A hybrid information security risk assessment procedure considering interdependences between controls

Chi-Chun Lo, Wan-Jia Chen

Research output: Contribution to journalArticlepeer-review

68 Scopus citations


Risk assessment is the core process of information security risk management. Organizations use risk assessment to determine the risks within an information system and provide sufficient means to reduce these risks. In this paper, a hybrid procedure for evaluating risk levels of information security under various security controls is proposed. First, this procedure applies the Decision Making Trial and Evaluation Laboratory (DEMATEL) approach to construct interrelations among security control areas. Secondly, likelihood ratings are obtained through the Analytic Network Process (ANP) method: as a result, the proposed procedure can detect the interdependences and feedback between security control families and function in real world situations. Lastly, the Fuzzy Linguistic Quantifiers-guided Maximum Entropy Order-Weighted averaging (FLQ-MEOWA) operator is used to aggregate impact values assessed by experts, applied to diminish the influence of extreme evaluations such as personal views and drastic perspectives. A real world application in a branch office of the health insurance institute in Taiwan was examined to verify the proposed procedure. By analyzing the acquired data, we confirm the proposed procedure certainly detects the influential factors among security control areas. This procedure also evaluates risk levels more accurately by coping with the interdependencies among security control families and determines the information systems safeguards required for better security, therefore enabling organizations to accomplish their missions. Crown Copyright (C) 2011 Published by Elsevier Ltd. All rights reserved.
Original languageEnglish
Pages (from-to)247-257
JournalExpert Systems with Applications
Issue number1
StatePublished - Jan 2012
Event1st International Symposium on Computing in Science and Engineering - Kusadasi, Turkey
Duration: 3 Jun 20105 Jun 2010


  • Information security; Risk assessment; Decision Making Trial and Evaluation Laboratory (DEMATEL); Analytic Network Process (ANP); Order Weighted Averaging (OWA) operator; Fuzzy linguistic quantifiers; Maximum entropy method

Fingerprint Dive into the research topics of 'A hybrid information security risk assessment procedure considering interdependences between controls'. Together they form a unique fingerprint.

Cite this