Introduction

Information is a tool that people use to communicate among themselves from the moment they start living together. The nature and type of information technology have changed dramatically over the past decade. Simple and single batch applications are transformed into distributed computing environments including multitasking real-time control, and distributed processing. It is at least as important as the information itself to determine that information is valuable or worthless, or to measure the value carried by it. The most general definition of information security is that our own information is not passed on to anyone else. It is a combination of three main elements called “privacy”, “integrity”, and “accessibility”. Information is protected from unauthorized access which is called privacy. Integrity defined as information that is not altered by unauthorized persons. Information is available when authorized people are needed. Information is reachable and available when authorized people are needed which is called accessibility. If any of these three basic security elements are damaged, a security weakness occurs. Information security RA is essential for any corporate organizational system. It is essential to ensure that controls and expenditures are in full compliance with the risks that the organization is experiencing or experienced before. Organizations’ heavy dependence on information systems necessitates managing risks related to them [1]. One of the most important aspects of information security is technical measures. Given better access control policy models, better tools for system assessment and assurance should be resolved, including better ways to detect cryptographic formal evidence, protocols, approved firewalls, intrusions and malicious codes [2].

Information security RA is a dynamic process such that there is a requirement to be developed to discover, correct and for prevention of security problems. RA is a core part of a risk management process designed to set up required appropriate level of security for information systems [3]. The RA revealed a number of potential threats to the information security. Although technology is a kind of key element of information security, it does not consists of it alone. Information security RA has been influenced by variables such as new legal requirements [4]. Information security risk assessments are part of sound security practices. Today, with the widespread use of the internet and the development of technology, threats related to information security are increasing and diversifying. As a result, there is a rapid development of information security risk assessment ways. To ensure the security of computers and networks, to keep unauthorized persons away from the system, or to prevent them from entering the system and acquiring the information, firstly, comprehensive risk assessment is required for the whole system. RA is required at the point of information security. RA is an important component of compiling an information security policy for an organization. In addition, RA deals with all aspects of information security [5].

Managing information security is primarily a risk. Risk management usually involves performing a RA. Identifying and evaluating risks reduces the risks with using risk management techniques. Likewise, the standard approach to managing information security involves conducting a RA to identify the risks of privacy, integrity and availability.

Information systems are monitored by risk management. Control measures are used to mitigate these risks. The protection of information resources from the complicated and swiftly changing landscape of security threats is one of the most significant challenge for modern organization risk management. The main concern for any organization is the infiltration and alteration of sensitive information [6, 7].

Multi attribute decision-making (MADM) is an important methodology that a generic risk management standard—IEC 31010:2009—has mentioned on the selection and application of systematic techniques for RA. AHP and TOPSIS methods are most widely used MADM methods that come up with advantages of computational simplicity in different areas of research, the flexibility to integrate with other techniques and being independent of limitations. Since information security RA has challenging issues and conflicting parameters, AHP–TOPSIS-integrated method can supply advantages which are mentioned above. On the other hand, one of the significant expected contributions of integrating Pythagorean fuzzy sets in information security RA is the power to express uncertainty and depict the fuzziness which strengthened the proposed AHP–TOPSIS integration for information security RA model.

This paper aims to make information security RA comprehensive, efficient and effective with MADM methods by the integration of fuzzy logic. Pythagorean fuzzy sets-based model helps to minimize of uncertainties and improve the functionality of RA. Pythagorean fuzzy sets allows the user to determine uncertainties in the real world better and more accurately while helps to eliminate the uncertainties [8,9,10,11,12]. Application of Pythagorean fuzzy-based information security RA method can be applied to any information-based system to make them more functional.

The rest of this paper structured as follows: “Literature review” presents literature review, contribution to this study and research gaps on information security RA. “Methodology” presents methodology and method. In “Case study: information security RA for corrugated cardboard sector”, the applications of case study, comparison, and discussion of result are presented. In the last section, concluding remarks and future recommendations are given.

Literature review

There are many quantitative, qualitative, knowledge-based, model-based risk assessment tools to analyze main reasons of risks in various industries and features of the companies. Quantitative RA methods use statistical and mathematical ways to represent risk while qualitative RA methods are analyzed by adjectives instead of them. Information systems security (ISS) checklist, standards, maturity criteria methods are classical RA methods. There are solutions and procedures and it is assumption when selected ISS checklists and procedures can be observed and converted into a list. Capturing the best practice and putting standards are targets of ISS standards for common, authoritative, and international use. Offering an objective and appropriate scale for classification is target of ISS maturity method.

