available online: https://pages.checkpoint.com/cyber-security-report-2022.html (accessed on 22 May 2022).
  3. Sönmez, F. A Conceptual Model for a Metric Based Framework for the Monitoring of Information Security Tasks’ Efficiency. Procedia Comput. Sci. 2019, 160, 181–188.
  4. Masilela, L.; Nel, D. The role of data and information security governance in protecting public sector data and information assets in national government in South Africa. Afr. Public Serv. Deliv. Perform. Rev. 2021, 9, 10.
  5. Schatz, D.; Bashroush, R. Economic valuation for information security investment: A systematic literature review. Inf. Syst. Front. 2016, 19, 1205–1228.
  6. Kirenberg, A.; Medvedev, A.; Prokopenko, E. A mathematical model of information security for a mining company. E3S Web Conf. 2020, 174, 04012.
  7. Arora, A.; Hall, D.; Piato, C.; Ramsey, D.; Telang, R. Measuring the risk-based value of IT security solutions. IT Prof. 2004, 6, 35–42.
  8. Hashemi, S.M.; He, J.; Basabi, A.E. Multi-objective Optimization for Computer Security and Privacy. Int. J. Netw. Secur. 2017, 19, 394–405.
  9. Zelenkov, Y. Critical regular components of IT strategy: Decision making model and efficiency measurement. J. Manag. Anal. 2015, 2, 95–110.
  10. ISO/IEC/27004:2016; Information Technology–Security Techniques–Information Security Management–Monitoring, Measurement, Analysis and Evaluation. International Organization for Standardization (ISO): Ginebra, Switzerland, 2016.
  11. Klakegg, O.J. Project delivery models—Situational or fixed design? CSIT 2017, 2, 202–206.
  12. Bushuyev, S.; Gaydukova, N.; Bushuyeva, N.; Achkasov, I. Evaluation of the investment projects portfolio efficiency. In Proceedings of the 2021 IEEE 16th International Conference on Computer Sciences and Information Technologies (CSIT), Lviv, Ukraine, 22–25 September 2021.
  13. Ostakhov, V.; Artykulna, N.; Morozov, V. Analysis of models for IT projects prioritization in telecommunication company portfolio. In Proceedings of the 2018 14th International Conference on Advanced Trends in Radioelecrtronics, Telecommunications and Computer Engineering (TCSET), Slavske, Ukraine, 20–24 February 2018; pp. 245–250.
  14. Ranjbar, M.; Nasiri, M.M.; Torabi, S.A. Multi-mode project portfolio selection and scheduling in a build-operate-transfer environment. Expert Syst. Appl. 2021, 189, 116134.
  15. Valverde-Alulema, F.; Llorens-Largo, F. Rubric for Evaluating the Alignment of the IT Project Portfolio with IT Governance in Universities. ACM SIGMIS Database Database Adv. Inf. Syst. 2021, 52, 56–76.
  16. Saiya, A.A.; Arman, A.A. Indonesian Enterprise Architecture Framework: A Platform for Integrated and Connected Government. In Proceedings of the 2018 International Conference on ICT for Smart Society (ICISS), Semarang, Indonesia, 10–11 October 2018; pp. 1–6.
  17. Giron, C.L. Enterprise Architecture Model oriented to Architecture, Engineering and Construction Industry: Integration of Geospatial Concepts in a Specific Framework. In Proceedings of the 2020 15th Iberian Conference on Information Systems and Technologies (CISTI), Sevilla, Spain, 24–27 June 2020.
  18. Pinheiro, C.R.; Guerreiro, S.; Mamede, H.S. Automation of Enterprise Architecture Discovery based on Event Mining from API Gateway logs: State of the Art. In Proceedings of the 2021 IEEE 23rd Conference on Business Informatics (CBI), Bolzano, Italy, 1–3 September 2021; Volume 2, pp. 117–124.
  19. Proenca, D.; Borbinha, J. Enterprise Architecture: A Maturity Model Based on TOGAF ADM. In Proceedings of the 2017 IEEE 19th Conference on Business Informatics (CBI), Thessaloniki, Greece, 24–27 July 2017.
  20. Makovhololo, M.L. Effects of GWEA Implementation on ICT Standardisation Across SA Government Departments. In Proceedings of the 2018 Open Innovations Conference (OI), Johannesburg, South Africa, 3–5 October 2018; pp. 339–345.
  21. Nugroho, M.A.; Jusoh, R.; Salleh, N.A.M. The Role of Alignment between IS Strategy and Social Capital on the IS Capability and Business Performance Relationship: A Cross-Sectional Survey. IEEE Access 2020, 8, 152760–152771.
  22. Ntsoane, M.P.; Jokonya, O. Impact of Application Development in Managerial Skills, Knowledge and Enterprise Architecture amongst SMEs in Western Cape. In Proceedings of the 2019 International Multidisciplinary Information Technology and Engineering Conference (IMITEC), Vanderbijlpark, South Africa, 21–22 November 2019; pp. 1–8.
  23. Almutairi, A.; Naeem, M.A.; Weber, G. Assessing User Satisfaction of Current Enterprise Systems and Their Adaptability from the Perspective of Top Management. IEEE Access 2021, 9, 153442–153455.
  24. Sousa, P.; Carvalho, M. Dynamic Organization’s Representation. In Linking Project Management with Enterprise Architecture. In Proceedings of the 2018 IEEE 20th Conference on Business Informatics (CBI), Vienna, Austria, 11–14 July 2018.
  25. Reis, A.C.B.; de Moraes, G.M.; de Oliveira, W.S.; Júnior, E.S.; Monteiro, S.B.S. Modelo para priorização de execução de projetos de TI em uma instituição financeira. Rev. Ibérica Sist. Tecnol. Inf. 2020, E27, 319–332.
  26. Tselios, D.; Ipsilandis, P. Telecommunication projects portfolio scheduling using the IFM approach. In Proceedings of the 2017 25th Telecommunication Forum (TELFOR), Belgrade, Serbia, 21–22 November 2017; pp. 1–4.
  27. Mylnikov, L. Efficiency management of discrete production systems under the dynamics of project portfolio. Comput. Ind. Eng. 2021, 163, 107807.
  28. Jafarzadeh, H.; Heidary-Dahooie, J.; Akbari, P.; Qorbani, A. A project prioritization approach considering uncertainty, reliability, criteria prioritization, and robustness. Decis. Support Syst. 2022, 156, 113731.
  29. Harrison, K.R.; Garanovich, I.L.; Weir, T.; Boswell, S.G.; Elsayed, S.M.; Sarker, R.A. Evolutionary and Memetic Computing for Project Portfolio Selection and Scheduling: An Introduction; Springer: Cham, Germany, 2021; pp. 1–8.
  30. Saiz, M.; Lostumbo, M.A.; Juan, A.A.; Lopez-Lopez, D. A clustering-based review on project portfolio optimization methods. Int. Trans. Oper. Res. 2021, 29, 172–199.
  31. Liesiö, J.; Salo, A.; Keisler, J.M.; Morton, A. Portfolio decision analysis: Recent developments and future prospects. Eur. J. Oper. Res. 2020, 293, 811–825.
  32. Mahmoudi, A.; Abbasi, M.; Deng, X. A novel project portfolio selection framework towards organizational resilience: Robust Ordinal Priority Approach. Expert Syst. Appl. 2021, 188, 116067.
  33. Mohagheghi, V.; Mousavi, S.M. A new multi-period optimization model for resilient-sustainable project portfolio evaluation under interval-valued Pythagorean fuzzy sets with a case study. Int. J. Mach. Learn. Cybern. 2021, 12, 3541–3560.
  34. Kolisch, R.; Fliedner, T. A Decision Support System for Planning Portfolios of Supply Chain Improvement Projects in the Semiconductor Industry. In Evolutionary and Memetic Computing for Project Portfolio Selection and Scheduling; Springer Science and Business Media Deutschland GmbH: Cham, Germany, 2022; Volume 26, pp. 193–212.
  35. Calbert, G.; Weir, T.; Garanovich, I.L. Kuhn, C.C.N. A Temporal Knapsack Approach to Defence Portfolio Selection. In Evolutionary and Memetic Computing for Project Portfolio Selection and Scheduling; Springer Science and Business Media Deutschland GmbH: Cham, Germany, 2022; pp. 159–191.
  36. De Almeida, J.A.; Vetschera, R. Bounds in Tree-Based Approaches to Generate Project Portfolios in the Presence of Interactions. Int. J. Decis. Support Syst. Technol. 2021, 13, 50–70.
  37. Martins, C.L.; Zaraté, P.; de Almeida, A.T.; de Almeida, J.A.; Morais, D.C. Web-Based DSS for Resource Allocation in Higher Education. Int. J. Decis. Support Syst. Technol. 2021, 13, 71–93.
  38. Mussoi, F.L.R.; Teive, R.C.G. An integrated multicriteria decision-making approach for distribution system expansion planning. Int. J. Intell. Syst. 2021, 36, 4962–4989.
  39. Fernández, E.; Rangel-Valdez, N.; Cruz-Reyes, L.; Gomez-Santillan, C. A New Approach to Group Multi-Objective Optimization under Imperfect Information and Its Application to Project Portfolio Optimization. Appl. Sci. 2021, 11, 4575.
  40. Harrison, K.R.; Elsayed, S.M.; Garanovich, I.L.; Weir, T.; Boswell, S.G.; Sarker, R.A. A. A New Model for the Project Portfolio Selection and Scheduling Problem with Defence Capability Options. In Evolutionary and Memetic Computing for Project Portfolio Selection and Scheduling; Springer Science and Business Media Deutschland GmbH: Cham, Germany, 2022; pp. 89–123.
  41. Fernández, E.; Solares, E.; Coello, C.A.C.; De-León-Gómez, V. An Overall Characterization of the Project Portfolio Optimization Problem and an Approach Based on Evolutionary Algorithms to Address It. In Evolutionary and Memetic Computing for Project Portfolio Selection and Scheduling; Springer Science and Business Media Deutschland GmbH: Cham, Germany, 2022; pp. 65–88.
  42. Sarker, R.A.; Harrison, K.R.; Elsayed, S.M. Evolutionary Approaches for Project Portfolio Optimization: An Overview. In Evolutionary and Memetic Computing for Project Portfolio Selection and Scheduling; Springer Science and Business Media Deutschland GmbH: Cham, Germany, 2022; pp. 9–35.
  43. Balderas, F.; Fernandez, E.; Gomez-Santillan, C.; Rangel-Valdez, N.; Cruz, L. An Interval-Based Approach for Evolutionary Multi-Objective Optimization of Project Portfolios. Int. J. Inf. Technol. Decis. Mak. 2019, 18, 1317–1358.
  44. Zolfaghari, S.; Mousavi, S.M. A novel mathematical programming model for multi-mode project portfolio selection and scheduling with flexible resources and due dates under interval-valued fuzzy random uncertainty. Expert Syst. Appl. 2021, 182, 115207.
  45. Rivera, G.; Florencia, R.; Guerrero, M.; Porras, R.; Sánchez-Solís, J.P. Online multi-criteria portfolio analysis through compromise programming models built on the underlying principles of fuzzy outranking. Inf. Sci. 2021, 580, 734–755.
  46. Bai, L.; Han, X.; Wang, H.; Zhang, K.; Sun, Y. A method of network robustness under strategic goals for project portfolio selection. Comput. Ind. Eng. 2021, 161, 107658.
  47. Khatun, M.T.; Hiekata, K.; Takahashi, Y.; Okada, I. Dynamic Modeling of Resource Allocation for Project Management in Multi-Project Environment. In Transdisciplinary Engineering for Resilience: Responding to System Disruptions, Proceedings of the 28th ISTE International Conference on Transdisciplinary Engineering, Online, 5–9 July 2021; IOS Press: Amsterdam, The Netherlands, 2021; pp. 223–232.
  48. Wu, L.-H.; Wu, L.; Shi, J.; Chou, Y.-T. Project Portfolio Selection Considering Uncertainty: Stochastic Dominance-Based Fuzzy Ranking. Int. J. Fuzzy Syst. 2021, 23, 2048–2066.
  49. Marchinares, A.H.; Rodriguez, C.R. Online Solution Based on Machine Learning for IT Project Management in Software Factory Companies. In Proceedings of the 2021 13th International Conference on Computational Intelligence and Communication Networks (CICN), Lima, Peru, 22–23 September 2021; pp. 150–154.
  50. Harrison, K.R.; Elsayed, S.; Sarker, R.A.; Garanovich, I.L.; Weir, T.; Boswell, S.G. Project portfolio selection with defense capability options. In Proceedings of the Genetic and Evolutionary Computation Conference Companion, Lille, France, 10–14 July 2021.
  51. Mokhtari, G.; Imamzadeh, E.S.M. Balancing the Portfolio of Urban and Public Projects with Distance-Dependent Coverage Facilities. Sci. Iran. 2021, 28, 2374–2385.
  52. Mavrotas, G.; Makryvelios, E. Combining multiple criteria analysis, mathematical programming and Monte Carlo simulation to tackle uncertainty in Research and Development project portfolio selection: A case study from Greece. Eur. J. Oper. Res. 2020, 291, 794–806.
  53. Hesarsorkh, A.H.; Ashayeri, J.; Naeini, A.B. Pharmaceutical R&D project portfolio selection and scheduling under uncertainty: A robust possibilistic optimization approach. Comput. Ind. Eng. 2021, 155, 107114.
  54. Abdalla, M.H.; Karabatak, M. To Review and Compare Evolutionary Algorithms in Optimization of Distributed Database Query. In Proceedings of the 2020 8th International Symposium on Digital Forensics and Security (ISDFS), Beirut, Lebanon, 1–2 June 2020; pp. 1–5.
  55. Wang, R.; Ji, W. Computational Intelligence for Information Security: A Survey. IEEE Trans. Emerg. Top. Comput. Intell. 2020, 4, 616–629.
  56. Yang, X.; Zou, J.; Yang, S.; Zheng, J.; Liu, Y. A Fuzzy Decision Variables Framework for Large-scale Multiobjective Optimization. IEEE Trans. Evol. Comput. 2021, 1.
  57. Katsupeev, A.A.; Shcherbakova, E.A.; Vorobyev, S.P. Comparison of evolutionary algorithms used to solve the optimization problem of information security of distributed systems. In Proceedings of the 2016 2nd International Conference on Industrial Engineering, Applications and Manufacturing (ICIEAM), Chelyabinsk, Russian, 19–20 May 2016; pp. 1–3.
  58. Ahrari, A.; Elsayed, S.; Sarker, R.; Essam, D.; Coello, C.A.C. Weighted pointwise prediction method for dynamic multiobjective optimization. Inf. Sci. 2020, 546, 349–367.
  59. Li, S.; Bi, F.; Chen, W.; Miao, X.; Liu, J.; Tang, C. An Improved Information Security Risk Assessments Method for Cyber-Physical-Social Computing and Networking. IEEE Access 2018, 6, 10311–10319.
  60. Lakhno, V.; Akhmetov, B.; Adilzhanova, S.; Blozva, A.; Svitlana, R.; Dmytro, R. The Use of a Genetic Algorithm in the Problem of Distribution of Information Security Organizational and Financial Resources. In Proceedings of the 2020 IEEE 2nd International Conference on Advanced Trends in Information Theory (ATIT), Kyiv, Ukraine, 25–27 November 2020; pp. 251–254.
  61. Song, Y.; Shen, Y.; Zhang, G.; Hu, Y. The information security risk assessment model based on GA-BP. In Proceedings of the 2016 7th IEEE international conference on software engineering and service science (ICSESS), Beijing, China, 26–28 August 2016; pp. 119–122.
  62. Alioui, Y.; Acar, R. An evaluation of a constrained multi-objective genetic algorithm. J. Sci. Perspect. 2020, 4, 137–146.
  63. Kebriyaii, O.; Heidari, A.; Khalilzadeh, M.; Antucheviciene, J.; Pavlovskis, M. Application of Three Metaheuristic Algorithms to Time-Cost-Quality Trade-Off Project Scheduling Problem for Construction Projects Considering Time Value of Money. Symmetry 2021, 13, 2402.
  64. Abouhawwash, M.; Deb, K. Reference point based evolutionary multi-objective optimization algorithms with convergence properties using KKTPM and ASF metrics. J. Heurist. 2021, 27, 575–614.
  65. Algarni, M.; Alazwari, M.A.; Safaei, M.R. Optimization of Nano-Additive Characteristics to Improve the Efficiency of a Shell and Tube Thermal Energy Storage System Using a Hybrid Procedure: DOE, ANN, MCDM, MOO, and CFD Modeling. Mathematics 2021, 9, 3235.
  66. Awad, M.; Abouhawwash, M.; Agiza, H.N. On NSGA-II and NSGA-III in Portfolio Management. Intell. Autom. Soft Comput. 2022, 32, 1893–1904.
  67. Liu, Y.; Zhu, N.; Li, M. Solving Many-Objective Optimization Problems by a Pareto-Based Evolutionary Algorithm with Preprocessing and a Penalty Mechanism. IEEE Trans. Cybern. 2020, 51, 5585–5594.
  68. Deb, K.; Pratap, A.; Agarwal, S.; Meyarivan, T. A fast and elitist multiobjective genetic algorithm: NSGA-II. IEEE Trans. Evol. Comput. 2002, 6, 182–197.
  69. Chen, J.; Du, T.; Xiao, G. A multi-objective optimization for resource allocation of emergent demands in cloud computing. J. Cloud Comput. Adv. Syst. Appl. 2021, 10, 20.
  70. Abido, M.A.; Elazouni, A. Modified multi-objective evolutionary programming algorithm for solving project scheduling problems. Expert Syst. Appl. 2021, 183, 115338.
  71. Atta, S.; Mahapatra, P.R.S.; Mukhopadhyay, A. A multi-objective formulation of maximal covering location problem with customers’ preferences: Exploring Pareto optimality-based solutions. Expert Syst. Appl. 2021, 186, 115830.
  72. Akhmetov, B.; Lakhno, V.; Akhmetov, B.; Myakuhin, Y.; Adranova, A.; Kydyralina, L. Models and Algorithms of Vector Optimization in Selecting Security Measures for Higher Education Institution’s Information Learning Environment. In Intelligent Systems in Cybernetics and Automation Control Theory; Springer: Berlin/Heidelberg, Germany, 2018; pp. 135–142.
  73. Bojanc, R.; Jerman-Blažič, B. Quantitative Model for Economic Analyses of Information Security Investment in an Enterprise Information System. Organizacija 2012, 45, 276–288.
  74. Klyaus, T.K.; Gatchin, Y.A. Mathematical Model for Information Security System Effectiveness Evaluation against Advanced Persistent Threat Attacks. In Proceedings of the 2020 Wave Electronics and its Application in Information and Telecommunication Systems (WECONF), Saint Petersburg, Russia, 1–5 June 2020; pp. 1–5.
  75. Ramalingam, D.; Arun, S.; Anbazhagan, N. A Novel Approach for Optimizing Governance, Risk management and Compliance for Enterprise Information security using DEMATEL and FoM. Procedia Comput. Sci. 2018, 134, 365–370.
  76. Zeng, W.; Koutny, M. Modelling and analysis of corporate efficiency and productivity loss associated with enterprise information security technologies. J. Inf. Secur. Appl. 2019, 49, 102385.
  77. Bai, X.; Gopal, R.; Nunez, M.; Zhdanov, D. A decision methodology for managing operational efficiency and information disclosure risk in healthcare processes. Decis. Support Syst. 2014, 57, 406–416.
  78. Zegzhda, P.D.; Anisimov, V.G.; Suprun, A.F.; Saurenko, T.N.; Los’, V.P. A Model of Optimal Complexification of Measures Providing Information Security. Autom. Control Comput. Sci. 2020, 54, 930–936.
  79. Stepanov, L.V.; Koltsov, A.S.; Parinov, A.V.; Dubrovin, A.S. Mathematical modeling method based on genetic algorithm and its applications. J. Phys. Conf. Ser. 2019, 1203, 012082.
  80. Izurieta, R.R.; Morales, L.J.C.; Toapanta, S.M.T.; Gallegos, L.E.M.; Trejo, J.A.O. Analysis of the Information Security of Public Organizations in Ecuador. In Proceedings of the 2021 International Conference on Computational Science and Computational Intelligence (CSCI), Las Vegas, NV, USA, 15–17 December 2021; pp. 823–829.
  81. Audet, C.; Bigeon, J.; Cartier, D.; Le Digabel, S.; Salomon, L. Performance indicators in multiobjective optimization. Eur. J. Oper. Res. 2020, 292, 397–422.
  82. Riquelme, N.; Von Lucken, C.; Baran, B. Performance metrics in multi-objective optimization. In Proceedings of the 2015 Latin American computing conference (CLEI), Arequipa, Peru, 19–23 October 2015; pp. 1–11.
  83. Okabe, T.; Jin, Y.; Sendhoff, B. A critical survey of performance indices for multi-objective optimisation. In Proceedings of the 2003 Congress on Evolutionary Computation, Canberra, Australia, 8–12 December 2003.
  84. Abedi, M.; Chiong, R.; Noman, N.; Zhang, R. A multi-population, multi-objective memetic algorithm for energy-efficient job-shop scheduling with deteriorating machines. Expert Syst. Appl. 2020, 157, 113348.
  85. Amine, K. Multiobjective Simulated Annealing: Principles and Algorithm Variants. Adv. Oper. Res. 2019, 2019, 8134674.
  86. Ishibuchi, H.; Imada, R.; Setoguchi, Y.; Nojima, Y. How to Specify a Reference Point in Hypervolume Calculation for Fair Performance Comparison. Evol. Comput. 2018, 26, 411–440.
  87. Nartey, C.; Tchao, E.T.; Gadze, J.D.; Yeboah-Akowuah, B.; Nunoo-Mensah, H.; Welte, D.; Sikora, A. Blockchain-IoT peer device storage optimization using an advanced time-variant multi-objective particle swarm optimization algorithm. EURASIP J. Wirel. Commun. Netw. 2022, 2022, 5.
  88. Biswas, S.; Acharyya, S. Multi-objective Simulated Annealing Variants to Infer Gene Regulatory Network: A Comparative Study. IEEE/ACM Trans. Comput. Biol. Bioinform. 2020, 18, 2612–2623.
  89. INCIBE. 6 Criterios para Categorizar y Priorizar tus Proyectos de Ciberseguridad en la Empresa. Instituto Nacional de Ciberseguridad. 2016. Available online: https://www.incibe.es/protege-tu-empresa/blog/criterios-clasificar-y-priorizar-proyectos-ciberseguridad-en-empresa (accessed on 29 July 2022).
  90. Ostakhov, V.; Morozov, V. Models and Methods of IT and Infocommunications Portfolio Management Using the System of Metrics and KPIs. In Proceedings of the 2019 IEEE International Scientific-Practical Conference Problems of Infocommunications, Science and Technology (PIC S&T), Kyiv, Ukraine, 8–11 October 2019; pp. 161–164.
  91. Van Veldhuizen, D.A.; Lamont, G.B. Genetic algorithms, building blocks, and multiobjective optimization. In Proceedings of the 1999 Genetic and Evolutionary Computation Conference, Orlando, FL, USA, 18 July 1999; Workshop Program. pp. 125–126.
  92. Kumar, G.P.; Jena, P. Pearson’s Correlation Coefficient for Islanding Detection Using Micro-PMU Measurements. IEEE Syst. J. 2020, 15, 5078–5089.
  93. Yan, Q.; Wang, J.; Liu, S.; Li, D. Differentially Private Decision Tree Based on Pearson’s Correlation Coefficient. In Proceedings of the 2021 11th International Conference on Information Science and Technology (ICIST), Chengdu, China, 21–23 May 2021; pp. 77–86.
  94. Solis, E.B.; Neto, A.M.; Huallpa, B.N. Pearson’s Correlation Coefficient for Discarding Redundant Information: Velodyne Lidar Data Analysis. In Proceedings of the 2015 12th Latin American Robotics Symposium and 2015 3rd Brazilian Symposium on Robotics (LARS-SBR), Uberlandia, Brazil, 29–31 October 2015; pp. 116–119.
  95. Sukono; Hidayat, Y.; Lesmana, E.; Putra, A.S.; Napitupulu, H.; Supian, S. Portfolio optimization by using linear programing models based on genetic algorithm. IOP Conf. Ser. Mater. Sci. Eng. 2018, 300, 012001.
  96. Sadeghi, A.; Daneshvar, A.; Zaj, M.M. Combined ensemble multi-class SVM and fuzzy NSGA-II for trend forecasting and trading in Forex markets. Expert Syst. Appl. 2021, 185, 115566.
Figure 1. Enterprise architecture of a Public Organization.
Figure 2. Strategic project planning process for information security.
Figure 3. Algorithm for the simplified optimization model using NSGA-II.
Figure 4. Pareto Front—optimal solutions.
Figure 5. Scatterplot of the number of projects and budget.
Figure 6. Scatterplot of number of projects and %CMSI.
Table 1. Criteria for classifying and prioritizing projects.

| Criteria | Classification Examples | Reference |
|---|---|---|
| Project Type | Organizational, technical and regulatory | [13,25,89] |
| Cost | Low, medium and high | [13,89] |
| Origin of non-compliance | Security incident, risk analysis, audit and security assessment | [87] |
| Execution time | Short, medium and long | [13,25,89] |
| Means | Own and external | [13,25,89] |
| Gain/effort ratio | Valuation according to the project, complexity, etc. | [25,89] |
| Risk | Risk assessment, probability of success, technical uncertainty, etc. | [12,13,53] |
| Benefit | Financial performance (VAN, IRR, CIR, etc.), technical performance, etc. | [13,26,90] |
| Technological contribution | According to Gartner | [13] |
| Coverage | Number of customers affected | [25] |
| Compromised areas | Number of areas involved internal or external to the organization | [25] |
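Table 2. List of planned strategic projects.

| No. | Cost (USD) | %CMSI | No. | Cost (USD) | %CMSI | No. | Cost (USD) | %CMSI |
|---|---|---|---|---|---|---|---|---|
| 1 | 6231.00 | 5.16 | 11 | 4169.00 | 4.41 | 21 | 19,089.00 | 4.91 |
| 2 | 14,848.00 | 0.94 | 12 | 12,763.00 | 0.76 | 22 | 10,606.00 | 5.29 |
| 3 | 12,149.00 | 0.25 | 13 | 12,270.00 | 4.78 | 23 | 12,850.00 | 4.53 |
| 4 | 10,105.00 | 5.98 | 14 | 9667.00 | 3.46 | 24 | 19,918.00 | 1.64 |
| 5 | 6094.00 | 2.27 | 15 | 2423.00 | 0.31 | 25 | 7300.00 | 5.60 |
| 6 | 8055.00 | 2.01 | 16 | 16,054.00 | 6.10 | 26 | 3279.00 | 3.40 |
| 7 | 12,029.00 | 1.83 | 17 | 18,571.00 | 5.54 | 27 | 2501.00 | 5.85 |
| 8 | 4349.00 | 1.13 | 18 | 5090.00 | 1.76 | 28 | 8467.00 | 3.65 |
| 9 | 4039.00 | 0.88 | 19 | 13,403.00 | 1.89 | 29 | 10,482.00 | 6.04 |
| 10 | 13,449.00 | 5.48 | 20 | 3582.00 | 4.09 | 30 | 3614.00 | 0.06 |
| Total cost and % CMSI: | | | | | | | $287,446.00 | 100.00 |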
Table 3. Genetic algorithm parameters.

| Parameter | Value |
|---|---|
| Crossover probability | 0.7 |
| Mutation probability | 0.3 |
| Number of generations | 200 |
| Tournament size | 3 |
| Number of chromosomes | 30 |
| Number of individuals | 300 |
| Range of decision variables | [0 1] |
Table 4. Top 10 optimal solutions from the Pareto front.

| No | Optimized Population (Pareto Front) | Projects | %CMSI | Budget (USD) |
|---|---|---|---|---|
| 1 | [1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1, 1, 0, 1, 1, 0, 1, 0, 1, 1, 1, 1, 1, 0] | 23 | 84.64 | 200,024.00 |
| 2 | [1, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1] | 22 | 85.08 | 200,040.00 |
| 3 | [1, 1, 0, 1, 1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0] | 22 | 87.04 | 200,056.00 |
| 4 | [0, 0, 0, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1] | 23 | 87.35 | 200,079.00 |
| 5 | [1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1, 1, 1] | 22 | 88.42 | 200,091.00 |
| 6 | [1, 0, 0, 1, 1, 1, 1, 1, 0, 1, 0, 0, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0] | 21 | 88.86 | 200,120.00 |
| 7 | [1, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1, 0, 1, 0, 1, 1, 1, 1, 1, 0] | 23 | 89.18 | 200,145.00 |
| 8 | [1, 0, 0, 1, 0, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1] | 23 | 90.25 | 200,216.00 |
| 9 | [1, 0, 0, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0] | 22 | 92.13 | 200,273.00 |
| 10 | [1, 0, 0, 1, 1, 1, 0, 0, 0, 1, 1, 0, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0] | 21 | 92.20 | 201,314.00 |
Table 5. Pearson correlation matrix.

| | Number of projects | Budget (USD) | %CMSI |
|---|---|---|---|
| Number of Projects | 1.00 | | |
| Budget (USD) | 0.96 | 1.00 | |
| %CMSI | 0.81 | 0.85 | 1.00 |
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Share and Cite

MDPI and ACS Style

Romero Izurieta, R.; Toapanta Toapanta, S.M.; Caucha Morales, L.J.; Hifóng, M.M.B.; Gómez Díaz, E.Z.; Mafla Gallegos, L.E.; Maciel Arellano, M.R.; Orizaga Trejo, J.A. Model to Optimize the Management of Strategic Projects Using Genetic Algorithms in a Public Organization. Information 2022, 13, 533. https://doi.org/10.3390/info13110533