Evaluation of information security related risks of an organization: the application of the multicriteria decision-making method

In the wake of the fast popularization of information and the rise of electronic commerce, information security is gaining much attention. How to perform the evaluation of the value of assets, how to perform the analysis of the risks associated with assets, and how to protect information assets from sabotage, theft and tamper are important topics in the study of the management of information security. We address the aspects of confidentiality, integrity and availability of information and apply the Analytic Hierarchy Process (AHP) to consolidate expert's opinions on information risks, in order to construct an integrated framework for risk analysis. The BS7799 standard and the risk level matrix (RLM) are used accordingly to evaluate the effectiveness of and to categorize the risk management measures and to create a complete model for the assessment of information assets related risks. Finally, the research results are verified by a case study. The results can be used by organizations as references for information security planning and management process improvements.