MADM-based method is one of the most important and effective methods for RA of systems [13,14,15,16,17,18,19,20,21,22]. There are finite number of choices or alternatives existing and evaluated based on finite number of attributes or objectives. In these methods, decision makers often have difficulty in accurate rating and assessment throughout risk parameters. Therefore, implementing potential RA methods can show satisfactory results in terms of incomplete risk data or high uncertainty. Quantitative and qualitative techniques have some weak aspects and their own disadvantages in the RA process. While quantitative techniques have high level of uncertainty, qualitative techniques rely more on judgment than on statistical calculations while fuzzy sets make analysis more appropriate with respect to uncertainty, unpredictability, and effectiveness. Besides, fuzzy sets can increase testing accuracy of RA due to logic behind it. Information has numerical- and linguistic-type uncertainties. With the combination of fuzzy sets to information security RA process, identifying potential risk factors, evaluating the corresponding control measures can be done more detailed due to structure of fuzzy logic [23, 24]. In this case the ways that combining MADM and fuzzy sets are accepted to model the structure [25]. One of the important advantages of fuzzy MADM methods is relatively assessing the risk parameters using fuzzy numbers instead of crisp numbers. This is one of the significant advantages for the decision maker.

Various RA studies have been carried out in the field of information security [3, 4, 6, 7, 26, 27]. Today, information systems have a complex, intricate structure and common use. For this reason, detailed mathematical measures used to model for complex risk environments make the process more convenient. Process of RA is also quite complicated. Although mathematical and classical RA models are used in information security, these methods are not succeeded to cover whole information security process and risks related to it. It can be observed that previous studies on RA of information security are reactive and aim to prevent repetition of a fault while our proposed methodology is proactive and aim to prevent any event that has potential cause for loss by eliminating factors before fault occurs. In this study proposed method for information security RA also supplies opportunity to decrease uncertainty in system with comprehensive and detailed analysis of system by the aid of fuzzy set theory. This approach makes this study different from the previous studies.

On the other hand, several approaches are proposed regarding combination of fuzzy set theory and MADM methods recently. Table 1 shows some recent studies with different type of fuzzy sets applied, MADM method and characteristic of RA problem. According to the Table 2, AHP–TOPSIS integration is studied in Gul and Ak [28] and Carpitella et al. [29]. However, in both studies, trapezoidal fuzzy set-based TOPSIS was applied to prioritize hazards. In the first study, PFAHP was used in weighing two fundamental risk parameters named severity and probability. Then, hazards were prioritized using trapezoidal fuzzy number-based TOPSIS. In the second study, both methods were integrated with trapezoidal fuzzy numbers.

Table 1 Recent fuzzy MADM-based RA studies
Full size table
Table 2 Difference between FTOPSIS, IFTOPSIS, and PFTOPSIS
Full size table

In the light of above-mentioned studies, it is easily seen that current study has contributions to the knowledge from both application view point (providing RA studies in the information security area) and methodological view point (providing Table 1 to show the recent RA studies by MADM methods and different versions of fuzzy set theory). (1) A novel integrated RA approach under Pythagorean fuzzy environment is provided. A PFAHP–PFTOPSIS integration in RA field has not been studied in the literature yet. (2) The integrated approach is tested in a real case study for information security RA in corrugated cardboard sector. (3) A comparative analysis with classical RA method that the observed facility followed is provided. (4) A new risk parameter called value of information, that is specific for information security, is considered in this study for the first time. The parameter of value of information refers to the sum of three factors as privacy, integrity, and accessibility.

Methodology

Pythagorean fuzzy sets and related notations

In this section, firstly, some preliminaries of Pythagorean fuzzy sets and corresponding notations are described. Then, the algorithm of Pythagorean fuzzy analytic hierarchy process (PFAHP) and Pythagorean fuzzy technique for order preference by similarity to ideal solution (PFTOPSIS) methods are explained with details. Pythagorean fuzzy sets were first proposed by Yager [30] and have been applied to various problems respecting uncertainty like interval type-2 fuzzy sets, hesitant fuzzy sets and intuitionistic fuzzy sets. Both intuitionistic fuzzy sets and Pythagorean fuzzy sets can be expressed in terms of membership function, non-membership function and hesitancy degree. However, in some cases, the degrees of membership and non-membership are bigger than 1 for intuitionistic fuzzy sets. To overcome the challenge, Yager [30] developed Pythagorean fuzzy sets. These sets are the generalization to the intuitionistic fuzzy sets in some condition where intuitionistic fuzzy sets cannot address the uncertainty. Therefore, Pythagorean fuzzy sets are more powerful and flexible to solve problems involving uncertainty [28, 31,32,33,34].

