Information Security Management: ANP Based Approach for Risk Analysis and Decision Making

DOI 10.7160/aol.2016.080102
No 1/2016, March
pp. 13-23

Brožová, H., Šup, L., Rydval, J., Sadok, M. and Bednar, P. (2016) "Information Security Management: ANP Based Approach for Risk Analysis and Decision Making", AGRIS on-line Papers in Economics and Informatics, Vol. 8, No. 1, pp. 13-23. ISSN 1804-1930. DOI 10.7160/aol.2016.080102.


In information systems security, the objectives of the risk analysis process are to help identify new threats and vulnerabilities, to estimate their business impact, and to provide a dynamic set of tools to control the security level of the information system. Identifying risk factors and estimating their business impact both require tools for assessing risk on multi-value scales according to the different stakeholders' points of view. The purpose of this paper is therefore to model the risk analysis decision-making problem using a semantic network to develop the decision network, and the Analytical Network Process (ANP), which allows complex problems to be solved while taking both quantitative and qualitative data into consideration. As a decision support technique, ANP also measures the dependency among risk factors related to the elicitation of individual judgement. An empirical study involving the Forestry Company is used to illustrate the relevance of ANP.


Information security, Risk factors, Semantic networks, Analytical network process, Multi-criteria decision making, Case Study.


