A hybrid information security risk assessment procedure considering interdependences between controls

Risk assessment is the core process of information security risk management. Organizations use risk assessment to determine the risks within an information system and provide sufficient means to reduce these risks. In this paper, a hybrid procedure for evaluating risk levels of information security under various security controls is proposed. First, this procedure applies the Decision Making Trial and Evaluation Laboratory (DEMATEL) approach to construct interrelations among security control areas. Secondly, likelihood ratings are obtained through the Analytic Network Process (ANP) method; as a result, the proposed procedure can detect the interdependences and feedback between security control families and function in real world situations. Lastly, the Fuzzy Linguistic Quantifiers-guided Maximum Entropy Order-Weighted averaging (FLQ-MEOWA) operator is used to aggregate impact values assessed by experts, applied to diminish the influence of extreme evaluations such as personal views and drastic perspectives. A real world application in a branch office of the health insurance institute in Taiwan was examined to verify the proposed procedure. By analyzing the acquired data, we confirm the proposed procedure certainly detects the influential factors among security control areas. This procedure also evaluates risk levels more accurately by coping with the interdependencies among security control families and determines the information systems safeguards required for better security, therefore enabling organizations to accomplish their missions.

► Risk assessment and prevention is essential for information systems to ensure information security and system functions; however, it is hard to identify and apply corrective measures to complex and interrelated critical risk factors that information systems are exposed to.
► In this paper, a hybrid procedure for evaluating risk levels is proposed where Decision Making Trial and Evaluation Laboratory (DEMATEL), Analytic Network Process (ANP) and Fuzzy Linguistic Quantifiers-guided Maximum Entropy Order-Weighted averaging (FLQ-MEOWA) methods are used to detect and rank interrelated influential factors amongst security control areas.
► A real world case was examined to verify the proposed procedure and results were successful where it certainly detected influential factors among security control areas and evaluated risk levels accurately by coping with interdependencies to determine required safeguards against threats for organizations.