In Pythagorean fuzzy sets, the sum of membership and non-membership degrees can exceed 1 but the sum of squares cannot [8,9,10,11,12, 28, 31,32,33, 35, 36]. This situation is shown below in Definition 1.

Definition 1

Let a set X be a universe of discourse. A Pythagorean fuzzy set P is an object having the form [8, 9, 36,37,38]:

$$ P = \left\{ {\left\langle {x,\,P(\mu_{\text{P}} (x),v_{\text{P}} (x))} \right\rangle \left| {x \in X} \right.} \right\}, $$
(1)

where \( \mu_{P} (x):X \mapsto [0,1] \) defines the degree of membership and \( v_{\text{P}} (x):X \mapsto [0,1] \) defines the degree of non-membership of the element \( x \in X \) to P, respectively, and, for every \( x \in X \), it holds:

$$ 0 \le \mu_{\text{P}} (x)^{2} + v_{\text{P}} (x)^{2} \le 1. $$
(2)

For any PFS P and \( x \in X \), \( \pi_{\text{P}} (x) = \sqrt {1 - \mu^{2}_{\text{P}} (x) - v^{2}_{\text{P}} (x)} \) is called the degree of indeterminacy of x to P.

Definition 2

Let \( \beta_{1} = P(\mu_{{\beta_{1} }} ,v_{{\beta_{1} }} ) \) and \( \beta_{2} = P(\mu_{{\beta_{2} }} ,v_{{\beta_{2} }} ) \) be two Pythagorean fuzzy numbers, and λ > 0, then the operations on these two Pythagorean fuzzy numbers are defined as follows [35, 36]:

$$ \beta_{1} \oplus \beta_{2} = P(\sqrt {\mu_{{\beta_{1} }}^{2} + \mu_{{\beta_{2} }}^{2} - \mu_{{\beta_{1} }}^{2} \mu_{{\beta_{2} }}^{2} } , \, v_{{\beta_{1} }} v_{{\beta_{2} }} ) $$
(3)
$$ \beta_{1} \otimes \beta_{2} = P\left( {\mu_{{\beta_{1} }} \mu_{{\beta_{2} }} ,\,\sqrt {v_{{\beta_{1} }}^{2} + v_{{\beta_{2} }}^{2} - v_{{\beta_{1} }}^{2} v_{{\beta_{2} }}^{2} } } \right), $$
(4)
$$ \lambda \beta_{1} = P\left( {\sqrt {1 - (1 - \mu_{{\beta_{1} }}^{2} )^{\lambda } } ,(v_{{\beta_{1} }} )^{\lambda } } \right),\quad \lambda > 0, $$
(5)
$$ \beta_{1}^{\lambda } = P\left( {(\mu_{{\beta_{1} }} )^{\lambda } ,\sqrt {1 - (1 - v_{{\beta_{1} }}^{2} )^{\lambda } } } \right),\quad \lambda > 0. $$
(6)

Definition 3

Let \( \beta_{1} = P(\mu_{{\beta_{1} }} ,v_{{\beta_{1} }} ) \) and \( \beta_{2} = P(\mu_{{\beta_{2} }} ,v_{{\beta_{2} }} ) \) be two Pythagorean fuzzy numbers, a nature quasi-ordering on the Pythagorean fuzzy numbers is defined as follows [8,9,10,11,12, 36, 39, 40]:

$$ \beta_{1} \ge \beta_{2} \,{\text{if}}\,{\text{and}}\,{\text{only}}\,{\text{if}}\,\mu_{{\beta_{1} }} \ge \mu_{{\beta_{2} }} \,{\text{and}}\,v_{{\beta_{1} }} \le v_{{\beta_{2} }} . $$

To compare magnitude of two Pythagorean fuzzy numbers, a score function is developed by Garg [8,9,10,11,12, 36, 39, 40] as follows:

$$ s(\beta_{1} ) = \left( {\mu_{{\beta_{1} }} } \right)^{2} - \left( {v_{{\beta_{1} }} } \right)^{2} . $$
(7)

