
A VIKOR technique based on DEMATEL and ANP for information security risk control assessment

Yu-Ping Ou Yang a,*, How-Ming Shieh a,b, Gwo-Hshiung Tzeng c,d

a Department of Business Administration, National Central University, 300 Chung-da Road, Chung-Li City 320, Taiwan
b Department of Information Management, National Central University, 300 Chung-da Road, Chung-Li City 320, Taiwan
c Department of Information Management, Kainan University, No. 1, Kainan Road, Luchu, Taoyuan 338, Taiwan
d Institute of Management of Technology, National Chiao Tung University, 1001 Ta-Hsueh Road, Hsinchu 300, Taiwan

Article info

Article history: Available online 17 September 2011

Keywords: VIKOR; Analytic network process (ANP); DEMATEL; Multiple criteria decision making (MCDM); Information security; Risk control assessment

Abstract

As companies and organizations have grown to rely on their computer systems and networks, the issue of information security management has become more significant. To maintain their competitiveness, enterprises should safeguard their information and try to eliminate the risk of information being compromised or reduce this risk to an acceptable level. This paper proposes an information security risk-control assessment model that could improve information security for these companies and organizations. We propose an MCDM model combining VIKOR, DEMATEL, and ANP to solve the problem of conflicting criteria that show dependence and feedback. In addition, an empirical application of evaluating the risk controls is used to illustrate the proposed method. The results show that our proposed method can be effective in helping IT managers validate the effectiveness of their risk controls.

© 2011 Elsevier Inc. All rights reserved.

1. Introduction

In an era of computers and computer networks, corporations and public organizations have implemented computerization: (i) to reduce labor costs, materials, and financial investment; and (ii) to achieve convenient and effective services. But with the development of computers and computer networks, the threat of information security incidents that could jeopardize the information held by organizations is becoming increasingly serious; such incidents may even be serious enough to cause the failure of enterprises. To maintain their competitiveness, enterprises should safeguard their information system and try to eliminate the risk of being compromised or to reduce this risk to an acceptable level. There are many studies that deal with methods of information security risk assessment and ways of achieving risk controls. However, few studies calculate the integrated risks or assess the performance of the implemented controls after taking into account the dependence among criteria. Because information-risk factors are usually dependent on each other, it is not advisable to use traditional assessment methods where the assessment factors or criteria are assumed to be independent. Therefore, this study proposes an information security risk-control assessment model (ISRCAM) that combines the VlseKriterijumska Optimizacija I Kompromisno Resenje technique (in Serbian, which means Multicriteria Optimization and Compromise Solution), also known as VIKOR, the decision-making trial and evaluation laboratory (DEMATEL), and the analytic network process (ANP) to solve the problem. We hope to use this hybrid MCDM method to accurately model the interdependent risk factors and improve information security. Finally, an empirical example for information security risk control is presented to illustrate our proposed method.

0020-0255/$ - see front matter © 2011 Elsevier Inc. All rights reserved. doi:10.1016/j.ins.2011.09.012

* Corresponding author.

E-mail addresses: ouyang.ping@msa.hinet.net (Y.-P. Ou Yang), ghtzeng@mail.knu.edu.tw, ghtzeng@cc.nctu.edu.tw (G.-H. Tzeng).

Contents lists available at SciVerse ScienceDirect: Information Sciences

Multiple criteria decision-making (MCDM) methods are often used to deal with problems in management that are characterized by several non-commensurable and conflicting (competing) criteria, and there may be no solution that satisfies all criteria simultaneously. Risk-related assessment often uses MCDM to deal with problems having multiple and conflicting objectives. Liu et al. [19] stated: ‘‘Multicriteria-analysis techniques could help decision-makers evaluate risks and countermeasures (controls) when conflicting criteria must be considered and balanced’’. Thus, MCDM methods can provide IT (information technology) managers with systematic and repeatable methods for evaluating information-security-risk-related problems. Since understanding the performance gaps of the implemented controls to an assumed ideal performance level is important for assessing the effectiveness of the various risk controls, compromise-programming methods can be used to rank the risk-control areas or objectives. Among the MCDM methods, VIKOR and TOPSIS procedures are based on an aggregating function representing ‘‘closeness to the ideal’’. Furthermore, they use the compromise-programming method to rank and improve alternatives. The TOPSIS method was first developed by Hwang and Yoon [10] based on the concept that the chosen alternative should: (a) have the shortest distance from the ideal solution and (b) be the farthest from the negative-ideal solution, using Euclidean distance [10]. However, Opricovic and Tzeng [28] showed that TOPSIS has several shortcomings in its ranking process. Therefore, their study proposed an alternative VIKOR method to replace TOPSIS [27,28]. This research also uses the VIKOR method to rank the risk-control areas and risk values.

The VIKOR method was developed by Opricovic [26]. Development of the VIKOR method began when Yu [45] proved the Lp-metric for a distance function. The VIKOR method introduced the multicriteria ranking index based on a particular measure of ‘‘closeness to the ideal/aspired level’’ and was introduced as an applicable technique within MCDM [26]. This method focuses on the ranking of a set of choices in the presence of conflicting criteria, which helps decision-makers select the ‘‘best’’ compromise choice [27]. The VIKOR method was developed as an MCDM method to solve discrete decision problems with non-commensurable and conflicting criteria [40,41,27–29,31]. However, few papers discuss conflicting (competing) criteria with dependence and feedback using this compromise solution method. Therefore, we developed the VIKOR method based on the ANP and DEMATEL methods to solve the problem of conflicting criteria with dependence and feedback [30]. In addition, using the methods can help us rank the gaps for the risk-control objectives/areas. However, the VIKOR method ranks and selects alternatives based on all the established criteria. Namely, it uses the same criteria to assess each alternative; thus, using traditional VIKOR to rank their orders is unsuitable when each control clause/aspect of information-security risk has its own criteria (different criteria or objectives). Furthermore, because, in practice, each enterprise or government agency has different information-security risk controls, direct comparison is also not possible. Hence, this research adopts an improved VIKOR method, called VIKORRUG—VIKOR for Ranking Unimproved Gap [31]—for ranking the information-security-risk-control objectives and control areas.

ANP was proposed by Saaty as a new MCDM method to overcome the problems of interdependence and feedback among criteria and alternatives in the real world [34]. ANP is an extension of AHP based on the concepts of Markov Chain, and it is a nonlinear dynamic structure [35]. ANP is the general form of AHP [36] and has been used in MCDM to relax the restriction on hierarchical structure. ANP has been applied successfully in many practical decision-making problems [15,17,21,22,39,46]. Furthermore, a hybrid model combining ANP and DEMATEL to solve the dependence and feedback problems has been successfully used in various fields [8,18,42]. When dealing with ANP, we found that using the traditional method of normalizing the unweighted supermatrix is not reasonable. In the traditional method, each criterion in a column is divided by the number of clusters so that each column adds up to unity. Using this normalization method implies that each cluster has the same weight. However, there are different degrees of influence among the clusters of factors/criteria in the real world. Thus, the assumption of equal weights for each cluster to obtain the weighted supermatrix is unrealistic and needs to be improved [32]. Thus, this study uses the results from DEMATEL to improve the normalization process in ANP. Thus DEMATEL [3,4,6,7,44] is used not only to construct the interrelations between factors/criteria in building an NRM (network relations map) but also to improve the normalization process of ANP.

In conclusion, the contribution of this study is to propose an ISRCAM model for criteria with interdependence and feedback to assess the performance of the risk controls of an information system. The results will help IT managers of businesses or government agencies to understand the control areas or control objectives that should be enhanced to conform to the aspired levels or needs. In addition, by using DEMATEL to generate an NRM, the proposed method can help IT managers analyze the reasons why some controls have larger gaps and need to be improved. Furthermore, we use an empirical example of an enterprise information-security controls assessment to show the steps of a novel MCDM that combines VIKOR, DEMATEL, and ANP [30] to solve the problem of conflicting criteria with dependence and feedback. Our results show that this proposed method helps us deal with conflicting problems of criteria with interdependence and feedback and improves the normalization of the supermatrix to reflect reality.

The rest of this paper is organized as follows. In Section 2, the research framework is proposed. In Section 3, the hybrid MCDM model is described. In Section 4, a numerical example with applications is illustrated to show the proposed methods in a real case. Discussions and conclusions are presented in Sections 5 and 6, respectively.

2. Research framework

The risk management process model [1] includes four steps: (1) risk assessment; (2) risk remediation; (3) risk monitoring and review; and (4) risk management enhancement. The first step involves identifying and analyzing the vulnerability of exploitation by a threat. The second step involves using controls to address the risk; this is also called risk treatment. The third step involves monitoring and measuring the risk controls for effectiveness. The fourth step is a continuous improvement process based on observations from each of the previous steps, which serves as feedback for the risk management cycle. The risk management process model is an ongoing process of assessing, addressing, monitoring risks, and subsequent security enhancement. The strategy is the ‘‘Plan-Do-Check-Act (PDCA)’’ cycle, as shown in Fig. 1.

Since the ‘‘monitor and review risk’’ step is also an important process and few articles discuss it for the assessment of the implemented controls in the ‘‘Check’’ step, this research focuses on improving the ‘‘monitor and review the risks’’ step by proposing a risk-control assessment system to improve controls and reduce risk. The purpose of this research is to develop an assessment model for previously implemented controls. The main framework is shown in Fig. 2, and it shows that risk treatments, vulnerabilities, and implemented controls affect the selection of risk controls. The residual risks and the gaps of the implemented controls, which are the distances from the actual performances to the aspired performances on the implemented controls, are obtained by using risk-control assessment. Managers can then decide which controls should be strengthened according to the assessment results. Subsequently, these results are referred to the next step in the process – the risk management enhancement.

Because many studies adopt MCDM methods to assess risk-related problems, MCDM methods are also used to evaluate the performances of the implemented risk controls. However, some articles have proposed risk-control assessment based on the dependence and feedback among criteria during the ‘‘Check’’ phase. Therefore, we propose a suitable ISRCAM—a novel VIKOR method combined with the DEMATEL technique and ANP, to accurately infer the gaps of the implemented controls and control objectives. The following section explains our new methodology in detail.

3. A hybrid MCDM model

A VIKOR technique based on DEMATEL and ANP for evaluating and improving problems is proposed according to the above descriptions. The procedures of this novel hybrid MCDM model, a combination of DEMATEL and ANP with VIKOR, are schematically shown in Fig. 3 and explained in the following subsections.

3.1. DEMATEL

The Battelle Memorial Institute conducted a project concerning the concept of the DEMATEL technique through its Geneva Research Centre[6,7]. The DEMATEL technique constructs the interrelations between factors/criteria to build a network relations map (NRM)[8,18,32,42]. The method can be summarized as follows:

Step 1: Calculate the direct relation average matrix. Assuming the scales 0, 1, 2, 3 and 4 represent the range from ‘‘no influence (0)’’ to ‘‘very high influence (4)’’, respondents are asked to propose the degree of direct influence each factor/criterion i exerts on each factor/criterion j, which is denoted by d_ij, using the assumed scales. A direct relation matrix would be produced by each respondent, and an average matrix D is then derived through the mean of the same factors/criteria in the various direct matrices of the respondents. The average matrix D is shown as follows:

D = \begin{bmatrix} d_{11} & \cdots & d_{1j} & \cdots & d_{1n} \\ \vdots & & \vdots & & \vdots \\ d_{i1} & \cdots & d_{ij} & \cdots & d_{in} \\ \vdots & & \vdots & & \vdots \\ d_{n1} & \cdots & d_{nj} & \cdots & d_{nn} \end{bmatrix} \quad (1)

Fig. 1. The PDCA cycle of the risk management process: Plan (Risk Assessment), Do (Risk Remediation), Check (Risk Monitoring and Review), Act (Risk Management Enhancement).

Step 2: Calculate the initial direct influence matrix. The initial direct influence matrix X (i.e., X = [x_ij]_{n×n}) can be obtained by normalizing the average matrix D. In addition, the matrix X can be obtained through Eqs. (2) and (3), in which all principal diagonal criteria are equal to zero.

X = s \cdot D \quad (2)

s = \min\left[ 1 \big/ \max_i \sum_{j=1}^{n} |d_{ij}|,\; 1 \big/ \max_j \sum_{i=1}^{n} |d_{ij}| \right] \quad (3)

Step 3: Derive the total influence matrix. A continuous decrease of the indirect effects of problems along the powers of X, e.g., X^2, X^3, \ldots, X^h and \lim_{h\to\infty} X^h = [0]_{n\times n}, where X = [x_{ij}]_{n\times n}, 0 \le x_{ij} < 1, 0 < \sum_i x_{ij} \le 1 and 0 < \sum_j x_{ij} \le 1, and at least one column sum \sum_j x_{ij} or one row sum \sum_i x_{ij} equals 1; then we can guarantee \lim_{h\to\infty} X^h = [0]_{n\times n}. So the total influence matrix can be calculated as follows.

T = X + X^2 + \cdots + X^h = X(I + X + X^2 + \cdots + X^{h-1})(I - X)(I - X)^{-1} = X(I - X^h)(I - X)^{-1}; \text{ when } \lim_{h\to\infty} X^h = [0]_{n\times n}, \text{ then}

T = X(I - X)^{-1} \quad (4)

where T = [t_{ij}]_{n\times n}, for i, j = 1, 2, \ldots, n and (I - X)(I - X)^{-1} = I. In addition, the method presents each row sum and column sum of matrix T:

r = (r_i)_{n\times 1} = \left[ \sum_{j=1}^{n} t_{ij} \right]_{n\times 1} \quad (5)

c = (c_j)_{n\times 1} = (c_j)'_{1\times n} = \left[ \sum_{i=1}^{n} t_{ij} \right]'_{1\times n} \quad (6)

where r_i denotes the row sum of the ith row of matrix T and shows the sum of total effects (including direct and indirect effects) of factor/element i on the other factors/elements. Similarly, c_j denotes the column sum of the jth column of matrix T and shows the sum of total effects (including direct and indirect effects) that factor/element j has received from the other factors/criteria. Additionally, (r_i + c_i) provides an index of the strength of influences given and received when i = j, that is, (r_i + c_i) shows the degree of the central role that factor i plays in the problem. If (r_i − c_i) is positive, then factor i is affecting other factors, and if (r_i − c_i) is negative, then factor i is being influenced by other factors [32,38,42].

Step 4: Set a threshold value and obtain the NRM. Based on the matrix T, each factor t_ij of matrix T provides network information on how factor i affects factor j. Setting a threshold value α to filter the minor effects denoted by the factors of matrix T is necessary to isolate the relation structure of the factors. In practice, if all the information from matrix T converts to the NRM, the map would be too complex to show the necessary network information for decision-making. In order to reduce the complexity of the NRM, the decision-maker sets a threshold value α for the influence level to filter out minor effects: only factors whose influence value in matrix T is higher than the threshold value will be chosen and converted into the NRM. The threshold value can be decided by experts. When the threshold value and the relative NRM have been decided, the NRM can be drawn accordingly.
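The following Python script is an added worked example of Steps 1 to 4; it is not code from the paper. The three respondents' direct-relation matrices, the three-factor size and the threshold α = 1.2 are all constructed for the illustration. It builds D from the respondents, normalizes it to X = sD with Eq. (3), computes T = X(I − X)^{-1} from Eq. (4) through a small Gauss-Jordan inverse (raising an error when I − X is singular, i.e. when the series of Eq. (4) would not converge), derives the (r_i + c_i) and (r_i − c_i) indices of Eqs. (5)-(6), and lists the arcs of the NRM that survive the α-cut.

```python
"""DEMATEL Steps 1-4 in pure Python on a constructed three-factor example.

Added illustration; not code from the paper. Respondent scores, the factor
count and the threshold alpha are all constructed for the demonstration.
"""
from typing import Dict, List, Tuple

Matrix = List[List[float]]

# Constructed sample data: three respondents rate the direct influence of
# factor i on factor j on the 0 (no influence) .. 4 (very high influence) scale.
RESPONDENTS: List[Matrix] = [
    [[0, 3, 2], [1, 0, 4], [2, 1, 0]],
    [[0, 4, 2], [1, 0, 3], [3, 1, 0]],
    [[0, 2, 2], [1, 0, 2], [1, 1, 0]],
]


def average_matrix(responses: List[Matrix]) -> Matrix:
    """Step 1, Eq. (1): element-wise mean of the respondents' direct-relation matrices."""
    n = len(responses[0])
    return [[sum(m[i][j] for m in responses) / len(responses) for j in range(n)]
            for i in range(n)]


def normalise(d: Matrix) -> Matrix:
    """Step 2, Eqs. (2)-(3): X = s * D with s = min(1/max row sum, 1/max column sum)."""
    n = len(d)
    max_row = max(sum(abs(v) for v in row) for row in d)
    max_col = max(sum(abs(d[i][j]) for i in range(n)) for j in range(n))
    s = min(1.0 / max_row, 1.0 / max_col)
    return [[s * v for v in row] for row in d]


def matmul(a: Matrix, b: Matrix) -> Matrix:
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]


def invert(m: Matrix) -> Matrix:
    """Gauss-Jordan inverse with partial pivoting; raises if the matrix is singular."""
    n = len(m)
    a = [list(map(float, row)) + [1.0 if i == j else 0.0 for j in range(n)]
         for i, row in enumerate(m)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(a[r][col]))
        if abs(a[pivot][col]) < 1e-12:
            raise ValueError("I - X is singular; the series of Eq. (4) does not converge")
        a[col], a[pivot] = a[pivot], a[col]
        p = a[col][col]
        a[col] = [v / p for v in a[col]]
        for r in range(n):
            if r != col and a[r][col] != 0.0:
                f = a[r][col]
                a[r] = [rv - f * cv for rv, cv in zip(a[r], a[col])]
    return [row[n:] for row in a]


def total_influence(x: Matrix) -> Matrix:
    """Step 3, Eq. (4): T = X (I - X)^-1, the closed form of X + X^2 + ... ."""
    n = len(x)
    i_minus_x = [[(1.0 if i == j else 0.0) - x[i][j] for j in range(n)] for i in range(n)]
    return matmul(x, invert(i_minus_x))


def prominence_and_relation(t: Matrix) -> Tuple[List[float], List[float]]:
    """Eqs. (5)-(6): row sums r_i and column sums c_i, then (r_i + c_i) and (r_i - c_i)."""
    n = len(t)
    r = [sum(t[i]) for i in range(n)]
    c = [sum(t[i][j] for i in range(n)) for j in range(n)]
    return [r[i] + c[i] for i in range(n)], [r[i] - c[i] for i in range(n)]


def network_relations(t: Matrix, alpha: float) -> List[Tuple[int, int]]:
    """Step 4: the NRM keeps only the arcs i -> j whose total influence exceeds alpha."""
    n = len(t)
    return [(i, j) for i in range(n) for j in range(n) if t[i][j] > alpha]


def run_dematel(responses: List[Matrix], alpha: float) -> Dict[str, object]:
    d = average_matrix(responses)
    x = normalise(d)
    t = total_influence(x)
    r_plus_c, r_minus_c = prominence_and_relation(t)
    return {"D": d, "X": x, "T": t, "r_plus_c": r_plus_c,
            "r_minus_c": r_minus_c, "nrm": network_relations(t, alpha)}


if __name__ == "__main__":
    out = run_dematel(RESPONDENTS, alpha=1.2)
    for i, (p, q) in enumerate(zip(out["r_plus_c"], out["r_minus_c"])):
        role = "cause" if q > 1e-9 else "effect" if q < -1e-9 else "neutral"
        print(f"factor {i}: r+c = {p:.3f}, r-c = {q:+.3f} -> {role}")
    print("NRM arcs above alpha:", out["nrm"])
```

On the constructed data the average matrix has a row and a column that both sum to the maximum 5, so s = 0.2 and X has one row and one column summing exactly to 1, which is the convergence condition of Step 3. Factor 0 comes out as a net cause (r − c > 0), factor 2 as a net effect, and the α-cut keeps the chain 0 → 1 → 2 plus the arc 0 → 2.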

3.2. ANP

ANP is a mathematical theory that can systematically overcome all kinds of dependence [37]. The method can be described in the following steps:

Step 5: Form an unweighted supermatrix through pairwise comparisons. The first step of the ANP is to use pairwise comparisons with the criteria. The relative importance value can be determined assuming a scale of 1 to 9 to represent equal importance to extreme importance [34,36]. The general form of the supermatrix can be described as follows:

(7)

where C_n denotes the nth cluster, e_nm denotes the mth criterion in the nth cluster, and W_ij is the principal eigenvector of the influence of the criteria in the jth cluster compared to the ith cluster. In addition, if the jth cluster has no influence on the ith cluster, then W_ij = [0].

Fig. 3. Procedure of the hybrid MCDM model: 1. Using the DEMATEL technique to clarify interrelations of components/criteria; 2. Using improved ANP procedures to obtain the limiting supermatrix as the “weights” for VIKOR; 3. Using the revised VIKOR method to obtain the index values of the gaps.

Step 6: Obtain the weighted supermatrix by multiplying the normalized matrix, which is derived according to the NRM from DEMATEL. Normalization is used to derive the weighted supermatrix by transforming each column to sum exactly to unity. The step is similar to the Markov chain concept for ensuring that the sum of the probabilities of all states equals 1 [9]. In traditional ANP, normalization is done by dividing each criterion in a column by the number of clusters so that each column will sum to unity exactly. This implicitly assumes that each cluster is given the same weight. However, we know that the effect that a cluster has on the other clusters may be different in size. Thus, the assumption of equal weight for each cluster in obtaining the weighted supermatrix is not a reasonable one in traditional ANP, and DEMATEL is used to help relax this assumption by influential weights. First, we use the DEMATEL method (Section 3.1) to derive the NRM. Next, this study uses the total influence matrix T and a threshold value α to generate a new matrix (here, we can choose whether or not to set α). Note that α is decided by the decision-makers or experts. If the values in matrix T are less than α, then the values of the clusters in matrix T are reset to zero. Namely, they have a lower influence on other clusters if their values are less than α. The new matrix with the α-cut is called the α-cut total influence matrix T^α, where if t_ij < α, then t^α_ij = 0, else t^α_ij = t_ij, and t_ij is in the total influence matrix T. The α-cut total influence matrix T^α needs to be normalized by dividing the elements in row i by d_i = \sum_{j=1}^{n} t^α_ij. Therefore, the normalized α-cut total influence matrix is represented as T^s.

T^s = \begin{bmatrix} t^\alpha_{11}/d_1 & \cdots & t^\alpha_{1j}/d_1 & \cdots & t^\alpha_{1n}/d_1 \\ \vdots & & \vdots & & \vdots \\ t^\alpha_{i1}/d_i & \cdots & t^\alpha_{ij}/d_i & \cdots & t^\alpha_{in}/d_i \\ \vdots & & \vdots & & \vdots \\ t^\alpha_{n1}/d_n & \cdots & t^\alpha_{nj}/d_n & \cdots & t^\alpha_{nn}/d_n \end{bmatrix} = \begin{bmatrix} t^s_{11} & \cdots & t^s_{1j} & \cdots & t^s_{1n} \\ \vdots & & \vdots & & \vdots \\ t^s_{i1} & \cdots & t^s_{ij} & \cdots & t^s_{in} \\ \vdots & & \vdots & & \vdots \\ t^s_{n1} & \cdots & t^s_{nj} & \cdots & t^s_{nn} \end{bmatrix} \quad (8)

The normalized matrix T^s and the unweighted supermatrix W are used according to Eq. (9) to obtain the weighted supermatrix W^w.

W^w = \begin{bmatrix} t^s_{11} W_{11} & t^s_{21} W_{12} & \cdots & \cdots & t^s_{n1} W_{1n} \\ t^s_{12} W_{21} & t^s_{22} W_{22} & & & \vdots \\ \vdots & & \ddots & & \vdots \\ \vdots & \cdots & \cdots & t^s_{ni} W_{in} & \vdots \\ t^s_{1n} W_{n1} & t^s_{2n} W_{n2} & \cdots & \cdots & t^s_{nn} W_{nn} \end{bmatrix} \quad (9)

Step 7: Calculate the overall priorities with the limiting supermatrix. The weighted supermatrix W^w is multiplied with itself multiple times to obtain the limiting supermatrix (limiting weighted supermatrix). In other words, the weighted supermatrix is raised to the gth power until the supermatrix has converged and has become a stable supermatrix in order to obtain the global priority-influential vectors, also called the ANP weights.

W^* = \lim_{g\to\infty} (W^w)^g \quad (10)

The ANP weights for each criterion can be obtained by \lim_{g\to\infty} (W^w)^g, where g represents any number of power.

In brief, the overall weights are calculated by using the above steps to derive a stable limiting supermatrix. Therefore, a hybrid model combining DEMATEL and ANP can deal with the problem of interdependence and feedback. The proposed model described above is more suitable for dealing with real-world applications than the traditional method.
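The following Python script is an added worked example of Steps 6 and 7; it is not code from the paper. It assumes a constructed cluster-level total influence matrix standing in for what DEMATEL would yield for two clusters, constructed column-stochastic blocks W_ij with two criteria per cluster, and α = 0.8; none of these values come from the paper. The block (i, j) of W^w is scaled by t^s_ji exactly as Eq. (9) indexes it, so each column of W^w still sums to one (the Markov-chain property the paragraph relies on), and the limit of Eq. (10) is reached by repeated squaring. The α-cut normalisation refuses an α that would zero an entire row of T, because d_i would then be zero.

```python
"""ANP Steps 6-7 with the DEMATEL-based normalisation of Eqs. (8)-(10), pure Python.

Added illustration; not code from the paper. The cluster-level total influence
matrix, the unweighted supermatrix blocks W_ij and alpha are constructed inputs.
"""
from typing import Dict, List, Tuple

Matrix = List[List[float]]

# Constructed: total influence between two clusters (what DEMATEL would yield)
# and column-stochastic blocks W_ij = priorities of cluster i's criteria with
# respect to each criterion of cluster j (two criteria per cluster).
CLUSTER_T: Matrix = [[1.0, 1.5], [1.2, 0.6]]
CLUSTER_SIZES: List[int] = [2, 2]
BLOCKS: Dict[Tuple[int, int], Matrix] = {
    (0, 0): [[0.7, 0.3], [0.3, 0.7]],
    (0, 1): [[0.6, 0.2], [0.4, 0.8]],
    (1, 0): [[0.5, 0.9], [0.5, 0.1]],
    (1, 1): [[0.5, 0.5], [0.5, 0.5]],
}


def alpha_cut_normalised(t: Matrix, alpha: float) -> Matrix:
    """Eq. (8): zero every t_ij below alpha, then divide row i by d_i = sum_j t^alpha_ij."""
    rows = []
    for row in t:
        cut = [v if v >= alpha else 0.0 for v in row]
        d = sum(cut)
        if d == 0.0:
            raise ValueError("alpha removed every influence of a cluster; choose a lower alpha")
        rows.append([v / d for v in cut])
    return rows


def weighted_supermatrix(ts: Matrix, blocks: Dict[Tuple[int, int], Matrix],
                         sizes: List[int]) -> Matrix:
    """Eq. (9): block (i, j) of W^w is t^s_ji * W_ij, so every column still sums to 1."""
    n = sum(sizes)
    offsets = [sum(sizes[:k]) for k in range(len(sizes))]
    ww = [[0.0] * n for _ in range(n)]
    for (i, j), w in blocks.items():
        for a in range(sizes[i]):
            for b in range(sizes[j]):
                ww[offsets[i] + a][offsets[j] + b] = ts[j][i] * w[a][b]
    return ww


def matmul(a: Matrix, b: Matrix) -> Matrix:
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]


def limiting_supermatrix(ww: Matrix, tol: float = 1e-10, max_squarings: int = 60) -> Matrix:
    """Eq. (10): repeated squaring gives (W^w)^(2^k); stop once the power is stable."""
    n = len(ww)
    cur = ww
    for _ in range(max_squarings):
        nxt = matmul(cur, cur)
        if max(abs(nxt[i][j] - cur[i][j]) for i in range(n) for j in range(n)) < tol:
            return nxt
        cur = nxt
    raise RuntimeError("supermatrix did not converge (periodic or reducible structure)")


def run_anp(t: Matrix, blocks: Dict[Tuple[int, int], Matrix], sizes: List[int],
            alpha: float) -> Dict[str, object]:
    ts = alpha_cut_normalised(t, alpha)
    ww = weighted_supermatrix(ts, blocks, sizes)
    limit = limiting_supermatrix(ww)
    weights = [limit[i][0] for i in range(len(limit))]  # every column of the limit is identical
    return {"Ts": ts, "weighted": ww, "weights": weights}


if __name__ == "__main__":
    out = run_anp(CLUSTER_T, BLOCKS, CLUSTER_SIZES, alpha=0.8)
    print("normalised alpha-cut T:", out["Ts"])
    for j in range(4):
        print(f"column {j} of W^w sums to {sum(row[j] for row in out['weighted']):.6f}")
    print("ANP weights:", [round(w, 4) for w in out["weights"]])
```

With α = 0.8 the self-influence of the second cluster (0.6) is cut, so its criteria receive all of their weight from the first cluster; the first cluster keeps 40% self-influence and passes 60% on. The resulting weights are the stationary distribution of W^w, which is what the "stable supermatrix" of Step 7 computes.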


3.3. VIKOR method

The compromise ranking method (VIKOR) was proposed by Opricovic as an MCDM method that helps a decision-maker rank a number of choices or alternatives by looking at their performance scores with respect to a set of criteria [26]. Let k = 1, 2, ..., m and A_1, A_2, ..., A_k, ..., A_m denote the m alternatives facing a decision-maker. Let j = 1, 2, ..., n, with n being the number of criteria. Then the performance score for alternative A_k with respect to the jth criterion is denoted by f_kj. Let w_j be the weight on the jth criterion which expresses the relative importance of that criterion (here, weight w_j is derived using DEMATEL and ANP as described earlier). VIKOR uses the following Lp-metric:

L^p_k = \left\{ \sum_{j=1}^{n} \left[ w_j (|f^*_j - f_{kj}|)/(|f^*_j - f^-_j|) \right]^p \right\}^{1/p} \quad (11)

where 1 ≤ p ≤ ∞; k = 1, 2, ..., m. In the traditional approach, the positive ideal point with respect to the jth criterion is defined empirically as the highest performance score with respect to the jth criterion among all alternatives, or f^*_j = \max_k f_kj. Likewise, the negative ideal point with respect to the jth criterion is defined empirically as the lowest performance score with respect to the jth criterion among all alternatives, or f^-_j = \min_k f_kj. Of course, instead of empirically searching for the highest and lowest performance scores, we can also set the positive ideal point as the best/aspired level f^*_j in theory and the negative ideal point as the worst value f^-_j in theory. Alternatively, if we flip the range of the scores for f_kj so that the aspired level takes a value of 0 and the worst value takes the value of 10, we can define f^*_j = 0 and f^-_j = 10. This alternative definition would be more appropriate in our empirical analysis of information security risk in the real world, with a normalized scale of 0 denoting the best value with no risk gap and a normalized scale of 1 denoting the worst value with the largest risk gap. But in what follows we will revert to the traditional approach in our exposition. The VIKOR method also uses L^{p=1}_k (as S_k) and L^{p=∞}_k (as Q_k) to formulate the ranking measure [26–29,40,41].

S_k = L^{p=1}_k = \sum_{j=1}^{n} \left[ w_j (|f^*_j - f_{kj}|)/(|f^*_j - f^-_j|) \right] \quad (12)

Q_k = L^{p=\infty}_k = \max_j \left\{ w_j (|f^*_j - f_{kj}|)/(|f^*_j - f^-_j|) \mid j = 1, 2, \ldots, n \right\} \quad (13)

R_k = v (S_k - S^*)/(S^- - S^*) + (1 - v)(Q_k - Q^*)/(Q^- - Q^*) \quad (14)

where S^* = \min_k S_k, S^- = \max_k S_k, Q^* = \min_k Q_k, Q^- = \max_k Q_k, and 0 ≤ v ≤ 1, with v as the weight on the strategy of maximum group utility (average gap in scale normalization) and 1 − v as the weight on individual regret (maximal gap in special criterion for priority improvement).

VIKOR ranks the alternatives by sorting the values of S_k, Q_k and R_k, for k = 1, 2, ..., m, in decreasing order. Opricovic [26] and Opricovic and Tzeng [27] propose as a compromise the alternative (A^(1)) which is ranked first by the measure \min\{R_k \mid k = 1, 2, \ldots, m\} if the following two conditions are satisfied:

H1. Acceptable advantage: R(A^(2)) − R(A^(1)) ≥ 1/(m − 1), where A^(2) is the alternative in the second position of the ranking list by R; m is the number of alternatives.

H2. Acceptable stability in decision making: The alternative A^(1) must also be the best when ranked by S_k and/or Q_k, k = 1, 2, ..., m.

A set of compromise solutions is proposed if one of the above conditions is not satisfied. The set of compromise solutions consists of:

(1) Alternatives A^(1) and A^(2), if H1 is satisfied and H2 is not satisfied.

(2) Alternatives A^(1), A^(2), ..., A^(M), if H1 is not satisfied. Note that A^(M) is determined by the relation R(A^(M)) − R(A^(1)) < 1/(m − 1) for maximum M (the positions of these alternatives are close).

The compromise solution \min_k L^p_k will be chosen because its value is closest to the ideal/aspired level. In addition, when p is small, group utility is emphasized (such as p = 1) and as p increases to p = ∞, the individual maximal regrets/gaps receive more importance, as shown by Freimer and Yu [5] and Yu [45]. Therefore, \min_k S_k emphasizes the maximum group utility, whereas \min_k Q_k emphasizes selecting the minimum of the maximum of individual regrets. Based on the above concepts, the compromise ranking algorithm VIKOR is modified by the following steps (for detailed steps see [31]; it is called VIKORRUG (VIKOR for Ranking Unimproved Gap)).

Step 8: Normalize the original rating matrix. In this step, we determine the best f^*_j and the worst f^-_j values of all criterion functions, j = 1, 2, ..., n. In the traditional VIKOR method, we define f^*_j = \max_k f_kj and f^-_j = \min_k f_kj. However, in order to fit IT managers’ needs in the real world, it would be more suitable to define the f^*_j and f^-_j values according to their aspired level and tolerable level (the worst value) for improving the gaps of each criterion in each project. In addition, because each project is ranked according to its own criteria, the ideal point (positive ideal point) function and the non-ideal point (negative ideal point) function are expressed as follows:

f^*_{kj} = \text{aspired } f_{kj} \quad (\text{or } f_{kj} = \text{aspired level})

f^-_{kj} = \text{tolerable } f_{kj} \quad (\text{or } f_{kj} = \text{tolerable level})

In general, the benefit or cost must be determined according to the expectation of the decision maker for each criterion in each project, and we call the best f^*_kj the aspired level and the worst f^-_kj the tolerable level. Moreover, because each project has its own assessing criteria, the weights w^k_j must be normalized under the same project (where j = 1, 2, ..., n_k, and n_k is the number of criteria in each project), such that the weights would sum up to unity: \sum_{j=1}^{n_k} w^k_j = 1. In addition, for each criterion j of each project k, the best f^*_kj is the aspired/desired level and the worst f^-_kj is the tolerable level (for example, f_11 has an aspired/desired level f^*_11, f_12 has an aspired/desired level f^*_12, etc.). The normalized ratings (i.e., the normalized gaps of the performance scores for each criterion) r_kj are denoted by:

r_{kj} = (|f^*_{kj} - f_{kj}|)/(|f^*_{kj} - f^-_{kj}|) \quad (15)

Step 9: Compute the values S_k and Q_k, k = 1, 2, ..., m, with the following:

S_k = \sum_{j=1}^{n} w^k_j r_{kj} \quad (16)

Q_k = \max_j \{ r_{kj} \mid j = 1, 2, \ldots, n \} \quad (17)

where Eqs. (16) and (17) show the mean of group utility and maximal regret, respectively. In traditional VIKOR, Q_k is defined as \max_j \{ w^k_j r_{kj} \mid j = 1, 2, \ldots, n \}, which implies that group utility is more important than maximal individual regret. Since the individual is part of the group, Q_k is only a part of S_k, and S_k is larger than Q_k. Therefore, S_k is emphasized more than Q_k in traditional VIKOR. However, the maximal individual regret (gap) is also very important in practice and is usually taken into account to reflect its importance. In order to balance S_k and Q_k, Eq. (17) is used to define our Q_k instead of the definition used in traditional VIKOR.

Step 10: Compute the index values R_k by Eq. (14). Eq. (14) can also be rewritten as R_k = vS_k + (1 − v)Q_k (here, S^* = Q^* = 0 (the best/aspired level is no risk in our case example) and S^- = Q^- = 1 (the worst value) are set; then R_k = vS_k + (1 − v)Q_k).

Step 11: Rank the alternatives by sorting on the values of S_k, Q_k and R_k, for k = 1, 2, ..., m, in decreasing order (refer to the VIKOR method).

The VIKORRUG method determines the compromise solution; the obtained compromise solution is acceptable to the decision-makers because it provides maximum group utility for the majority (represented by min S, Eq. (16)), and a minimum individual maximal regret for the opponent (represented by min Q, Eq. (17)). Our model uses DEMATEL and ANP in Sections 3.1 and 3.2 to obtain the criteria weights with dependence and feedback and uses the VIKORRUG method to obtain the compromise solution.
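The following Python script is an added worked example serving both the traditional VIKOR of Section 3.3 (Eqs. (11)-(14) with conditions H1 and H2) and the VIKORRUG procedure of Steps 8 to 11; it is not code from the paper. The scores, weights, aspired and tolerable levels are all constructed, the project names are placeholders, and the function names are mine. The traditional routine uses empirical ideal points and the weighted Q_k of Eq. (13); the VIKORRUG routine gives each project its own criteria and aspired/tolerable levels, normalizes the weights within the project, uses the unweighted Q_k of Eq. (17), and sets S^* = Q^* = 0 and S^- = Q^- = 1 as in Step 10. The gap of Eq. (15) refuses an aspired level equal to the tolerable level, which would otherwise divide by zero.

```python
"""Traditional VIKOR (Eqs. 11-14, conditions H1/H2) and VIKORRUG (Steps 8-11).

Added illustration; not code from the paper. All scores, weights, aspired and
tolerable levels below are constructed; the project names are placeholders.
"""
from typing import Dict, List

# Constructed: three alternatives scored 0..10 (higher is better) on three criteria.
SCORES: List[List[float]] = [[8, 6, 7], [6, 9, 5], [7, 7, 9]]
WEIGHTS: List[float] = [0.5, 0.3, 0.2]

# Constructed: three control objectives ("projects"), each with its own criteria,
# aspired and tolerable levels and raw weights (normalised inside vikorrug).
PROJECTS = {
    "objective-A": {"scores": [8, 6, 9], "aspired": [10, 10, 10],
                    "tolerable": [0, 0, 0], "weights": [0.5, 0.3, 0.2]},
    "objective-B": {"scores": [7, 5], "aspired": [10, 10],
                    "tolerable": [2, 0], "weights": [2, 1]},
    "objective-C": {"scores": [9, 9, 10, 8], "aspired": [10] * 4,
                    "tolerable": [0] * 4, "weights": [1, 1, 1, 1]},
}


def normalised_gap(aspired: float, tolerable: float, score: float) -> float:
    """Eq. (15): distance to the aspired level, scaled by the aspired-tolerable span."""
    span = abs(aspired - tolerable)
    if span == 0:
        raise ValueError("aspired and tolerable levels coincide; the gap is undefined")
    return abs(aspired - score) / span


def _scaled(x: float, lo: float, hi: float) -> float:
    """(x - lo)/(hi - lo) as in Eq. (14); 0 when all alternatives tie (hi == lo)."""
    return 0.0 if hi == lo else (x - lo) / (hi - lo)


def vikor(scores: List[List[float]], weights: List[float], v: float = 0.5) -> Dict[str, object]:
    """Traditional VIKOR: empirical ideal points, weighted Q_k (Eq. 13), R_k by Eq. (14),
    ranking by the smallest R_k, and the compromise set from conditions H1/H2."""
    m, n = len(scores), len(weights)
    if m < 2:
        raise ValueError("VIKOR needs at least two alternatives")
    best = [max(scores[k][j] for k in range(m)) for j in range(n)]    # f*_j
    worst = [min(scores[k][j] for k in range(m)) for j in range(n)]   # f-_j
    S, Q = [], []
    for row in scores:
        terms = [weights[j] * normalised_gap(best[j], worst[j], row[j]) for j in range(n)]
        S.append(sum(terms))      # Eq. (12)
        Q.append(max(terms))      # Eq. (13)
    R = [v * _scaled(S[k], min(S), max(S)) + (1 - v) * _scaled(Q[k], min(Q), max(Q))
         for k in range(m)]       # Eq. (14)
    order = sorted(range(m), key=lambda k: R[k])  # A(1) is the alternative with min R_k
    a1, a2 = order[0], order[1]
    dq = 1.0 / (m - 1)
    h1 = R[a2] - R[a1] >= dq                      # acceptable advantage
    h2 = S[a1] == min(S) or Q[a1] == min(Q)       # acceptable stability
    if h1 and h2:
        compromise = [a1]
    elif h1:
        compromise = [a1, a2]
    else:
        compromise = [k for k in order if R[k] - R[a1] < dq]
    return {"S": S, "Q": Q, "R": R, "ranking": order, "H1": h1, "H2": h2,
            "compromise": compromise}


def vikorrug(projects: Dict[str, dict], v: float = 0.5) -> Dict[str, Dict[str, float]]:
    """Steps 8-11: each project carries its own criteria, aspired/tolerable levels and
    weights; Q_k is the unweighted maximal gap of Eq. (17); S* = Q* = 0, S- = Q- = 1."""
    results = {}
    for name, p in projects.items():
        total = sum(p["weights"])
        w = [x / total for x in p["weights"]]     # weights sum to 1 within the project
        r = [normalised_gap(a, t, f)
             for a, t, f in zip(p["aspired"], p["tolerable"], p["scores"])]
        S = sum(wj * rj for wj, rj in zip(w, r))  # Eq. (16)
        Q = max(r)                                # Eq. (17)
        results[name] = {"S": S, "Q": Q, "R": v * S + (1 - v) * Q}
    return results


def improvement_priority(results: Dict[str, Dict[str, float]]) -> List[str]:
    """Largest R_k (largest unimproved gap) first: the control to strengthen first."""
    return sorted(results, key=lambda k: results[k]["R"], reverse=True)


if __name__ == "__main__":
    t = vikor(SCORES, WEIGHTS)
    print("traditional VIKOR ranking (best first):", t["ranking"],
          "H1:", t["H1"], "H2:", t["H2"], "compromise set:", t["compromise"])
    u = vikorrug(PROJECTS)
    for name in improvement_priority(u):
        print(f"{name}: S={u[name]['S']:.3f} Q={u[name]['Q']:.3f} R={u[name]['R']:.3f}")
```

On the constructed scores the traditional routine ranks alternative 3 first, but its advantage over alternative 1 is far below 1/(m − 1), so H1 fails and the compromise set contains both, exactly the case (2) of the text. In the VIKORRUG part, objective B carries the largest unimproved gap even though its raw scores are not the lowest, because its first criterion has a tolerable level of 2 rather than 0 and its maximal individual gap is not diluted by the weights.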

4. Empirical case: information security risk controls assessment

In this section, we will provide an empirical case to demonstrate the proposed method. In what follows we will discuss the background, the nature of the problem, and the assessment processes respectively.

4.1. Background and problem statements

The Taiwanese government promotes the use of computers and the internet to provide innovative services and improve service efficiency. In January 2001, the government launched the National Information and Communication Security Taskforce [23]. Its primary intention was to set up an integrated information-and-communication-security defense system for the thousands of departments in the government bureaucracy. It has also enforced strict controls on major national infrastructure-information systems that affect national security and social stability. Its preliminary goal has been to achieve the aspired security levels. In 2002, the government expedited an information-security project throughout the government bureaucracy [2]. The project proposed the level of information-security, which was divided into four levels—A, B, C, and D—according to the sizes of the departments, authorized tasks, and the amount of investments. For example, level A represents primary core units; level B represents secondary units; and so on. Different levels within the bureaucracy have different requirements for information-security protection. These government organizations must adjust their information security managements to meet their information security level. They need to check their information security controls regularly to ensure the safety of their information assets. However, since there are a large number of information security controls, the decision-makers usually do not know which control areas and control objectives should be improved. The evaluation and prioritization of these control areas and control objectives constitute an MCDM problem. In fact, MCDM methods can help the IT managers rank the unimproved gaps in these control areas and control objectives.

This paper proposes an ISRCAM, which uses a compromise-ranking algorithm—VIKOR for Ranking Unimproved Gap or VIKORRUG—to aggregate the unimproved gaps in terms of the controls for upper-level control objectives and control areas. Moreover, this method considers the dependency among the control areas and control objectives by combining ANP and DEMATEL to obtain the weights of the control areas for VIKORRUG. Our method can help uncover gaps in the control areas. This will help IT managers diagnose the information security problem by pointing out which control objectives (or control areas) need to be strengthened and improved. Thus, our MCDM method can help IT managers effectively and efficiently manage the information security controls in their respective organizations.

4.2. Generating evaluative criteria and collection of data and weights

To implement a successful ISRCAM, we adopt the audit items from Taiwan’s Research Development and Evaluation Commission (RDEC) in designing the information security risk control assessment aspects/objectives/criteria of this study. Since ISO/IEC 17799 (ISO 27002) is widely used to improve security controls and processes [33], we take the audit items from ISO/IEC 17799 (BS 7799-1) as our list of best practices for control objectives and controls. This list includes the following 11 control areas for information security management: (1) security policy, (2) organization of information security, (3) asset management, (4) human resources security, (5) physical and environmental security, (6) communications and operations management, (7) access control, (8) information systems acquisition, development and maintenance, (9) information security incident management, (10) business continuity management, and (11) compliance [12,13]. The structure of this research is presented in Fig. A1 (Appendix A). In Fig. A1, the overall risk-control assessment at Level 1 is listed. There are two subgoals in Level 2: organizational/management and operational/technical criteria, which are referred to by René [33] and the NIST [24], and the two subgoals are classified after experienced audits. There are 11 aspects in Level 3: the 11 aspects are taken from Annex A of ISO/IEC 27001 (BS 7799-2). In Level 4, there are 39 main security objectives (categories) in Annex A of ISO/IEC 27001 (BS 7799-2). In Level 5, there are 197 criteria (risk controls), as collected from the RDEC (in Taiwan). The RDEC-proposed audit items are mostly taken from BS 7799. In this case, two unsuitable controls were omitted based on the needs and situation of the organization with reference to information security.

The above subgoals/aspects/objectives/criteria are used to design the three questionnaires. The first phase of our research investigates the interrelations of the aspects (control areas) and subgoals according to the viewpoints of the information-security auditors and the maintenance staff in this case. In the questionnaires, a scale of 0, 1, 2, 3, 4, and 5 represents the range from “no influence” to “very high influence”, with respondents proposing the degree of direct influence that each aspect/subgoal exerts on another aspect/subgoal (13 questionnaires were returned, and their consensus values were less than 5%). The data from the questionnaires are used in DEMATEL. The second phase of our research investigates the grades of importance of the subgoals/aspects/objectives (weights) according to the above-mentioned auditors and maintenance staff (13 questionnaires were returned, with consensus values less than 5%). Here, a scale of 0, 1, 2, ..., 5 represents the range from “absolutely unimportant” to “absolutely important”. The corresponding data are used in ANP. The other questionnaire is designed to investigate the performances of the implemented controls by using a scale of 0, 1, 2, ..., 10 to represent the range from “the worst” to “the best”. In addition, it also investigates the probability of the occurrence of a security breach (P) and the consequence of the occurrence of a security breach (C) under each information-security-risk-control objective after its controls are implemented; the probability is divided into 7 categories, from “very strongly low” to “very strongly high”. This questionnaire was completed by the maintenance staff in this case. The residual risk value of each control objective is obtained using Eq. (A.1) (Appendix B); that is, the range of risk (R) is from 1 to 49. Then, the VIKORRUG method (here, the minimal risk value of 1 is the best f*_kj in risk and the maximum risk value of 49 is the worst f^-_kj in risk) is used to obtain the ranking of the control areas (upper level) from these control objectives (lower level). The steps detailed in Section 3 are used to obtain the risk-control-assessment values (called the gaps of the implemented control areas/objectives) and the residual risk values under each control area and control objective. These steps are described in more detail in the following section.

4.3. Operations and results

The network structure is constructed by using the DEMATEL procedures (in Section 3); that is, Steps 1 to 3 of DEMATEL are applied to obtain the total influence matrix T for the subgoals, as shown in Table 1. Using Step 4, if a threshold value of 0.1 is chosen, then the resulting NRM is shown in Fig. 4. Similarly, using Steps 1 to 4, the total influence matrix T and the NRM of the aspects (control areas) of the two subgoals are obtained. The components of the total influence matrix T are listed in Tables 2 and 3, and they indicate that all aspects are interdependent. In addition, using Eqs. (5) and (6), the sums of the influence given and received by each dimension can be obtained, as shown in Tables 4–6.

Tables 4–6 generate the causal diagram of the total relationship presented in Fig. A2 (Appendix A). In the upper panel of Fig. A2, “C1 Security policy” has the highest index of strength of influence given and received (r_i + c_i), “C10 Business continuity management” is next, and “C2 Organization of information security” is the third in Subgoal G1 (organizational/management). In addition, since the values of r_i - c_i for the C1, C2, and C11 aspects are positive, this shows that they affect the other factors more than the other factors affect them in subgoal G1. Similarly, in the lower panel of Fig. A2, “C7 access control” has the highest index of strength of influence given and received, “C6 communications and operations management” is next, and “C5 physical and environmental security” is the third in subgoal G2 (operational/technical). In addition, since the values of r_i - c_i of “C5 physical and environmental security” and “C6 communications and operations management” are positive, this shows that they affect the other factors more than the other factors affect them in subgoal G2. On the other hand, since the values of r_i - c_i of C7, C8, and C9 are negative, this shows that these aspects are influenced by the other factors more than they affect the other factors. Furthermore, the middle panel of Fig. A2 shows that G1 affects G2 more than G2 affects G1. Subsequently, the total influence matrix T (Table 1) is normalized, as in Table 7.

Table 1
The total influence matrix T for the subgoals.

Subgoals   G1     G2
G1         3.52   4.52

[Fig. 4 (structure of the subgoals): Cluster 1 (Subgoal G1) contains C1, C2, C3, C4, C10, C11; Cluster 2 (Subgoal G2) contains C5, C6, C7, C8, C9; the influence values marked on the arrows are 3.52, 3.52, 3.52 and 4.52.]

Fig. 4. The structure of subgoals for the empirical case.

Table 2
The total influence matrix T for the aspects of subgoal G1.

Aspects    C1(e1)  C2(e2)  C3(e3)  C4(e4)  C10(e5)  C11(e6)
C1(e1)     1.31    1.42    1.34    1.41    1.49     1.43
C2(e2)     1.41    1.18    1.26    1.32    1.42     1.34
C3(e3)     1.21    1.15    0.97    1.15    1.22     1.17
C4(e4)     1.21    1.17    1.11    1.02    1.23     1.19
C10(e5)    1.36    1.29    1.22    1.28    1.20     1.30
C11(e6)    1.36    1.28    1.20    1.27    1.35     1.14

Table 3
The total influence matrix T for the aspects of subgoal G2.

Aspects    C5(e7)  C6(e8)  C7(e9)  C8(e10)  C9(e11)
C5(e7)     1.76    2.15    2.23    2.00     1.96
C6(e8)     2.05    2.09    2.37    2.14     2.10
C7(e9)     2.07    2.31    2.16    2.15     2.10
C8(e10)    1.83    2.06    2.12    1.74     1.87
C9(e11)    1.83    2.06    2.11    1.91     1.71

Table 4
The sum of influences given and received on subgoals.

Subgoals (i)   G1 (Organizational/management)   G2 (Operational/technical)
r_i + c_i      15.09                            15.09
r_i - c_i      1.00                             -1.00

Table 5
The sum of influences given and received on aspects of subgoal G1 (signs of r_i - c_i as plotted in Fig. A2).

Aspects (i)   C1(e1)   C2(e2)   C3(e3)   C4(e4)   C10(e5)   C11(e6)
r_i + c_i     16.27    15.41    13.96    14.37    15.55     15.18
r_i - c_i     0.54     0.44     -0.23    -0.52    -0.25     0.03

Table 6
The sum of influences given and received on aspects of subgoal G2 (values of r_i - c_i as plotted in Fig. A2).

Aspects (i)   C5(e7)   C6(e8)   C7(e9)   C8(e10)   C9(e11)
r_i + c_i     19.63    21.42    21.79    19.56     19.35
r_i - c_i     0.55     0.08     -0.20    -0.31     -0.12

Using the structure of Fig. 4 and the data computed from the second phase (the grades of importance of the 11 aspects investigated), the unweighted supermatrix can be obtained as follows. Here, e1, e2, ..., e11 represent the control areas in Fig. A1 (Appendix A).

Eq. (9) is used to obtain the weighted supermatrix, which is shown as follows:

Next, the limiting supermatrix W* is obtained by using Eq. (10), which is shown below:

Finally, using the range of ratings for each criterion (control) as 0 (the worst value) to 10 (the best value), the performance ratings of the controls (lower level) are integrated by arithmetic average for the control objectives (upper level). Similarly, the ratings of the control objectives (lower level) are integrated for the control areas (upper level). Because the dependence and feedback of aspects (control areas) are involved, the weights of the aspects (from Eq. (18)) are used to calculate the integrated ratings of the aspects. The integrated ratings of the objectives and the weights are listed in Table 8. Then, the VIKORRUG method (Section 3.3) is used to obtain the ranking indexes S_k, Q_k, and R_k of the subgoals, as presented in Table 9 (here, if both maximum group utility and minimum individual regret are considered simultaneously, then v = 0.5 is selected).

As shown in Table 8, among the 11 aspects, “C8 information systems acquisition, development and maintenance” is the farthest from the ideal/aspired level (its normalized/local/global ratings are higher than those of the others, which shows that its unimproved gap is the biggest), whereas “C1 security policy” is the closest to the ideal/aspired level in both normalized and local ratings (which take their corresponding weights into account). Here, the questionnaire asks respondents to rate the performances of the implemented controls on a scale of 0, 1, 2, ..., 10, with the ideal/aspired level being 10. Therefore, “information systems acquisition, development and maintenance” should be improved in this case. Currently, government agencies outsource many of their information systems.

The results in Table 9 show that S_G2 > S_G1, Q_G2 > Q_G1, and R_G2 > R_G1; in addition, the ranks of the subgoals are G1 ≻ G2.

Here, these subgoals only satisfy condition H2, which represents acceptable stability. Therefore, the set of compromise solutions is {G1, G2}. Since our research aims to find the worse of the two subgoals, G2 should be prioritized for improvement when a subgoal is selected. In addition, the overall performance score of the risk controls is 0.329 (the calculation is shown under the note to Table 9). Simultaneously, this study also uses the revised VIKOR (VIKORRUG) to calculate the residual risk value of each subgoal from their control areas (the minimal risk value of 1 is the best risk f*_kj, and the maximum risk value of 49 is the worst risk f^-_kj). The results are listed in Tables 10 and 11.

Table 11 shows that the risk of the operational/technical subgoal is higher than the risk of the organizational/management subgoal. Table 10 shows that, among the 11 aspects, “C8 information systems acquisition, development and maintenance” is the farthest from the ideal/aspired level (that is, its risk is the highest among the 11 aspects), whereas “C11 compliance” is the closest to the ideal/aspired level (that is, its risk is the lowest among the others) in both normalized and local ratings (which combine the ratings with the weights).

In sum, this study finds that the aspect “C8 information systems acquisition, development and maintenance” has the highest risk and should be improved among the 11 aspects considered in this case. In addition, “operational/technical (G2)” involves a risk greater than the risk of “organizational/management (G1)”, with the performance of the subgoal “operational/technical” also being lower than the performance of “organizational/management”. Therefore, the subgoal “operational/technical” should be improved, and the aspect “C8 information systems acquisition, development and maintenance” should be given priority for improvement. Because most of the Taiwanese government’s information systems are outsourced, it is crucial for information-security-related requirements to be included in these outsourcing contracts.
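As an added example that is not part of the paper, the following Python script reproduces the two computations the case study rests on: the DEMATEL prominence (r + c) and relation (r - c) indexes of Table 5 from the total influence matrix of Table 2 (plus the row normalisation of Table 7), and the VIKORRUG indexes S_k, Q_k and R_k of Tables 9 and 11 from the weights and ratings of Tables 8 and 10. The function names are ours; the table values are copied into the script as constructed inputs, and the formulas are those read from the tables (S = weighted sum of the normalised gaps, Q = largest normalised gap, R = v S + (1 - v) Q).

```python
import numpy as np

# Aspect labels of subgoal G1 in the order of Table 2 of the paper.
G1_ASPECTS = ["C1", "C2", "C3", "C4", "C10", "C11"]

# Total influence matrix T for the aspects of subgoal G1 (values of Table 2).
T_G1 = np.array([
    [1.31, 1.42, 1.34, 1.41, 1.49, 1.43],
    [1.41, 1.18, 1.26, 1.32, 1.42, 1.34],
    [1.21, 1.15, 0.97, 1.15, 1.22, 1.17],
    [1.21, 1.17, 1.11, 1.02, 1.23, 1.19],
    [1.36, 1.29, 1.22, 1.28, 1.20, 1.30],
    [1.36, 1.28, 1.20, 1.27, 1.35, 1.14],
])

# Local ANP weights and integrated ratings copied from Tables 8 and 10.
# Performance is rated on 0 (worst) to 10 (best); residual risk R = P x C
# ranges from 1 (best) to 49 (worst).
G1_WEIGHTS = [0.174, 0.155, 0.159, 0.163, 0.180, 0.169]
G2_WEIGHTS = [0.189, 0.205, 0.214, 0.195, 0.197]
G1_PERF = [8.688, 7.875, 6.667, 7.433, 8.000, 8.217]
G2_PERF = [8.638, 8.239, 8.248, 4.806, 8.200]
G1_RISK = [7.00, 8.75, 8.00, 8.67, 8.00, 6.83]
G2_RISK = [13.50, 10.35, 9.93, 13.83, 12.00]
SUBGOAL_WEIGHTS = {"G1": 0.472, "G2": 0.528}   # local ANP weights, Table 8


def dematel_prominence_relation(T):
    """Return (r + c, r - c) for each factor: r_i is the row sum (influence
    given), c_i the column sum (influence received). A positive r_i - c_i
    marks a net cause, i.e. an 'influencer' in the paper's terms."""
    T = np.asarray(T, dtype=float)
    r, c = T.sum(axis=1), T.sum(axis=0)
    return r + c, r - c


def dematel_influencers(T, labels):
    """Labels of the factors whose r - c is positive."""
    _, relation = dematel_prominence_relation(T)
    return [lab for lab, d in zip(labels, relation) if d > 0]


def dematel_row_normalise(T):
    """Divide each row of T by its row sum (Table 7). The paper uses this
    matrix, not equal cluster weights, to weight the ANP supermatrix."""
    T = np.asarray(T, dtype=float)
    return T / T.sum(axis=1, keepdims=True)


def vikorrug(ratings, weights, f_best, f_worst, v=0.5):
    """Revised VIKOR for ranking unimproved gaps, as read from Tables 8-11.
    gap_j = (f* - f_j) / (f* - f^-) is the normalised distance of aspect j
    from the aspired level; S = sum_j w_j gap_j (group utility, v = 1);
    Q = max_j gap_j (individual regret, v = 0); R = v*S + (1 - v)*Q."""
    f = np.asarray(ratings, dtype=float)
    w = np.asarray(weights, dtype=float)
    gaps = (f_best - f) / (f_best - f_worst)
    S = float(w @ gaps)
    Q = float(gaps.max())
    return {"gaps": gaps, "S": S, "Q": Q, "R": v * S + (1 - v) * Q}


def overall_score(results, subgoal_weights):
    """Weighted sum of the subgoals' R_k (the note under Table 9)."""
    return sum(subgoal_weights[k] * res["R"] for k, res in results.items())


def performance_assessment():
    """Table 9: subgoal indexes from the aspect performance ratings."""
    res = {"G1": vikorrug(G1_PERF, G1_WEIGHTS, f_best=10, f_worst=0),
           "G2": vikorrug(G2_PERF, G2_WEIGHTS, f_best=10, f_worst=0)}
    return res, overall_score(res, SUBGOAL_WEIGHTS)


def risk_assessment():
    """Table 11: the same aggregation on residual risk (1 best, 49 worst)."""
    return {"G1": vikorrug(G1_RISK, G1_WEIGHTS, f_best=1, f_worst=49),
            "G2": vikorrug(G2_RISK, G2_WEIGHTS, f_best=1, f_worst=49)}


if __name__ == "__main__":
    prom, rel = dematel_prominence_relation(T_G1)
    for lab, p, d in zip(G1_ASPECTS, prom, rel):
        print(f"{lab:>3}: r+c = {p:5.2f}  r-c = {d:+.2f}")
    print("influencers in G1:", dematel_influencers(T_G1, G1_ASPECTS))
    perf, score = performance_assessment()
    for k, res in perf.items():
        print(f"{k} performance: S={res['S']:.3f} Q={res['Q']:.3f} R={res['R']:.3f}")
    print(f"overall performance score = {score:.3f}")
    for k, res in risk_assessment().items():
        print(f"{k} risk: S={res['S']:.3f} Q={res['Q']:.3f} R={res['R']:.3f}")
```

Small differences in the third decimal (for example S_G2 = 0.236 here against 0.235 in Table 9) come from the paper summing already-rounded local ratings.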

5. Discussion

In order to illustrate that the method proposed in this research is better than the traditional methods, we also calculate the limiting supermatrix using the traditional normalization method; the result is as follows.

Table 7
The normalized matrix T_s of T.

Subgoals   G1     G2
G1         0.44   0.56

This study further analyses the weights obtained using both the proposed model and the traditional method, and the results are shown in Table 12 and Fig. 5, respectively.

Table 8
The weights and the integrated performance ratings for the empirical case. Columns: local weights (w_kj) and global weights (gw_kj) using ANP; integrated performance ratings, normalized ratings (r_kj), local ratings (w_kj r_kj) and global ratings (gw_kj r_kj) using VIKORRUG.

Subgoals (k) / Aspects (j)                                      w_kj    gw_kj   Integrated   r_kj     w_kj r_kj   gw_kj r_kj
Organizational/management                                       0.472           7.833        0.217    0.217       0.103
  C1 Security policy (e1)                                       0.174   0.082   8.688        0.131a   0.023a      0.011a
  C2 Organization of information security (e2)                  0.155   0.073   7.875        0.213    0.033       0.016
  C3 Asset management (e3)                                      0.159   0.075   6.667        0.333    0.053       0.025
  C4 Human resources security (e4)                              0.163   0.077   7.433        0.257    0.042       0.020
  C10 Business continuity management (e5)                       0.180   0.085   8.000        0.200    0.036       0.017
  C11 Compliance (e6)                                           0.169   0.080   8.217        0.178    0.030       0.014
Operational/technical                                           0.528           7.639        0.236    0.235       0.125
  C5 Physical and environmental security (e7)                   0.189   0.100   8.638        0.136    0.026       0.014
  C6 Communications and operations management (e8)              0.205   0.108   8.239        0.176    0.036       0.019
  C7 Access control (e9)                                        0.214   0.113   8.248        0.175    0.037       0.020
  C8 Information systems acquisition, development and
     maintenance (e10)                                          0.195   0.103   4.806        0.519b   0.101b      0.053b
  C9 Information security incident management (e11)             0.197   0.105   8.200        0.180    0.035       0.019

a The closest to the ideal/aspired level.
b The farthest from the ideal/aspired level.

Table 9
The ranking indexes of performances for the empirical case.

Subgoals (k)                      S_k (v = 1.0)   Q_k (v = 0.0)   R_k (v = 0.5)
Organizational/management (G1)    0.217           0.333           0.275
Operational/technical (G2)        0.235           0.519           0.377

Note: The overall performance score of the risk controls = Σ_k w_k R_k = 0.472 × 0.275 + 0.528 × 0.377 = 0.329 (where the R_k of G1 and G2 are obtained by using the revised VIKOR with v = 0.5; they are 0.275 and 0.377, respectively; 0.472 and 0.528 are the local weights using ANP from Table 8).

Table 10
The weights and the integrated risk ratings for the empirical case. Columns: local weights (w_kj) and global weights (gw_kj) using ANP; integrated risk ratings, normalized ratings (r_kj), local ratings (w_kj r_kj) and global ratings (gw_kj r_kj) using VIKORRUG.

Subgoals (k) / Aspects (j)                                      w_kj    gw_kj   Integrated   r_kj     w_kj r_kj   gw_kj r_kj
Organizational/management                                       0.472           7.853        0.143    0.143       0.067
  C1 Security policy (e1)                                       0.174   0.082   7.00         0.125    0.022       0.010a
  C2 Organization of information security (e2)                  0.155   0.073   8.75         0.161    0.025       0.012
  C3 Asset management (e3)                                      0.159   0.075   8.00         0.146    0.023       0.011a
  C4 Human resources security (e4)                              0.163   0.077   8.67         0.160    0.026       0.012
  C10 Business continuity management (e5)                       0.180   0.085   8.00         0.146    0.026       0.012
  C11 Compliance (e6)                                           0.169   0.080   6.83         0.122a   0.021a      0.010a
Operational/technical                                           0.528           11.861       0.226    0.226       0.120
  C5 Physical and environmental security (e7)                   0.189   0.100   13.50        0.260    0.049       0.026
  C6 Communications and operations management (e8)              0.205   0.108   10.35        0.195    0.040       0.021
  C7 Access control (e9)                                        0.214   0.113   9.93         0.186    0.040       0.021
  C8 Information systems acquisition, development and
     maintenance (e10)                                          0.195   0.103   13.83        0.267b   0.052b      0.028b
  C9 Information security incident management (e11)             0.197   0.105   12.00        0.229    0.045       0.024

a The closest to the ideal/aspired level.
b The farthest from the ideal/aspired level.

Several facts are clear from Table 1 and Fig. 4: (a) each cluster has feedback and dependence; (b) the effect of Cluster 1 on Cluster 2 is 4.52, whereas the effect of Cluster 2 on Cluster 1 is 3.52. In other words, the degree to which Cluster 2 is affected is higher (4.52) than that for Cluster 1 (3.52). Therefore, Cluster 2 should be paid more attention than the other cluster in the real world; that is, it should be given additional weight, whereas Cluster 1 should have its weight reduced. Since e1, e2, ..., e6 belong to Cluster 1 and e7, e8, ..., e11 belong to Cluster 2, the criteria e7, e8, ..., e11 should be paid more attention than e1, e2, ..., e6. Using the traditional normalization method implies that each cluster has the same weight (each criterion in a column is divided by the number of clusters to normalize the unweighted supermatrix). However, there are different degrees of influence among the clusters of factors/criteria in this empirical case (see Table 4). Thus, by using DEMATEL to improve the normalization of the unweighted supermatrix in ANP, our study finds that these results better suit the real world. In this empirical case, we find that the weights of the criteria e1, e2, ..., e6 in the traditional method are higher than those in the proposed method, but the weights of the criteria e7, e8, ..., e11 are lower in the traditional method than in the proposed method (Table 12 and Fig. 5). If this research used the assumption of equal weights for each cluster to normalize the unweighted supermatrix and to obtain the weighted supermatrix, the assessed weights would be higher or lower than in the more realistic situation. Fig. 5 shows that the criteria of Cluster 2 (e7, e8, ..., e11) are underestimated, whereas the criteria of Cluster 1 (e1, e2, ..., e6) are overestimated, if this research adopts the traditional method.
Therefore, DEMATEL combined with ANP can be used to obtain better and more accurate results in real-world applications.

Table 11
The ranking indexes of risk for the empirical case.

Subgoals (k)                      S_k (v = 1.0)   Q_k (v = 0.0)   R_k (v = 0.5)
Organizational/management (G1)    0.143           0.161           0.152
Operational/technical (G2)        0.226           0.267           0.247

[Fig. 5: bar chart of the weight (vertical axis, 0 to 0.12) of each aspect e1 to e11 (horizontal axis) under the traditional hybrid method and the proposed method; the plotted values are those listed in Table 12.]

Fig. 5. Comparisons of the weights of each criterion between the traditional hybrid method and the herein-proposed method.

Table 12
Comparisons of the weights of each criterion between the traditional hybrid method and the herein-proposed method.

Criteria   Traditional method   The proposed method   Difference
e1         0.087                0.082                 0.005
e2         0.078                0.073                 0.005
e3         0.080                0.075                 0.005
e4         0.082                0.077                 0.005
e5         0.089                0.085                 0.004
e6         0.084                0.080                 0.004
e7         0.094                0.100                 (0.006)a
e8         0.103                0.108                 (0.005)a
e9         0.107                0.113                 (0.006)a
e10        0.097                0.103                 (0.006)a
e11        0.099                0.104                 (0.005)a

Next, our results show that all aspects (control areas) and subgoals are dependent and related, according to Tables 1–3. Fig. A2 shows their causal relationship, and it can help managers review the relationships among these control areas. Fig. A2 shows that G1 affects G2 more than G2 affects G1. G1 expands its aspects in the upper portion of Fig. A2. For the control areas, the r_i - c_i values for C1 (security policy), C2 (organization of information security), and C11 (compliance) are positive, which means that they affect the other aspects (control areas) more than the other control areas affect them. In other words, when organizations adopt these control areas, “security policy”, “organization of information security”, and “compliance” will affect the success or failure of the other control areas. Similarly, G2 expands its aspects in the lower portion of Fig. A2. Among the various aspects of G2, the r_i - c_i values for C5 (physical and environmental security) and C6 (communications and operations management) are positive, which means that these two control areas affect the other control areas in the operational/technical subgoal more than the others affect them. Therefore, when organizations adopt these control areas, the areas that can affect others should be adopted first. However, when the organization has adopted controls over a long period, risk-control assessment should be used to identify the lower performances of controls (control objectives or control areas) that need improvement. Furthermore, when the controls with lower performances are improved, the influencers should also be checked again. For example, “C8 information systems acquisition, development and maintenance” should be given priority for improvement in this empirical case. However, the influencers C5 and C6 within the same cluster, and C1, C2, and C11 in subgoal G1 (because G1 affects G2 more than G2 affects G1), should be checked again. Among these, C5 may need improvement because its risk rating is the second farthest from the ideal/aspired level, as shown in Table 10.

[Fig. A2 (Appendix A), the causal diagram of the total relationship, plotted as r + c (horizontal axis) against r - c (vertical axis). Middle panel, subgoals: G1 Organizational/Management (15.08, 1.00), G2 Operational/Technical (15.08, -1.00). Upper panel, Cluster 1 (G1 Organizational/Management): C1 Security policy (16.27, 0.54), C2 Organization of information security (15.41, 0.44), C3 Asset management (13.96, -0.23), C4 Human resources security (14.37, -0.52), C10 Business continuity management (15.55, -0.25), C11 Compliance (15.18, 0.03). Lower panel, Cluster 2 (G2 Operational/Technical): C5 Physical and environmental security (19.63, 0.55), C6 Communications and operations management (21.42, 0.08), C7 Access control (21.79, -0.20), C8 Information systems acquisition, development and maintenance (19.56, -0.31), C9 Information security incident management (19.35, -0.12).]

Finally, the VIKORRUG method aggregates the aspects that have dependence and feedback characteristics to obtain the ranking indexes of the performances and risks of the subgoals, as shown in Tables 9 and 11. If we want to maximize group utility and minimize individual regret (v = 0.5), the results indicate that G1 ≻ G2. Thus, of the two subgoals, G1 (organizational/management) is the closest to the ideal/aspired level, whereas G2 (operational/technical) is the farthest from the ideal/aspired level. If managers aim to improve the subgoals according to their performances, then G2 should be given priority during selection. However, when a manager chooses the subgoal with the lower performance for improvement, the influencers among its aspects or subgoals should be considered thoroughly. In Table 4 and Fig. A2, G1 affects G2 more than G2 affects G1. Therefore, if G2 is selected for improvement, G1 should be checked to determine whether it should be improved simultaneously. In general, if G2 is performing very well, then G1 will be performing very well too. In this case, if G2 should be improved, then “C8 information systems acquisition, development and maintenance” should be improved first, as is clear from Tables 8 and 10. In Table 8, the gaps of the performance rankings are C8 > C3 > C4 = C7 > C9 = C6 > C10 > C2 > C5 = C11 > C1. In Table 10, the gaps of the risk rankings are C8 > C5 > C9 > C6 = C7 > C2 = C4 = C10 > C3 > C1 = C11. Thus, the IT managers should choose the risk controls with lower performances (higher risks) for improvement according to the gaps of the performance rankings or risk rankings. In addition, according to the above statements, the influencers C1, C2, C11, C5, and C6 should be checked (because the r_i - c_i values for C1, C2, C11, C5, and C6 are positive in Fig. A2, which means that they affect other aspects more than they are affected). If the IT managers accept the performance and risk of G1, then the other aspects within the same group (subgoal G2), such as “C5 physical and environmental security” and “C6 communications and operations management”, need to be checked. These two aspects should be improved simultaneously because they affect C8.
In particular, “C5 physical and environmental security” has the second highest risk rating (13.5) in Table 10. In short, these influencers should also be checked again when the controls having lower performance are enhanced. Checking the influencers using the NRM is more comprehensive than the traditional analysis method.

To sum up, the hybrid model that combines DEMATEL with ANP has been widely used in MCDM problems. In this study, the DEMATEL method is used to construct interrelations between criteria/factors, and ANP is used to overcome the problems of dependence and feedback. In addition, this study also shows that using DEMATEL and ANP to normalize the unweighted supermatrix is more reasonable than working by assuming equal weights in each cluster. Furthermore, the weights obtained from the ANP and VIKOR methods are used to derive the ranking index. Our empirical study also shows that this method is more suitable and effective than the traditional ANP method.

6. Conclusions

Because organizations have grown increasingly dependent on their computer-based information systems, information security is becoming very important. Previous studies have addressed information security risk management related issues. PDCA processes are regarded as necessary in information security management. When the “Check Phase” is carried out in an ISMS, ensuring the effectiveness of the implemented controls is important. Therefore, this study proposes an ISRCAM for the Check Phase. Because many studies consider risk problems to be MCDM problems, they adopt MCDM methods to deal with information-security-risk-related problems.

Among the numerous approaches available for conflict management, MCDM is one of the most prevalent. VIKOR is a method within MCDM; it is based on an aggregating function representing closeness to the ideal, which can be viewed as a derivative of compromise programming. However, most decision-making methods assume independence between the criteria of a decision and the alternatives of that decision, or simply among either the criteria or the alternatives themselves. Yet assuming independence among the criteria/variables is too strict to overcome the problem of dependent criteria in the real world. Therefore, many studies have used ANP to overcome this problem of dependent criteria. In addition, a hybrid model combining ANP and DEMATEL has been widely and successfully used in various fields. The DEMATEL technique is not only used to construct the NRM, but is also used to transform the unweighted supermatrix into a weighted supermatrix. The traditional method performs the normalization for the weighted supermatrix in the ANP procedure by assuming equal weights for each cluster; however, this ignores the different effects among clusters. Our research uses a new concept to overcome this unreasonable assumption of equal weights. The novel combination model is more suitable than the traditional method for solving problems with different degrees of effects among clusters. This research also uses ANP and VIKOR to obtain the compromise-ranking index. Moreover, an empirical case is used to show the effectiveness and feasibility of our proposed method. In addition, managers should select the unimproved items from the results of the assessment and, through the NRM, consider the influencers (i.e. those influencers of the aspect that is selected for improvement) so as to improve them simultaneously. Our proposed method gives a result that is more comprehensive than the traditional analysis method.
Consequently, our proposed method (ISRCAM, which is founded on the revised VIKOR based on DEMATEL and ANP) is effective at improving the compromise-solution method and overcoming the problem of interdependence and feedback among criteria. Furthermore, our proposed method uses the NRM to analyze the results, which is better than traditional analysis.

Many uncertain influencers and factors affect risk. Moreover, human beings determine the risk value, the probability of occurrence of a security breach, or the consequence of occurrence of a security breach according to their experience. This implies some subjectivity; accordingly, it would be very appropriate to use the fuzzy concept here. Furthermore, ANP can overcome the problems of interdependence and feedback among criteria. Another method, the fuzzy integral method, can overcome interdependence among criteria. Therefore, when the criteria do not show feedback, the fuzzy integral can also be a very suitable method. Finally, managers should consider the related costs and resources when they implement the controls to reduce risk. How do managers use the lowest cost and the least resources to establish controls that reduce risk to an acceptable level? All of the above issues can be investigated in future studies.

Appendix A

Figs. A1 and A2.

Appendix B

Risk is a combination of the probability of an event and its consequence [11,12]. Many studies have introduced formulas for risk. Several risk formulas are introduced as follows. Firstly, the most popular formula is:

R = P × C   (A.1)

where R represents “risk”, P represents “probability of occurrence of security breach”, and C represents “consequence of occurrence of security breach” [14,16,20,25,43].

References

[1] K. Biery, Aligning an information risk management approach to BS 7799-3:2005, SANS Institute InfoSec Reading Room, 2006.

[2] K.J. Farn, S.K. Lin, C.C. Lo, A study on e-Taiwan information system security classification and implementation, Computer Standards & Interfaces 30 (1) (2008) 1–7.

[3] E. Fontela, A. Gabus, DEMATEL, innovative methods, Report no. 2, Structural analysis of the world problematique, Battelle Geneva Research Institute, 1974.

[4] E. Fontela, A. Gabus, The DEMATEL observer, Battelle Institute, Geneva Research Center, 1976.

[5] M. Freimer, P.L. Yu, Some new results on compromise solutions for group decision problems, Management Science 22 (6) (1976) 688–693. [6] A. Gabus, E. Fontela, World problems an invitation to further thought within the framework of DEMATEL, Battelle Geneva Research Centre, Geneva,

Switzerland, 1972.

[7] A. Gabus, E. Fontela, Perceptions of the world problematique: communication procedure, communicating with those bearing collective responsibility (DEMATEL Report No. 1), Battelle Geneva Research Centre, Geneva, Switzerland, 1973.

[8] C.Y. Huang, J.Z. Shyu, G.H. Tzeng, Reconfiguring the innovation policy portfolios for Taiwan’s SIP Mall industry, Technovation 27 (12) (2007) 744–765. [9] J.J. Huang, G.H. Tzeng, C.S. Ong, Multidimensional data in multidimensional scaling using the analytic network process, Pattern Recognition Letters 26

(2005) 755–767.

[10] C.L. Hwang, K. Yoon, Multi-objective Decision Making – Methods and Application – A State-of-the-Art Study, Springer-Verlag, New York, 1981. [11] ISO/IEC Guide 73, Risk management-vocabulary-guidelines for use in standards, 2002.

[12] ISO/IEC 17799, Information technology-security techniques-code of practice for information security management, 2005. [13] ISO/IEC 27001, Information technology-security techniques-information security management system-requirements, 2005. [14] B. Karabacak, I. Sogukpinar, ISRAM: information security risk analysis method, Computers & Security 24 (2) (2005) 147–159.

[15] E.E. Karsak, S. Sozer, S.E. Alptekin, Product planning in quality function deployment using a combined analytic network process and goal programming approach, Computers & Industrial Engineering 44 (1) (2002) 171–190.

[16] A.S. Kirkwood, Why do we worry when scientists say there is no risk? Disaster Prevention and Management 3 (2) (1994) 15–22.

[17] J.W. Lee, S.H. Kim, Using analytic network process and goal programming for interdependent information system project selection, Computers & Operations Research 27 (4) (2000) 367–382.

[18] J.J.H. Liou, G.H. Tzeng, H.C. Chang, Airline safety measurement using a hybrid model, Air Transport Management 13 (4) (2007) 243–249.

[19] F. Liu, K. Dai, Z. Wang, J. Ma, Research on fuzzy group decision making in security risk assessment, Lecture Notes in Computer Science 3421 (2005) 1114–1121.

[20] N. McEvoy, A. Whitcombe, Structured risk analysis, in: InfraSec, LNCS, vol. 2437, 2002, pp. 88–103.

[21] L.M. Meade, A. Presley, R&D project selection using the analytic network process, IEEE Transactions on Engineering Management 49 (1) (2002) 59–66.
[22] J.A. Momoh, J. Zhu, Optimal generation scheduling based on AHP/ANP, IEEE Transactions on Systems, Man and Cybernetics – Part B: Cybernetics 33 (3) (2003) 531–535.

[23] National Information and Communication Security Taskforce (NICST), Background, 2001. <http://www.nicst.nat.gov.tw/content/application/nicst/eng_background/guest-cnt-browse.php?cnt_id=56>.

[24] National Institute of Standards and Technology (NIST), NIST Special Publication 800-53, Information Security, 2005.

[25] National Institute of Standards and Technology (NIST), NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems, 2002.

[26] S. Opricovic, Multicriteria optimization of civil engineering systems, Faculty of Civil Engineering, Belgrade, 1998.

[27] S. Opricovic, G.H. Tzeng, Extended VIKOR method in comparison with outranking methods, European Journal of Operational Research 178 (2) (2007) 514–529.

[28] S. Opricovic, G.H. Tzeng, Compromise solution by MCDM methods: a comparative analysis of VIKOR and TOPSIS, European Journal of Operational Research 156 (2) (2004) 445–455.

[29] S. Opricovic, G.H. Tzeng, Multicriteria planning of post-earthquake sustainable reconstruction, Computer-Aided Civil and Infrastructure Engineering 17 (3) (2002) 211–220.

[30] Y.P. Ou Yang, H.M. Shieh, G.H. Tzeng, A VIKOR technique with applications based on DEMATEL and ANP, MCDM 2009, Communications in Computer and Information Science (CCIS), vol. 35, Springer-Verlag, Berlin Heidelberg, 2009, pp.780–799.


[31] Y.P. Ou Yang, H.M. Shieh, J.D. Leu, G.H. Tzeng, A VIKOR-based multiple criteria decision method for improving information security risk, International Journal of Information Technology & Decision Making 8 (2) (2009) 267–287.

[32] Y.P. Ou Yang, H.M. Shieh, J.D. Leu, G.H. Tzeng, A novel hybrid MCDM model combined with DEMATEL and ANP with applications, International Journal of Operations Research 5 (3) (2008) 160–168.

[33] S.G. René, Information security management best practice based on ISO/IEC 17799, Information Management Journal 39 (4) (2005) 60–66.
[34] T.L. Saaty, Decision Making with Dependence and Feedback: Analytic Network Process, RWS Publications, Pittsburgh, 1996.

[35] T.L. Saaty, Fundamentals of the analytic network process, in: International Symposium on the Analytic Hierarchy Process, Kobe, 1999.
[36] T.L. Saaty, The Analytic Hierarchy Process, McGraw-Hill, New York, 1980.

[37] T.L. Saaty, The analytic network process: dependence and feedback in decision making (Part 1): theory and validation examples, SESSION 4B: theory and development of the analytic hierarchy process/analytic network process, in: The 17th International Conference on Multiple Criteria Decision Making, August 6–11, 2004, The Whistler Conference Centre, Whistler, British Columbia, Canada, 2004.

[38] M. Tamura, H. Nagata, K. Akazawa, Extraction and systems analysis of factors that prevent safety and security by structural models, in: 41st SICE Annual Conference, Osaka, Japan, 2002.

[39] U.R. Tuzkaya, S. Önüt, A fuzzy analytic network process based approach to transportation-mode selection between Turkey and Germany: a case study, Information Sciences 178 (15) (2008) 3133–3146.

[40] G.H. Tzeng, M.H. Teng, J.J. Chen, S. Opricovic, Multicriteria selection for a restaurant location in Taipei, International Journal of Hospitality Management 21 (2) (2002) 171–187.

[41] G.H. Tzeng, C.W. Lin, S. Opricovic, Multi-criteria analysis of alternative-fuel buses for public transportation, Energy Policy 33 (1) (2005) 1373–1383.
[42] G.H. Tzeng, C.H. Chiang, C.W. Li, Evaluating intertwined effects in e-learning programs: a novel hybrid MCDM model based on factor analysis and DEMATEL, Expert Systems with Applications 32 (4) (2007) 1028–1044.

[43] United States General Accounting Office (USGAO), Information Security Risk Assessment, 1999. <http://www.gao.gov/special.pubs/ai00033.pdf>.
[44] J.N. Warfield, Societal Systems, Planning, Policy and Complexity, John Wiley & Sons, New York, 1976.

[45] P.L. Yu, A class of solutions for group decision problems, Management Science 19 (8) (1973) 936–946.

[46] I. Yüksel, M. Dağdeviren, Using the analytic network process (ANP) in a SWOT analysis – A case study for a textile firm, Information Sciences 177 (16) (2007) 3364–3382.

Data

Fig. 1. Risk management process model (Source: [1]).
Fig. 2. The relation between the research framework and risk-management process model.
Fig. 4. The structure of subgoals for the empirical case.
Table 11 shows that the risk of the operational/technical subgoals is higher than the risk of the organizational/management subgoal.
