Measuring the Information Security Maturity of Enterprises under Uncertainty Using Fuzzy AHP

Full Text (PDF, 908KB), PP.10-25

Views: 0 Downloads: 0


Adel A. Nasser 1,* Abdualmajed A. Al-Khulaidi 2 Mijahed N. Aljober 3

1. Sa'adah University/ Department of information system, Sa'adah, 1872, Yemen

2. Sana'a University/ Mareb Branch, Department of Com. Scince, Mareb, 764, Yemen

3. Hajjah University/ Department of Com. Science, Hajjah, 2445, Yemen

* Corresponding author.


Received: 23 Jan. 2018 / Revised: 6 Feb. 2018 / Accepted: 13 Feb. 2018 / Published: 8 Apr. 2018

Index Terms

Gap Analysis, Fuzzy Logic, ISO 27001:2013, Maturity level, Fuzzy Analytical Hierarchy process, IS assessment, Maturity model


Generally, measuring the Information Security maturity(ISM) is the first step to build a new knowledge information security management system in an organization. Knowing the ISM level helps organizations decide the type of protection strategies and policies will be taken and their priorities to strengthen their competitive ability. One of the possible ways to solve the problem is a using multiple criteria decision-making (MCDM) methodology. Analytic hierarchy process (AHP) is one of the most commonly used MCDM methods, which combines subjective and personal preferences in the information security assessment process. However, the AHP involves human subjectivity, which introduces vagueness type of uncertainty and requires the use of decision-making under those uncertainties. In this paper, the IS maturity is based on hierarchical multilevel information security gap analysis model for ISO 27001:2013 security standard. The concept of fuzzy set is applied to Analytic Hierarchical Process (AHP) to propose a model for measuring organizations IS maturity under uncertain environment. Using fuzzy AHP approach helps determine more efficiently importance weights of factors and indicators, especially deal with imprecise and uncertain expert comparison judgments. A case study is used to illustrate the better new method for IS evaluation.

Cite This Paper

Adel A. Nasser, Abdualmajed A. Al-Khulaidi, Mijahed N. Aljober, "Measuring the Information Security Maturity of Enterprises under Uncertainty Using Fuzzy AHP", International Journal of Information Technology and Computer Science(IJITCS), Vol.10, No.4, pp.10-25, 2018. DOI:10.5815/ijitcs.2018.04.02


[1]Renuka Nagpal, Deepti Mehrotra, Pradeep Kumar Bhatia and Arun Sharma, "Rank University Websites Using Fuzzy AHP and Fuzzy TOPSIS:  Approach on Usability", International Journal of Information Engineering and Electronic Business, Vol.7, No.1, pp.29-36, 2015. 

[2]Essaid EL HAJI , Abdellah Azmani, and Mohamed El Harzli, "Using AHP Method for Educational and Vocational Guidance", International Journal of  Information Technology and Computer Science, Vol.9, No.1, pp.9-17, 2017

[3]Rodney Alexander, "Using the Analytical Hierarchy Process Model in the Prioritization of Information Assurance Defense-In-Depth Measures?—A Quantitative Study,"Journal of Information Security, 2017, 8, 166-173

[4]Kanyarat Phudphad, Bunthit Watanapa, Worarat Krathu and Suree Funilkul,"Rankings of the security factors of human resources information system (HRIS) influencing the open climate of work: using analytic  hierarchy process (AHP)," 8th International Conference on Advances in Information Technology, IAIT2016, 19-22 December 2016, Macau, China

[5]Juhyeon Lee, Youngin You, Kyungho Lee,"A study on the priority decision making of IT goals in COBIT 5 goals cascade", in pros.. of the 9th international conference of information management and engineering, ICIME 2017, 221-225, October 2017, Barcelona, Spain. 

[6]Zhengbing Hu, Vadym Mukhin, Yaroslav Kornaga,Yaroslav Lavrenko, Oleg Barabash, OksanaHerasymenko, "Analytical Assessment of Security Level of Distributed and Scalable Computer Systems", International Journal of Intelligent Systems and Applications (IJISA), Vol.8, No.12, pp.57-64, 2016. 

[7]Zhengbing Hu, Yulia Khokhlachova, Viktoriia Sydorenko and Ivan Opirskyy,"Method for Optimization of Information Security Systems Behavior under Conditions of Influences, "International Journal of  Intelligent Systems and Applications, Vol.9, No.12, pp.46-58, 2017. 

