
A Multiple Attribute Decision Making for Improving Information Security Control Assessment

International Journal of Computer Applications
© 2014 by IJCA Journal
Volume 89 - Number 3
Year of Publication: 2014
Nadher Al-safwani
Suhaidi Hassan
Norliza Katuk

Nadher Al-safwani, Suhaidi Hassan and Norliza Katuk. Article: A Multiple Attribute Decision Making for Improving Information Security Control Assessment. International Journal of Computer Applications 89(3):19-24, March 2014. Full text available.

BibTeX:
	author = {Nadher Al-safwani and Suhaidi Hassan and Norliza Katuk},
	title = {Article: A Multiple Attribute Decision Making for Improving Information Security Control Assessment},
	journal = {International Journal of Computer Applications},
	year = {2014},
	volume = {89},
	number = {3},
	pages = {19-24},
	month = {March},
	note = {Full text available}


Information security control (ISC) assessment provides a comprehensive control analysis approach to assist an organization in measuring the effectiveness of its current and planned security controls. ISO/IEC 27005 is a risk management framework for managing and treating risks in organizations. However, ISO/IEC 27005 does not define a clear guideline on how to select and prioritize information security controls, despite the need for an efficient security analysis method; the framework mostly depends on subjective judgment and qualitative approaches for security control analysis. This paper aims to improve the ISC analysis method by proposing the concept of multiple attribute decision making to provide clear guidelines for solving these issues. The Technique for Order Preference by Similarity to Ideal Solution (TOPSIS) was utilized to determine the critical vulnerable controls on the basis of different evaluation criteria. We argue that evaluating ISCs using TOPSIS leads to a cost-effective analysis and an efficient assessment in terms of testing and selecting ISCs in organizations.
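The abstract does not show the TOPSIS computation itself, so the following is an added illustration of how a set of security controls can be ranked against several evaluation criteria with TOPSIS. It is example code written for this page, not code from the paper or its authors; the control names, the three criteria (vulnerability severity, likelihood of exploitation, cost of testing the control), the scores and the weights are all constructed assumptions chosen to make the ranking easy to follow.

```python
"""TOPSIS ranking of information security controls (added example, not from the paper).

Steps of the standard TOPSIS method:
  1. build the decision matrix (one row per control, one column per criterion)
  2. vector-normalise each column
  3. weight each column
  4. find the positive ideal (best value per criterion) and negative ideal (worst)
  5. compute each control's Euclidean distance to both ideals
  6. closeness = d_neg / (d_pos + d_neg); rank controls by closeness, highest first
"""
import math


def topsis(matrix, weights, benefit):
    """Return one closeness coefficient in [0, 1] per row of `matrix`.

    matrix:  list of rows, each a list of criterion scores (floats)
    weights: relative importance per criterion; normalised to sum to 1 here
    benefit: per criterion, True if a higher score is better for the ranking goal,
             False if a lower score is better (a cost criterion)
    """
    n = len(weights)
    total = float(sum(weights))
    w = [x / total for x in weights]

    # Step 2: vector normalisation, column by column.
    norms = [math.sqrt(sum(row[j] ** 2 for row in matrix)) for j in range(n)]
    # Step 3: apply the weights to the normalised scores.
    v = [[w[j] * row[j] / norms[j] if norms[j] else 0.0 for j in range(n)]
         for row in matrix]

    # Step 4: positive and negative ideal solutions per criterion.
    columns = list(zip(*v))
    ideal = [max(col) if benefit[j] else min(col) for j, col in enumerate(columns)]
    anti = [min(col) if benefit[j] else max(col) for j, col in enumerate(columns)]

    # Steps 5 and 6: distances to both ideals and the closeness coefficient.
    closeness = []
    for row in v:
        d_pos = math.sqrt(sum((row[j] - ideal[j]) ** 2 for j in range(n)))
        d_neg = math.sqrt(sum((row[j] - anti[j]) ** 2 for j in range(n)))
        closeness.append(d_neg / (d_pos + d_neg) if (d_pos + d_neg) else 0.0)
    return closeness


def rank_controls(names, matrix, weights, benefit):
    """Pair each control name with its closeness and sort, most critical first."""
    scores = topsis(matrix, weights, benefit)
    return sorted(zip(names, scores), key=lambda pair: pair[1], reverse=True)


# Constructed sample data (hypothetical controls and scores, not from the paper).
# Criteria: severity of the weakness found (higher = more critical),
#           likelihood of exploitation (higher = more critical),
#           cost of testing the control (lower = preferable).
CONTROL_NAMES = ["Access control", "Event logging", "Cryptographic controls", "Backup"]
DECISION_MATRIX = [
    [9.0, 8.0, 2.0],   # Access control
    [6.0, 5.0, 4.0],   # Event logging
    [7.0, 3.0, 8.0],   # Cryptographic controls
    [3.0, 2.0, 3.0],   # Backup
]
WEIGHTS = [0.5, 0.3, 0.2]          # assumed relative importance of the criteria
BENEFIT = [True, True, False]      # severity and likelihood are benefit criteria, cost is not


def sample_ranking():
    """Run TOPSIS on the constructed sample and return the ordered (name, score) list."""
    return rank_controls(CONTROL_NAMES, DECISION_MATRIX, WEIGHTS, BENEFIT)


if __name__ == "__main__":
    for name, score in sample_ranking():
        print(f"{name:24s} closeness = {score:.3f}")
```

In the sample, "Access control" scores best on every criterion, so it coincides with the positive ideal and gets a closeness of exactly 1.0; the remaining controls are ordered by how close their weighted profile lies to that ideal. Changing the weights or flipping a criterion between benefit and cost is how the assessment team encodes its own priorities, which is the step the abstract argues should replace purely subjective ranking.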

