Towards Quantification of Information System Security

  • Sunil Thalia
  • Asma Tuteja
  • Maitreyee Dutta
Part of the Communications in Computer and Information Science book series (CCIS, volume 250)


Quantification is a highly successful paradigm in many technical and engineering disciplines. Security quantification is the representation and analysis of information security in quantitative terms. The exponential growth of information technology and the prospect of increased public access to computing, communications, and storage resources have made these systems more vulnerable to attack. The need to protect them is fueling the need to quantify security metrics so that the actual level of security assurance can be determined. This paper presents a quantitative framework based on the Fuzzy Analytic Hierarchy Process (FAHP) to quantify the security performance of an information system.


Keywords: Information system, Security metrics, Fuzzy analytic hierarchy process





Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Sunil Thalia (1)
  • Asma Tuteja (2)
  • Maitreyee Dutta (1)
  1. NITTTR, Chandigarh, India
  2. G D Goenka World Institute, Sohna, India
