June 24, 2009 15:29 WSPC/173-IJITDM

00337

International Journal of Information Technology & Decision Making, Vol. 8, No. 2 (2009) 267–287. © World Scientific Publishing Company

A VIKOR-BASED MULTIPLE CRITERIA DECISION METHOD FOR IMPROVING INFORMATION SECURITY RISK

YU-PING OU YANG∗, HOW-MING SHIEH and JUN-DER LEU
Department of Business Administration, National Central University, 300 Chung-da Road, Chung-Li City 320, Taiwan
∗[email protected]

GWO-HSHIUNG TZENG
Department of Business and Entrepreneurial Management, Kainan University, No. 1, Kainan Road, Luchu, Taoyuan 338, Taiwan
and Institute of Management of Technology, National Chiao Tung University, 1001 Ta-Hsueh Road, Hsinchu 300, Taiwan
[email protected]

Most multicriteria methods focus on ranking and selecting from a set of alternatives. These methods are usually used to compare all alternatives based on the synthesized scorings within a normalized scale with respect to the same criteria in multicriteria problems. However, the decision makers often simultaneously manage one or several alternatives/projects with conflicting and noncommensurable criteria to reduce the gaps to achieve the aspired grade in practice. They then need to rank the gaps that have not been reduced or improved (the unimproved gaps) for the alternatives/projects or aspects of a project to get the most benefit. Because these compared alternatives/projects do not usually have the same criteria/aspects, traditional methods are unsuitable to deal with them. Thus, this research proposes a new VIKOR method to solve this problem; this new method allows the decision maker to understand these gaps of the projects/aspects and rank them to improve these large gaps in control items to achieve the aspired level. Its concept originates in compromise solutions, in particular the VIKOR method. In addition, this research also provides an example of improving information security risk to demonstrate the suitability of this new method. The results show the effectiveness of the new method.

Keywords: Multiple criteria decision making (MCDM); compromise solution; VIKOR; risk assessment; residual risk; information security management system (ISMS).

1. Introduction

Multiple criteria decision making (MCDM) is the tool most frequently used to deal with conflict management [5,20]. Practical problems are often characterized by several noncommensurable and conflicting (competing) criteria, and there may be no solution satisfying all criteria simultaneously. Therefore, the solution is a set of noninferior solutions, or a compromise solution according to the decision makers' preference. A compromise solution for a problem with conflicting criteria can allow the decision makers to reach a final decision. The foundation for compromise solutions was established by Yu [26] and Zeleny [27], and other distance-based techniques have also been developed [1]. The compromise solution is a feasible solution closest to the ideal/aspired level, and a compromise means an agreement established by mutual concessions. The VIKOR (VlseKriterijumska Optimizacija I Kompromisno Resenje in Serbian, meaning Multicriteria Optimization and Compromise Solution) method introduced the multicriteria ranking index based on the particular measure of closeness to the ideal/aspired-level solution and was introduced as one applicable technique to implement within MCDM [16]. The VIKOR method was developed as a multicriteria decision-making method to solve discrete decision problems with noncommensurable and conflicting criteria [17–19,22,23]. This method focuses on ranking and selecting from a set of alternatives in the presence of conflicting criteria, which could help the decision makers to reach a final decision [19]. These methods rank and select alternatives based on all established criteria, using the same criteria for each alternative. However, in practice the decision maker often simultaneously manages or improves the achieved rate of progress in one or several projects (plans); he therefore needs to know the unimproved gaps of the projects or aspects of a project ("projects or aspects of a project" is abbreviated to "projects/aspects") so as to improve them to achieve the minimum/zero gaps.

∗ Corresponding author.
However, when these unimproved gaps of the projects/aspects need to be ranked, because they each have their own individual criteria, the traditional methods are unsuitable for dealing with them. Therefore, this research proposes a method for solving these problems. The concept behind the method proposed in this research is to derive a compromise solution for finding minimal gaps; in particular, the method draws on the concept of VIKOR. The VIKOR method, modified to fit our needs, ranks the unimproved gaps of the projects/aspects calculated based on the lower-level criteria. Namely, this new method can rank the unimproved gaps of the projects/aspects, which are managed or improved simultaneously, so as to control the progress of all cases. We call this new method the VIKORRUG (VIKOR for Ranking Unimproved Gap) method. In this research, we illustrate a case of information security management system (ISMS) implementation to demonstrate the feasibility of the proposed method. We also develop a hierarchical ISMS risk management model and, respectively, use the VIKORRUG and SAW (Simple Additive Weighting) methods to rank the unimproved gaps of the risk control objectives and control areas to help the decision makers improve the information security risk. The results show VIKORRUG is an effective and applicable method for ranking the progress of several projects/aspects.


The remainder of this paper is organized as follows: in Sec. 2, we present the concepts of the VIKOR method. In Sec. 3, the VIKORRUG method is proposed; in Sec. 4, an empirical study is done using the approach detailed in Sec. 3, and the results are presented and discussed. Finally, Sec. 5 presents the conclusions.

2. VIKOR Method

The VIKOR method began with the form of the L_p-metric, which was used as an aggregating function in a compromise programming method and developed into the multicriteria measure for compromise ranking. We assume the alternatives are denoted as A_1, A_2, ..., A_i, ..., A_m. w_j is the weight of the jth criterion, expressing the relative importance of the criteria, where j = 1, 2, ..., n, and n is the number of criteria. The rating (performance score) of the jth criterion is denoted by f_ij for alternative A_i. The form of the L_p-metric was introduced by Duckstein and Opricovic [2] and is formulated as follows:

    L_{p,i} = \left\{ \sum_{j=1}^{n} \left[ w_j \, |f_j^* - f_{ij}| / |f_j^* - f_j^-| \right]^p \right\}^{1/p}, \quad 1 \le p \le \infty; \; i = 1, 2, \ldots, m.    (1)

The VIKOR method is not only generated with the above form of the L_p-metric, but also uses L_{p=1,i} (as S_i in Eq. (2)) and L_{p=\infty,i} (as Q_i in Eq. (3)) to formulate the ranking measure [16,18,19,23]:

    S_i = L_{p=1,i} = \sum_{j=1}^{n} w_j \, |f_j^* - f_{ij}| / |f_j^* - f_j^-|,    (2)

    Q_i = L_{p=\infty,i} = \max_j \{ w_j \, |f_j^* - f_{ij}| / |f_j^* - f_j^-| \mid j = 1, 2, \ldots, n \}.    (3)

When p is small, the group utility is emphasized (such as p = 1), and as p increases, the individual regrets/gaps receive more weight [4,26]. In addition, the compromise solution min_i L_{p,i} will be chosen because its value is closest to the ideal/aspired level. Therefore, min_i S_i expresses the minimization of the average sum of the individual regrets/gaps and min_i Q_i expresses the minimization of the maximum individual regret/gap for prioritizing the improvement. In other words, min_i S_i emphasizes the maximum group utility, whereas min_i Q_i emphasizes selecting the minimum among the maximum individual regrets. Based on the above concepts, the compromise-ranking algorithm VIKOR consists of the following steps.

Step 1: Determine the best f_j^* and the worst f_j^- values of all criterion functions, j = 1, 2, ..., n. If we assume the jth function represents a benefit, then f_j^* = max_i f_ij (or setting an aspired level) and f_j^- = min_i f_ij (or setting a tolerable level). Alternatively, if we assume the jth function represents a cost/risk, then f_j^* = min_i f_ij (or setting an aspired level) and f_j^- = max_i f_ij (or setting a tolerable level). Moreover, we propose an original rating matrix and a normalized weight-rating matrix of risk as follows (rows are the alternatives A_1, ..., A_m, columns are the criteria 1, ..., n):

    F = [f_{ij}]_{m \times n} \;\xrightarrow{\text{normalized}}\; [w_j r_{ij}]_{m \times n},

where r_ij = |f_j^* - f_ij| / |f_j^* - f_j^-|, f_j^* is the aspired/desired level, and f_j^- is the tolerable level for each criterion.

Step 2: Compute the values S_i and Q_i, i = 1, 2, ..., m, using the relations

    S_i = \sum_{j=1}^{n} w_j r_{ij},    (4)

    Q_i = \max_j \{ w_j r_{ij} \mid j = 1, 2, \ldots, n \}.    (5)

Step 3: Compute the index values R_i, i = 1, 2, ..., m, using the relation

    R_i = v \, (S_i - S^*)/(S^- - S^*) + (1 - v) \, (Q_i - Q^*)/(Q^- - Q^*),    (6)

where S^* = min_i S_i (or setting the best S^* = 0), S^- = max_i S_i (or setting the worst S^- = 1), Q^* = min_i Q_i (or setting the best Q^* = 0), Q^- = max_i Q_i (or setting the worst Q^- = 1), and 0 ≤ v ≤ 1, where v is introduced as a weight for the strategy of maximum group utility, whereas 1 - v is the weight of the individual regret. In other words, when v > 0.5, this represents a decision-making process that could use the strategy of maximum group utility (i.e. if v is big, group utility is emphasized), or by consensus when v ≈ 0.5, or with veto when v < 0.5.

Step 4: Rank the alternatives, sorting by the values {S_i, Q_i, and R_i | i = 1, 2, ..., m}, in decreasing order. Propose as a compromise the alternative A^{(1)} which is ranked first by the measure min{R_i | i = 1, 2, ..., m} if the following two conditions are satisfied:

C1. Acceptable advantage: R(A^{(2)}) - R(A^{(1)}) ≥ 1/(m - 1), where A^{(2)} is the alternative in second position in the ranking list by R; m is the number of alternatives.

C2. Acceptable stability in decision making: Alternative A^{(1)} must also be the best ranked by {S_i or/and Q_i | i = 1, 2, ..., m}.
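The four VIKOR steps above, implemented as an added example (this code is not from the paper; the alternatives, weights and risk scores are constructed, and the function name `vikor` is my own). It uses the relative levels S^* = min S, S^- = max S, Q^* = min Q, Q^- = max Q of Step 3, checks C1 and C2 in Step 4 and, when C1 fails, keeps every alternative whose R lies within 1/(m - 1) of the best one as the compromise set. The constructed data are chosen so that C1 fails, which is the case a practitioner most needs to recognise: the top-ranked alternative is not far enough ahead to be declared the single winner.

```python
# Added example, not from the paper: classical VIKOR (Sec. 2) on four
# constructed alternatives scored on three common cost/risk criteria
# (lower is better). All labels, weights and scores below are made up.

ALTERNATIVES = ["A1", "A2", "A3", "A4"]
WEIGHTS = [0.5, 0.3, 0.2]            # w_j, must sum to 1
RATINGS = [                          # f_ij, residual-risk scores
    [3.0, 7.0, 2.0],
    [5.0, 2.0, 4.0],
    [2.0, 3.0, 8.0],
    [6.0, 5.0, 5.0],
]


def vikor(ratings, weights, v=0.5, cost=True):
    """Classical VIKOR: returns S, Q, R, the ranking and the compromise set."""
    m, n = len(ratings), len(weights)
    cols = list(zip(*ratings))
    # Step 1: best f_j^* and worst f_j^- of each criterion
    f_star = [min(c) if cost else max(c) for c in cols]
    f_minus = [max(c) if cost else min(c) for c in cols]

    def r(i, j):  # normalized gap r_ij; a criterion with no spread has gap 0
        span = abs(f_star[j] - f_minus[j])
        return 0.0 if span == 0 else abs(f_star[j] - ratings[i][j]) / span

    # Step 2: S_i (Eq. 4) and Q_i (Eq. 5); both use the weighted gap
    S = [sum(weights[j] * r(i, j) for j in range(n)) for i in range(m)]
    Q = [max(weights[j] * r(i, j) for j in range(n)) for i in range(m)]

    # Step 3: R_i (Eq. 6) with relative levels S* = min S, S- = max S, ...
    def norm(x, lo, hi):
        return 0.0 if hi == lo else (x - lo) / (hi - lo)

    R = [v * norm(S[i], min(S), max(S)) + (1 - v) * norm(Q[i], min(Q), max(Q))
         for i in range(m)]

    # Step 4: the smallest R is closest to the aspired level; test C1 and C2
    order = sorted(range(m), key=lambda i: R[i])
    best, runner_up = order[0], order[1]
    dq = 1.0 / (m - 1)
    c1 = R[runner_up] - R[best] >= dq               # acceptable advantage
    c2 = S[best] == min(S) or Q[best] == min(Q)     # acceptable stability
    if c1 and c2:
        compromise = [best]
    elif not c1:
        # A(1), A(2), ..., A(M): all alternatives within 1/(m-1) of the best R
        compromise = [i for i in order if R[i] - R[best] < dq]
    else:
        compromise = [best, runner_up]
    return {"S": S, "Q": Q, "R": R, "order": order,
            "C1": c1, "C2": c2, "compromise": compromise}


if __name__ == "__main__":
    res = vikor(RATINGS, WEIGHTS, v=0.5)
    for i in res["order"]:
        print(f"{ALTERNATIVES[i]}: S={res['S'][i]:.3f} Q={res['Q'][i]:.3f} R={res['R'][i]:.3f}")
    print("C1:", res["C1"], "C2:", res["C2"],
          "compromise set:", [ALTERNATIVES[i] for i in res["compromise"]])
```

With the constructed scores, A3 has the smallest S, Q and R (so C2 holds), but A1 follows within 1/(m - 1) = 1/3 of it, so C1 fails and the method returns {A3, A1} rather than a single winner.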


If one of the conditions is not satisfied, then a set of compromise solutions is proposed, which consists of:
• Alternatives A^{(1)} and A^{(2)} if only condition C2 is not satisfied.
• Alternatives A^{(1)}, A^{(2)}, ..., A^{(M)} if condition C1 is not satisfied. A^{(M)} is determined by the relation R(A^{(M)}) - R(A^{(1)}) < 1/(m - 1) for maximum M (the positions of these alternatives are close).

The compromise solution is determined by the compromise-ranking method; the obtained compromise solution could be accepted by the decision makers because it provides maximum group utility of the majority (represented by min S, Eq. (4)) and minimum individual regret of the opponent (represented by min Q, Eq. (5)). The VIKOR algorithm determines the weight stability intervals for the obtained compromise solution with the input weights given by the experts [16].

3. VIKORRUG Method

In this section, we will present the basic idea of the VIKORRUG method and its computational steps and related functions. In addition, numerical examples will be used to illustrate the new method. The idea behind the new VIKOR (VIKORRUG) compromise-ranking algorithm originates from the VIKOR method. The VIKOR method was developed to solve MCDM problems with conflicting and noncommensurable (different units) criteria and provides a solution that is the closest to the ideal; the concept of being closest to the ideal is also used in the VIKORRUG method. VIKOR and VIKORRUG differ as follows: in the VIKOR method the alternatives are ranked according to all established criteria, using the same criteria for each alternative, the focus being on ranking and selecting alternatives, whereas with the VIKORRUG method, this study replaces a fixed common number of criteria for all projects/aspects with a set of criteria for each alternative/project and proposes a method for the decision maker to rank the unimproved gaps of the alternatives/projects/aspects. This is the most important contribution of this paper.

Specifically, each project/aspect has its own criteria; these projects/aspects are ranked by using the VIKORRUG method to aggregate the unimproved gaps according to the particular criteria for each project/aspect. Detailed illustrations of how the VIKORRUG method modifies the VIKOR method are described below. Projects A_1, A_2, ..., A_i, ..., A_m are assessed by n_1, n_2, ..., n_i, ..., n_m criteria, respectively, where n_i is the number of criteria of the project A_i, i = 1, 2, ..., m. We assume w_j^i is the weight (importance) of criterion j of project A_i and f_ij is the value (rating) of criterion j of project A_i. The VIKORRUG method is presented by the following steps.

Step 1: Determine the best f_j^* and the worst f_j^- values. Because each project is ranked according to its own criteria, an ideal point and a nonideal point, as in the VIKOR method (f_j^* = max_i f_ij and f_j^- = min_i f_ij), cannot be set. Therefore, the


benefit or cost must be reset according to the expectation of the decision maker for each criterion of each project, and we call the best f_ij^* the aspired level and the worst f_ij^- the tolerable level; these functions are expressed as follows:

    f_ij^* = aspired f_ij     (or f_ij^* = aspired level),
    f_ij^- = tolerable f_ij   (or f_ij^- = tolerable level).

In addition, we rewrite the normalized weight-rating table for the new method as follows:

Table 1. The normalized weight-rating table for VIKORRUG.

Original ratings (each project A_i has its own n_i criteria c_1, ..., c_{n_i}):

  Project   c_1      ...   c_j      ...   c_{n_i}
  A_1       f_11     ...   f_1j     ...   f_{1 n_1}
  ...       ...            ...            ...
  A_i       f_i1     ...   f_ij     ...   f_{i n_i}
  ...       ...            ...            ...
  A_m       f_m1     ...   f_mj     ...   f_{m n_m}

Normalized (f_ij ⇒ w_j^i r_ij):

  Project   c_1            ...   c_j            ...   c_{n_i}
  A_1       w_1^1 r_11     ...   w_j^1 r_1j     ...   w_{n_1}^1 r_{1 n_1}
  ...       ...                  ...                  ...
  A_i       w_1^i r_i1     ...   w_j^i r_ij     ...   w_{n_i}^i r_{i n_i}
  ...       ...                  ...                  ...
  A_m       w_1^m r_m1     ...   w_j^m r_mj     ...   w_{n_m}^m r_{m n_m}

where n_i is the number of criteria in each project A_i, because each project has its own assessing criteria. The weights w_j^i must be normalized within the same project (where j = 1, ..., n_i), i.e. \sum_{j=1}^{n_i} w_j^i = 1. In addition, the best f_ij^* is the aspired/desired level and the worst f_ij^- is the tolerable level for each criterion of each project (for example, f_11 has an aspired/desired level f_11^*, f_12 has an aspired/desired level f_12^*, and so on). The normalized ratings (performance scores) r_ij are defined as

    r_ij = |f_ij^* - f_ij| / |f_ij^* - f_ij^-|.

Step 2: Compute the values S_i and Q_i, i = 1, 2, ..., m. The functions are

    S_i = \sum_{j=1}^{n_i} w_j^i r_{ij}, \quad i = 1, 2, \ldots, m,    (7)

    Q_i = \max_j \{ r_{ij} \mid j = 1, 2, \ldots, n_i \}, \quad i = 1, 2, \ldots, m.    (8)

In the traditional VIKOR method, Q_i is represented as max_j {w_j r_ij | j = 1, 2, ..., n}, which implies group utility is more important than maximal regret. Since Q_i is only a part of S_i, S_i is unquestionably larger than Q_i. Therefore, S_i is emphasized more than Q_i in the traditional VIKOR method. However, the maximal regret is also very important in practice and is usually taken into account in order to improve it. In order to balance S_i and Q_i, Eq. (8) is used instead of the traditional VIKOR Q_i.

Step 3: Compute the index values R_i, i = 1, 2, ..., m. The function R_i and the value v are the same as in Step 3 of the VIKOR method. Moreover, S^*, S^-, Q^*, and Q^- are rewritten and listed below:

    S^* = \min_i S_i, \; S^- = \max_i S_i    or    S^* = best S, \; S^- = worst S,
    Q^* = \min_i Q_i, \; Q^- = \max_i Q_i    or    Q^* = best Q, \; Q^- = worst Q.

In the VIKOR method, we set S^*, S^-, Q^*, and Q^- by S^* = min_i S_i, S^- = max_i S_i, Q^* = min_i Q_i, and Q^- = max_i Q_i. However, in the VIKORRUG method, we append an aspired level and a tolerable level for S and Q of the compared projects (or aspects/objectives), respectively, to obtain absolute relations for the index values R_i. This study sets S^* = 0, Q^* = 0, S^- = 1, and Q^- = 1 in order to get absolute relations for the index values R_i. Specifically, if we use min_i S_i as S^* and min_i Q_i as Q^*, this implies a relative relation for the index values R_i of these projects (or aspects/objectives), whereas if we use 0 as the best level and 1 as the worst level, it implies an absolute relation for the index values R_i of these projects (or aspects/objectives). These latter (appended) settings have more flexibility to fit the needs of organizations. Therefore, we can add the best (aspired) and the worst (tolerable) levels to the VIKORRUG method. In addition, 0 ≤ v ≤ 1; when v > 0.5, S is emphasized more than Q in Eq. (6), whereas when v < 0.5, Q is emphasized more than S in Eq. (6). More specifically, when v = 1, it represents a decision-making process that could use the strategy of maximum group utility, whereas when v = 0, it represents a decision-making process that could use the strategy of minimum individual regret, which is obtained among the maximum individual regrets/gaps of the lower-level criteria of each project (or aspects/objectives). The weight v affects the ranking order of the projects/aspects/objectives and is usually determined by the experts or decision makers. To sum up, we use the above steps not only to obtain the best projects (or aspects/objectives) based on the values {R_i | i = 1, 2, ..., m}, which are those with the minimum value of R_i, but also to prioritize the projects (or aspects/objectives) with respect to the gaps, based on {R_i | i = 1, 2, ..., m}, for achieving improvements.

In order to illustrate the new method, the following two numerical examples are proposed.

Numerical example 1. We assume projects A_1, A_2, A_3 have different assessing criteria, the number of criteria being 3, 2, 3, respectively. The detailed weights and performance scores (ratings) are presented in Table 2. The ranges of the scores f_ij are bounded by f_ij^- (the tolerable level for each criterion of each project) and f_ij^* (the aspired/desired level for each criterion of each project). In addition, if we want S^* = aspired S = 0 and S^- = tolerable S = 1, and v = 0.5, then we use the above steps of the VIKORRUG method to obtain the results, which are presented in Table 2.


Table 2. Results of this case for VIKORRUG (S^* = 0, S^- = 1, Q^* = 0, Q^- = 1).

Project  Criterion  Weight  Rating  Tolerable  Aspired  Normalized    w_j^i r_ij  S_i        Q_i        R_i
A_i      C_ij       w_j^i   f_ij    f_ij^-     f_ij^*   rating r_ij               (v = 1.0)  (v = 0.0)  (v = 0.5)
A1       C11        0.3     70      1          100      0.30          0.09        0.33       0.56       0.45
         C12        0.2     5       1          10       0.56          0.11
         C13        0.5     4       1          5        0.25          0.13
A2       C21        0.3     3       1          5        0.50          0.15        0.30       0.50       0.40
         C22        0.7     20      1          25       0.21          0.15
A3       C31        0.4     5       1          10       0.56          0.22        0.48       0.56       0.52
         C32        0.2     3       1          5        0.50          0.10
         C33        0.4     30      1          50       0.41          0.16

From Table 2, we find the ranking order of the unimproved gaps is R_3 > R_1 > R_2, i.e. A_2 ≻ A_1 ≻ A_3. Therefore, we need to improve A_3 first, A_1 next, and A_2 last.

Numerical example 2. We assume projects A_1, A_2, A_3 have different assessing criteria for measuring risk problems, the number of criteria being 4, 2, 3, respectively. The detailed weights and performance scores (ratings) are presented in Table 3. If the ranges of the scores f_ij are set from 0 to 10, we can accept the lowest (tolerable) constraint as 10 and the aspired level as 0 (no risk), and we can then set all f_ij^* = 0 and f_ij^- = 10. In addition, if we want S^* = aspired S = 0 and S^- = tolerable S = 1, and v = 0.5, then we use the above steps of the VIKORRUG method to obtain the results, which are presented in Table 3. From Table 3, we find the ranking order of the unimproved gaps is R_3 > R_1 > R_2, i.e. A_2 ≻ A_1 ≻ A_3. Therefore, we need to improve A_3 first, A_1 next, and A_2 last.

Table 3. Results of this case for VIKORRUG (all f_ij^* = 0, f_ij^- = 10; S^* = 0, S^- = 1, Q^* = 0, Q^- = 1).

Project  Criterion  Weight  Rating  Normalized    w_j^i r_ij  S_i        Q_i        R_i
A_i      C_ij       w_j^i   f_ij    rating r_ij               (v = 1.0)  (v = 0.0)  (v = 0.5)
A1       C11        0.2     2       0.2           0.04        0.33       0.4        0.37
         C12        0.1     3       0.3           0.03
         C13        0.5     4       0.4           0.20
         C14        0.2     3       0.3           0.06
A2       C21        0.4     3       0.3           0.12        0.24       0.3        0.27
         C22        0.6     2       0.2           0.12
A3       C31        0.3     5       0.5           0.15        0.32       0.5        0.41
         C32        0.3     3       0.3           0.09
         C33        0.4     2       0.2           0.08
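The VIKORRUG steps on the data of Tables 2 and 3, as an added example (this is not the authors' code; the function names `vikorrug` and `improvement_order` are mine). Each project carries its own list of criteria, Q_i is the unweighted maximum gap of Eq. (8), and the absolute levels S^* = Q^* = 0, S^- = Q^- = 1 are used in Eq. (6). The results reproduce both tables up to the rounding the paper applies to its intermediate columns, and the v = 0 and v = 1 calls show the index collapsing to the maximum individual gap and to the weighted sum, respectively.

```python
# Added example, not the paper's code: VIKORRUG (Sec. 3) with a separate
# criterion set per project. Data are the paper's Tables 2 and 3.

# Each criterion is (weight w_j^i, rating f_ij, tolerable f_ij^-, aspired f_ij^*).
EXAMPLE_1 = {                        # Table 2: benefit-type criteria
    "A1": [(0.3, 70, 1, 100), (0.2, 5, 1, 10), (0.5, 4, 1, 5)],
    "A2": [(0.3, 3, 1, 5), (0.7, 20, 1, 25)],
    "A3": [(0.4, 5, 1, 10), (0.2, 3, 1, 5), (0.4, 30, 1, 50)],
}
EXAMPLE_2 = {                        # Table 3: risk scores 0..10, aspired 0
    "A1": [(0.2, 2, 10, 0), (0.1, 3, 10, 0), (0.5, 4, 10, 0), (0.2, 3, 10, 0)],
    "A2": [(0.4, 3, 10, 0), (0.6, 2, 10, 0)],
    "A3": [(0.3, 5, 10, 0), (0.3, 3, 10, 0), (0.4, 2, 10, 0)],
}


def vikorrug(projects, v=0.5, s_star=0.0, s_minus=1.0, q_star=0.0, q_minus=1.0):
    """Steps 1-3 of VIKORRUG: returns {project: (S_i, Q_i, R_i)}."""
    out = {}
    for name, crit in projects.items():
        # weights must be normalized within the project (sum_j w_j^i = 1)
        ws = sum(w for w, *_ in crit)
        if abs(ws - 1.0) > 1e-9:
            raise ValueError(f"weights of {name} must sum to 1, got {ws}")
        # Step 1: r_ij = |f* - f| / |f* - f-| with the project's own levels
        r = []
        for _, f, f_minus, f_star in crit:
            if f_star == f_minus:
                raise ValueError(f"{name}: aspired and tolerable levels coincide")
            r.append(abs(f_star - f) / abs(f_star - f_minus))
        # Step 2: Eq. (7) weighted sum and Eq. (8) unweighted maximum gap
        S = sum(w * rij for (w, *_), rij in zip(crit, r))
        Q = max(r)
        # Step 3: Eq. (6) with absolute levels (0 best, 1 worst by default)
        R = (v * (S - s_star) / (s_minus - s_star)
             + (1 - v) * (Q - q_star) / (q_minus - q_star))
        out[name] = (S, Q, R)
    return out


def improvement_order(projects, v=0.5):
    """Projects sorted by unimproved gap, largest R_i first (improve it first)."""
    res = vikorrug(projects, v)
    return sorted(res, key=lambda k: res[k][2], reverse=True)


if __name__ == "__main__":
    for label, data in (("Table 2", EXAMPLE_1), ("Table 3", EXAMPLE_2)):
        print(label)
        for name, (S, Q, R) in vikorrug(data).items():
            print(f"  {name}: S={S:.2f} Q={Q:.2f} R={R:.2f}")
        print("  improve in order:", improvement_order(data))
```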


4. An Empirical Case of Improving Information Security Risk

In this section, a case of information security risk ranking is used to illustrate the feasibility of the proposed approach. The background, the problem statements and the assessing processes of this empirical case are discussed below.

4.1. Problem descriptions

With the development of computers and computer networks, the threat of information security incidents that would jeopardize the valuable information of organizations is becoming increasingly serious; it may even influence the success or failure of enterprises. In order to maintain their competitiveness, enterprises should safeguard their information and try to reduce the risk of it being compromised to zero or an acceptable level. Therefore, the issue of information security management has also become more significant [11,12,25]. The main point of an ISMS is to protect information from a wide range of threats in order to ensure business sustainability/continuity, minimizing business damage and maximizing the return on investment and business opportunities [6]. A systematic ISMS can find potential information risks for enterprises and it can also improve information security and reduce risk to zero or an acceptable level in an organization. In order to implement a systematic ISMS method, standards and guidelines concerning information security have been developed, such as ISO/IEC 13335-1 [8], ISO/IEC TR 13335-3 [9], ISO/IEC TR 13335-4 [10], ISO/IEC 17799 [6], ISO/IEC 27001 [7], NIST Special Publication 800-30 [15] and other standards and guides related to information technologies [21]. These standards help organizations to manage and protect valuable information assets.

In Taiwan, the government strives to use computers and the Internet to provide innovative services and improve service efficiency. Therefore, the Information & Communication Security Mechanism Plan, Phase I was approved and the National Information and Communication Security Taskforce (NICST) was established in January 2001 [14]. Its primary intention was to set up an integral information and communication security defense system for thousands of major government departments. It has also implemented strict controls on major national infrastructure information systems that affect national security and social stability. Its preliminary goal has been to achieve the aspired levels. In 2002 [3], the government expedited information security work across the board. It was divided into levels A, B, C, and D according to the size of the departments, authorized tasks and the amount of investment, in which level A represents core units, level B comes next, and so on. Different levels have different requirements for information security protection. These government organizations must implement their information security management depending on their information security level. They need to check their information security controls regularly to ensure the safety of information assets. However, with a large number of information security controls, the decision makers usually do not know which control areas and control objectives should be improved. Evaluating and prioritizing these control areas and control objectives is an MCDM problem. Thus, using MCDM methods to rank the unimproved gaps of control areas and control objectives can achieve the goal. Therefore, this research proposes a hierarchical ISMS structure and a compromise-ranking algorithm, VIKORRUG, to aggregate the unimproved gaps in terms of controls for upper-level control objectives; moreover, we use the SAW method to aggregate the unimproved gaps of lower-level control objectives for control areas (upper level). Their results can help decision makers to understand which control objectives (or control areas) should be strengthened. In addition, in practice, these control objectives or control areas may be managed by related information security managers or teams; we can understand the implementation progress of these managers or teams using the new method. To sum up, the results can help the decision maker efficiently manage the ISMS in organizations.

4.2. Constructing a new VIKORRUG method for a risk management system

The construction of a hierarchical ISMS risk management system consists of: (1) generating evaluative criteria and constructing a hierarchical ISMS improved-risk model for the case of a government agency; (2) collecting ratings and weights; (3) using VIKORRUG to obtain the risk ranking order. A detailed illustration is described as follows.

4.2.1. Generating evaluative criteria and constructing a hierarchical ISMS improved-risk model for the case of a government agency

In order to implement a successful ISMS, this research takes BS 7799 (ISO/IEC 17799 [6] and 27001 [7]) and the auditing items of Public Administration in Taiwan into account to design the information security risk assessing aspects/objectives/criteria. Its structure is presented in Fig. A1 (Appendix A). In Fig. A1, there are 12 aspects in level 1: one is risk assessment management, taken from clause 4 of ISO/IEC 27001 [7] (BS 7799-2), and the other 11 aspects are taken from Annex A of ISO/IEC 27001 [7] (BS 7799-2). At level 2, there are 42 objectives, including the three main security objectives in risk assessment management and the 39 main security objectives (categories) in Annex A of ISO/IEC 27001 [7] (BS 7799-2). At level 3, there are 210 criteria taken from Public Administration (in Taiwan). The Public Administration originally proposed 212 audit items (these items are mainly taken from BS 7799); in this case, two unsuitable controls were omitted based on the needs and situations of organizations in information security. Finally, the obtained risk values were calculated as ratings using Eq. (A1) (Appendix C) and are listed at level 4. In this case, in order to improve the gaps of the control objectives and control areas, we adopt a hierarchical structure and use our proposed method (VIKORRUG) and SAW, respectively, to derive the unimproved gaps of these compared risk control objectives and risk control areas. Specifically, we will aggregate


the unimproved gaps with controls (level 3) for the control objectives (level 2) by using VIKORRUG, and we will also aggregate the unimproved gaps with the control objectives (level 2) for the control areas (level 1) by using SAW.

4.2.2. Collecting ratings and weights

This study uses the above aspects/objectives/criteria to design two questionnaires. The first questionnaire investigates the grades of importance of aspects/objectives/criteria according to the viewpoints of information security auditors and maintenance staff in this case. The other questionnaire is answered by the maintenance staff. These questionnaires are designed to investigate the probability of the occurrence of a security breach (P) and the consequence of the occurrence of a security breach (C) under each information security risk control before and after implementation. This study, according to these collected values of P and C, uses Eq. (A1) (Appendix C) to obtain the assessed risk values (or ratings) before and after implementation. In the questionnaires, we adopt the following linguistic terms for the grades of importance at every aspect (or objective, criterion): "absolutely important," "very strongly important," "very important," "ordinary," "very unimportant," "very strongly unimportant" and "absolutely unimportant" with respect to a seven-level scale. In addition, the consequence and the probability of the occurrence of a security breach under the information security risk controls are also divided into five degrees, as described in Tables B1 and B2, respectively (Appendix B).

4.2.3. Using the new VIKORRUG to obtain risk ranking orders

According to the data collected as described above, we rank the unimproved gaps of the control objectives and control areas; these ranking processes are presented as follows. First, we rank the unimproved gaps of the control objectives (aggregating controls in level 3 for control objectives in level 2) by using the processes of VIKORRUG in Sec. 3:

Step 1: Determine the best f_ij^* and the worst f_ij^- risk values, i = 1, 2, ..., 42, j = 1, 2, ..., n_i, where n_i is the number of controls (criteria) in each objective. If we want to rank the unimproved gaps of the control objectives, then we can aggregate controls (lower level) for the control objectives (upper level) with our proposed new method. Here, because the risk values f_ij (bottom-level risk values) are obtained using Eq. (A1) (Appendix C) from the consequence (C) and the probability (P) of the occurrence of a security breach under the information security risk controls from the questionnaire investigation, we adopt the minimum and the maximum values of Tables B1 and B2 and calculate them using Eq. (A1) (Appendix C) to derive the minimal risk value 1 as the best risk f_ij^* and the maximum risk value 25 as the worst risk f_ij^-, i.e. the lowest risk (aspired risk) level for the jth criterion of the ith objective is assumed to be 1, whereas the high-risk (tolerable risk) level for the jth criterion of the ith objective is assumed to be 25. In addition, the weights w_j^i must be normalized within the same control objective (i.e. \sum_{j=1}^{n_i} w_j^i = 1). The normalized ratings (risk values) r_ij are represented by the following formula:

    r_ij = |f_ij^* - f_ij| / |f_ij^* - f_ij^-| = |1 - f_ij| / 24.

Step 2: Compute the values S_i and Q_i for the i = 1, 2, ..., 42 control objectives, using Eqs. (7) and (8) of Sec. 3.

Step 3: Compute the values R_i, i = 1, 2, ..., 42, using Eq. (6), where S^* = best S = 0, S^- = worst S = 1, Q^* = best Q = 0, Q^- = worst Q = 1, and v = 0, 0.5 or 1. In this case, we set the values S^* and Q^* to 0 and the values S^- and Q^- to 1, so as to obtain absolute relations for the index values R_i (i = 1, 2, ..., 42). In order to understand how the R_i of each objective is affected by v (0 ≤ v ≤ 1), this study adopts v = 0, 0.5, and 1, respectively, to compare these index values R_i for the control objectives before and after implementation and presents them in Table 4. Their relations are also shown in Figs. 1 and 2, respectively.

Next, we further analyze the unimproved gaps of the control areas (the aspects of the upper level) in the hierarchical structure by using the following equation:

    R_t = \sum_{k=1}^{n_t} w_k^t R_k,    (9)

where t = 1, 2, ..., 12 represents the 12 control areas (aspects) at level 1 in Fig. A1 (Appendix A), each control area t has its own control objectives k = 1, ..., n_t, and n_t is the number of control objectives under each control area (aspect). Moreover, there are 42 control objectives (i = 1, 2, ..., 42) at level 2, and the 42 control objectives are divided into 12 clusters by the upper-level control areas. For example, the 12 clusters in level 2, in this case, are (1, ..., n_1), (1, ..., n_2), ..., (1, ..., n_t), ..., (1, ..., n_12), and \sum_{t=1}^{12} n_t = 42. At level 1, the aspect C1 has a cluster (1, ..., n_1), where n_1 = 3; that is, C1 has three control objectives (C11, C12, C13). Similarly, the other aspects have individual clusters. In order to derive the unimproved gaps of aspects at level 1 of the hierarchical structure in this case, we adopt the SAW method in Eq. (9) to aggregate the unimproved gaps of the control objectives (lower level) for control areas (upper level), which gives the ranking index R_t, so as to obtain the rankings of control areas. The results of R_t on the control areas according to v = 0, 0.5, and 1 before and after implementation are presented in Table 5. Their relations are also shown in Figs. 3 and 4, respectively. In this case, we assume each control area (aspect) has the same weight. If the weights are different, each ranking rating can be obtained by multiplying R_t by its weight.
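The two-level aggregation of Sec. 4.2.3 on a small constructed ISMS hierarchy, as an added example that is not part of the paper. It assumes that the bottom-level risk value of Eq. (A1), which is not shown on this page, is the product P × C of the two five-degree scales of Tables B1 and B2 (the only simple form consistent with the stated minimum 1 and maximum 25); the area and objective names T1, T1.1, ... and all weights and scores are made up, and the function names are mine. Controls are aggregated into objectives with Eqs. (7), (8) and (6) using r_ij = |1 − f_ij|/24 and the absolute levels 0 and 1, and objectives into areas with Eq. (9) at equal weights, before and after implementation.

```python
# Added example, not from the paper: VIKORRUG for controls -> objectives and
# SAW (Eq. 9) for objectives -> areas on a constructed ISMS hierarchy.
# Assumption: Eq. (A1) risk value = P x C, with P and C each on a 1..5 scale.

BEST_RISK, WORST_RISK = 1, 25        # f_ij^* and f_ij^- as stated in the text

# area -> objective -> list of (w_j^i, (P, C) before, (P, C) after); all made up
HIERARCHY = {
    "T1": {
        "T1.1": [(0.5, (4, 5), (2, 3)), (0.5, (3, 4), (1, 2))],
        "T1.2": [(0.4, (2, 2), (1, 2)), (0.6, (5, 5), (2, 4))],
    },
    "T2": {
        "T2.1": [(1.0, (3, 3), (2, 2))],
        "T2.2": [(0.3, (4, 4), (3, 3)), (0.3, (2, 5), (1, 1)), (0.4, (5, 2), (2, 1))],
    },
}


def risk_value(p, c):
    """Assumed form of Eq. (A1): probability x consequence, range 1..25."""
    if not (1 <= p <= 5 and 1 <= c <= 5):
        raise ValueError("P and C must lie on the 1..5 scales of Tables B1/B2")
    return p * c


def gap(f):
    """Normalized unimproved gap r_ij = |f* - f| / |f* - f-| = |1 - f| / 24."""
    return abs(BEST_RISK - f) / abs(BEST_RISK - WORST_RISK)


def objective_index(controls, phase, v):
    """R_i of one control objective: Eqs. (7), (8), (6) with S*=Q*=0, S-=Q-=1."""
    idx = 1 if phase == "before" else 2
    r = [gap(risk_value(*ctl[idx])) for ctl in controls]
    S = sum(ctl[0] * rij for ctl, rij in zip(controls, r))   # Eq. (7)
    Q = max(r)                                               # Eq. (8)
    return v * S + (1 - v) * Q                               # Eq. (6), absolute levels


def area_indices(hierarchy, phase="before", v=0.5):
    """Eq. (9) with equal objective weights: {area: (R_t, {objective: R_k})}."""
    out = {}
    for area, objectives in hierarchy.items():
        rs = {k: objective_index(ctls, phase, v) for k, ctls in objectives.items()}
        w = 1.0 / len(rs)
        out[area] = (sum(w * x for x in rs.values()), rs)
    return out


def improvement_plan(hierarchy, phase="before", v=0.5):
    """Areas and objectives sorted by unimproved gap, largest first."""
    areas = area_indices(hierarchy, phase, v)
    area_order = sorted(areas, key=lambda a: areas[a][0], reverse=True)
    objectives = {k: r for _, rs in areas.values() for k, r in rs.items()}
    obj_order = sorted(objectives, key=lambda k: objectives[k], reverse=True)
    return area_order, obj_order


if __name__ == "__main__":
    for phase in ("before", "after"):
        areas, objs = improvement_plan(HIERARCHY, phase, v=0.5)
        print(f"{phase}: areas {areas}, objectives {objs}")
```

Running it shows the intended use: before implementation the objective with a single control at the worst risk (T1.2, whose Q_i = 1) is first in line, and after implementation the same plan reports which gaps remain largest, which is the progress comparison Table 4 makes for the real case.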


Table 4. Comparison of value R_i of control objectives according to v = 0, 0.5, and 1 before and after implementation. Columns 2–5 refer to before improvement and columns 6–9 to after improvement; "Rank" gives the ranking order for v = 0 / 0.5 / 1 (rank 1 = smallest gap; equal values share a rank).

| Control objective | Before: R_i (v=0) | R_i (v=0.5) | R_i (v=1) | Rank (v=0/0.5/1) | After: R_i (v=0) | R_i (v=0.5) | R_i (v=1) | Rank (v=0/0.5/1) |
|---|---|---|---|---|---|---|---|---|
| C1.1 | 1.0000 | 0.8945 | 0.7891 | 3/13/11 | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C1.2 | 0.7917 | 0.7500 | 0.7083 | 2/5/5 | 0.1250 | 0.0790 | 0.0331 | 3/6/7 |
| C1.3 | 0.6250 | 0.6250 | 0.6250 | 1/1/1* | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C2.1 | 1.0000 | 0.8792 | 0.7585 | 3/12/10 | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C3.1 | 1.0000 | 0.9120 | 0.8239 | 3/16/15 | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C3.2 | 1.0000 | 0.9423 | 0.8846 | 3/18/17 | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C4.1 | 0.6250 | 0.6250 | 0.6250 | 1/1/1* | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C4.2 | 1.0000 | 0.9063 | 0.8125 | 3/15/14 | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C5.1 | 0.6250 | 0.6250 | 0.6250 | 1/1/1* | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C5.2 | 1.0000 | 0.9063 | 0.8125 | 3/15/14 | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C5.3 | 0.6250 | 0.6250 | 0.6250 | 1/1/1* | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C6.1 | 1.0000 | 0.8398 | 0.6797 | 3/9/4 | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C6.2 | 1.0000 | 0.8727 | 0.7454 | 3/11/7 | 0.1250 | 0.0710 | 0.0170 | 3/5/5 |
| C7.1 | 1.0000 | 0.9370 | 0.8740 | 3/17/16 | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C7.2 | 1.0000 | 1.0000 | 1.0000 | 3/21/20− | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C7.3 | 0.7917 | 0.7917 | 0.7917 | 2/8/12 | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C7.4 | 0.7917 | 0.7917 | 0.7917 | 2/8/12 | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C7.5 | 1.0000 | 1.0000 | 1.0000 | 3/21/20− | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C7.6 | 1.0000 | 0.9593 | 0.9187 | 3/20/19 | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C7.7 | 0.7917 | 0.7298 | 0.6680 | 2/4/3 | 0.0417 | 0.0262 | 0.0108 | 2/4/4 |
| C7.8 | 0.7917 | 0.7292 | 0.6667 | 2/3/2 | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C7.9 | 0.7917 | 0.7083 | 0.6250 | 2/2/1 | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C7.10 | 1.0000 | 0.8569 | 0.7138 | 3/10/6 | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C8.1 | 0.6250 | 0.6250 | 0.6250 | 1/1/1* | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C8.2 | 0.6250 | 0.6250 | 0.6250 | 1/1/1* | 0.0417 | 0.0239 | 0.0061 | 2/2/2 |
| C8.3 | 0.7917 | 0.7292 | 0.6667 | 2/3/2 | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C8.4 | 0.6250 | 0.6250 | 0.6250 | 1/1/1* | 0.2083 | 0.1176 | 0.0269 | 4/7/6− |
| C8.5 | 0.6250 | 0.6250 | 0.6250 | 1/1/1* | 0.0417 | 0.0242 | 0.0068 | 2/3/3 |
| C8.6 | 0.6250 | 0.6250 | 0.6250 | 1/1/1* | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C8.7 | 0.6250 | 0.6250 | 0.6250 | 1/1/1* | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C9.1 | 0.6250 | 0.6250 | 0.6250 | 1/1/1* | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C9.2 | 0.6250 | 0.6250 | 0.6250 | 1/1/1* | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C9.3 | 0.6250 | 0.6250 | 0.6250 | 1/1/1* | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C9.4 | 1.0000 | 0.9046 | 0.8091 | 3/14/13 | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C9.5 | 0.7917 | 0.7917 | 0.7917 | 2/8/12 | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C9.6 | 1.0000 | 0.9479 | 0.8958 | 3/19/18 | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C10.1 | 1.0000 | 0.9479 | 0.8958 | 3/19/18 | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C10.2 | 1.0000 | 1.0000 | 1.0000 | 3/21/20− | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C11 | 0.7917 | 0.7917 | 0.7917 | 2/8/12 | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C12.1 | 0.7917 | 0.7708 | 0.7500 | 2/6/8 | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C12.2 | 0.7917 | 0.7917 | 0.7917 | 2/8/12 | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C12.3 | 0.7917 | 0.7750 | 0.7583 | 2/7/9 | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |

* The best ranking order for the control objectives. − The worst ranking order for the control objectives.


[Fig. 1: line chart of R_i (y-axis, 0.50 to 1.10) over the 42 control objectives C1.1 to C12.3 (x-axis) for the three series R_i(v=0), R_i(v=0.5) and R_i(v=1).]

Fig. 1. The relations of value R_i with control objectives according to v = 0, 0.5, and 1 before improvement.

[Fig. 2: line chart of R_i (y-axis, 0.00 to 0.40) over the 42 control objectives C1.1 to C12.3 (x-axis) for the three series R_i(v=0), R_i(v=0.5) and R_i(v=1).]

Fig. 2. The relations of value R_i with control objectives according to v = 0, 0.5, and 1 after improvement.

4.3. Analyses and discussions

In Table 4, several findings are apparent. (1) The ranking orders of R_i (the unimproved gaps) differ for v = 0, 0.5 and 1. When the strategy of maximum group utility is adopted and individual regret is ignored, v = 1 is used for the calculation; when individual regret is considered and maximum group utility is ignored, v = 0 is used. When the decision makers are concerned with both maximum group utility and minimum individual regret, v = 0.5 should be selected. The choice depends on the preference (concern) of the decision makers. In this case, looking at the control objectives with the largest unimproved gaps before implementation (based on v = 0.5), C7.2 (third party service delivery management), C7.5 (back-up) and C10.2 (management of information security incidents and improvements), all with R_i = 1.0000, need to be improved first; C7.6 (network security management, 0.9593) comes next, followed by C9.6 (technical vulnerability management) and C10.1 (reporting information security events and weaknesses), both at 0.9479. (2) After improvement, every R_i of the control objectives is at most 0.2083, i.e. close to the lowest risk; only C1.2 (risk treatment), C6.2 (equipment security), C7.7 (media handling), C8.2 (user access management), C8.4 (network access control) and C8.5 (operating system access control) still retain a residual risk value. This implies that the control objectives have been improved and that the results can be accepted for this case. That the values are so low in this organization may reflect the high level of information security required in this case.

In Table 5, several findings are also apparent. (1) Before implementation, C8 (access control) has the best ranking order among the control areas, i.e. the smallest gap, whereas the worst ranking order is C10 (information security incident management). (2) After improvement, all control areas have R_t below 0.07, which indicates that these items have been improved by the implementation.

Table 5. Comparison of value R_t of control areas according to v = 0, 0.5, and 1 before and after implementation. Columns 2–5 refer to before improvement and columns 6–9 to after improvement; "Rank" gives the ranking order for v = 0 / 0.5 / 1 (rank 1 = smallest gap; equal values share a rank).

| Control area | Before: R_t (v=0) | R_t (v=0.5) | R_t (v=1) | Rank (v=0/0.5/1) | After: R_t (v=0) | R_t (v=0.5) | R_t (v=1) | Rank (v=0/0.5/1) |
|---|---|---|---|---|---|---|---|---|
| C1 | 0.8061 | 0.7568 | 0.7074 | 5/4/3 | 0.0385 | 0.0243 | 0.0102 | 3/4/5 |
| C2 | 1.0000 | 0.8792 | 0.7585 | 8/10/7 | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C3 | 1.0000 | 0.9271 | 0.8543 | 8/11/11 | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C4 | 0.8125 | 0.7656 | 0.7188 | 6/5/5 | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C5 | 0.7450 | 0.7150 | 0.6850 | 2/2/2 | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C6 | 1.0000 | 0.8572 | 0.7144 | 8/9/4 | 0.0662 | 0.0376 | 0.0090 | 5/5/4− |
| C7 | 0.8928 | 0.8473 | 0.8017 | 7/8/10 | 0.0043 | 0.0027 | 0.0011 | 2/2/2 |
| C8 | 0.6484 | 0.6396 | 0.6309 | 1/1/1* | 0.0416 | 0.0236 | 0.0057 | 4/3/3 |
| C9 | 0.7809 | 0.7559 | 0.7309 | 3/3/6 | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C10 | 1.0000 | 0.9741 | 0.9482 | 8/12/12− | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C11 | 0.7917 | 0.7917 | 0.7917 | 4/7/9 | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |
| C12 | 0.7917 | 0.7792 | 0.7667 | 4/6/8 | 0.0000 | 0.0000 | 0.0000 | 1/1/1* |

* The best ranking order for the control areas. − The worst ranking order for the control areas.

From Figs. 1 to 4, the ranking relations of the values R_i with v = 0, 0.5 and 1 satisfy R_i(v = 0) ≥ R_i(v = 0.5) ≥ R_i(v = 1), and likewise R_t(v = 0) ≥ R_t(v = 0.5) ≥ R_t(v = 1). In other


[Fig. 3: line chart of R_t (y-axis, 0.60 to 1.00) over the 12 control areas C1 to C12 (x-axis) for the three series R_t(v=0), R_t(v=0.5) and R_t(v=1).]

Fig. 3. The relations of value R_t with control areas according to v = 0, 0.5, and 1 before improvement.

[Fig. 4: line chart of R_t (y-axis, 0.00 to 0.07) over the 12 control areas C1 to C12 (x-axis) for the three series R_t(v=0), R_t(v=0.5) and R_t(v=1).]

Fig. 4. The relations of value R_t with control areas according to v = 0, 0.5, and 1 after improvement.

words, if the unimproved gaps of the control objectives (or control areas) are ranked by R_i(v = 0) (or R_t(v = 0)), the values R_i (or R_t) are the highest of the three settings: with v = 0 the index is the individual regret, so each objective's gap is the gap of its single worst control (the maximum individual gap), and the ranking then minimizes that worst gap. In contrast, if the unimproved gaps are ranked by R_i(v = 1) (or R_t(v = 1)), all values R_i (or R_t) are lower than under the other two decision preferences, v = 0.5 and 0, because the index is then the weighted average of all gaps, which cannot exceed the largest single gap. This indicates that the ranking index R_i (or R_t) for maximum group utility (v = 1) gives the lowest risk among the


three situations. In every case the largest unimproved gap of a control objective (or control area) comes from its lower-level controls (or control objectives). Consequently, the decision makers can select the weight v according to their needs: if they are concerned with both maximum group utility and individual regret, R(v = 0.5) is used; if they are concerned with maximum group utility only, R(v = 1); and if they are concerned with individual regret only, R(v = 0). In addition, the VIKORRUG method derives and ranks the unimproved gaps of the control objectives and control areas in this case, and the results can help the responsible managers strengthen those control areas and control objectives. Therefore, this research proposes VIKORRUG as a suitable and effective method for ranking the improvement gaps of projects, or of the objectives within a project.

5. Conclusions

Many recent papers have proposed analytical models to provide solutions to questions in conflict management situations. Among the numerous approaches available for conflict management, one of the most prevalent is MCDM. Among the MCDM methods, VIKOR and TOPSIS (technique for order preference by similarity to an ideal solution) are based on an aggregating function representing closeness to the ideal, which originated in the compromise programming method. Those methods, however, rank and select alternatives using all criteria, whereas in practice the decision makers control the progress of aspects or objectives in one or several projects (alternatives) and only need to rank the unimproved gaps of the objectives or aspects in those projects. To reach the aspired level, only the gaps in terms of the relevant criteria (not all criteria) need to be aggregated into aggregated gap values. Therefore, this research modifies the VIKOR method and proposes a new method, VIKORRUG, to achieve this goal.
Through the new method, decision makers can decide which objectives, aspects or projects should be improved further, or done better, to reach the aspired levels. This research has also applied the method to a practical case, a hierarchical ISMS risk management model, to show the effectiveness and feasibility of VIKORRUG. The analysis performed with VIKORRUG not only finds the room for improvement in information risk management, but also helps decision makers understand the ranking of the implementation performance of the managers or teams in this case. Consequently, the hierarchical ISMS risk management model using the VIKORRUG method proposed in this research is an appropriate approach to ranking the progress achieved on control objectives and control areas.

Acknowledgments

The authors would like to sincerely thank all anonymous reviewers for their valuable comments and suggestions.

June 24, 2009 15:29 WSPC/173-IJITDM

284

00337

Y.-P. Ou Yang et al.

Appendix A

Fig. A.1 gives the hierarchical ISMS risk improved model for the case government agency. Its root is the ISMS risk management system, and it has four levels: level 1, aspects (control areas), note a; level 2, objectives (control objectives), note b; level 3, criteria (controls), note c; and level 4, ratings (risk values), note d. The content of the figure is tabulated below; notes a to d to Fig. A.1 are given after Appendix C, where they appear in the original layout.

| Level 1: control area (aspect) | Level 2: control objective | Level 3: controls (criteria) | Level 4: ratings (risk values) |
|---|---|---|---|
| C1 Risk assessment management | C1.1 Risk assessment | Controls 1.1.1~1.1.9 | Risk1.1.1~Risk1.1.9 |
| | C1.2 Risk treatment | Controls 1.2.1~1.2.4 | Risk1.2.1~Risk1.2.4 |
| | C1.3 Documentation | Controls 1.3.1~1.3.2 | Risk1.3.1~Risk1.3.2 |
| C2 Security policy | C2.1 Information security policy | Controls 2.1.1~2.1.8 | Risk2.1.1~Risk2.1.8 |
| C3 Organization of information security | C3.1 Internal organization | Controls 3.1.1~3.1.10 | Risk3.1.1~Risk3.1.10 |
| | C3.2 External parties | Controls 3.2.1~3.2.3 | Risk3.2.1~Risk3.2.3 |
| C4 Asset management | C4.1 Responsibility for assets | Controls 4.1.1~4.1.3 | Risk4.1.1~Risk4.1.3 |
| | C4.2 Information classification | Controls 4.2.1~4.2.2 | Risk4.2.1~Risk4.2.2 |
| C5 Human resources security | C5.1 Prior to employment | Controls 5.1.1~5.1.3 | Risk5.1.1~Risk5.1.3 |
| | C5.2 During employment | Controls 5.2.1~5.2.5 | Risk5.2.1~Risk5.2.5 |
| | C5.3 Termination or change of employment | Controls 5.3.1~5.3.3 | Risk5.3.1~Risk5.3.3 |
| C6 Physical and environmental security | C6.1 Secure areas | Controls 6.1.1~6.1.12 | Risk6.1.1~Risk6.1.12 |
| | C6.2 Equipment security | Controls 6.2.1~6.2.13 | Risk6.2.1~Risk6.2.13 |
| C7 Communications and operations management | C7.1 Operational procedures and responsibilities | Controls 7.1.1~7.1.5 | Risk7.1.1~Risk7.1.5 |
| | C7.2 Third party service delivery management | Controls 7.2.1~7.2.3 | Risk7.2.1~Risk7.2.3 |
| | C7.3 System planning and acceptance | Controls 7.3.1~7.3.2 | Risk7.3.1~Risk7.3.2 |
| | C7.4 Protection against malicious and mobile code | Controls 7.4.1~7.4.5 | Risk7.4.1~Risk7.4.5 |
| | C7.5 Back-up | Controls 7.5.1~7.5.5 | Risk7.5.1~Risk7.5.5 |
| | C7.6 Network security management | Controls 7.6.1~7.6.5 | Risk7.6.1~Risk7.6.5 |
| | C7.7 Media handling | Controls 7.7.1~7.7.4 | Risk7.7.1~Risk7.7.4 |
| | C7.8 Exchange of information | Controls 7.8.1~7.8.4 | Risk7.8.1~Risk7.8.4 |
| | C7.9 Electronic commerce services | Controls 7.9.1~7.9.2 | Risk7.9.1~Risk7.9.2 |
| | C7.10 Monitoring | Controls 7.10.1~7.10.6 | Risk7.10.1~Risk7.10.6 |
| C8 Access control | C8.1 Business requirement for access control | Controls 8.1.1 | Risk8.1.1 |
| | C8.2 User access management | Controls 8.2.1~8.2.13 | Risk8.2.1~Risk8.2.13 |
| | C8.3 User responsibilities | Controls 8.3.1~8.3.4 | Risk8.3.1~Risk8.3.4 |
| | C8.4 Network access control | Controls 8.4.1~8.4.10 | Risk8.4.1~Risk8.4.10 |
| | C8.5 Operating system access control | Controls 8.5.1~8.5.12 | Risk8.5.1~Risk8.5.12 |
| | C8.6 Application and information access control | Controls 8.6.1~8.6.3 | Risk8.6.1~Risk8.6.3 |
| | C8.7 Mobile computing and teleworking | Controls 8.7.1~8.7.2 | Risk8.7.1~Risk8.7.2 |
| C9 Information systems acquisition, development and maintenance | C9.1 Security requirements of information systems | Controls 9.1.1 | Risk9.1.1 |
| | C9.2 Correct processing in applications | Controls 9.2.1~9.2.3 | Risk9.2.1~Risk9.2.3 |
| | C9.3 Cryptographic controls | Controls 9.3.1 | Risk9.3.1 |
| | C9.4 Security of system files | Controls 9.4.1~9.4.5 | Risk9.4.1~Risk9.4.5 |
| | C9.5 Security in development and support processes | Controls 9.5.1~9.5.9 | Risk9.5.1~Risk9.5.9 |
| | C9.6 Technical vulnerability management | Controls 9.6.1~9.6.2 | Risk9.6.1~Risk9.6.2 |
| C10 Information security incident management | C10.1 Reporting information security events and weaknesses | Controls 10.1.1~10.1.2 | Risk10.1.1~Risk10.1.2 |
| | C10.2 Management of information security incidents and improvements | Controls 10.2.1~10.2.5 | Risk10.2.1~Risk10.2.5 |
| C11 Business continuity management | C11.1 Information security aspects of business continuity management | Controls 11.1.1~11.1.6 | Risk11.1.1~Risk11.1.6 |
| C12 Compliance | C12.1 Compliance with legal requirements | Controls 12.1.1~12.1.4 | Risk12.1.1~Risk12.1.4 |
| | C12.2 Compliance with security policies and standards, and technical compliance | Controls 12.2.1~12.2.3 | Risk12.2.1~Risk12.2.3 |
| | C12.3 Information systems audit considerations | Controls 12.3.1~12.3.5 | Risk12.3.1~Risk12.3.5 |

Fig. A.1. Hierarchical ISMS risk improved model for the case government agency.


Appendix B

Table B1. Aspects/objectives/criteria for survey of consequences of occurrence.

| Quantitative level | Qualitative level | Description |
|---|---|---|
| 1 | Very low | Almost no impact or negligible consequences |
| 2 | Low | Low impact or minor consequences |
| 3 | Medium | Medium impact or important consequences |
| 4 | High | Serious impact or consequences |
| 5 | Very high | Very serious impact or consequences |

Table B2. Aspects/objectives/criteria for survey of probability of occurrence.

| Quantitative level | Qualitative level | Description |
|---|---|---|
| 1 | Very low | The likelihood that a threat event will occur is very low |
| 2 | Low | The likelihood that a threat event will occur is low |
| 3 | Medium | The likelihood that a threat event will occur is medium |
| 4 | High | The likelihood that a threat event will occur is high |
| 5 | Very high | The likelihood that a threat event will occur is very high |

Appendix C. The ISRAM risk model

The ISRAM risk model is based on the fundamental risk function [11, 13, 15, 24]

$$\text{Risk} = P \times C, \qquad (\text{A.1})$$

where P is the probability of occurrence of a security breach (rated 1 to 5 by Table B2) and C is the consequence of its occurrence (rated 1 to 5 by Table B1). With both factors on five-point scales, a risk value lies between 1 (best) and 25 (worst), which is the range used for the best and worst levels of each criterion in Step 1 of the case.

Notes to Fig. A.1 (Appendix A), Hierarchical ISMS risk improved model for the case governmental agency:

a. There are 12 control areas (aspects, t = 1, 2, ..., 12) at level 1; the SAW method in Eq. (9) aggregates the unimproved gaps of the control objectives (level 2) into those of the control areas (level 1).

b. There are 42 control objectives (i = 1, 2, ..., 42) at level 2, divided into 12 clusters by the control areas above them: (1, ..., n_1), (1, ..., n_2), ..., (1, ..., n_t), ..., (1, ..., n_12), with $\sum_{t=1}^{12} n_t = 42$. At level 1, the aspect C1 has the cluster (1, ..., n_1) with n_1 = 3, i.e. C1 has three control objectives (C1.1, C1.2, C1.3).

c. Each of the 42 control objectives i at level 2 has its own controls j = 1, 2, ..., n_i at level 3, where n_i is the number of controls (criteria) in that objective. The unimproved gaps of the control objectives are ranked by aggregating the controls at level 3 into the control objectives at level 2 with the VIKORRUG procedure.

d. The risk value f_ij of control j of control objective i is obtained from Eq. (A.1).


References

1. S. J. Chen and C. L. Hwang, Fuzzy Multiple Attribute Decision Making: Methods and Applications (Springer-Verlag, Berlin, 1992).
2. L. Duckstein and S. Opricovic, Multiobjective optimization in river basin development, Water Resour. Res. 16(1) (1980) 14–20.
3. K. J. Farn, S. K. Lin and C. C. Lo, A study on e-Taiwan information system security classification and implementation, Comput. Stand. Interfaces 30(1) (2008) 1–7.
4. M. Freimer and P. L. Yu, Some new results on compromise solutions for group decision problems, Management Sci. 22(6) (1976) 688–693.
5. G. L. Fu, C. Yang and G. H. Tzeng, A multicriteria analysis on the strategies to open Taiwan's mobile virtual network operators services, Int. J. Inf. Technol. Decision Making 6(1) (2007) 85–112.
6. ISO/IEC 17799, Information technology, Security techniques, Code of practice for information security management (2005).
7. ISO/IEC 27001, Information technology, Security techniques, Information security management systems, Requirements (2005).
8. ISO/IEC TR 13335-1, Information technology, Security techniques, Management of information and communications technology security, Part 1: Concepts and models for information and communications technology security management (2004).
9. ISO/IEC TR 13335-3, Information technology, Guidelines for the management of IT security, Part 3: Techniques for the management of IT security (1998).
10. ISO/IEC TR 13335-4, Information technology, Guidelines for the management of IT security, Part 4: Selection of safeguards (2000).
11. B. Karabacak and I. Sogukpinar, ISRAM: Information security risk analysis method, Comput. Secur. 24(2) (2005) 147–159.
12. K. K. Lai, S.-Y. Wang and L. Yu, Progress in risk management: Guest editors' introduction, Int. J. Inf. Technol. Decision Making 5(3) (2006) 419–420.
13. N. McEvoy and A. Whitcombe, Structured risk analysis, in InfraSec 2002, LNCS 2437 (2002), pp. 88–103.
14. National Information and Communication Security Taskforce (NICST), Background (2001).
15. National Institute of Standards and Technology (NIST), NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems (2002).
16. S. Opricovic, Multicriteria Optimization of Civil Engineering Systems (Faculty of Civil Engineering, Belgrade, 1998).
17. S. Opricovic and G. H. Tzeng, Multicriteria planning of post-earthquake sustainable reconstruction, Computer-Aided Civ. Infrastruct. Eng. 17(3) (2002) 211–220.
18. S. Opricovic and G. H. Tzeng, Compromise solution by MCDM methods: A comparative analysis of VIKOR and TOPSIS, Eur. J. Oper. Res. 156(2) (2004) 445–455.
19. S. Opricovic and G. H. Tzeng, Extended VIKOR method in comparison with outranking methods, Eur. J. Oper. Res. 178(2) (2007) 514–529.
20. Y. Shi, Y. Peng, G. Kou and Z. Chen, Classifying credit card accounts for business intelligence and decision making: A multiple-criteria quadratic programming approach, Int. J. Inf. Technol. Decision Making 4(4) (2005) 581–599.
21. A. Toval, J. Nicolas, B. Moros and F. Garcia, Requirements reuse for improving systems security: A practitioner's approach, Requirements Eng. 6(4) (2002) 205–219.
22. G. H. Tzeng, M. H. Teng, J. J. Chen and S. Opricovic, Multicriteria selection for a restaurant location in Taipei, Int. J. Hospitality Management 21(2) (2002) 171–187.
23. G. H. Tzeng, C. W. Lin and S. Opricovic, Multi-criteria analysis of alternative-fuel buses for public transportation, Energy Policy 33(1) (2005) 1373–1383.
24. United States General Accounting Office (USGAO), Information Security Risk Assessment (1999).
25. L. V. Utkin, Risk analysis under partial prior information and nonmonotone utility functions, Int. J. Inf. Technol. Decision Making 6(4) (2007) 625–647.
26. P. L. Yu, A class of solutions for group decision problems, Management Sci. 19(8) (1973) 936–946.
27. M. Zeleny, Multiple Criteria Decision Making (McGraw-Hill, New York, 1982).