Definition 4

Depending on the proposed score functions of Pythagorean fuzzy numbers as demonstrated above, the following laws are defined to compare two Pythagorean fuzzy numbers [8,9,10,11,12, 36, 38, 39]:

$$ \begin{aligned} & ( {\text{i}})\,{\text{If}}\,s(\beta_{1} ) < s(\beta_{2} ),\quad {\text{then}}\,\beta_{1} \prec \beta_{2} , \\ & ( {\text{ii}})\,{\text{If}}\,s(\beta_{1} ) > s(\beta_{2} ),\quad {\text{then}}\,\beta_{1} \succ \beta_{2} , \\ & ( {\text{iii}})\,{\text{If}}\,s(\beta_{1} ) = s(\beta_{2} ),\quad {\text{then}}\,\beta_{1} \sim \beta_{2} . \\ \end{aligned} $$

Proposed integrated approach

This section describes the theoretical background of the methods used in the proposed integrated approach. In the first sub-section, steps of the PFAHP are provided. In the second sub-section, the PFTOPSIS method that is used to assess the hazards presented. Finally, an overall picture of the proposed approach PFAHP and FTOPSIS methods is demonstrated.

PAHP

Based on the definitions given in “Pythagorean Fuzzy sets and related notations”, procedural steps of PFAHP are presented in the following.

Step 1 The compromised pairwise comparison matrix \( A = (a_{ik} )_{\text{mxm}} \) is structured based on linguistic evaluations of experts using the scale proposed by Ilbahar et al. [32].

Step 2 The difference matrices \( D = (d_{ik} )_{\text{mxm}} \) between the lower and upper values of the membership and non-membership functions are calculated using Eqs. (8) and (9):

$$ d_{{ik_{L} }} = \mu_{{ik_{L} }}^{2} - v_{{ik_{U} }}^{2} , $$
(8)
$$ d_{{ik_{U} }} = \mu_{{ik_{U} }}^{2} - v_{{ik_{L} }}^{2} . $$
(9)

Step 3 Interval multiplicative matrix \( S = (s_{ik} )_{\text{mxm}} \) is computed using Eqs. (10) and (11):

$$ s_{{ik_{L} }} = \sqrt {1000^{{d_{{ik_{L} }} }} } , $$
(10)
$$ s_{{ik_{U} }} = \sqrt {1000^{{d_{{ik_{L} }} }} } . $$
(11)

Step 4 The determinacy value \( \tau = (\tau_{ik} )_{\text{mxm}} \) is calculated using Eq. (12):

$$ \tau_{ik} = 1 - \left( {\mu_{{ik_{U} }}^{2} - \mu_{{ik_{L} }}^{2} } \right) - \left( {v_{{ik_{U} }}^{2} - v_{{ik_{L} }}^{2} } \right). $$
(12)

Step 5 The determinacy degrees are multiplied with \( S = (s_{ik} )_{\text{mxm}} \) matrix for obtaining the matrix of weights \( T = (t_{ik} )_{\text{mxm}} \) before normalization using Eq. (13):

$$ t_{ik} = \left( {\frac{{s_{{ik_{L} }} + s_{{ik_{U} }} }}{2}} \right)\tau_{ik} . $$
(13)

Step 6 Each normalized priority weight \( w_{i} \) is computed using Eq. (14):

$$ w_{i} = \frac{{\sum\nolimits_{k = 1}^{m} {t_{ik} } }}{{\sum\nolimits_{i = 1}^{m} {\sum\nolimits_{k = 1}^{m} {t_{ik} } } }}. $$
(14)

PFTOPSIS

PFTOPSIS is a multi-criteria decision-making (MCDM) technique based on the concept of choosing the solution with the shortest distance from the ideal solution and the farthest distance from the negative ideal solution by considering concept of Pythagorean fuzzy sets. The difference between FTOPSIS and intuitionistic fuzzy TOPSIS (IFTOPSIS) and PFTOPSIS is provided in Table 2.

Based on the definition and explanations above, the procedural steps of PFTOPSIS algorithm are provided in the following:


Step 1 In the first step, Pythagorean fuzzy number-based decision matrix \( R = (C_{j} (x_{i} ))_{mxn} \) is constructed. Here, \( C_{j} (j = 1,2, \ldots ,n) \) and \( x_{i} (i = 1,2, \ldots ,m) \) refer to values of criteria and alternatives. The matrix form is as follows:

$$ R = (C_{j} (x_{i} ))_{mxn} = \left( {\begin{array}{*{20}l} {P(u_{11} ,v_{11} )} \hfill & {P(u_{12} ,v_{12} )} \hfill & \ldots \hfill & {P(u_{1n} ,v_{1n} )} \hfill \\ {P(u_{21} ,v_{21} )} \hfill & {P(u_{22} ,v_{22} )} \hfill & \ldots \hfill & {P(u_{2n} ,v_{2n} )} \hfill \\ \vdots \hfill & \vdots \hfill & \vdots \hfill & \vdots \hfill \\ {P(u_{m1} ,v_{m1} )} \hfill & {P(u_{m2} ,v_{m2} )} \hfill & \ldots \hfill & {P(u_{mn} ,v_{mn} )} \hfill \\ \end{array} } \right). $$

