As companies and organizations have grown to rely on their computer systems and networks, the issue of information security management has become more significant. To maintain their competitiveness, enterprises should safeguard their information and try to eliminate the risk of information being compromised or reduce this risk to an acceptable level. This paper proposes an information security risk-control assessment model that could improve information security for these companies and organizations. We propose an MCDM model combining VIKOR, DEMATEL, and ANP to solve the problem of conflicting criteria that show dependence and feedback. In addition, an empirical application of evaluating the risk controls is used to illustrate the proposed method. The results show that our proposed method can be effective in helping IT managers validate the effectiveness of their risk controls.
In an era of computers and computer networks, corporations and public organizations have implemented computerization: (i) to reduce labor costs, materials, and financial investment; and (ii) to achieve convenient and effective services. But with the development of computers and computer-networks, the threat of information security incidents that could jeopardize the information held by organizations is becoming increasingly serious; such incidents may even be serious enough to cause the failure of enterprises. To maintain their competitiveness, enterprises should safeguard their information system and try to eliminate the risk of being compromised or to reduce this risk to an acceptable level. There are many studies that deal with methods of information security risk assessment and ways of achieving risk controls. However, few studies calculate the integrated risks or assess the performance of the implemented controls after taking into account the dependence among criteria. Because information-risk factors are usually dependent on each other, it is not advisable to use traditional assessment methods where the assessment factors or criteria are assumed to be independent. Therefore, this study proposes an information security risk-control assessment model (ISRCAM) that combines the VlseKriterijumska Optimizacija I Kompromisno Resenje technique (in Serbian, which means Multicriteria Optimization and Compromise Solution), also known as VIKOR, the decision-making trial and evaluation laboratory (DEMATEL), and the analytic network process (ANP) to solve the problem. We hope to use this hybrid MCDM method to accurately model the interdependent risk factors and improve information security. Finally, an empirical example for information security risk control is presented to illustrate our proposed method.
Multiple criteria decision-making (MCDM) methods are often used to deal with problems in management that are characterized by several non-commensurable and conflicting (competing) criteria, and there may be no solution that satisfies all criteria simultaneously. Risk-related assessment often uses MCDM to deal with problems having multiple and conflicting objectives. Liu et al. [19] stated: “Multicriteria-analysis techniques could help decision-makers evaluate risks and countermeasures (controls) when conflicting criteria must be considered and balanced”. Thus, MCDM methods can provide IT (information technology) managers with systematic and repeatable methods for evaluating information-security-risk-related problems. Since understanding the performance gaps of the implemented controls to an assumed ideal performance level is important for assessing the effectiveness of the various risk controls, compromise-programming methods can be used to rank the risk-control areas or objectives. Among the MCDM methods, VIKOR and TOPSIS procedures are based on an aggregating function representing “closeness to the ideal”. Furthermore, they use the compromise-programming method to rank and improve alternatives. The TOPSIS method was first developed by Hwang and Yoon [10] based on the concept that the chosen alternative should: (a) have the shortest distance from the ideal solution and (b) be the farthest from the negative-ideal solution, using Euclidean distance [10]. However, Opricovic and Tzeng [28] showed that TOPSIS has several shortcomings in its ranking process. Therefore, their study proposed an alternative VIKOR method to replace TOPSIS [27] and [28]. This research also uses the VIKOR method to rank the risk-control areas and risk values.
The VIKOR method was developed by Opricovic [26]. Development of the VIKOR method began when Yu [45] proved the Lp-metric for a distance function. The VIKOR method introduced the multicriteria ranking index based on a particular measure of “closeness to the ideal/aspired level” and was introduced as an applicable technique within MCDM [26]. This method focuses on the ranking of a set of choices in the presence of conflicting criteria, which helps decision-makers select the “best” compromise choice [27]. The VIKOR method was developed as an MCDM method to solve discrete decision problems with non-commensurable and conflicting criteria [40], [41], [27], [28], [29] and [31]. However, few papers discuss conflicting (competing) criteria with dependence and feedback using this compromise solution method. Therefore, we developed the VIKOR method based on the ANP and DEMATEL methods to solve the problem of conflicting criteria with dependence and feedback [30]. In addition, using the methods can help us rank the gaps for the risk-control objectives/areas. However, the VIKOR method ranks and selects alternatives based on all the established criteria. Namely, it uses the same criteria to assess each alternative; thus, using traditional VIKOR to rank their orders is unsuitable when each control clause/aspect of information-security risk has its own criteria (different criteria or objectives). Furthermore, because, in practice, each enterprise or government agency has different information-security risk controls, direct comparison is also not possible. Hence, this research adopts an improved VIKOR method, called VIKORRUG—VIKOR for Ranking Unimproved Gap [31]—for ranking the information-security-risk-control objectives and control areas.
