Ranking information security controls by using fuzzy analytic hierarchy process

  • Original Article
  • Information Systems and e-Business Management

Abstract

Information security can be achieved by implementing a set of appropriate controls. However, identifying and selecting the most effective information security controls in organizations has been a major challenge for years. Although many studies have addressed these challenges, there is still a lack of research that ranks these controls. In this study, a fuzzy Analytic Hierarchy Process was used to prioritize and select effective managerial domains and control objectives among the information security controls. The case studied was the implementation of ISO 27001 information security at the National Iranian Oil Products Distribution Company. According to the results, access control and information systems acquisition, development and maintenance have the highest priorities among the managerial domains of the information security controls. On the other hand, business continuity management and asset management have the lowest priorities among the studied information security controls. Furthermore, it was found that, among the 39 control objectives, user access management and third party service delivery management have the highest and lowest priorities, respectively.
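The following is an added worked example, not code from the paper, showing how a fuzzy AHP ranking of the kind the abstract reports is computed with Chang's extent analysis (a common fuzzy AHP variant; that the authors used exactly this variant is an assumption). It ranks four of the managerial domains listed in the appendix using a constructed triangular fuzzy scale and constructed pairwise judgments, neither of which comes from the paper's survey.

```python
from typing import Dict, List, Tuple

TFN = Tuple[float, float, float]  # triangular fuzzy number (low, mid, high)
# Constructed linguistic scale (an assumption, not the paper's own scale).
EQUAL: TFN = (1.0, 1.0, 1.0)
WEAKLY_MORE: TFN = (1.0, 1.5, 2.0)
FAIRLY_MORE: TFN = (1.5, 2.0, 2.5)

def reciprocal(t: TFN) -> TFN:
    """Fuzzy reciprocal: (l, m, u)^-1 = (1/u, 1/m, 1/l)."""
    return (1.0 / t[2], 1.0 / t[1], 1.0 / t[0])

def build_matrix(names: List[str], judgments: Dict[Tuple[str, str], TFN]) -> List[List[TFN]]:
    """Pairwise comparison matrix: judgments give one triangle, reciprocals fill the other."""
    idx = {name: k for k, name in enumerate(names)}
    mat = [[EQUAL] * len(names) for _ in names]
    for (a, b), t in judgments.items():
        mat[idx[a]][idx[b]] = t
        mat[idx[b]][idx[a]] = reciprocal(t)
    return mat

def possibility(m2: TFN, m1: TFN) -> float:
    """Degree of possibility V(M2 >= M1) for triangular fuzzy numbers."""
    l1, mid1, _ = m1
    _, mid2, u2 = m2
    if mid2 >= mid1:
        return 1.0
    if l1 >= u2:
        return 0.0
    return (l1 - u2) / ((mid2 - u2) - (mid1 - l1))

def extent_weights(mat: List[List[TFN]]) -> List[float]:
    """Chang's extent analysis: synthetic extents, pairwise possibility, min, normalise."""
    n = len(mat)
    rows = [tuple(sum(t[c] for t in row) for c in range(3)) for row in mat]
    tl, tm, tu = (sum(r[c] for r in rows) for c in range(3))
    synth = [(r[0] / tu, r[1] / tm, r[2] / tl) for r in rows]  # S_i = row_i (x) total^-1
    # d'(i) = min_k V(S_i >= S_k). A domain dominated on every comparison gets weight 0,
    # a known limitation of extent analysis, so inspect zero weights before trusting a ranking.
    d = [min(possibility(synth[i], synth[k]) for k in range(n) if k != i) for i in range(n)]
    total = sum(d)
    return [x / total for x in d]

def rank_domains(names: List[str], judgments: Dict[Tuple[str, str], TFN]) -> List[Tuple[str, float]]:
    weights = extent_weights(build_matrix(names, judgments))
    return sorted(zip(names, weights), key=lambda p: -p[1])  # highest priority first

# Four of the appendix's managerial domains with constructed judgments (not the paper's survey data).
DOMAINS = ["Access Control", "Information System Acquisition, Development and Maintenance",
           "Asset Management", "Business Continuity Management"]
JUDGMENTS = {
    (DOMAINS[0], DOMAINS[1]): WEAKLY_MORE, (DOMAINS[0], DOMAINS[2]): FAIRLY_MORE,
    (DOMAINS[0], DOMAINS[3]): FAIRLY_MORE, (DOMAINS[1], DOMAINS[2]): WEAKLY_MORE,
    (DOMAINS[1], DOMAINS[3]): WEAKLY_MORE, (DOMAINS[2], DOMAINS[3]): EQUAL,
}
```

Calling `rank_domains(DOMAINS, JUDGMENTS)` returns the domains with their normalised weights, highest first; with these judgments access control comes out on top and the two tied lowest are asset management and business continuity management.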



Correspondence to Hamid Khajouei.

Appendix

ISO 27001: Managerial domains and control objectives in information security controls

  1. Security Policy

    • Security Policy addresses management support, commitment, and direction in accomplishing information security goals.

      • Information security policy

        • Providing management direction and support for information security in accordance with business requirements and relevant laws and regulations.

  2. Organization of Information Security

    • Organization of Information Security addresses the need for a management framework that creates, sustains, and manages the security infrastructure.

      • Internal organization

        • Managing information security within the organization. A management framework should be established to initiate and control the implementation of information security within the organization.

      • External parties

        • To maintain the security of the organization’s information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.

  3. Asset Management

    • Asset Management addresses the ability of the security infrastructure to protect organizational assets.

      • Responsibility for assets

        • To achieve and maintain appropriate protection of organizational assets. All assets should be accounted for and have a nominated owner.

      • Information classification

        • To ensure that information receives an appropriate level of protection. Information should be classified to indicate the need, priorities, and expected degree of protection when handling the information. Information has varying degrees of sensitivity and criticality.

  4. Human Resource Security

    • Human Resource Security addresses an organization’s ability to mitigate the risk inherent in human interactions.

      • Prior to employment

        • To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.

      • During employment

        • To ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.

      • Termination or change of employment

        • To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner. Responsibilities should be in place to ensure an employee’s, contractor’s or third party user’s exit from the organization is managed, and that the return of all equipment and the removal of all access rights are completed.

  5. Physical and Environmental Security

    • Physical and Environmental Security addresses risk inherent to organizational premises.

      • Secure areas

        • To prevent unauthorized physical access, damage, and interference to the organization’s premises and information. Critical or sensitive information processing facilities should be housed in secure areas, protected by defined security perimeters, with appropriate security barriers and entry controls.

      • Equipment security

        • To prevent loss, damage, theft or compromise of assets and interruption to the organization’s activities. Equipment should be protected from physical and environmental threats.

  6. Communications and Operations Maintenance

    • Communications and Operations Maintenance addresses an organization’s ability to ensure correct and secure operation of its assets.

      • Operational procedures and responsibilities

        • To ensure the correct and secure operation of information processing facilities. Responsibilities and procedures for the management and operation of all information processing facilities should be established.

      • Third party service delivery management

        • To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.

      • System planning and acceptance

        • To minimize the risk of systems failures. Advance planning and preparation are required to ensure the availability of adequate capacity and resources to deliver the required system performance.

      • Protection against malicious and mobile code

        • To protect the integrity of software and information. Precautions are required to prevent and detect the introduction of malicious code and unauthorized mobile code.

      • Back-up

        • To maintain the integrity and availability of information and information processing facilities. Routine procedures should be established to implement the agreed back-up policy and strategy for taking back-up copies of data and rehearsing their timely restoration.

      • Network security management

        • To ensure the protection of information in networks and the protection of the supporting infrastructure.

      • Media handling

        • To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption to business activities. Media should be controlled and physically protected.

      • Exchange of information

        • To maintain the security of information and software exchanged within an organization and with any external entity.

      • Electronic commerce services

        • To ensure the security of electronic commerce services, and their secure use. The security implications associated with using electronic commerce services, including on-line transactions, and the requirements for controls, should be considered.

      • Monitoring

        • To detect unauthorized information processing activities. Systems should be monitored and information security events should be recorded.

  7. Access Control

    • Access Control addresses an organization’s ability to control access to assets based on business and security requirements.

      • Business requirement for access control

        • To control access to information. Access to information, information processing facilities, and business processes should be controlled on the basis of business and security requirements. Access control rules should take account of policies for information dissemination and authorization.

      • User access management

        • To ensure authorized user access and to prevent unauthorized access to information systems. Formal procedures should be in place to control the allocation of access rights to information systems and services.

      • User responsibilities

        • To prevent unauthorized user access, and compromise or theft of information and information processing facilities. The co-operation of authorized users is essential for effective security.

      • Network access control

        • To prevent unauthorized access to networked services. Access to both internal and external networked services should be controlled.

      • Operating system access control

        • To prevent unauthorized access to operating systems. Security facilities should be used to restrict access to operating systems to authorized users.

      • Application and information access control

        • To prevent unauthorized access to information held in application systems. Security facilities should be used to restrict access to and within application systems.

      • Mobile computing and teleworking

        • To ensure information security when using mobile computing and teleworking facilities. The protection required should be commensurate with the risks these specific ways of working cause.

  8. Information System Acquisition, Development and Maintenance

    • Information System Acquisition, Development and Maintenance addresses an organization’s ability to ensure that appropriate information system security controls are both incorporated and maintained.

      • Security requirements of information systems

        • To ensure that security is an integral part of information systems. Information systems include operating systems, infrastructure, business applications, off-the-shelf products, services, and user-developed applications.

      • Correct processing in applications

        • To prevent errors, loss, unauthorized modification or misuse of information in applications. Appropriate controls should be designed into applications, including user developed applications to ensure correct processing.

      • Cryptographic controls

        • To protect the confidentiality, authenticity or integrity of information by cryptographic means. A policy should be developed on the use of cryptographic controls.

      • Security of system files

        • To ensure the security of system files. Access to system files and program source code should be controlled, and IT projects and support activities conducted in a secure manner. Care should be taken to avoid exposure of sensitive data in test environments.

      • Security in development and support processes

        • To maintain the security of application system software and information. Project and support environments should be strictly controlled. Managers responsible for application systems should also be responsible for the security of the project or support environment.

      • Technical Vulnerability Management

        • To reduce risks resulting from exploitation of published technical vulnerabilities. Technical vulnerability management should be implemented in an effective, systematic, and repeatable way with measurements taken to confirm its effectiveness.

  9. Information Security Incident Management

    • The goal of an effective Information Security Incident Management strategy is to reduce the impact of security events. Appropriate management of security events helps prevent future occurrences.

      • Reporting information security events and weaknesses

        • To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken. Formal event reporting and escalation procedures should be in place.

      • Management of information security incidents and improvements

        • To ensure a consistent and effective approach is applied to the management of information security incidents. Responsibilities and procedures should be in place to handle information security events and weaknesses effectively once they have been reported.

  10. Business Continuity Management

    • Business Continuity Management addresses an organization’s ability to counteract interruptions to normal operations.

      • Information security aspects of business continuity management

        • To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.

  11. Compliance

    • Compliance addresses an organization’s ability to remain in compliance with regulatory, statutory, contractual, and security requirements.

      • Compliance with legal requirements

        • To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements. The design, operation, use, and management of information systems may be subject to statutory, regulatory, and contractual security requirements.

      • Compliance with security policies and standards, and technical compliance

        • To ensure compliance of systems with organizational security policies and standards. The security of information systems should be regularly reviewed.

      • Information systems audit considerations

        • To maximize the effectiveness of and to minimize interference to/from the information systems audit process.

Khajouei, H., Kazemi, M. & Moosavirad, S.H. Ranking information security controls by using fuzzy analytic hierarchy process. Inf Syst E-Bus Manage 15, 1–19 (2017). https://doi.org/10.1007/s10257-016-0306-y