Step 2 In the second step, Pythagorean fuzzy positive ideal solution (PIS) and negative ideal solutions (NIS) are determined using Eqs. (15, 16) as follows:

$$\begin{aligned} x^{ + } &= \left\{ {C_{j} ,\mathop {\hbox{max} }\limits_{i} \left\langle {s(C_{j} (x_{i} ))} \right\rangle \left| {j = 1,2, \ldots ,n} \right.} \right\}\\ &= \Big\{ {\left\langle {C_{1} ,P(u_{1}^{ + } ,v_{1}^{ + } )} \right\rangle ,\left\langle {C_{2} ,P(u_{2}^{ + } ,v_{2}^{ + } )} \right\rangle , \ldots ,\left\langle {C_{n} ,P(u_{n}^{ + } ,v_{n}^{ + } )} \right\rangle } \Big\},\end{aligned} $$
(15)
$$\begin{aligned} x^{ - } &= \left\{ {C_{j} ,\mathop {\hbox{min} }\limits_{i} \left\langle {s(C_{j} (x_{i} ))} \right\rangle \left| {j = 1,2, \ldots ,n} \right.} \right\}\\ &= \Big\{ {\left\langle {C_{1} ,P(u_{1}^{ - } ,v_{1}^{ - } )} \right\rangle ,\left\langle {C_{2} ,P(u_{2}^{ - } ,v_{2}^{ - } )} \right\rangle , \ldots ,\left\langle {C_{n} ,P(u_{n}^{ - } ,v_{n}^{ - } )} \right\rangle } \Big\}.\end{aligned} $$
(16)

Step 3 In the third step, distances from Pythagorean fuzzy PIS and NIS are determined using Eqs. (17, 18) as follows:

$$\begin{aligned} D(x_{i} ,x^{ + } ) &= \sum\limits_{j = 1}^{n} {w_{j} d} (C_{j} (x_{i} ),C_{j} (x^{ + } )) \\ &= \frac{1}{2}\sum\limits_{j = 1}^{n} w_{j} \left( \left| {(\mu_{ij} )^{2} - (\mu_{j}^{ + } )^{2} } \right| + \left| {(v_{ij} )^{2} - (v_{j}^{ + } )^{2} } \right|\right.\\ &\quad\left.+\, \left| {(\pi_{ij} )^{2} - (\pi_{j}^{ + } )^{2} } \right| \right) ,\end{aligned} $$
(17)
$$\begin{aligned} D(x_{i} ,x^{ - } ) &= \sum\limits_{j = 1}^{n} {w_{j} d} (C_{j} (x_{i} ),C_{j} (x^{ - } ))\\ &= \frac{1}{2}\sum\limits_{j = 1}^{n} w_{j} \left( \left| {(\mu_{ij} )^{2} - (\mu_{j}^{ - } )^{2} } \right| + \left| {(v_{ij} )^{2} - (v_{j}^{ - } )^{2} } \right|\right. \\&\quad\left.+\, \left| {(\pi_{ij} )^{2} - (\pi_{j}^{ - } )^{2} } \right| \right) .\end{aligned} $$
(18)

for Eqs. (17, 18) i = 1,2, … ,n. In general, the smaller \( D(x_{i} ,x^{ + } ) \) the better the alternative \( x_{i} \) and the bigger \( D(x_{i} ,x^{ - } ) \) the better the alternative \( x_{i} \) and let \( D_{\hbox{min} } (x_{i} ,x^{ + } ) = \mathop {\hbox{min} }\nolimits_{1 \le i \le m} D(x_{i} ,x^{ + } ) \) and \( D_{\hbox{max} } (x_{i} ,x^{ - } ) = \mathop {\hbox{max} }\nolimits_{1 \le i \le m} D(x_{i} ,x^{ - } ) \).