ANP was proposed by Saaty as a new MCDM method to overcome the problems of interdependence and feedback among criteria and alternatives in the real world [34]. ANP is an extension of AHP based on the concepts of Markov Chain, and it is a nonlinear dynamic structure [35]. ANP is the general form of AHP [36] and has been used in MCDM to relax the restriction on hierarchical structure. ANP has been applied successfully in many practical decision-making problems [15], [17], [21], [22], [39] and [46]. Furthermore, a hybrid model combining ANP and DEMATEL to solve the dependence and feedback problems has been successfully used in various fields [8], [18] and [42]. When dealing with ANP, we found that using the traditional method of normalizing the unweighted supermatrix is not reasonable. In the traditional method, each criterion in a column is divided by the number of clusters so that each column adds up to unity. Using this normalization method implies that each cluster has the same weight. However, there are different degrees of influence among the clusters of factors/criteria in the real world. Thus, the assumption of equal weights for each cluster to obtain the weighted supermatrix is unrealistic and needs to be improved [32]. Thus, this study uses the results from DEMATEL to improve the normalization process in ANP. Thus DEMATEL [3], [4], [6], [7] and [44] is used not only to construct the interrelations between factors/criteria in building an NRM (network relations map) but also to improve the normalization process of ANP.
In conclusion, the contribution of this study is to propose an ISRCAM model for criteria with interdependence and feedback to assess the performance of the risk controls of an information system. The results will help IT managers of businesses or government agencies to understand the control areas or control objectives that should be enhanced to conform to the aspired levels or needs. In addition, by using DEMATEL to generate an NRM, the proposed method can help IT managers analyze the reasons behind why some controls having larger gaps and needs to be improved. Furthermore, we use an empirical example of an enterprise information-security controls assessment to show the steps of a novel MCDM that combine VIKOR, DEMATEL, and ANP [30] to solve the problem of conflicting criteria with dependence and feedback. Our results show that this proposed method helps us deal with conflicting problems of criteria with interdependence and feedback and improves the normalization of the supermatrix to reflect reality.
The rest of this paper is organized as follows. In Section 2, the research framework is proposed. In Section 3, the hybrid MCDM model is described. In Section 4, a numerical example with applications is illustrated to show the proposed methods in real case. Discussions and conclusions are presented in Sections 5 and 6, respectively.
Because organizations have grown increasingly dependent on their computer-based information systems, information security is becoming very important. Previous researches have proposed information security risk management related issues. PDCA processes are regarded as necessary in information security management. When the “Check Phase” is carried out in an ISMS, ensuring the effectiveness of these implemented controls is important. Therefore, this study proposes an ISRCAM in the Check Phase. Because many studies consider that risk problems are MCDM problems, they adopt the same methods to deal with information-security-risk-related problems.
Among the numerous approaches available for conflict management, MCDM is one of the most prevalent. VIKOR is a method within MCDM; it is based on an aggregating function representing closeness to the ideal, which can be viewed as a derivative of compromise-programming. However, most decision-making methods assume independence between the criteria of a decision and the alternatives of that decision, or simply among either the criteria or the alternatives themselves. However, assuming independence among the criteria/variables is too strict to overcome the problem of dependent criteria in the real world. Therefore, many studies have used ANP to overcome this problem of dependent criteria. In addition, a hybrid model combining ANP and DEMATEL has been widely and successfully used in various fields. The DEMATEL technique is not only used to construct the NRM, but is also used to transform the unweighted supermatrix to a weighted supermatrix. The traditional method overcomes normalization for the weighted supermatrix in the ANP procedure by assuming equal weights for each cluster; however, this ignores the different effects among clusters. Our research uses a new concept to overcome this unreasonable assumption of equal weights. The novel combination model is more suitable than the traditional method to solve problems with different degrees of effects among clusters. This research also uses ANP and VIKOR to obtain the compromise-ranking index. Moreover, an empirical case is used to show the effectiveness and feasibility of our proposed method. In addition, managers should select the unimproved items from the results of the assessment and consider the influencers to improve simultaneously (i.e. those influencers of the aspect that is selected for improvement) through NRM. Our proposed method gives a result that is more comprehensive than the traditional analysis method. Consequently, our proposed method (ISRCAM that is founded on the revised VIKOR based on DEMATEL and ANP) is effective at improving the compromise-solution method and overcoming the problem of interdependence and feedback among criteria. Furthermore, our proposed method uses NRM, to analyze the results, which is a better way than traditional analysis.
Many uncertain influencers and factors affect risk. Moreover, human beings determine the risk value, risk probability of occurrence of security breach, or the consequence of occurrence of security breach according to their experiences. This implies some subjectivity; accordingly, it would be very appropriate to use the fuzzy concept here. Furthermore, ANP can overcome the problems of interdependence and feedback among criteria. Another method—the fuzzy integral method—can overcome interdependence among criteria. Therefore, when the criteria do not show feedback, the fuzzy integral can also be a very suitable method. Finally, managers should consider the related costs and resources when they implement the controls to reduce risk. How do managers use the lowest cost and the least resources to establish controls to reduce risk to an acceptable level? All these above issues can be investigated in future studies