Title :
A Multi-criteria Evaluation Method of Information Security Controls
Author :
Lv, Jun-Jie ; Zhou, Yong-Sheng ; Wang, Yuan Zhuo
Author_Institution :
Bus. Sch., Beijing Technol. & Bus. Univ., Beijing, China
Abstract :
Information management plays an increasingly important role in enterprises with the constant improvement of computer and communications technology. It is known that enterprises have diverse security requirements when implementing information security, such as cost, effectiveness, environment, commitment to law and ethics, etc. In this paper, an information security risk management method is proposed to rank available risk controls quantitatively with the help of the PROMETHEE methodology and the GAIA plane, considering the criteria concerned. Given the preference function, the criteria values and the criteria weights of decision-makers, the "leaving flow", "entering flow" and "net flow" of each preparation program are calculated to compare the advantages and disadvantages of control measurements, and then the complete sequence is obtained. Sensitivity analysis and validation are then conducted. Finally, an example is given to illustrate the application of the proposed method. The major contribution of this work is to make available a control ranking model, considering multiple criteria analysis and the interests of different decision makers, for a security control plan to be carried out.
Keywords :
information management; security of data; GAIA plane; PROMETHEE methodology; communications technology; computer communications; control ranking model; different decision makers; entering flow; information management; information security controls; leaving flow; multicriteria evaluation method; multiple criteria analysis; net flow; risk controls; security control plan; security requirements; sensitivity analysis; Computers; Economics; Information security; Investments; Risk management; Sensitivity analysis; GAIA module; Information security; PROMETHEE; multi-criteria;
Conference_Title :
Computational Sciences and Optimization (CSO), 2011 Fourth International Joint Conference on
Conference_Location :
Yunnan
Print_ISBN :
978-1-4244-9712-6
Electronic_ISBN :
978-0-7695-4335-2
DOI :
10.1109/CSO.2011.43