Combination of AHP and TOPSIS methods for the ranking of information security controls to overcome its obstructions under fuzzy environment

Organizations that use cloud computing services must select suitable Information Security Controls (ISCs) to maintain data security and privacy. Many organizations have bought popular products or traditional tools to select ISCs. However, selecting the wrong information security control without considering the severity of the risk, budgetary constraints, the cost of measures, and implementation and mitigation time may lead to data leakage; as a result, organizations may lose their users' information, face financial implications, and even suffer damage to their reputation. Organizations should therefore evaluate each control against criteria such as implementation time, mitigation time, exploitation time, risk, budgetary constraints, and the previous effectiveness of the control under review. In this article, the authors used the methodologies of Multi-Criteria Decision Making (MCDM), the Analytic Hierarchy Process (AHP) and the Technique for Order of Preference by Similarity to Ideal Solution (TOPSIS) to help cloud organizations prioritize and select the best information security control. A numerical example is also given, showing the step-by-step use of the method in cloud organizations to prioritize information security controls.
