The Open Cybernetics & Systemics Journal

2012, 6: 26-37
Published online 2012 June 28. DOI: 10.2174/1874110X01206010026
Publisher ID: TOCSJ-6-26

Fuzzy Multi-Criteria Decision-Making for Information Security Risk Assessment

A. Shameli-Sendi, M. Shajari, M. Hassanabadi, M. Jabbarifar and M. Dagenais
Computer Engineering Department, Ecole Polytechnique de Montreal, P.O. Box 6079, Succ. Downtown, Montreal, Quebec, H3C 3A7, Canada.

ABSTRACT

Risk assessment is a major part of the ISMS process. In a complex organization with many assets, risk assessment is a complicated process. In this paper, we present a practical model for information security risk assessment. The model is based on multi-criteria decision-making and uses fuzzy logic, which is an appropriate model for assessing risks and for representing practical results. The proposed risk assessment is a qualitative approach according to the ISO/IEC 27005 standard. The main objectives and processes of the business are considered in this model, and risk is assessed at both the managerial and operational levels. The model was applied in full in the information technology section of a supply chain management company, and the results show its efficiency and reliability.

Keywords:

Risk assessment, information security, fuzzy logic, multi-criteria decision-making, ISO/IEC 27005.