Step 4 In the fourth step, the revised closeness \( \xi (x_{i} ) \, \) of the alternative \( x_{i} \) is computed using Eq. (19) as follows:

$$ \xi (x_{i} ) = \frac{{D(x_{i} ,x^{ - } )}}{{D_{\hbox{max} } (x_{i} ,x^{ - } )}} - \frac{{D(x_{i} ,x^{ + } )}}{{D_{\hbox{min} } (x_{i} ,x^{ + } )}}. $$
(19)

Step 5 In the fifth step, the best ranking order of the alternatives is determined. The alternative with the highest revised coefficient value is the best alternative.

Overall picture of the proposed approach

An RA process is especially followed by the steps of hazard identification, risk assessment, reducing risks, risk-residuals analysis, and selection of risk control options. Hazard identification step includes determining risks caused by potential hazards. The RA step is to calculate risk value based on three parameters of risk likelihood, risk severity and value of information. The value of information parameter is a special parameter for information security RA that refers to the sum of three factors as privacy, integrity, and accessibility. The risk reduction step enables the process to become more efficient so that significant risks are fast eliminated using hazard control hierarchy. After the risk reduction a second assessment is carried out to validate that the selected measures reduce the risks effectively. This is the step of assessing residual risks. The overall process follows a decision step hereafter. The risk assessment team decides on that the risks are reduced to an acceptable level by some control options. The structure of the proposed integrated approach followed in this study is given in Fig. 1.

Fig. 1
figure 1

The flow of proposed integrated RA approach

Full size image

Case study: information security RA for corrugated cardboard sector

The observed facility and risks

The observed production facility is one of the biggest companies in the corrugated cardboard industry of Turkey with its domestic capital. The main activity of the factory is the production of corrugated cardboard and corrugated cardboard boxes (printed and unprinted). One of the basic management policies of the firm is to provide a safe working environment through proactive activities related to occupational health and safety. In this context, firstly, a RA team consisting of six experts with different sector experience levels is established. Then, potential information security hazards and their corresponding risks are identified in terms of maintenance and repair process of the corrugated cardboard production facility. A total of ten risks are identified by the expert team. The list of potential hazards associated within the maintenance and repair operations is provided in Table 3.

Table 3 Descriptions of the risks in information security RA of maintenance and repair process
Full size table

Application of the proposed approach

The second step of an RA process is regarding assessing the hazards and associated risks. In this step, PFAHP is used in weighing three risk parameters by taking into consideration pairwise comparison and fuzzy linguistic ratings. In the literature, classic RA methods mostly consider equal weights to two (e.g., likelihood and severity in decision matrix method), three (e.g., likelihood, severity and frequency in Fine–Kinney method and likelihood, severity and detection in FMEA method) or more risk parameters. Besides, different combinations of judgments on the parameters may lead to a completely different meaning. For example, hazards with high likelihood and low severity could be classified at the same level as hazards with low likelihood and high severity. These minuses are articulated in the literature [41]. So, this study considers weighting of the three parameters by interval-valued Pythagorean fuzzy numbers-based AHP. The priority orders of ten different hazards with respect to these parameters are then determined using PFTOPSIS (see Fig. 1). Data of the information security risks are taken from the expert team working in the corrugated cardboard production facility. This team first evaluates and rates the risk parameters in a pair wise systematic. Then, they rate risks with respect to the previously evaluated risk parameters. Due to space limitations, the evaluation forms are not included here. Readers can find all forms in Supplementary file.

The procedure explained in “Proposed integrated approach” shows the computational processes to derive the importance weights of three risk parameters. Six experts are asked to express their pairwise comparisons for each risk parameter using the linguistic variables defined in Table 4.

Table 4 Weighing scale for PFAHP [32]
Full size table

In this stage, the linguistic variables are transferred into corresponding interval-valued Pythagorean fuzzy numbers. Since the ratings of these evaluators are different, it is required to aggregate their subjective judgments towards a compromised pairwise comparison matrix A as indicated in Step 1 of “Proposed integrated approach”. The aggregated compromised pairwise comparison matrix for three parameters is given in Table 5. The difference matrix D and interval multiplicative matrix S are also given in Tables 6 and 7, respectively. The determinacy value matrix as stated in Eq. (12) and matrix of weights before normalization as in Eq. (13) are given in Tables 8 and 9, respectively.

Table 5 Aggregated compromised pairwise comparison evaluation of experts in matrix form
Full size table
Table 6 The difference matrix
Full size table
Table 7 The interval multiplicative matrix
Full size table
Table 8 The determinacy value matrix (τ)
Full size table
Table 9 Matrix of weights before normalization (t)
Full size table

Finally, the normalized priority weights of risk parameters are computed using Eq. (14) as shown in Fig. 2.

