Security risk factors: ANP model for risk management decision making

Information is a valuable asset supporting management decisions and business operations within the enterprise. Consequently, securing the company critical information assets from sophisticated insider threats and outsider attacks is essential to ensure business continuity and compliance with regulatory frameworks. Security risk management is the process that identifies threats and vulnerabilities of an enterprise information system, evaluates the likelihood of their occurrence and estimates their potential business impact. It is a continuous process that allows cost effectiveness of implemented security controls and provides a dynamic set of tools to monitor the security level of the information system. Given the uncertainty and complexity of security risks analyses, the identification of risk factors as well as the estimation of their business impact require tools for assessment of risk with multi-value scales according to different stakeholders' point of view. Therefore, the purpose of this paper is to model risk factors using semantic network to develop the decision network and the Analytical Network Process (ANP) to evaluate factors of complex problems taking into consideration quantitative and qualitative data. As a decision support technique ANP also measures the dependency among risk factors related to the elicitation of individual judgement.