Subjectivity Reduction of Qualitative Approach in Information Security Risk Analysis

Article Type:
Research/Original Article (holds an accredited ranking)
Abstract:

Qualitative information security risk assessments are somewhat subjective, and the high degree of subjectivity associated with the perception of risk means that management is often skeptical of risk analysis results and unwilling to make important decisions based on them. Besides, the process of information security risk assessment is quite complex and rife with uncertainty, and if that uncertainty is not taken into account the results can be misleading. Therefore, in this paper, the Fuzzy Multi Criteria Group Decision Making (FMCGDM) model is proposed to address the above-mentioned problems. The focus group method is used to identify risk parameters, and the Delphi method is used to construct a hierarchy for risk parameters. The findings of this research would be useful for the information security department to become more capable in analyzing InfoSec risks and reducing the consequences of subjective assessment. A case study involving an actual information security risk management project was presented to illustrate the use of the proposed model. Computational results demonstrated the efficiency and effectiveness of the presented model, which can assist InfoSec risk analysts to better evaluate InfoSec risk.

Language:
English
Published:
Journal of System Management, Volume:8 Issue: 1, Winter 2022
Pages:
145 to 166
magiran.com/p2459957  