Fig. 2
figure 2

Priority weights of three risk parameters by PFAHP

Full size image

In the second stage, using these risk parameters’ weights, and the evaluations of hazards with respect to each risk parameter, the PFTOPSIS is applied. The expert group evaluated ten hazards using linguistic variables and corresponding Pythagorean fuzzy numbers as shown in Table 10. At the end of this evaluation, the Pythagorean fuzzy decision matrix is constructed as in Table 11.

Table 10 Nine-point Pythagorean fuzzy linguistic scale for assessing risks [49]
Full size table
Table 11 Pythagorean fuzzy decision matrix
Full size table

Then, using Eqs. (15, 16), Pythagorean fuzzy PIS and Pythagorean fuzzy NIS values are determined. The obtained results are as follows:

$$ \begin{aligned} x^{ + } = \Big\{ {P(0.325,0.895),P(0.517,0.782),P(0.567,0.737)} \Big\} \hfill \\ x^{ - } = \Big\{ {P(0.100,0.987),P(0.125,0.965),P(0.100,0.977)} \Big\}. \hfill \\ \end{aligned} $$

Then, employing Eqs. (17, 18), distances from Pythagorean fuzzy PIS and NIS are calculated. The results are provided in Table 12. Moreover, the revised closeness values are computed using Eq. (19) and the results are also listed in Table 12. According to these revised closeness values, ranking of hazards is obtained as shown in Fig. 3.

Table 12 Results obtained by the PFTOPSIS
Full size table
Fig. 3
figure 3

Ranking orders of information security risks in the maintenance and repair process of a corrugated cardboard production facility

Full size image

It is shown in Fig. 3 that the most important five identified hazards for information security RA of maintenance and repair process are ISR8 (extension of spare parts procurement period), ISR3 (non-execution of maintenance), ISR10 (the absence of an area where copies of investment projects and copies of all the documents in all facilities are not available, not followed, no backup of soft documents on the common server), ISR7 (non-availability of spare parts) and ISR4 (intervention to electrical faults late).

Comparison of the results

To validate the efficiency of the proposed integrated approach, a comparison study is performed with classical method that the facility followed, PFAHP–PFVIKOR integration and PAHP–PFMOORA integration. According to the followed classical RA, three parameters are combined for risk score. The parameters are severity (S), likelihood (L) and value of information (VofI). The risk score is calculated by multiplexing these three parameters. Parameter of VofI is a special parameter for the information security RA. It combines three factors of privacy (P), integrity (I), and accessibility (A). The calculation of this parameter is to sum of three factors. For each of the parameters, a five-point scale is available as given in Tables 13, 14 and 15.

Table 13 Likelihood ratings
Full size table
Table 14 Severity ratings
Full size table
Table 15 Ratings of privacy, integrity, and accessibility
Full size table

The evaluation of information security risks done by the facility executives and the ranking results using the ratings in Tables 13, 14 and 15 are represented in Table 16. Risk scores of 10 information risks were obtained. Risk score with a value of 108 (ISR8) is the most important risk. ISR10 with a score value of 96 is placed at the second rank. ISR7 and ISR4 are followed by this risk with score values of 84 and 72 and clustered in the third and fourth ranking orders. ISR6 with a score value of 54 is the fifth most important risk. Two risks fell in the sixth ranking order that have a risk value of 48. ISR1, ISR2, and ISR5 are the least important hazards with a score value of 12.

Table 16 Evaluations of the information security risks by means of the classical method followed by facility
Full size table

To provide a more visual comparison between the proposed integrated approach and the other three approaches, the ranking order results of each approach can be demonstrated visually in Fig. 4.

Fig. 4
figure 4

Ranking order results of information security risk in terms of four approaches

Full size image

The first comparison analysis is conducted between the proposed approach and classical method. The comparison shows that, the ranking orders of information security risks are partially different from the proposed integrated approach. The ranking orders of risks ISR3, ISR4, ISR6, ISR7, and ISR10 are different between the two approaches. According to the Fig. 4, ISR ranks the first in terms of both approaches. The ranking order of the least important risks is partially the same.

The second comparison analysis is performed between the ranking order results obtained by the integration based on PFAHP and PFVIKOR and the proposed RA approach. It can be seen that information security risks ISR8, ISR3, ISR10, and ISR7 have the highest priority ranking orders in the proposed approach. It is consistent with the ranking results of PFAHP–PFVIKOR integrated approach. In addition, the hazards ISR1, ISR2, and ISR have the lowest risk priority ranking orders in the proposed approach. It is also consistent with the PFAHP–PFVIKOR integrated approach.

