Information Security Risk Analysis Using
Analytic Hierarchy Process and Fuzzy
Comprehensive Evaluation
Aliu Folasade Ayeni Olaniyi A. Thompson Aderonke F. Alese Boniface K.
sadealiu@gmail.com oaayeni@futa.edu.ng afthompson@futa.edu.ng bkalese@futa.edu.ng
School of Computing
The Federal University of Technology
Akure, Nigeria.
Abstract
Risk analysis happens to be a fundamental part of risk management. It helps to determine the magnitude of risk a system
is faced with. This study applies Analytic Hierarchy Process (AHP) and Fuzzy Comprehensive Evaluation (FCE) to
analyse the risk extent of an information security system. The weights obtained through AHP were used for both the
single-factor and multi-level analysis of the FCE. The rule of highest membership was used to arrive at the conclusion of
the evaluation. The maximum membership of the risk degree is 0.3254, which implies that the risk level for the system is
low. The results of risk assessment will help in recommending the necessary controls for the information security system.
Keywords
Analytic Hierarchy Process (AHP), Fuzzy Comprehensive Evaluation (FCE), Information Security, Risk Analysis
I. INTRODUCTION
Information security deals with the preservation of data from unauthorized utilization, most especially
electronic data [1]. Every organisation that uses information needs to assess the security of information at their
disposal. Hence, there is need for information security analysis. Risk assessment is the initial operation in the
procedure for management of risk. It helps to ascertain the magnitude of a likely threat and the dangers that may be
connected to an IT system [2]. The outcome of the risk assessment operation helps to pinpoint relevant measures to
help reduce the recognized risks. Security risks for information systems are dangers that come up as a result of
disclosure of confidentiality, lack of integrity, or unavailability of information. The risk degree of an information
system signifies the possible negative effects it has on an organization’s assets, operations and the nation [3].
Information risk analysis entails four fundamental components, that is, assets, threats, vulnerability and
controls. Asset is equivalent to clients’ private details. The information is probably very important to the clients and
also very delicate. Consequently, if the data is stolen, misplaced or damaged in any way, the effect will be tragic for
both the clients and the corporation [4]. Threats have the ability to create undesirable circumstances that can have
negative effects on the assets of a company. Mouna et al. brought forward a detailed model that outlined several
threat attributes. The model presents a guideline to establish the types of unwanted events that may have impact on
information systems organizations [5]. Vulnerabilities are flaws in a system that threats can take advantage of.
International Journal of Computer Science and Information Security (IJCSIS),
Vol. 18, No. 6, June 2020
36 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
Controls can be characterised as measures that can be taken to reduce the effects of threats on the assets of the
establishment. These controls ensure security of assets.
There are several risk assessment tools and they have been classified into two methods; that is, qualitative
and quantitative techniques. Each of these techniques has its benefits and limitations. However, when both of these
techniques are combined to give a hybrid model, they generate improved results [6].
According to [7] and [8], quantitative techniques make use of mathematical methods to determine and
analyse risk; while qualitative procedures apply the use of adjectives to perform risk assessment. Risk assessment
that is carried out using either quantitative procedures or qualitative techniques does not produce adequate
information for use in information security risk management procedures [9].
Due to these limitations, [9] recommended that soft computing should be used alongside both
quantitative and qualitative procedures in order to improve the effectiveness of the analysis. This combination will
yield much better and more precise results. As a result, [10] endorsed the hybrid approach of combining AHP and FCE to
assess risks related to information security. AHP transforms risks into numeric values while FCE determines the extent
of threats to an establishment [6].
II. RELATED WORKS
In [11], a risk assessment procedure for information system security using information entropy was
proposed, and the security risk analysis model of the system was constructed. The authors in [12] presented a
methodology that correlates the assets, threats, vulnerabilities, and controls of the firm, and shows the relevance of
different controls relating to the values of the firm. The proposed approach used three different grids, that is,
vulnerability grid, threat grid and control grid to acquire the statistics that is required for the risk examination.
However, this methodology works best for an existing organisation. In [13], a prototype of information security
likelihood appraisal was designed using AHP alone and showed that it can be simply applied to assess the
probability of risk in web security. The author in [14] combined FCE with information entropy to determine the risk
extent of the information security structure. The risk degree for the entire system was defined based on estimation of
probability of the frequency and the effect of risk. In [10], AHP and FCE were combined to evaluate the information
security risk of a system in L-company. AHP was applied to find the more important elements of assessments from
many elements in order to simplify the calculation of risk value and provide a strong basis for taking relevant
measures [15]. In [16], AHP was used along with FCE method to numerically assess the information security of the
exigency command system of a dangerous chemical-producing venture and also calculate the risk. The efficacy of
the model was confirmed.
III. ANALYTIC HIERARCHY PROCESS
AHP is a method for decision-making based on numerous yardsticks which converts personalized
estimation of comparable factors into a set of scores, weights or numbers. The first step in the AHP algorithm is to
make basic or simple comparisons (judgement matrix) between each factor. It is as shown in equation 1.
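$$A = \begin{bmatrix} 1 & \frac{w_1}{w_2} & \cdots & \frac{w_1}{w_n} \\ \frac{w_2}{w_1} & 1 & \cdots & \frac{w_2}{w_n} \\ \vdots & \vdots & \ddots & \vdots \\ \frac{w_n}{w_1} & \frac{w_n}{w_2} & \cdots & 1 \end{bmatrix} = \begin{bmatrix} \frac{w_1}{w_1} & \frac{w_1}{w_2} & \cdots & \frac{w_1}{w_n} \\ \frac{w_2}{w_1} & \frac{w_2}{w_2} & \cdots & \frac{w_2}{w_n} \\ \vdots & \vdots & \ddots & \vdots \\ \frac{w_n}{w_1} & \frac{w_n}{w_2} & \cdots & \frac{w_n}{w_n} \end{bmatrix} \tag{1}$$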
Where A = basic comparison matrix,
w1 = weight of factor 1,
w2 = weight of factor 2,
wn = weight of factor n.
Information security metrics to be analysed using AHP are represented in Table 1.
TABLE 1
GUIDE OF EVALUATION FOR INFORMATION SECURITY RISK ANALYSIS
| Objective | Index of Criterion Layer 1 | Index of Criterion Layer 2 |
|---|---|---|
| Information Security Risk Analysis | Assets (X1) | Confidentiality (X11) |
| | | Integrity (X12) |
| | | Availability (X13) |
| | Threats (X2) | Natural (X21) |
| | | Human (X22) |
| | | Environmental (X23) |
| | Vulnerability (X3) | Management (X31) |
| | | Operational (X32) |
| | | Technical (X33) |
| | Control Measures (X4) | Preventive (X41) |
| | | Detective (X42) |
A standard scale of preference is used to judge the importance of one factor over the other in a matrix, A
using values 1 to 9. Table 2 shows the standard scale of preference.
TABLE 2
AHP SCALE OF PREFERENCE FOR COMPARISONS
| Value | Representation |
|---|---|
| 1 | Equal significance |
| 3 | Average significance over another |
| 5 | Crucial importance |
| 7 | Very crucial importance |
| 9 | Extremely crucial importance |
| 2, 4, 6, 8 | Values for in-between comparison |
The judgement matrices (pair-wise comparisons) are shown as follows.
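Criterion Layer 1:
$$\begin{bmatrix} 1 & 7 & 5 & 3 \\ \frac{1}{7} & 1 & \frac{1}{3} & \frac{1}{5} \\ \frac{1}{5} & 3 & 1 & \frac{1}{3} \\ \frac{1}{3} & 5 & 3 & 1 \end{bmatrix}, \qquad \text{weights} = (0.558,\ 0.057,\ 0.122,\ 0.263)$$
Asset:
$$\begin{bmatrix} 1 & 3 & 5 \\ \frac{1}{3} & 1 & 3 \\ \frac{1}{5} & \frac{1}{3} & 1 \end{bmatrix}, \qquad \text{weights} = (0.63,\ 0.26,\ 0.11)$$
Threats:
$$\begin{bmatrix} 1 & \frac{1}{5} & \frac{1}{3} \\ 5 & 1 & 3 \\ 3 & \frac{1}{3} & 1 \end{bmatrix}, \qquad \text{weights} = (0.11,\ 0.63,\ 0.26)$$
Vulnerability:
$$\begin{bmatrix} 1 & 5 & \frac{1}{3} \\ \frac{1}{5} & 1 & \frac{1}{7} \\ 3 & 7 & 1 \end{bmatrix}, \qquad \text{weights} = (0.28,\ 0.08,\ 0.64)$$
Controls:
$$\begin{bmatrix} 1 & 3 \\ \frac{1}{3} & 1 \end{bmatrix}, \qquad \text{weights} = (0.75,\ 0.25)$$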
Obtain a normalised pair-wise matrix by adding the figures in each column of the pair-wise matrix and then
dividing each value in the matrix by its column sum.
=	∑
(2)
To generate the weighted matrix (priority vector), the total of the normalised matrix of the column of
matrix is then divided by the amount of factors used. It is given as:
=	
∑
(3)
A product of the pair-wise matrix and the weights vector is used to obtain the value of the consistency
vector (λmax). Thereafter, the sum of row entries is divided by the corresponding criterion weight.
The Consistency Index (CI) is given as:
$$CI = \frac{\lambda_{max} - n}{n - 1} \tag{4}$$
such that, n is the order of matrix.
Finally, the consistency ratio is computed by dividing the CI with random index (RI). In general, if CR is
smaller than or equal to 0.1, the judgments are in consonance with one another. The formula for CR is:
$$CR = \frac{CI}{RI} \tag{5}$$
where the value of RI (Random Index) is shown in the Random Consistency Index Table 3.
TABLE 3
RANDOM CONSISTENCY INDEX
| n | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 |
|---|---|---|---|---|---|---|---|---|---|---|
| RI | 0 | 0 | 0.58 | 0.9 | 1.12 | 1.24 | 1.32 | 1.41 | 1.45 | 1.49 |
If CR ≤ 0.1, then the judgement is acceptable, else the judgement should be re-examined.
From the pair-wise matrices, the weights are generated and the judgements are consistent. The weights are:
Criterion Layer 1: (0.558, 0.057, 0.122, 0.263)
Asset: (0.63, 0.26, 0.11)
Threats: (0.11, 0.63, 0.26)
Vulnerability: (0.28, 0.08, 0.64)
Controls: (0.75, 0.25)
Table 4 shows the overall weights for the information security risk metrics.
TABLE 4
FINAL WEIGHTS FOR INFORMATION SECURITY RISK
| Layer | Element | Weight | Combined Weight |
|---|---|---|---|
| Criterion Layer 2 | Confidentiality | 0.63 | 0.35154 |
| | Integrity | 0.26 | 0.14508 |
| | Availability | 0.11 | 0.06138 |
| | Natural | 0.11 | 0.00627 |
| | Human | 0.63 | 0.03591 |
| | Environmental | 0.26 | 0.01482 |
| | Management | 0.28 | 0.03416 |
| | Operational | 0.08 | 0.00976 |
| | Technical | 0.64 | 0.07808 |
| | Preventive | 0.75 | 0.19725 |
| | Detective | 0.25 | 0.06575 |
| Criterion Layer 1 | Assets | 0.558 | |
| | Threats | 0.057 | |
| | Vulnerability | 0.122 | |
| | Controls | 0.263 | |

Combined Consistency: 0.09612267
The values in the second column show the weights of the factors in the second criterion layer with respect
to their corresponding factors in the first criterion layer. The values in the third column (combined weights) show
the overall influence of each factor when compared to the objective of the analysis. The results of the combined
weights show that element of confidentiality of information is most important in the assessment of information
security while factors of operational vulnerability have the least effect on information security risk.
The weights in the second column for criterion layer 2 will be used for the lone-element appraisal in the
Fuzzy Comprehensive Evaluation (FCE) while the weights for the first criterion layer will be used for the multi-
level evaluation in the FCE. The overall consistency for the hierarchy is 0.09612267, which shows that the analysis
is acceptable because it is less than 0.1.
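An added example (not code from the paper) that runs the AHP steps above on the page's own judgement matrices: column normalisation and row averaging for the weights, then λmax, CI and CR against Table 3, and the combined weights of Table 4. Function and variable names are assumptions made here; the computed weights agree with the printed ones to within 0.01, and the page's combined consistency figure is not recomputed because its formula is not given.

```python
from fractions import Fraction as F

# Random consistency index, copied from Table 3 of the page.
RI = {1: 0, 2: 0, 3: 0.58, 4: 0.9, 5: 1.12, 6: 1.24,
      7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}

# Judgement matrices transcribed from the page (exact fractions, no rounding).
MATRICES = {
    "Criterion Layer 1": [[1, 7, 5, 3],
                          [F(1, 7), 1, F(1, 3), F(1, 5)],
                          [F(1, 5), 3, 1, F(1, 3)],
                          [F(1, 3), 5, 3, 1]],
    "Assets": [[1, 3, 5], [F(1, 3), 1, 3], [F(1, 5), F(1, 3), 1]],
    "Threats": [[1, F(1, 5), F(1, 3)], [5, 1, 3], [3, F(1, 3), 1]],
    "Vulnerability": [[1, 5, F(1, 3)], [F(1, 5), 1, F(1, 7)], [3, 7, 1]],
    "Controls": [[1, 3], [F(1, 3), 1]],
}

# Second-layer factors in matrix row order (Table 1); the key order matches
# the row order of the Criterion Layer 1 matrix.
FACTORS = {
    "Assets": ["Confidentiality", "Integrity", "Availability"],
    "Threats": ["Natural", "Human", "Environmental"],
    "Vulnerability": ["Management", "Operational", "Technical"],
    "Controls": ["Preventive", "Detective"],
}


def is_reciprocal(a):
    """A judgement matrix must be square with a[i][j] * a[j][i] == 1."""
    n = len(a)
    return all(len(row) == n for row in a) and all(
        F(a[i][j]) * F(a[j][i]) == 1 for i in range(n) for j in range(n))


def priority_vector(a):
    """Divide each entry by its column sum, then average each row."""
    n = len(a)
    col = [sum(F(a[i][j]) for i in range(n)) for j in range(n)]
    return [float(sum(F(a[i][j]) / col[j] for j in range(n)) / n)
            for i in range(n)]


def consistency(a, w):
    """Return (lambda_max, CI, CR) for matrix a and weight vector w."""
    n = len(a)
    aw = [sum(float(a[i][j]) * w[j] for j in range(n)) for i in range(n)]
    lam = sum(aw[i] / w[i] for i in range(n)) / n
    ci = (lam - n) / (n - 1) if n > 1 else 0.0
    ri = RI[n]
    cr = ci / ri if ri else 0.0  # RI = 0 for n <= 2: always consistent
    return lam, ci, cr


def analyse(matrices=MATRICES):
    """Weights and consistency figures for every judgement matrix."""
    out = {}
    for name, a in matrices.items():
        if not is_reciprocal(a):
            raise ValueError(f"{name}: not a reciprocal judgement matrix")
        w = priority_vector(a)
        lam, ci, cr = consistency(a, w)
        out[name] = {"weights": w, "lambda_max": lam, "CI": ci,
                     "CR": cr, "acceptable": cr <= 0.1}
    return out


def combined_weights(result):
    """Layer-2 weight times its parent's layer-1 weight (Table 4)."""
    top = dict(zip(FACTORS, result["Criterion Layer 1"]["weights"]))
    return {name: top[group] * w
            for group, names in FACTORS.items()
            for name, w in zip(names, result[group]["weights"])}


if __name__ == "__main__":
    res = analyse()
    for name, r in res.items():
        print(name, [round(w, 3) for w in r["weights"]],
              "CR=%.4f" % r["CR"], "ok" if r["acceptable"] else "re-examine")
    for name, w in combined_weights(res).items():
        print(f"{name:16s} {w:.5f}")
```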
IV. FUZZY COMPREHENSIVE EVALUATION
Fuzzy comprehensive evaluation technique is a certain implementation procedure which applies fuzzy
mathematics. The steps are highlighted below.
A. Determine the domain of evaluated objects factors
The object factors, X = {x1, x2, ..., xj}, mean that there are ‘j’ assessment factors from which a person is to
judge the assessed object factor; xi represents the i-th index. According to Table 1, the risk factors have been
identified. The fuzzy set X = {X11, X12, X13, X21, X22, X23, X31, X32, X33, X41, X42}, of which X11, X12, X13, X21, X22, X23,
X31, X32, X33, X41, X42 are the risk factors.
Comments set is set up in order to be used by evaluators to evaluate the objects, with Y as an assessment
index set: Y = {y1, y2, ..., yn}. Since risk is a function of probability and impact, two different evaluation sets are
built. The interpretation and meaning of the assessment set Y = {Y1, Y2...Y5} of the risk factor set X for the risk
likelihood, Rp, is shown in Table 5.
TABLE 5
DESCRIPTION OF RISK LIKELIHOOD LEVEL
| Risk | Likelihood | Likelihood Description |
|---|---|---|
| Y1 | Very Low | Might never occur. |
| Y2 | Low | Might occur once in 3 years. |
| Y3 | Medium | Might occur about twice in one year. |
| Y4 | High | Might occur at least once in a month. |
| Y5 | Very High | Might occur every day. |
The assessment set Y = {Y1, Y2...Y5} of risk factor set, X and its interpretation for the risk impact, Rc, is
shown in Table 6.
TABLE 6
DESCRIPTION OF RISK IMPACT LEVEL
| Risk | Impact | Impact Description |
|---|---|---|
| Y1 | Very Low | There is almost no impact on the system. |
| Y2 | Low | There is mild impact on the system but can be recovered with little efforts. |
| Y3 | Medium | The impact can damage the reputation of the organisation but can be quickly restored if properly handled. |
| Y4 | High | There is a partial breakdown of the system which can lead to loss of trust among clients. |
| Y5 | Very High | There is complete and devastating breakdown of the entire system. |
Each of the experts assesses the likelihood and impact of the risk factors, X, based on table 5 and table 6. A
risk matrix, R is generated for each expert based on table 7.
TABLE 7
RISK MATRIX
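| Risk | Y1 | Y2 | Y3 | Y4 | Y5 |
|---|---|---|---|---|---|
| Y1 | VL (Y1) | VL (Y1) | L (Y2) | L (Y2) | M (Y3) |
| Y2 | VL (Y1) | L (Y2) | L (Y2) | M (Y3) | M (Y3) |
| Y3 | L (Y2) | L (Y2) | M (Y3) | M (Y3) | H (Y4) |
| Y4 | L (Y2) | M (Y3) | M (Y3) | H (Y4) | VH (Y5) |
| Y5 | M (Y3) | M (Y3) | H (Y4) | VH (Y5) | VH (Y5) |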
B. Evaluate single factor and establish the fuzzy relationship grid, R.
The process of assessing an element individually and establishing the membership degree set ‘Y’ of the
evaluated element is referred to as single-factor fuzzy evaluation. Twenty (20) experts were selected to evaluate the
information security risk. These experts individually decided the level of the evaluated elements in relation to the
information security risk. Considering each xj, rij stands for the grade of affiliation on xj to vi.
$$r_{ij} = \frac{n}{z} \tag{6}$$
where n stands for the amount of xj and z represents the sum total of experts. R denotes the fuzzy matrix of element
xj on grade vi as shown in equation 7.
=	
⋯
⋮ ⋱ ⋮
⋯
				 (7)
Table 8 shows the evaluation reports of the experts.
TABLE 8
EXPERTS EVALUATION REPORTS
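Fuzzy Assessment Level: V1 to V5

| Risk | V1 | V2 | V3 | V4 | V5 |
|---|---|---|---|---|---|
| U11 | 3 | 4 | 5 | 4 | 4 |
| U12 | 2 | 8 | 5 | 2 | 3 |
| U13 | 7 | 3 | 2 | 6 | 2 |
| U21 | 5 | 5 | 5 | 0 | 5 |
| U22 | 2 | 7 | 6 | 0 | 5 |
| U23 | 1 | 11 | 2 | 1 | 5 |
| U31 | 3 | 9 | 4 | 2 | 2 |
| U32 | 3 | 8 | 5 | 3 | 1 |
| U33 | 1 | 8 | 2 | 5 | 4 |
| U41 | 2 | 9 | 1 | 3 | 5 |
| U42 | 3 | 8 | 4 | 3 | 2 |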
The single factor risk evaluation matrices are:
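Asset:
$$\begin{bmatrix} 0.15 & 0.2 & 0.25 & 0.2 & 0.2 \\ 0.1 & 0.4 & 0.25 & 0.1 & 0.15 \\ 0.35 & 0.15 & 0.1 & 0.3 & 0.1 \end{bmatrix}$$
Threats:
$$\begin{bmatrix} 0.25 & 0.25 & 0.25 & 0 & 0.25 \\ 0.1 & 0.35 & 0.3 & 0 & 0.25 \\ 0.05 & 0.55 & 0.1 & 0.05 & 0.25 \end{bmatrix}$$
Vulnerability:
$$\begin{bmatrix} 0.15 & 0.45 & 0.2 & 0.1 & 0.1 \\ 0.15 & 0.4 & 0.25 & 0.15 & 0.05 \\ 0.05 & 0.4 & 0.1 & 0.25 & 0.2 \end{bmatrix}$$
Controls:
$$\begin{bmatrix} 0.1 & 0.45 & 0.05 & 0.15 & 0.25 \\ 0.15 & 0.4 & 0.2 & 0.15 & 0.1 \end{bmatrix}$$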
C. Determine the fuzzy weight values of the assessed factors
To help determine the fuzzy level of each element, the weight wi (i = 1, 2, ..., n) given to the elements of ‘X’
generally requires that wi satisfies the condition that wi ≥ 0 and ∑ wi = 1, such that wi represents the i-th element
weight and also constitutes the fuzzy weight set, ‘W’, for each of the element weights. The weights applied in FCE
have substantial consequence on the final outcome of the evaluation. In this work, AHP is applied to acquire the
weights.
D. Obtain the comprehensive result
The weight, W, is used to multiply the fuzzy matrix, R, in order to obtain the FCE output vector, D, of each
of the assessed object elements. FCE model is seen in equation 8.
= ∙ = , , … ,
⋯
⋯
⋮ ⋮ ⋱ ⋮
⋯
= , , … , (8)
The results of the single-factor evaluation are:
=	 	∙	 	 (9)
Asset: (0.159, 0.2465, 0.2335, 0.185, 0.176)
Threats: (0.1035, 0.391, 0.2425, 0.013, 0.25)
Vulnerability: (0.086, 0.414, 0.13, 0.2, 0.16)
Controls: (0.1125, 0.4375, 0.0875, 0.15, 0.2125)
The results of the multi-factor evaluation are:
=	 		 (10)
= 	 ∙ 	 		 (11)
(0.1347, 0.3254, 0.1842, 0.1678, 0.1879)
E. Get the conclusion of the result
The conclusion of the overall assessment is reached through the rule of highest membership. The highest
membership of the risk is 0.3254. This indicates that the overall risk level is low, and the risk index is acceptable.
The results of this risk evaluation procedure will be a guide to recommend relevant procedural and technical security
controls for the selected information security system.
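The FCE steps above, as an added example that is not part of the original paper: the expert tallies of Table 8 become membership matrices, the page's printed AHP weights give the single-factor and multi-level vectors, and the rule of highest membership picks the level. Function and variable names are assumptions; recomputing the vulnerability vector gives 0.14 for its third entry where the page prints 0.13, and the final vector matches the page's (0.1347, 0.3254, 0.1842, 0.1678, 0.1879).

```python
# Risk levels for V1..V5, named as in Table 7 of the page.
LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]
EXPERTS = 20  # number of experts stated on the page

# Expert tallies from Table 8; one row per second-layer factor.
COUNTS = {
    "Assets": [[3, 4, 5, 4, 4], [2, 8, 5, 2, 3], [7, 3, 2, 6, 2]],
    "Threats": [[5, 5, 5, 0, 5], [2, 7, 6, 0, 5], [1, 11, 2, 1, 5]],
    "Vulnerability": [[3, 9, 4, 2, 2], [3, 8, 5, 3, 1], [1, 8, 2, 5, 4]],
    "Controls": [[2, 9, 1, 3, 5], [3, 8, 4, 3, 2]],
}

# AHP weights exactly as printed on the page (Table 4).
W2 = {
    "Assets": [0.63, 0.26, 0.11],
    "Threats": [0.11, 0.63, 0.26],
    "Vulnerability": [0.28, 0.08, 0.64],
    "Controls": [0.75, 0.25],
}
W1 = {"Assets": 0.558, "Threats": 0.057, "Vulnerability": 0.122, "Controls": 0.263}


def membership_matrix(counts, experts=EXPERTS):
    """Share of experts choosing each level, per factor."""
    for row in counts:
        if len(row) != len(LEVELS) or min(row) < 0 or sum(row) != experts:
            raise ValueError(f"tally {row} does not account for {experts} experts")
    return [[c / experts for c in row] for row in counts]


def compose(w, r, tol=1e-9):
    """D = W . R using the weighted-sum operator, with the weight checks of step C."""
    if any(x < 0 for x in w) or abs(sum(w) - 1) > tol:
        raise ValueError("weights must be non-negative and sum to 1")
    if len(w) != len(r):
        raise ValueError("one weight per row of R is required")
    return [sum(w[i] * r[i][j] for i in range(len(w))) for j in range(len(r[0]))]


def evaluate(counts=COUNTS, w2=W2, w1=W1):
    """Single-factor vectors, the multi-level vector and the resulting level."""
    single = {g: compose(w2[g], membership_matrix(counts[g])) for g in counts}
    groups = list(counts)
    overall = compose([w1[g] for g in groups], [single[g] for g in groups])
    top = max(range(len(overall)), key=overall.__getitem__)
    return single, overall, LEVELS[top]


if __name__ == "__main__":
    single, overall, level = evaluate()
    for group, vec in single.items():
        print(f"{group:14s}", [round(v, 4) for v in vec])
    print("overall       ", [round(v, 4) for v in overall])
    print("risk level    ", level)
```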
V. CONCLUSION
This research employs the use of AHP and FCE to assess the risk of an information security system. AHP was
applied to analyse the information security metrics. The weights obtained from the analysis were used for the fuzzy
evaluation. The results show that the risk level of the system is low, thus making the risk to be acceptable. The
results obtained will be used to recommend suitable controls for the system.
REFERENCES
[1] INTERNATIONAL STANDARD ISO/IEC 27005. (2008) Information technology—Security techniques—
Information security risk management.
[2] NIST Special Publication 800-30. (2002). Risk Management Guide for Information Technology Systems.
[3] Ron, R., Janet, C.O., Michael, M. (2014). Systems Security Engineering: An Integrated Approach to Building
Trustworthy Resilient Systems. National Institute of Standards and Technology (NIST) Special Publication
800-160 Initial Public Draft.
[4] Edward, H. (2010). Information Security Risk Management. Handbook for ISO/IEC 27001
[5] Mouna, J., Latifa, B., Arfa, R., & Anis, B.A. (2014). Classification of Security Threats in Information
Systems. 5th International Conference on Ambient Systems, Networks and Technologies (ANT), Procedia
Computer Science 32 (2014 ) 489 – 496. Available online at www.sciencedirect.com
[6] Zabawi, A.Y., Ahmad, R., & Abdul-Latip, S.F. (2015). A Comparative Study for Risk Analysis Tools in
Information Security. ARPN Journal of Engineering and Applied Sciences, Vol. 10, No. 23, ISSN 1819-6608
[7] Wawrzyniak, D. (2006). Information Security Risk Assessment Model for Risk Management.
[8] Neeta, S. & Sachin, K. (2012). A Comparative Study on Information Security Risk Analysis Practices.
International Journal of Computer Applications.
[9] Armaghan, B., Rafhana, A. R. & Junaid, A.C. (2012). A survey of Information Security Risk Analysis
Method. Smart Computing Review, vol. 2, no. 1.
[10] Ming-Chang, L. (2014). Information Security Risk Analysis Methods and Research Trends: AHP and Fuzzy
Comprehensive Method. International Journal of Computer Science & Information Technology (IJCSIT),
Vol 6, No1. DOI: 10.5121/ijcsit.2014.6103 29
[11] Sha, F., Zhongli, L., Hangjun, Z., Wenbin, L., & Bo, L. (2015). A Security Risk Analysis Method for
Information System Based on Information Entropy. The Open Cybernetics & Systemics Journal.
[12] Sanjay, G. & Vicki, C. (2004). Information Security Risk Analysis – A Matrix-Based Approach.
[13] Ning, X., & Dong-Mei, Z. (2011). The Research of Information Security Risk Assessment Method Based on
AHP. Advanced Material Research, Trans Tech Publications, Switzerland.
[14] Cheng, Y. (2014). Quantitative risk analysis method of information security-combining fuzzy comprehensive
analysis with information entropy. Bio Technology An Indian Journal (BTAIJ), 10(21), [12753-12761]
[15] Ming-Xiang, H., & Xin, A. (2016). Information Security Risk Assessment Based on Analytic Hierarchy
Process. Indonesian Journal of Electrical Engineering and Computer Science. Volume 1, No. 3.
[16] Zhang, J., Gai, K., Yang, F., Yang, R., & Wang, S. (2019). Information Security Risk Assessment of
Hazardous Chemicals Emergency Command System Based on AHP-Fuzzy Comprehensive Evaluation
Model. IOP Conference Series: Materials Science and Engineering. doi:10.1088/1757-899X/612/5/052004
International Journal of Computer Science and Information Security (IJCSIS),
Vol. 18, No. 6, June 2020
45 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
IJCSIS
ISSN (online): 1947-5500
Please consider to contribute to and/or forward to the appropriate groups the following opportunity to submit and publish
original scientific results.
CALL FOR PAPERS
International Journal of Computer Science and Information Security (IJCSIS)
January-December 2020 Issues
The topics suggested by this issue can be discussed in term of concepts, surveys, state of the art, research,
standards, implementations, running experiments, applications, and industrial case studies. Authors are invited
to submit complete unpublished papers, which are not under review in any other conference or journal in the
following, but not limited to, topic areas.
See authors guide for manuscript preparation and submission guidelines.
Indexed by Google Scholar, DBLP, CiteSeerX, Directory for Open Access Journal (DOAJ), Bielefeld
Academic Search Engine (BASE), SCIRUS, Scopus Database, Cornell University Library, ScientificCommons,
ProQuest, EBSCO and more.
Deadline: see web site
Notification: see web site
Revision: see web site
Publication: see web site
For more topics, please see web site https://sites.google.com/site/ijcsis/
For more information, please visit the journal website (https://sites.google.com/site/ijcsis/)
 
Context-aware systems
Networking technologies
Security in network, systems, and applications
Evolutionary computation
Industrial systems
Evolutionary computation
Autonomic and autonomous systems
Bio-technologies
Knowledge data systems
Mobile and distance education
Intelligent techniques, logics and systems
Knowledge processing
Information technologies
Internet and web technologies, IoT
Digital information processing
Cognitive science and knowledge 
Agent-based systems
Mobility and multimedia systems
Systems performance
Networking and telecommunications
Software development and deployment
Knowledge virtualization
Systems and networks on the chip
Knowledge for global defense
Information Systems [IS]
IPv6 Today - Technology and deployment
Modeling
Software Engineering
Optimization
Complexity
Natural Language Processing
Speech Synthesis
Data Mining 

More Related Content

What's hot

Presentation_Malware Analysis.pptx
Presentation_Malware Analysis.pptxPresentation_Malware Analysis.pptx
Presentation_Malware Analysis.pptxnishanth kurush
 
San Francisco Crime Classification
San Francisco Crime ClassificationSan Francisco Crime Classification
San Francisco Crime Classificationsai praneeth reddy
 
San Francisco Crime Prediction Report
San Francisco Crime Prediction ReportSan Francisco Crime Prediction Report
San Francisco Crime Prediction ReportRohit Dandona
 
Maximum likelihood estimation from uncertain
Maximum likelihood estimation from uncertainMaximum likelihood estimation from uncertain
Maximum likelihood estimation from uncertainIEEEFINALYEARPROJECTS
 
Data analysis_PredictingActivity_SamsungSensorData
Data analysis_PredictingActivity_SamsungSensorDataData analysis_PredictingActivity_SamsungSensorData
Data analysis_PredictingActivity_SamsungSensorDataKaren Yang
 
Using machine learning algorithms to
Using machine learning algorithms toUsing machine learning algorithms to
Using machine learning algorithms tomlaij
 
Diverse Common Cause Failures in Fault Tree Analysis
Diverse Common Cause Failures in Fault Tree AnalysisDiverse Common Cause Failures in Fault Tree Analysis
Diverse Common Cause Failures in Fault Tree AnalysisJeremy Hynek
 
Comparative study of decision tree algorithm and naive bayes classifier for s...
Comparative study of decision tree algorithm and naive bayes classifier for s...Comparative study of decision tree algorithm and naive bayes classifier for s...
Comparative study of decision tree algorithm and naive bayes classifier for s...eSAT Journals
 
A FRAMEWORK TO DEFENSE AGAINST INSIDER ATTACKS ON INFORMATION SOURCES
A FRAMEWORK TO DEFENSE AGAINST INSIDER ATTACKS ON INFORMATION SOURCESA FRAMEWORK TO DEFENSE AGAINST INSIDER ATTACKS ON INFORMATION SOURCES
A FRAMEWORK TO DEFENSE AGAINST INSIDER ATTACKS ON INFORMATION SOURCESijmpict
 
INFLUENCE OF THE EVENT RATE ON DISCRIMINATION ABILITIES OF BANKRUPTCY PREDICT...
INFLUENCE OF THE EVENT RATE ON DISCRIMINATION ABILITIES OF BANKRUPTCY PREDICT...INFLUENCE OF THE EVENT RATE ON DISCRIMINATION ABILITIES OF BANKRUPTCY PREDICT...
INFLUENCE OF THE EVENT RATE ON DISCRIMINATION ABILITIES OF BANKRUPTCY PREDICT...ijdms
 

What's hot (13)

Presentation_Malware Analysis.pptx
Presentation_Malware Analysis.pptxPresentation_Malware Analysis.pptx
Presentation_Malware Analysis.pptx
 
San Francisco Crime Classification
San Francisco Crime ClassificationSan Francisco Crime Classification
San Francisco Crime Classification
 
San Francisco Crime Prediction Report
San Francisco Crime Prediction ReportSan Francisco Crime Prediction Report
San Francisco Crime Prediction Report
 
Maximum likelihood estimation from uncertain
Maximum likelihood estimation from uncertainMaximum likelihood estimation from uncertain
Maximum likelihood estimation from uncertain
 
Data analysis_PredictingActivity_SamsungSensorData
Data analysis_PredictingActivity_SamsungSensorDataData analysis_PredictingActivity_SamsungSensorData
Data analysis_PredictingActivity_SamsungSensorData
 
Igene - PhD SICSA Poster Presentation
Igene - PhD SICSA Poster PresentationIgene - PhD SICSA Poster Presentation
Igene - PhD SICSA Poster Presentation
 
my IEEE
my IEEEmy IEEE
my IEEE
 
Using machine learning algorithms to
Using machine learning algorithms toUsing machine learning algorithms to
Using machine learning algorithms to
 
"Agro-Market Prediction by Fuzzy based Neuro-Genetic Algorithm"
"Agro-Market Prediction by Fuzzy based Neuro-Genetic Algorithm""Agro-Market Prediction by Fuzzy based Neuro-Genetic Algorithm"
"Agro-Market Prediction by Fuzzy based Neuro-Genetic Algorithm"
 
Diverse Common Cause Failures in Fault Tree Analysis
Diverse Common Cause Failures in Fault Tree AnalysisDiverse Common Cause Failures in Fault Tree Analysis
Diverse Common Cause Failures in Fault Tree Analysis
 
Comparative study of decision tree algorithm and naive bayes classifier for s...
Comparative study of decision tree algorithm and naive bayes classifier for s...Comparative study of decision tree algorithm and naive bayes classifier for s...
Comparative study of decision tree algorithm and naive bayes classifier for s...
 
A FRAMEWORK TO DEFENSE AGAINST INSIDER ATTACKS ON INFORMATION SOURCES
A FRAMEWORK TO DEFENSE AGAINST INSIDER ATTACKS ON INFORMATION SOURCESA FRAMEWORK TO DEFENSE AGAINST INSIDER ATTACKS ON INFORMATION SOURCES
A FRAMEWORK TO DEFENSE AGAINST INSIDER ATTACKS ON INFORMATION SOURCES
 
INFLUENCE OF THE EVENT RATE ON DISCRIMINATION ABILITIES OF BANKRUPTCY PREDICT...
INFLUENCE OF THE EVENT RATE ON DISCRIMINATION ABILITIES OF BANKRUPTCY PREDICT...INFLUENCE OF THE EVENT RATE ON DISCRIMINATION ABILITIES OF BANKRUPTCY PREDICT...
INFLUENCE OF THE EVENT RATE ON DISCRIMINATION ABILITIES OF BANKRUPTCY PREDICT...
 

Similar to Information Security Risk Analysis Using Analytic Hierarchy Process and Fuzzy Comprehensive Evaluation

Information security risk analysis methods and research trends ahp and fuzzy ...
Information security risk analysis methods and research trends ahp and fuzzy ...Information security risk analysis methods and research trends ahp and fuzzy ...
Information security risk analysis methods and research trends ahp and fuzzy ...ijcsit
 
Relative risk benchmarking enabling better decision making for managing infor...
Relative risk benchmarking enabling better decision making for managing infor...Relative risk benchmarking enabling better decision making for managing infor...
Relative risk benchmarking enabling better decision making for managing infor...IAEME Publication
 
PORM: Predictive Optimization of Risk Management to Control Uncertainty Probl...
PORM: Predictive Optimization of Risk Management to Control Uncertainty Probl...PORM: Predictive Optimization of Risk Management to Control Uncertainty Probl...
PORM: Predictive Optimization of Risk Management to Control Uncertainty Probl...IJECEIAES
 
METRICS FOR EVALUATING ALERTS IN INTRUSION DETECTION SYSTEMS
METRICS FOR EVALUATING ALERTS IN INTRUSION DETECTION SYSTEMSMETRICS FOR EVALUATING ALERTS IN INTRUSION DETECTION SYSTEMS
METRICS FOR EVALUATING ALERTS IN INTRUSION DETECTION SYSTEMSIJNSA Journal
 
Risk assessment of information production using extended risk matrix approach
Risk assessment of information production using extended risk matrix approachRisk assessment of information production using extended risk matrix approach
Risk assessment of information production using extended risk matrix approachTELKOMNIKA JOURNAL
 
Efficiency of Prediction Algorithms for Mining Biological Databases
Efficiency of Prediction Algorithms for Mining Biological  DatabasesEfficiency of Prediction Algorithms for Mining Biological  Databases
Efficiency of Prediction Algorithms for Mining Biological DatabasesIOSR Journals
 
Risk Assessment Model and its Integration into an Established Test Process
Risk Assessment Model and its Integration into an Established Test ProcessRisk Assessment Model and its Integration into an Established Test Process
Risk Assessment Model and its Integration into an Established Test Processijtsrd
 
Improving the performance of Intrusion detection systems
Improving the performance of Intrusion detection systemsImproving the performance of Intrusion detection systems
Improving the performance of Intrusion detection systemsyasmen essam
 
Information Security Risk Analysis Using Analytic Hierarchy Process and Fuzzy Comprehensive Evaluation

  • 1. Information Security Risk Analysis Using Analytic Hierarchy Process and Fuzzy Comprehensive Evaluation Aliu Folasade Ayeni Olaniyi A. Thompson Aderonke F. Alese Boniface K. sadealiu@gmail.com oaayeni@futa.edu.ng afthompson@futa.edu.ng bkalese@futa.edu.ng School of Computing The Federal University of Technology Akure, Nigeria. Abstract Risk analysis happens to be a fundamental part of risk management. It helps to determine the magnitude of risk a system is faced with. This study applies Analytic Hierarchy Process (AHP) and Fuzzy Comprehensive Evaluation (FCE) to analyse the risk extent of an information security system. The weights obtained through AHP were used for both the single-factor and multi-level analysis of the FCE. The rule of highest membership was used to arrive at the conclusion of the evaluation. The maximum membership of the risk degree is 0.3254, which implies that the risk level for the system is low. The results of risk assessment will help in recommending the necessary controls for the information security system. Keywords Analytic Hierarchy Process (AHP), Fuzzy Comprehensive Evaluation (FCE), Information Security, Risk Analysis I. INTRODUCTION Information security deals with the preservation of data from unauthorized utilization, most especially electronic data [1]. Every organisation that uses information needs to assess the security of information at their disposal. Hence, there is need for information security analysis. Risk assessment is the initial operation in the procedure for management of risk. It helps to ascertain the magnitude of a likely threat and the dangers that may be connected to an IT system [2]. The outcome of the risk assessment operation helps to pinpoint relevant measures to help reduce the recognized risks. Security risks for information systems are dangers that come up as a result of disclosure of confidentiality, lack of integrity, or unavailability of information. 
The risk degree of an information system signifies the possible negative effects it has organization’s assets, operations and the nation [3]. Information risk analysis entails four fundamental components, that is, assets, threats, vulnerability and controls. Asset is equivalent to clients’ private details. The information is probably very important to the clients and also very delicate. Consequently, if the data is stolen, misplaced or damaged in any way, the effect will be tragic for both the clients and the corporation [4]. Threats have the ability to create undesirable circumstances that can have negative effects on the assets of a company. Mouna et al. brought forward a detailed model that outlined several threat attributes. The model presents a guideline to establish the types of unwanted events that may have impact on information systems organizations [5]. Vulnerabilities are flaws in a system that threats can take advantage of. International Journal of Computer Science and Information Security (IJCSIS), Vol. 18, No. 6, June 2020 36 https://sites.google.com/site/ijcsis/ ISSN 1947-5500
  • 2. Controls can be characterised as measures that can be taken to reduce the effects of threats on the assets of the establishment. These controls ensure security of assets. There are several risk assessment tools and they have been classified into two methods; that is, qualitative and quantitative techniques. Each of these techniques has its benefits and limitations. However, when both of these techniques are combined to give a hybrid model, they generate improved results [6]. According to [7] and [8], quantitative techniques make use of mathematical methods to determine and analyse risk; while qualitative procedures apply the use of adjectives to perform risk assessment. Risk assessment that is carried out using either quantitative procedures or qualitative techniques does not produce adequate information for use in information security risk management procedures [9]. Due to these limitations, [9] recommended that soft computing should be used along side with both quantitative and qualitative procedures in order to improve the effectiveness of the analysis. This combination will yield much better and precise results. As a result, [10] endorsed the hybrid approach of combining AHP and FCE to assess risks related to information security. AHP transforms risks numeric values while FCE determines the extent of threats to an establishment [6]. II. RELATED WORKS In [11], a risk assessment procedure for information system security using information entropy was proposed, and the security risk analysis model of the system was constructed. The authors in [12] presented a methodology that correlates the assets, threats, vulnerabilities, and controls of the firm, and shows the relevance of different controls relating to the values of the firm. The proposed approach used three different grids, that is, vulnerability grid, threat grid and control grid to acquire the statistics that is required for the risk examination. 
However, this methodology works best for an existing organisation. In [13], a prototype of information security likelihood appraisal was designed using AHP alone and showed that it can be simply applied to assess the probability of risk in web security. The author in [14] combined FCE with information entropy to determine the risk extent of the information security structure. The risk degree for the entire system was defined based on estimation of probability of the frequency and the effect of risk. In [10], AHP and FCE were combined to evaluate the information security risk of a system in L-company. AHP was applied to find the more important elements of assessments from many elements in order to simplify the calculation of risk value and provide a strong basis for taking relevant measures [15]. In [16], AHP was used along with FCE method to numerically assess the information security of the exigency command system of a dangerous chemical-producing venture and also calculate the risk. The efficacy of the model was confirmed. III. ANALYTIC HIERARCHY PROCESS International Journal of Computer Science and Information Security (IJCSIS), Vol. 18, No. 6, June 2020 37 https://sites.google.com/site/ijcsis/ ISSN 1947-5500
  • 3. AHP is a method for decision-making based on numerous yardsticks which converts personalized estimation of comparable factors in to a set of scores, weights or numbers. The first step in the AHP algorithm is to make basic or simple comparisons (judgement matrix) between each factor. It is as shown in equation 1. = 1 ⋯ 1 ⋯ ⋮ ⋮ ⋱ ⋮ ⋯ 1 = ⋯ ⋯ ⋮ ⋮ ⋱ ⋮ ⋯ (1) Where A = basic comparison matrix, w1 = weight of factor 1, w2 = weight of factor 2, wn = weight of factor n. Information security metrics to be analysed using AHP are represented in Table 1. TABLE 1 GUIDE OF EVALUATION FOR INFORMATION SECURITY RISK ANALYSIS Objective Index of Criterion Layer 1 Index of Criterion Layer 2 Information Security Risk Analysis Assets (X1) Confidentiality (X11) Integrity (X12) Availability (X13) Threats (X2) Natural (X21) Human (X22) Environmental (X23) Vulnerability (X3) Management (X31) Operational (X32) Technical (X33) Control Measures (X4) Preventive (X41) Detective (X42) A standard scale of preference is used to judge the importance of one factor over the other in a matrix, A using values 1 to 9. Table 2 shows the standard scale of preference. TABLE 2 AHP SCALE OF PREFERENCE FOR COMPARISONS Value Representation 1 Equal significance 3 Average significance over another 5 Crucial importance 7 Very crucial importance 9 Extremely crucial importance 2, 4, 6, 8 Values for in-between comparison The judgement matrices (pair-wise comparisons) are shown as follows. International Journal of Computer Science and Information Security (IJCSIS), Vol. 18, No. 6, June 2020 38 https://sites.google.com/site/ijcsis/ ISSN 1947-5500
  • 4. Criterion Layer 1: = 1 7 5 3 1 7 1 1 3 1 5 1 5 3 1 1 3 1 3 5 3 1 = 0.558 0.057 0.122 0.263 Asset: = 1 3 5 1 3 1 3 1 5 1 3 1 = 0.63 0.26 0.11 Threats: = 1 1 5 1 3 5 1 3 3 1 3 1 = 0.11 0.63 0.26 Vulnerability: = 1 5 1 3 1 5 1 1 7 3 7 1 = 0.28 0.08 0.64 Controls: = 1 3 1 3 1 = 0.75 0.25 Obtain a normalised pair-wise matrix by adding the figures in each column of the pair-wise matrix and then dividing each value in the matrix by its column sum. = ∑ (2) International Journal of Computer Science and Information Security (IJCSIS), Vol. 18, No. 6, June 2020 39 https://sites.google.com/site/ijcsis/ ISSN 1947-5500
  • 5. To generate the weighted matrix (priority vector), the total of the normalised matrix of the column of matrix is then divided by the amount of factors used. It is given as: = ∑ (3) A product of the pair-wise matrix and the weights vector is used to obtain the value of the consistency vector (λmax). Thereafter, the sum of row entries is divided by the corresponding criterion weight. The Consistency Index (CI) is given as: = λ (4) such that, n is the order of matrix. Finally, the consistency ratio is computed by dividing the CI with random index (RI). In general, if CR is smaller than or equal to 0.1, the judgments are in consonance with one another. The formula for CR is: = (5) where the value of RI (Random Index) is shown in the Random Consistency Index Table 3. TABLE 3 RANDOM CONSISTENCY INDEX n 1 2 3 4 5 6 7 8 9 10 RI 0 0 0.58 0.9 1.12 1.24 1.32 1.41 1.45 1.49 If 0.1, then the judgement is acceptable, else the judgement should be re-examined. From the pair-wise matrices, the weights are generated and the judgements are consistent. The weights are: = 0.558 0.057 0.122 0.263 = 0.63 0.26 0.11 = 0.11 0.63 0.26 = 0.28 0.08 0.64 = 0.75 0.25 Table 4 shows the overall weights for the information security risk metrics. International Journal of Computer Science and Information Security (IJCSIS), Vol. 18, No. 6, June 2020 40 https://sites.google.com/site/ijcsis/ ISSN 1947-5500
  • 6. TABLE 4 FINAL WEIGHTS FOR INFORMATION SECURITY RISK Element Weight Combined Weight Criterion Layer 2 Confidentiality 0.63 0.35154 Integrity 0.26 0.14508 Availability 0.11 0.06138 Natural 0.11 0.00627 Human 0.63 0.03591 Environmental 0.26 0.01482 Management 0.28 0.03416 Operational 0.08 0.00976 Technical 0.64 0.07808 Preventive 0.75 0.19725 Detective 0.25 0.06575 Criterion Layer 1 Assets 0.558 Threats 0.057 Vulnerability 0.122 Controls 0.263 Combined Consistency: 0.09612267 The values in the second column show the weights of the factors in the second criterion layer with respect to their corresponding factors in the first criterion layer. The values in the third column (combined weights) show the overall influence of each factor when compared to the objective of the analysis. The results of the combined weights show that element of confidentiality of information is most important in the assessment of information security while factors of operational vulnerability have the least effect on information security risk. The weights in the second column for criterion layer 2 will be used for the lone-element appraisal in the Fuzzy Comprehensive Evaluation (FCE) while the weights for the first criterion layer will be used for the multi- level evaluation in the FCE. The overall consistency for the hierarchy is 0.09612267, which shows that the analysis is acceptable because it is less than 0.1. IV. FUZZY COMPREHENSIVE EVALUATION Fuzzy comprehensive evaluation technique is a certain implementation procedure which applies fuzzy mathematics. The steps are highlighted below. A. Determine the domain of evaluated objects factors The object factors, X = {x1, x2, ..., xj}, mean that there are ‘j’ assessment factors from which a person is to judge the assessed object factor; xi represents the ith index. According to table 1, the risk factors have been identified. 
The fuzzy set X = {X11, X12, X13, X21, X22, X23, X31, X32, X33, X41, X42}, of which X11, X12, X13, X21, X22, X23, X31, X32, X33, X41, X42 are the risk factors. Comments set is set up in order to be used by evaluators to evaluate the objects, with Y as an assessment index set: Y = {y1, y2, ..., yn}. Since risk is a function of probability and impact, two different evaluation sets are International Journal of Computer Science and Information Security (IJCSIS), Vol. 18, No. 6, June 2020 41 https://sites.google.com/site/ijcsis/ ISSN 1947-5500
  • 7. built. The interpretation and meaning of the assessment set Y = {Y1, Y2...Y5} of the risk factor set X for the risk likelihood, Rp, is shown in Table 5. TABLE 5 DESCRIPTION OF RISK LIKELIHOOD LEVEL Risk Likelihood Likelihood Description Y1 Very Low Might never occur. Y2 Low Might occur once in 3 years. Y3 Medium Might occur about twice in one year. Y4 High Might occur at least once in a month. Y5 Very High Might occur every day. The assessment set Y = {Y1, Y2...Y5} of risk factor set, X and its interpretation for the risk impact, Rc, is shown in Table 6. TABLE 6 DESCRIPTION OF RISK IMPACT LEVEL Risk Impact Impact Description Y1 Very Low There is almost no impact on the system. Y2 Low There is mild impact on the system but can be recovered with little efforts. Y3 Medium The impact can damage the reputation of the organisation but can be quickly restored if properly handled. Y4 High There is a partial breakdown of the system which can lead to loss of trust among clients. Y5 Very High There is complete and devastating breakdown of the entire system. Each of the experts assesses the likelihood and impact of the risk factors, X, based on table 5 and table 6. A risk matrix, R is generated for each expert based on table 7. TABLE 7 RISK MATRIX Risk Y1 Y2 Y3 Y4 Y5 Y1 VL (Y1) VL (Y1) L (Y2) L (Y2) M (Y3) Y2 VL (Y1) L (Y2) L (Y2) M (Y3) M (Y3) Y3 L (Y2) L (Y2) M (Y3) M (Y3) H (Y4) Y4 L (Y2) M (Y3) M (Y3) H (Y4) VH (Y5) Y5 M (Y3) M (Y3) H (Y4) VH (Y5) VH (Y5) B. Evaluate single factor and establish the fuzzy relationship grid, R. The process of assessing an element individually and establishing the membership degree set ‘Y’ of the evaluated element is referred to as single-factor fuzzy evaluation. Twenty (20) experts were selected to evaluate the information security risk. These experts individually decided the level of the evaluated elements in relation to the information security risk. Considering each xj , rij stands for the grade of affiliation on xj to vi . 
= (6) where n stands for the amount of xj and z represents the sum total of experts. R denotes the fuzzy matrix of element x j on grade vi as shown in equation 7. International Journal of Computer Science and Information Security (IJCSIS), Vol. 18, No. 6, June 2020 42 https://sites.google.com/site/ijcsis/ ISSN 1947-5500
  • 8. = ⋯ ⋮ ⋱ ⋮ ⋯ (7) Table 8 shows the evaluation reports of the experts. TABLE 8 EXPERTS EVALUATION REPORTS Risk Fuzzy Assessment Level V1 V2 V3 V4 V5 U11 3 4 5 4 4 U12 2 8 5 2 3 U13 7 3 2 6 2 U21 5 5 5 0 5 U22 2 7 6 0 5 U23 1 11 2 1 5 U31 3 9 4 2 2 U32 3 8 5 3 1 U33 1 8 2 5 4 U41 2 9 1 3 5 U42 3 8 4 3 2 The single factor risk evaluation matrices are: = 0.15 0.2 0.25 0.2 0.2 0.1 0.4 0.25 0.1 0.15 0.35 0.15 0.1 0.3 0.1 = 0.25 0.25 0.25 0 0.25 0.1 0.35 0.3 0 0.25 0.05 0.55 0.1 0.05 0.25 = 0.15 0.45 0.2 0.1 0.1 0.15 0.4 0.25 0.15 0.05 0.05 0.4 0.1 0.25 0.2 = 0.1 0.45 0.05 0.15 0.25 0.15 0.4 0.2 0.15 0.1 C. Determine the fuzzy weight values of the assessed factors To help determine the fuzzy level of each element, the weight wi (i = 1,2,...,n) given to the elements of ‘X’, generally requires that wi satisfies the condition that ≥ 0 and ∑ = 1 such that wi represents the ith element weights, and also constitute the fuzzy weight set, ‘W’, for each of the element weights. The weights applied in FCE have substantial consequence on the final outcome of the evaluation. In this work, AHP is applied to acquire the weights. International Journal of Computer Science and Information Security (IJCSIS), Vol. 18, No. 6, June 2020 43 https://sites.google.com/site/ijcsis/ ISSN 1947-5500
  • 9. D. Obtain the comprehensive result The weight, W, is used to multiply the fuzzy matrix, R, in order to obtain the FCE output vector, D, of each of the assessed object elements. FCE model is seen in equation 8. = ∙ = , , … , ⋯ ⋯ ⋮ ⋮ ⋱ ⋮ ⋯ = , , … , (8) The results of the single-factor evaluation are: = ∙ (9) = 0.159 0.2465 0.2335 0.185 0.176 = 0.1035 0.391 0.2425 0.013 0.25 = 0.086 0.414 0.13 0.2 0.16 = 0.1125 0.4375 0.0875 0.15 0.2125 The results of the multi-factor evaluation are: = (10) = ∙ (11) = 0.1347 0.3254 0.1842 0.1678 0.1879 E. Get the conclusion of the result The conclusion of the overall assessment is acquired through the concept of topmost integration. The topmost membership of the risk is 0.3254. This indicates that the overall risk level is low, and the risk index is acceptable. The results of this risk evaluation procedure will be a guide to recommend relevant procedural and technical security controls for the selected information security system. V. CONCLUSION This research employs the use of AHP and FCE to assess the risk of an information security system. AHP was applied to analyse the information security metrics. The weights obtained from the analysis were used for the fuzzy evaluation. The results show that the risk level of the system is low, thus making the risk to be acceptable. The results obtained will be used to recommend suitable controls for the system. International Journal of Computer Science and Information Security (IJCSIS), Vol. 18, No. 6, June 2020 44 https://sites.google.com/site/ijcsis/ ISSN 1947-5500
  • 10. REFERENCES [1] INTERNATIONAL STANDARD ISO/IEC 27005. (2008) Information technology—Security techniques— Information security risk management. [2] NIST Special Publication 800-30. (2002). Risk Management Guide for Information Technology Systems. [3] Ron, R., Janet, C.O., Michael, M. (2014). Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems. National Institute of Standards and Technology (NIST) Special Publication 800-160 Initial Public Draft. [4] Edward, H. (2010). Information Security Risk Management. Handbook for ISO/IEC 27001 [5] Mouna, J., Latifa, B., Arfa, R., & Anis, B.A. (2014). Classification of Security Threats in Information Systems. 5th International Conference on Ambient Systems, Networks and Technologies (ANT), Procedia Computer Science 32 (2014 ) 489 – 496. Available online at www.sciencedirect.com [6] Zabawi, A.Y., Ahmad, R., & Abdul-Latip, S.F. (2015). A Comparative Study for Risk Analysis Tools in Information Security. ARPN Journal of Engineering and Applied Sciences, Vol. 10, No. 23, ISSN 1819-6608 [7] Wawrzyniak, D. (2006). Information Security Risk Assessment Model for Risk Management. [8] Neeta, S. & Sachin, K. (2012). A Comparative Study on Information Security Risk Analysis Practices. International Journal of Computer Applications. [9] Armaghan, B., Rafhana, A. R. & Junaid, A.C. (2012). A survey of Information Security Risk Analysis Method. Smart Computing Review, vol. 2, no. 1. [10] Ming-Chang, L. (2014). Information Security Risk Analysis Methods and Research Trends: AHP and Fuzzy Comprehensive Method. International Journal of Computer Science & Information Technology (IJCSIT), Vol 6, No1. DOI: 10.5121/ijcsit.2014.6103 29 [11] Sha, F., Zhongli, L., Hangjun, Z., Wenbin, L., & Bo, L. (2015). A Security Risk Analysis Method for Information System Based on Information Entropy. The Open Cybernetics & Systemics Journal. [12] Sanjay, G. & Vicki, C. (2004). 
Information Security Risk Analysis – A Matrix-Based Approach. [13] Ning, X., & Dong-Mei, Z. (2011). The Research of Information Security Risk Assessment Method Based on AHP. Advanced Material Research, Trans Tech Publications, Switzerland. [14] Cheng, Y. (2014). Quantitative risk analysis method of information security-combining fuzzy comprehensive analysis with information entropy. Bio Technology An Indian Journal (BTAIJ), 10(21), [12753-12761] [15] Ming-Xiang, H., & Xin, A. (2016). Information Security Risk Assessment Based on Analytic Hierarchy Process. Indonesian Journal of Electrical Engineering and Computer Science. Volume 1, No. 3. [16] Zhang, J., Gai, K., Yang, F., Yang, R., & Wang, S. (2019). Information Security Risk Assessment of Hazardous Chemicals Emergency Command System Based on AHP-Fuzzy Comprehensive Evaluation Model. IOP Conference Series: Materials Science and Engineering. doi:10.1088/1757-899X/612/5/052004 International Journal of Computer Science and Information Security (IJCSIS), Vol. 18, No. 6, June 2020 45 https://sites.google.com/site/ijcsis/ ISSN 1947-5500