Indonesian Journal of Electrical Engineering and Computer Science
Vol. 1, No. 3, March 2016, pp. 656 ~ 664
DOI: 10.11591/ijeecs.v1.i3.pp656-664

Received November 11, 2015; Revised March 1, 2016; Accepted March 10, 2016

Information Security Risk Assessment Based on Analytic Hierarchy Process

Mingxiang He*1, Xin An2
1*Shandong Province Key Laboratory of Wisdom Mine Information Technology, Shandong University of Science and Technology
579 Qianwangang Road Huangdao Zone, Qingdao Shandong Province, 266590 P.R. China
2College of Information Science and Engineering, Shandong University of Science and Technology
e-mail: hmx0708@163.com

Abstract
Information security risk assessment was an important component of information systems security engineering and the selection of assessment method had a direct impact on the final results of the assessment. But there were too many elements in the process of information security risk assessment. How to find the optimal elements from many elements, so as to simplify the calculation of risk value and provide a strong basis for taking relevant measures, was a problem that needed to be solved. In addition, the reliability of the risk assessment results could not be guaranteed only through a single qualitative or quantitative assessment method. By Analytic Hierarchy Process (AHP), the relative weight of elements related to information security risk could be calculated. Then the optimal indicators, which provided a strong basis for taking relevant measures, could be selected by sorting the weights of elements to reduce the number of indicators. Moreover, Analytic Hierarchy Process, a method of the combination of qualitative and quantitative assessment methods, could overcome the shortcomings of single qualitative or quantitative assessment method.

Keywords: risk assessment, Analytic Hierarchy Process, information security

1. Introduction
Information security risk management is the overall process that identifies and analyzes the risk of being exposed to the organization, provides an assessment of the potential impact on the business, and takes measures to eliminate or reduce the risk to an acceptable level [1]. Information security risk assessment is a stage of information security risk management. Information security risk management depends on the results of risk assessment to determine the subsequent risk control and approval activities. There are many risk assessment methods, which can be divided into three categories: the qualitative risk assessment methods, quantitative risk assessment methods, comprehensive assessment methods which combine qualitative with quantitative assessment methods [2].

In reference [3], the key issues during the process of information security risk assessment are proposed and the quantitative methods of risk assessment are studied. In reference [4], a quantitative method based on expert judgments, fuzzy logic and analytic hierarchy process is used to evaluate the impact and possibility values for specific threats. In reference [5], the Bayesian network is introduced into information security risk assessment system to establish the risk analysis model. In reference [6], the information security risk assessment approach based on two stages decision model with grey synthetic measure is proposed to solve the fuzziness and uncertainty from many aspects.

However, there are too many elements in the process of information security risk assessment, which makes the calculation of risk value more complicated and cumbersome. How to find the more important elements of assessment from many elements, so as to simplify the calculation of risk value and provide a strong basis for taking relevant measures, is a problem that needs to be solved. In addition, the reliability of the risk assessment results cannot be guaranteed only through a single qualitative or quantitative assessment method, due to the fact that the qualitative assessment methods are too subjective and rough and some risk elements may be misunderstood or misinterpreted in the process of quantitative assessment, which will have great influence on the accuracy of the evaluation results [7].

By AHP, the relative weight of elements related to information security risk can be calculated. Then the optimal indicators, which can simplify the calculation of risk value, can be selected by sorting the weights of elements to reduce the number of indicators [8] [9]. According to these indicators, which have great influence on the risk, appropriate measures should be taken to control the risk. Moreover, AHP, a method of the combination of qualitative and quantitative assessment methods, can overcome the disadvantages of single qualitative or quantitative assessment method.

ISSN: 2502-4752    IJEECS Vol. 1, No. 3, March 2016 : 656 – 664

2. Research Method
The Analytic Hierarchy Process [10], a combination of quantitative and qualitative analysis methods, was proposed by the famous American Operations Research Professor Saaty in the early 1970s. This method is more efficiently used to solve multiple complex problems. In the Analytic Hierarchy Process, elements related to decisions are divided into target, criteria and solutions. It breaks down complex problems into a number of levels based on dominance relations [11]. The main steps of the Analytic Hierarchy Process are as follows.

2.1. Decomposition of the System and the Construction of the Hierarchy Model
Analyzing the information system makes the problem hierarchical by dividing the complex system into elements and grouping them according to their dominance relationships. Finally, an orderly ladder hierarchical structure model can be established. In fact, the process of establishing the hierarchy model is the process of analyzing the problem. The model consists of the target layer, the criterion layer and the solution layer, as shown in Figure 1. There is only one element in the target layer, which is generally intended for the analysis of the problem. There are a series of intermediate links in the criterion layer, which consist of several layers such as criterion and subcriterion. Similarly, there are all kinds of optional measures and solutions in the solution layer. This paper, based on the hierarchy model of three layers, analyzes the AHP.

Figure 1. The hierarchy model

2.2. The Construction of Judgment Matrix
The judgment matrix is a matrix which is constructed by comparing a certain element in the upper layer with all elements related to it in this layer. For example, as for the criterion H in criterion layer, there are n elements ($w_1, w_2, \ldots, w_n$) related to it in solution layer. Therefore, the judgment matrix is shown in formula (1).
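
$$
A = \begin{array}{c|cccc}
 & w_1 & w_2 & \cdots & w_n \\ \hline
w_1 & a_{11} & a_{12} & \cdots & a_{1n} \\
w_2 & a_{21} & a_{22} & \cdots & a_{2n} \\
\vdots & \vdots & \vdots & \ddots & \vdots \\
w_n & a_{n1} & a_{n2} & \cdots & a_{nn}
\end{array} \qquad (1)
$$
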
In the matrix above, $a_{ij}$ refers to the ratio of importance of the element i and element j in terms of the criterion H and satisfies $a_{ji} = 1/a_{ij}$ $(i, j = 1, 2, \ldots, n)$. Generally, it can be given by experts who are familiar with the problems, by the decision makers, or by analysts through technical advice. In the Analytic Hierarchy Process, the comparison of the two elements can become quantitative according to Saaty's 1-9 scale method, as shown in Table 1 [12].

Table 1. Saaty's 1-9 scale method

| Scale | Meaning (the comparison of the two elements) |
|---|---|
| 1 | the two elements are of equal importance |
| 3 | one element is slightly more important than another element |
| 5 | one element is obviously more important than another element |
| 7 | one element is strongly more important than another element |
| 9 | one element is extremely more important than another element |
| 2, 4, 6, 8 | median of the two adjacent judgments above |
| the reciprocal of the number above | the importance ratio of the element i and element j is $a_{ij}$, so the importance ratio of the element j and element i is $a_{ji} = 1/a_{ij}$ |

2.3. The Calculation of Respective Index Weight
It is required to calculate the maximum eigenvalue and eigenvector of the judgment matrix and check the consistency of the judgment matrix [13]. For a certain element in the upper layer, the relative weights of the elements related to it in this layer are determined by judgment matrix and mathematical methods of the matrix. For instance, the relative weight vector of the n elements related to the criterion H in the solution layer should be calculated according to the judgment matrix A constructed in step 2.2.

In practical applications, sum and product method and square root method are often used to calculate the eigenvector, as shown in formula (2).

$$
\bar{w}_i = \sqrt[n]{\prod_{j=1}^{n} a_{ij}}, \quad (i = 1, 2, \ldots, n) \qquad (2)
$$

So the vector $(\bar{w}_1, \bar{w}_2, \ldots, \bar{w}_n)^T$ can be got. By using $w_i = \bar{w}_i / \sum_{j=1}^{n} \bar{w}_j$ $(i = 1, 2, \ldots, n)$ to normalize the vector, the vector $w = (w_1, w_2, \ldots, w_n)^T$ is the eigenvector that is needed.

The maximum eigenvalue can be obtained by the eigenvector and judgment matrix, as shown in formula (3).

$$
\lambda_{\max} = \frac{1}{n} \sum_{i=1}^{n} \frac{(Aw)_i}{w_i} \qquad (3)
$$

The vector $Aw$ is shown in formula (4). $(Aw)_i$ is the i-th element of vector B.
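
$$
Aw = \begin{pmatrix}
a_{11} & a_{12} & \cdots & a_{1n} \\
a_{21} & a_{22} & \cdots & a_{2n} \\
\vdots & \vdots & \ddots & \vdots \\
a_{n1} & a_{n2} & \cdots & a_{nn}
\end{pmatrix}
\begin{pmatrix} w_1 \\ w_2 \\ \vdots \\ w_n \end{pmatrix}
= \begin{pmatrix} b_1 \\ b_2 \\ \vdots \\ b_n \end{pmatrix} = B \qquad (4)
$$

And then it is necessary to check the consistency by introducing the consistency index CI, as shown in formula (5).

$$
CI = \frac{\lambda_{\max} - n}{n - 1} \qquad (5)
$$
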
The smaller CI is, the nearer $\lambda_{\max}$ approximates to n. Ideally, CI equals zero. In fact, the higher the dimension n of the judgment matrix is, the worse the consistency is. So, it is required to reduce the requirement for consistency of high-dimensional judgment matrix by introducing the average random consistency index RI. The value of RI is related to the dimension of the judgment matrix, which can be assigned according to the Table 2 [14].

Table 2. Saaty's 1-10 dimension RI

| Dimension of the judgment matrix | RI |
|---|---|
| 1 | 0 |
| 2 | 0 |
| 3 | 0.52 |
| 4 | 0.90 |
| 5 | 1.12 |
| 6 | 1.26 |
| 7 | 1.36 |
| 8 | 1.41 |
| 9 | 1.46 |
| 10 | 1.49 |

The corrected consistency index is obtained by calculating $CR = CI / RI$. If $CR < 0.1$, the judgment matrix will pass the consistency test. What's more, the eigenvector $w = (w_1, w_2, \ldots, w_n)^T$ will be the weight vector and each component of it represents the proportion or share of corresponding measures or solutions in criterion H. If the judgment matrix doesn't pass the consistency test, it will be necessary to adjust it until the test is passed.

2.4. The Calculation of Comprehensive Index Weight
Comprehensive index weight represents the weight vector of all elements in the solution layer for the target layer. And each component of it represents the proportion or share of corresponding measures or solutions in the target.

The weight vector $w = (w_1, w_2, \ldots, w_n)^T$ has been obtained in step 2.3, which represents the proportion or share of n elements in criterion H. Supposing there are m ($m \ge n$) elements in the solution layer and n elements related to the criterion H, now the weight vector $w = (w_1, w_2, \ldots, w_n)^T$ can be transformed as follows: the weights of n elements related to the criterion H remain unchanged, and the weights of m-n elements unrelated to H are zeros. Finally, a new weight vector $Q_H = (w_{1H}, w_{2H}, \ldots, w_{mH})^T$ can be obtained, which represents the proportion of all elements of the solution layer in criterion H.

Assuming that there are k elements in the criterion layer, the combined weight vector $W$ of all elements in the solution layer to the criterion layer can be obtained by the method mentioned above. The content of $W$ is shown in formula (6).
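
$$
W = (Q_1, Q_2, \ldots, Q_k) = \begin{pmatrix}
w_{11} & w_{12} & \cdots & w_{1k} \\
w_{21} & w_{22} & \cdots & w_{2k} \\
\vdots & \vdots & \ddots & \vdots \\
w_{m1} & w_{m2} & \cdots & w_{mk}
\end{pmatrix} \qquad (6)
$$

Similarly, the weight vector $C = (c_1, c_2, \ldots, c_k)^T$ of all elements in the criterion layer to the target layer can be obtained.

Then, according to the combination weight vector $W$ and the weight vector $C$, the vector $U$ can be calculated, as shown in formula (7).

$$
U = W \cdot C = \begin{pmatrix}
w_{11} & w_{12} & \cdots & w_{1k} \\
w_{21} & w_{22} & \cdots & w_{2k} \\
\vdots & \vdots & \ddots & \vdots \\
w_{m1} & w_{m2} & \cdots & w_{mk}
\end{pmatrix}
\begin{pmatrix} c_1 \\ c_2 \\ \vdots \\ c_k \end{pmatrix}
= \begin{pmatrix} u_1 \\ u_2 \\ \vdots \\ u_m \end{pmatrix} \qquad (7)
$$
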
The vector $U$ represents the comprehensive weight of all elements in the solution layer to the target. By sorting the weights of them, several important indicators, which have great influence on the risk, will be obtained. Based on these important indicators, corresponding measures should be taken to control the risk. In addition, the number of risk elements will be greatly reduced, which will simplify the calculation of risk value.

3. Results and Discussion
The information security risk assessment is carried out according to the analytic hierarchy process. The hierarchy model of three layers is constructed based on a company's actual information system, as shown in Figure 2. The element of the target layer is the risk index of the information system to be tested. The elements of criterion layer mainly include the physical security, the operation security and the application security. The elements of solution layer mainly include environmental security, device security, media security, network monitoring, vulnerability scanning, virus prevention, data backup, access control, information encryption and intrusion detection.

Figure 2. The hierarchy model of a company

3.1. The Construction of the Judgment Matrix and the Calculation of Respective Index Weight
In target-criterion layer, the judgment matrix is generally given by experts who are familiar with the problems and the structure of it is shown in formula (8).

$$
G\text{-}C = \begin{pmatrix}
1 & 5 & 3 \\
1/5 & 1 & 3 \\
1/3 & 1/3 & 1
\end{pmatrix} \qquad (8)
$$

According to the judgment matrix $G\text{-}C$, the vector $(2.4662, 0.8434, 0.4807)^T$ is calculated. Then by normalizing it, the eigenvector $w = (0.6507, 0.2225, 0.1268)^T$ is obtained. The maximum eigenvalue $\lambda_{\max} = 3.2948$, $CI = \frac{\lambda_{\max} - n}{n - 1} = \frac{3.2948 - 3}{3 - 1} = 0.1474$, and the average random consistency index $RI = 0.52$ can be acquired. It is necessary to adjust the judgment matrix, because the corrected consistency index $CR = \frac{CI}{RI} = \frac{0.1474}{0.52} = 0.2835$ does not satisfy $CR < 0.1$, which does not pass the consistency test.

Now the judgment matrix is adjusted, as shown in formula (9).

$$
G\text{-}C = \begin{pmatrix}
1 & 2 & 3 \\
1/2 & 1 & 3 \\
1/3 & 1/3 & 1
\end{pmatrix} \qquad (9)
$$

According to the adjusted judgment matrix, $\bar{w} = (1.8171, 1.1447, 0.4807)^T$, $w = (0.5278, 0.3325, 0.1396)^T$, $\lambda_{\max} = 3.0537$, $CI = 0.0269$, and $RI = 0.52$ can be obtained. Because of $CR = 0.0517 < 0.1$, the judgment matrix passes the consistency test. What's more, the eigenvector $w$ is the weight vector.

In criterion-solution layer, the judgment matrix of the criterion C1 is constructed, as shown in formula (10).

$$
C_1\text{-}P = \begin{pmatrix}
1 & 3 & 4 \\
1/3 & 1 & 3 \\
1/4 & 1/3 & 1
\end{pmatrix} \qquad (10)
$$

According to the judgment matrix, $\bar{w} = (2.2894, 1, 0.4368)^T$, $w = (0.6144, 0.2684, 0.1172)^T$, $\lambda_{\max} = 3.0736$, $CI = 0.0368$, and $RI = 0.52$ can be obtained. Because of $CR = 0.0708 < 0.1$, the judgment matrix passes the consistency test. What's more, the eigenvector $w$ is the weight vector.

The judgment matrix of the criterion C2 is constructed, as shown in formula (11).

$$
C_2\text{-}P = \begin{pmatrix}
1 & 1 & 1 & 1/2 & 1/3 & 1/3 & 1/4 \\
1 & 1 & 2 & 1/2 & 1/2 & 1/3 & 1 \\
1 & 1/2 & 1 & 1/3 & 1/3 & 1/2 & 1/3 \\
2 & 2 & 3 & 1 & 1 & 1 & 1/4 \\
3 & 2 & 3 & 1 & 1 & 1 & 1/5 \\
3 & 3 & 2 & 1 & 1 & 1 & 1/2 \\
4 & 1 & 3 & 4 & 5 & 2 & 1
\end{pmatrix} \qquad (11)
$$

According to the judgment matrix, $\bar{w} = (0.5428, 0.7742, 0.5123, 1.1699, 1.2008, 1.3687, 2.4157)^T$, $w = (0.0680, 0.0970, 0.0642, 0.1465, 0.1504, 0.1714, 0.3026)^T$, $\lambda_{\max} = 7.5785$, $CI = 0.0964$, and $RI = 1.36$ can be obtained. Because of $CR = 0.0709 < 0.1$, the judgment matrix passes the consistency test. What's more, the eigenvector $w$ is the weight vector.

The judgment matrix of the criterion C3 is constructed, as shown in formula (12).

$$
C_3\text{-}P = \begin{pmatrix}
1 & 1 & 1 & 1/2 & 1/3 & 1/4 \\
1 & 1 & 1/2 & 1 & 1/3 & 1/2 \\
1 & 2 & 1 & 1 & 1 & 1/2 \\
2 & 1 & 1 & 1 & 1 & 1 \\
3 & 3 & 1 & 1 & 1 & 3 \\
4 & 2 & 2 & 1 & 1/3 & 1
\end{pmatrix} \qquad (12)
$$

According to the judgment matrix, $\bar{w} = (0.5888, 0.6609, 1, 1.1225, 1.7321, 1.3218)^T$, $w = (0.0916, 0.1028, 0.1556, 0.1747, 0.2695, 0.2057)^T$, $\lambda_{\max} = 6.4119$, $CI = 0.0824$, and $RI = 1.26$ can be obtained. Because of $CR = 0.0654 < 0.1$, the judgment matrix passes the consistency test. What's more, the eigenvector $w$ is the weight vector.

3.2. The Calculation of Comprehensive Index Weight
The combined weight vector $W$ of all elements in the solution layer to the criterion layer is shown in formula (13).

$$
W = (Q_1, Q_2, Q_3) = \begin{pmatrix}
0.6144 & 0.0680 & 0 \\
0.2684 & 0.0970 & 0 \\
0.1172 & 0.0642 & 0 \\
0 & 0.1465 & 0.0916 \\
0 & 0.1504 & 0.1028 \\
0 & 0.1714 & 0.1556 \\
0 & 0.3026 & 0 \\
0 & 0 & 0.1747 \\
0 & 0 & 0.2695 \\
0 & 0 & 0.2057
\end{pmatrix} \qquad (13)
$$

According to the combination weight vector $W$ and the weight vector $C$, the vector $U$ can be calculated, as shown in formula (14).

$$
U = W \cdot C = \begin{pmatrix}
0.6144 & 0.0680 & 0 \\
0.2684 & 0.0970 & 0 \\
0.1172 & 0.0642 & 0 \\
0 & 0.1465 & 0.0916 \\
0 & 0.1504 & 0.1028 \\
0 & 0.1714 & 0.1556 \\
0 & 0.3026 & 0 \\
0 & 0 & 0.1747 \\
0 & 0 & 0.2695 \\
0 & 0 & 0.2057
\end{pmatrix}
\begin{pmatrix} 0.5278 \\ 0.3325 \\ 0.1396 \end{pmatrix}
= \begin{pmatrix} 0.3469 \\ 0.1739 \\ 0.0832 \\ 0.0615 \\ 0.0644 \\ 0.0787 \\ 0.1006 \\ 0.0244 \\ 0.0376 \\ 0.0287 \end{pmatrix} \qquad (14)
$$

The vector $U$ represents the comprehensive weight of all elements of the solution layer to the target layer. The weight of each element in the solution layer to the target is shown in Table 3.

Table 3. The weight of elements in the solution layer to the target

| The elements in the solution layer | The weight of elements |
|---|---|
| environmental security | 0.3469 |
| device security | 0.1739 |
| media security | 0.0832 |
| network monitoring | 0.0615 |
| vulnerability scanning | 0.0644 |
| virus prevention | 0.0787 |
| data backup | 0.1006 |
| access control | 0.0244 |
| information encryption | 0.0376 |
| intrusion detection | 0.0287 |

As can be seen from Table 3, environmental security, device security and data backup have a comparatively great proportion in the target, which shows that they have great influence on the risk and measures should be taken to solve these problems. In addition, because there are too many elements related to the risk, these important indicators can be used as input when calculating the risk to simplify the calculation of risk.
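
The procedure of Sections 2.3 and 2.4 can be checked end to end against the figures reported above. The following Python code is an added example, not part of the original paper: it recomputes the weights, the consistency test and the comprehensive weight vector from the judgment matrices of formulas (8) to (12). The function names and the `RELATED` index sets (read off the nonzero pattern of W in formula (13)) are assumptions of this example.

```python
from math import prod

# Average random consistency index RI by matrix dimension (Table 2).
RI = {1: 0, 2: 0, 3: 0.52, 4: 0.90, 5: 1.12,
      6: 1.26, 7: 1.36, 8: 1.41, 9: 1.46, 10: 1.49}

def ahp_weights(A):
    """Square root method: return (w, lambda_max, CI, CR) for judgment matrix A."""
    n = len(A)
    for i in range(n):  # reject input that violates a_ji = 1 / a_ij
        for j in range(n):
            if abs(A[i][j] * A[j][i] - 1) > 1e-9:
                raise ValueError(f"entries ({i},{j}) and ({j},{i}) are not reciprocal")
    roots = [prod(row) ** (1 / n) for row in A]             # formula (2)
    w = [r / sum(roots) for r in roots]                     # normalization
    Aw = [sum(a * x for a, x in zip(row, w)) for row in A]  # formula (4)
    lam = sum(b / x for b, x in zip(Aw, w)) / n             # formula (3)
    ci = (lam - n) / (n - 1) if n > 1 else 0.0              # formula (5)
    cr = ci / RI[n] if RI[n] else 0.0                       # CR = CI / RI
    return w, lam, ci, cr

def comprehensive_weights(criterion_w, blocks, m):
    """Formulas (6)-(7): U = W . C; elements unrelated to a criterion weigh zero.

    blocks[h] = (indices of the solution-layer elements related to criterion h,
                 their weight vector under criterion h).
    """
    U = [0.0] * m
    for c, (idx, w) in zip(criterion_w, blocks):
        for i, wi in zip(idx, w):
            U[i] += c * wi
    return U

ELEMENTS = ["environmental security", "device security", "media security",
            "network monitoring", "vulnerability scanning", "virus prevention",
            "data backup", "access control", "information encryption",
            "intrusion detection"]
G_C_FIRST = [[1, 5, 3], [1/5, 1, 3], [1/3, 1/3, 1]]   # formula (8), fails the test
G_C = [[1, 2, 3], [1/2, 1, 3], [1/3, 1/3, 1]]         # formula (9), adjusted
C1_P = [[1, 3, 4], [1/3, 1, 3], [1/4, 1/3, 1]]        # formula (10)
C2_P = [[1, 1, 1, 1/2, 1/3, 1/3, 1/4],                # formula (11)
        [1, 1, 2, 1/2, 1/2, 1/3, 1],
        [1, 1/2, 1, 1/3, 1/3, 1/2, 1/3],
        [2, 2, 3, 1, 1, 1, 1/4],
        [3, 2, 3, 1, 1, 1, 1/5],
        [3, 3, 2, 1, 1, 1, 1/2],
        [4, 1, 3, 4, 5, 2, 1]]
C3_P = [[1, 1, 1, 1/2, 1/3, 1/4],                     # formula (12)
        [1, 1, 1/2, 1, 1/3, 1/2],
        [1, 2, 1, 1, 1, 1/2],
        [2, 1, 1, 1, 1, 1],
        [3, 3, 1, 1, 1, 3],
        [4, 2, 2, 1, 1/3, 1]]
# Rows of ELEMENTS each criterion covers: nonzero pattern of W in formula (13).
RELATED = [[0, 1, 2], [0, 1, 2, 3, 4, 5, 6], [3, 4, 5, 7, 8, 9]]

def paper_example():
    """Recompute Section 3; returns (CR of matrix (8), criterion weights C, U)."""
    cr_first = ahp_weights(G_C_FIRST)[3]
    C, _, _, cr = ahp_weights(G_C)
    blocks = []
    for idx, A in zip(RELATED, (C1_P, C2_P, C3_P)):
        w, _, _, cr_h = ahp_weights(A)
        if max(cr, cr_h) >= 0.1:
            raise ValueError("a judgment matrix fails the consistency test")
        blocks.append((idx, w))
    return cr_first, C, comprehensive_weights(C, blocks, len(ELEMENTS))

if __name__ == "__main__":
    cr_first, C, U = paper_example()
    print(f"CR of matrix (8): {cr_first:.4f}; criterion weights: {[round(c, 4) for c in C]}")
    for name, u in sorted(zip(ELEMENTS, U), key=lambda t: -t[1]):
        print(f"{u:.4f}  {name}")
```

The reciprocity check in `ahp_weights` catches transcription errors in an expert-supplied matrix before any weight is derived from it.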

4. Conclusion
This paper solves the problem of too many elements in the process of risk assessment by using the AHP. Therefore, several elements which have great impact on the risk can be obtained from the numerous risk elements, which greatly reduce the number of elements, and provide the input for the next step to calculate the risk value.

In this paper, the elements related to the risk in the example mainly include environmental security, device security, media security, network monitoring, vulnerability scanning, virus prevention, data backup, access control, information encryption and intrusion detection. By using the AHP, the weight of them to the risk can be obtained. It is concluded that the weight of environmental security, device security, and data backup is larger, which shows that they have great influence on the risk, and should be considered as the input when calculating the value of risk. And the company should focus on these issues in order to reduce the possibility of occurrence of the risk.

Acknowledgements
This work is supported by Taishan Scholar Climbing Program of Shandong Province in Shandong University of Science and Technology.

References
[1] R Bojanc, B Jerman-Blažič. Quantitative Model for Information Security Risk Management. Engineering Management Journal. 2013; 25(2): 267-275.
[2] Li Zhang, Jianfen Peng, Yuge Du. A Summary of the Comprehensive Assessment Method of Information Security Risk Assessment. Journal of Tsinghua University (Science and Technology). 2012; 52(10): 1364-1369.
[3] Zhihu Wang, Haiwen Zeng. Study on the Risk Assessment Quantitative Method of Information Security. 2010 3rd International Conference on Advanced Computer Theory and Engineering (ICACTE). Chengdu. 2010; 6: 529-533.
[4] Igor V Anikin. Information Security Risk Assessment and Management Method in Computer Networks. 2015 International Siberian Conference on Control and Communications (SIBCON). Omsk. 2015: 1-5.
[5] Lijian Wang, Bin Wang, Yongjun Peng. Research the Information Security Risk Assessment Technique Based on Bayesian Network. 2010 3rd International Conference on Advanced Computer Theory and Engineering (ICACTE). Chengdu. 2010; 3: 600-604.
[6] Hongsheng Luo, Yongjun Shen, Guidong Zhang. Information Security Risk Assessment Based on Two Stages Decision Model with Grey Synthetic Measure. 2015 6th International Conference on Software Engineering and Service Science (ICSESS). Beijing. 2015: 795-798.
[7] Xiaoming Yang, Hengfeng Luo, Chengyu Fan. The Analysis of Information System Security Risk Assessment Technology. Computer Applications. 2008; 28(8): 1920-1923.
[8] Baohua Zhao. Information System Risk Assessment Based on Analytic Hierarchy Process and Neural Network. Microelectronics & Computer. 2015; 32(10): 163-166.
[9] Long Xiao, Yong Qi, Qianmu Li. The Information Security Risk Assessment Based on AHP and Fuzzy Comprehensive Evaluation. Computer Engineering and Applications. 2009; 45(22): 82-85.
[10] Qiong Sun, Zhengran Gao. The Small and Medium-sized Enterprises Performance Evaluation Model based on DEA and AHP Method. TELKOMNIKA Indonesian Journal of Electrical Engineering. 2013; 11(11): 6400-6405.
[11] Ziqiu Wei, Mingfang Li. Information Security Risk Assessment Model Base on FSA and AHP. International Conference on Machine Learning and Cybernetics (ICMLC). Qingdao. 2010; 5: 2252-2255.
[12] Zhiming Feng, Guofu Yin, Haifeng Lin. Comprehensive Evaluation of CNC Machine Tools Accuracy Based on AHP. TELKOMNIKA Indonesian Journal of Electrical Engineering. 2014; 12(3): 1658–1667.
[13] Linlin Liu, Hong Chen, Ruixin Zhang. Comprehensive Evaluation of Examination Quality based on Fuzzy AHP. TELKOMNIKA Indonesian Journal of Electrical Engineering. 2013; 11(9): 5384-5394.
[14] Baoli Liu, Xiaochun Zhang, Gendu Zhang. Information System Vulnerability Assessment Method based on Analytic Hierarchy Process. Computer Science. 2006; 33(12): 62-64.