A hybrid dynamic decision making methodology for defensive information technology contingency measure selection in the presence of cyber threats

The increased reliance on information technology systems and communications networks in support of the core organizational processes creates an environment where significant, and potentially catastrophic, losses can result from a loss or corruption of a critical information resource. Risk assessment is the widely accepted process used to understand, quantify, and document the effects of undesirable events on organizational objectives so that risk management, continuity of operations planning, and contingency planning can be performed. In this paper, we present the application of a simulation-based hybrid analytic dynamic forecasting methodology that combines the techniques of analytic hierarchy process, factor analysis, and spanning tree to the problem of selecting among a set contingency measures following events which place the organizational mission at risk. The methodology makes use of qualitative subjective assessments by subject matter experts at multiple levels of the organization and uses historical event occurrences (when available) to provide the decision maker with a ongoing recommendation of the best contingency measures to employ to assure the organizational mission objectives. The method is novel because it augments the decision maker’s experiential knowledge with a probabilistic forecast of the best contingency measure to take in response to events based upon subject matter expert knowledge, historical evidence, and the real-time status critical resources. The methodology provides a structured approach to mitigate operational risk in complex environments and decreases the time required to make decisions under conditions of uncertainty.

[1]  J. Dyer Remarks on the analytic hierarchy process , 1990 .

[2]  R. L. Winkler Decision modeling and rational choice: AHP and utility theory , 1990 .

[3]  T. Masuda Hierarchical sensitivity analysis of priority used in analytic hierarchy process , 1990 .

[4]  T. Saaty Fundamentals of Decision Making and Priority Theory With the Analytic Hierarchy Process , 2000 .

[5]  A. R. Banai-Kashani,et al.  Building Systems Innovations in Urban Housing Production: a Planning Application of the Analytic Hierarchy Process , 1986 .

[6]  Luis G. Vargas,et al.  Inconsistency and rank preservation , 1984 .

[7]  Timothy Grance,et al.  Contingency Planning Guide For Information Technology Systems: Recommendations Of The National Institute Of Standards And Technology , 2004 .

[8]  Michael R. Grimaila,et al.  Design Considerations for a Cyber Incident Mission Impact Assessment (CIMIA) Process , 2009, Security and Management.

[9]  Thomas L. Saaty,et al.  Marketing Applications of the Analytic Hierarchy Process , 1980 .

[10]  Fatemeh Zahedi,et al.  The Analytic Hierarchy Process—A Survey of the Method and its Applications , 1986 .

[11]  Mica R. Endsley,et al.  Toward a Theory of Situation Awareness in Dynamic Systems , 1995, Hum. Factors.

[12]  Saifur Rahman,et al.  A hierarchical approach to electric utility planning , 1984 .

[13]  T. Saaty,et al.  The Analytic Hierarchy Process , 1985 .

[14]  P. Fishburn Choice probabilities and choice functions , 1978 .

[15]  M. A. Mustafa,et al.  An integrated hierarchical programming approach for industrial planning , 1989 .

[16]  Adedeji B. Badiru,et al.  DDM: Decision support system for hierarchical dynamic decision making , 1993, Decis. Support Syst..

[17]  G. Stoneburner,et al.  Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology , 2002 .

[18]  Christopher J. Alberts,et al.  Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Framework, Version 1.0 , 1999 .

[19]  Roger N. Wabalickis Justification of FMS with the analytic hierarchy process , 1988 .

[20]  Luis G. Vargas,et al.  The theory of ratio scale estimation: Saaty's analytic hierarchy process , 1987 .

[21]  Thomas L. Saaty,et al.  Theory and Applications of the Analytic Network Process: Decision Making With Benefits, Opportunities, Costs, and Risks , 2005 .

[22]  T. Saaty Axiomatic foundation of the analytic hierarchy process , 1986 .

[23]  T. Saaty An exposition of the AHP in reply to the paper “remarks on the analytic hierarchy process” , 1990 .

[24]  S R Watson,et al.  COMMENTS ON: ASSESSING ATTRIBUTE WEIGHTS BY RATIO , 1983 .

[25]  尚弘 島影 National Institute of Standards and Technologyにおける超伝導研究及び生活 , 2001 .

[26]  Reza Banai-Kashani,et al.  Discrete mode-choice analysis of urban travel demand by the Analytic Hierarchy Process , 1989 .

[27]  Matthew J. Liberatore,et al.  An extension of the analytic hierarchy process for industrial R&D project selection and resource allocation , 1987, IEEE Transactions on Engineering Management.

[28]  Gary Stoneburner,et al.  SP 800-30. Risk Management Guide for Information Technology Systems , 2002 .

[29]  Thomas L. Saaty,et al.  Conflict resolution : the analytic hierarchy approach , 1989 .

[30]  T. L. Saaty A Scaling Method for Priorities in Hierarchical Structures , 1977 .