The third comparison is carried with the integration based on PFAHP and PFMOORA. From Fig. 4, the risk priority ranking results by the proposed approach and PFAHP–PFMOORA-integrated approach are similar to the second comparison. That is, the first three information security risks and the last two risks remain the same in both approaches.

In addition, a correlation coefficient is applied to measure the correlation between the final risk score values of classical method, ξ values of the proposed integrated approach, final VIKOR score values (Q values) and final MOORA score values. The outputs of correlation analysis are demonstrated in Table 17.

Table 17 Correlation coefficient results of the compared approaches
Full size table

According to results in Table 17, the relationships between ranking results are very strong. In PFAHP–PFVIKOR approach, a higher index value shows a lower ranking order. Hence, the correlation coefficient between PFAHP–PFVIKOR approach and the remaining approaches is a negative, high value as tabulated in Table 17. The correlation coefficient between the proposed approach and PFAHP–PFMOORA approach is positive and the highest of all approaches (0.99). The lowest correlation coefficient values are obtained from the comparisons of classical method with others (0.91 and − 0.92). This indicates the weakness of classical method. In contrast, the proposed approach can overcome this disadvantage associated with the classical method. According to the results, it is proved that the proposed approach can produce reasonable results and provide suitable information to assist management in the risk assessment problems.

The above-obtained results indicate the effectiveness and easiness of the model to prefer proposed model rather than classical model for the company. Firstly, it is very important that the information security risk analysis on the managerial basis requires the highest level of security and detailed work. The proposed method offers a much more detailed analysis than the classical model. Secondly information security risk analysis also has great importance as it will create a table to show which security measures will be taken on an administrative basis. On the other hand, information security is also important as an element of corporate governance. It should be recognized that the priority must be high, as it has obligations to employees, business partners, and customers. Therefore, it is important for each employee to pay attention to confidentiality, integrity, and usability of corporate and personal information assets in terms of criticality, sensitivity, importance, and value levels. It can be observed that proposed model has significant advantages over classical risk assessment models.

Conclusion

Classical RA methods are commonly applied in various workplaces for health, safety, and security problems. These methods determine the score of risk parameters (mostly parameters of severity and probability) using crisp values, assume the risk parameters as independent and produce the same risk value by different combinations of risk parameters’ scores. All these mentioned shortcomings require proposal of a new and novel RA methodology that can improve effectiveness in practical risk management. In this paper, a new RA methodology is proposed based on AHP–TOPSIS integration extended with Pythagorean fuzzy sets and applied to the information security RA. The interval-valued PFAHP is used to calculate the weights of risk parameters. A new parameter specific to information security RA is considered in this study for the first time. The parameters are risk likelihood, risk severity, and value of information. The value of information parameter refers to the sum of three factors as privacy, integrity, and accessibility. The risk priority of each hazard is calculated using the PFTOPSIS. A case study on the assessment of risks was carried out for maintenance and repair process in corrugated cardboard sector. According to the comparison study, it can be summarized that the proposed method can provide more reasonable and precise calculation of risk values in classical method, as well as improve the effectiveness of the classical RA method that the observed facility follows.

In summary, contributions of the current study to the literature are as follows:

  • A new risk parameter for information security RA called value of knowledge is considered for the first time in the literature.

  • The PFAHP and PFTOPSIS, which are commonly used MADM methods with Pythagorean fuzzy sets, are applied integrally to the assessment of risks for the first time in the literature. By doing this, an upgraded fuzzy MADM-based RA approach using linguistic terms with Pythagorean fuzzy set theory has been implemented. Use of Pythagorean fuzzy sets successfully managed the uncertainty and vagueness of the expert teams’ perceptions during the subjective judgment process.

  • A comparative analysis with classical RA method, PFAHP–PFVIKOR, PFAHP–PFMOORA approach that the observed facility followed is carried out. Results of this analysis proved that the proposed approach can produce reasonable results and provide suitable information to assist management in the risk assessment problems.

Although the study has contributions, it has some limitations. Subjective evaluation of both risk parameters and hazards depends on safety expert’s experience. This may make the RA results different. Therefore, an objective evaluation procedure can be followed such as, making a different weighing among experts, using different risk parameter weights for evaluation of each hazard and proposing an optimized way in determination of each risk parameter. Another future direction may be using the proposed RA approach to address risk evaluation problems in other practical cases.