[8]A. A. Nasser, “Information security gap analysis based on ISO 27001: 2013 standard: A case study of the Yemeni Academy for Graduate Studies, Sana'a, Yemen, ” International Journal of scientific research in Multidisciplinary Studies, Vol. 3, Issues 11, pp. 5 – 14, DEC. 2017

[9]A. A. Nasser, “Hierarchical Multilevel Information security gap analysis models based on ISO 27001: 2013, ” International Journal of scientific research in Multidisciplinary Studies, Vol. 3, Issues 11, pp. 15 – 24, DEC. 2017

[10]A. Itrada , S.  Sultan , M.  Al-Junaidi , R. Qaffaf , F. Mashal, and F. Daas, “Developing an ISO27001 Information Security Management System for an Educational Institute: Hashemite University as a case study, ” Jordan Journal of Mechanical and Industrial Engineering, Vol. 8, no. 2, pp.102 – 118, April. 2014

[11]C Candiwan, "Analysis of ISO27001 Implementation for Enterprises and SMEs in Indonesia". In: Proceedings of the International Conference on Cyber-Crime Investigation and Cyber Security (ICCICS2014), pp. 50-58, Nov.2014, Kuala Lumpur, Malaysia.

[12]I Al-Mayahi and S. P. Mansoor, " ISO 27001 gap analysis – case study ". In: Proceedings of the International Conference on  Security and Management (SAM ’12), Las Vegas, 2012.

[13]B. Karabacak and I. A Sogukainar, “quantitative method for iso 17799 gap analysis, ” Computers and Security Journal, Elsevier, vol. 25(6), pp. 413–419, 2006

[14]M. Dey, " Information security management - a practical approach, " In Proceedings of  AFRICAN 2007, Member, IEEE

[15]ISO/IEC 17799:2000, Information technology – Security techniques – Code of practice for information security management, Geneva, Switzerland: International Organization for Standardization, 2000

[16]B. Stevanović, “Maturity Models in Information Security, ” International Journal of Information and Communication Technology Research, vol.1,no.2,2011

[17]Project Management Institute (PMI), “Organizational project management maturity model knowledge foundation(OPM3)”, Newtown Square, Pennsylvania USA,.2003

[18]T. Mettler and P. Rohner," Situational Maturity Models as Instrumental Artifacts for Organizational Design, " In Proceedings of the 4th International Conference on Design Science Research in Information Systems and Technology,  Bew York, 2009.

[19]M. F. Saleh," Information Security Maturity Model," International Journal of Computer Science and Security (IJCSS), Vol.5, Issue 3, pp: 316-337

[20]K. Judev, J. Thomas, "Project management maturity models: The milver bullets of competitive advantage?" Project Management Journal, vol. 33, 2002.

[21]G. Klimko, "Knowledge management and maturity models: Building common understanding," In Proc. of the 2nd European Conference on Knowledge Management, 2001.

[22]S. E. Chang and C. S. Lin, "Exploring organizational culture for information security management," Industrial Management & Data Systems, vol.107, issue 3, pp. 438 – 458, 2007

[23]A. Anderson, D. Longley and L.F. "Kwok, Security modeling for organizations, " In Proceedings of the 2nd ACM Conference on Computer and communications security, p. 241- 250, New York, 1994.

[24]M. S. Saleh, A. Alrabiah, and S. H. Bakry, "Using ISO 17799:2005 information security management: a STOPE view with six sigma approach, " International Journal of network management, v. 17, 2007, pp.85- 97.

[25]DNB Framework Information Security, point to consider: Available from

[26]T. L. Saaty, The analytical hierarchy process.Pittsburg: PWS Publications, 1990.

[27]T. L. Saaty, "How to Make a Decision: The Analytic Hierarchy Process," Interfaces, vol. 24, no. 6, pp. 19-43, Nov.-Dec. 1994.

[28]S. t. Phanaru and  T.Wannasiri," Applying Fuzzy Analytic Hierarchy Process to Evaluate and Select Product of Notebook Computers, " International Journal of Modeling and Optimization, Vol. 2, No. 2, April 2012

[29]T. L. Saaty, The Analytic Hierarchy Process, Planning, Priority Setting, Resource Allocation. McGraw-Hill, New York, 1980.

[30]Y. C. Erensal, T. Oncan, and M. L.  Dernircan. " Determining Key Capabilities in Technology Management using Fuzzy Analytic Hierarchy Process: A Case Study of Turke, " In Proceedings of Information Science, vol. 176, no. 18, pp. 2755-2770, Sep. 2006

[31]J. J. Buckley, "Ranking Alternatives using Fuzzy Numbers, " FuzzySets and Systems, vol. 15, no. 1, pp. 21-31, Feb. 1985. 

[32]J. J. Buckley, "Fuzzy Hierarchical Analysis, "Fuzzy Sets and Systems, vol. 17, no. 3, pp. 233-247, Dec. 1985. 

[33]D. Dubois and H. Prade, Fuzzy Sets and Systems: Theory and Applications, New York: Academic Press, 1980.