8/17/2019 Baden-baden_Vukelic.pdf

1/7

Vukeli! B., Polytechnic of Rijeka, Bo"i! Pavleti! Z., VPS Minerva Dugopolje,

Mati! Vukeli! U., Astrila Translation Services

Using multicriteria decision making method

PROMETHEE&GAIA for information security risk managmentstandards selection

Introduction

Information technology risk is any risk related to information technology. This is a

relatively new term due to an increasing awareness that information security is simply one

facet of a multitude of risks that are relevant to IT and the real-world processes it supports.

Generally speaking, risk is the product of the likelihood of an event occurring and the impact

that event could have on an information technology asset.

Due to this problem, companies look for standards organizations to provide guidance

when it comes to best practices in information security. But, the choice of the best standard is

a challenge. There are numerous standards available and many factors to evaluate, such as

scope, usage and maturity. In the recent years several decision aid methods or decision

support systems have been proposed to help in the selection of the best compromise

alternatives.

The following paper compares the three leading standards (ISO 27005, NIST SP 800-30 & OCTAVE) using multicriteria decision method PROMETHEE & GAIA. The purpose of

this paper is not to explain in details the PROMETHEE methodology, only the results provided by the Visual PROMETHEE software on the abovementioned example. It is the

only PROMETHEE-based software developed and supported by the authors of the

PROMETHEE & GAIA methodology.

PROMETHEE & GAIA Method

PROMETHEE & GAIA is a multi-criteria decision aid methodology that has been

developed by Jean-Pierre Brans and Bertrand Mareschal at the ULB and VUB universities

since 1982. The GAIA descriptive approach appeared in 1989. [1]

It is a ranking method quite simple in conception and application compared to other

methods for multi-criteria analysis. It is well adapted to problems where a finite number of

alternative actions are to be ranked considering several, sometimes conflicting, criteria. [2].

The PROMETHEE method (preference ranking organization method for enrichment

evaluation) is appropriate to treat the multi-criteria problem of the following type:

max{f1(a), ... , fn(a)|a \A}, (1)

where A is a finite set of possible alternatives, and fj are n criteria to be maximized. For each

alternative, fj(a) is an evaluation of this alternative. When we compare two alternatives a, b \

 A, we must be able to express the result of these comparisons in terms of preference.

8/17/2019 Baden-baden_Vukelic.pdf

2/7

One of the advantages of usages of PROMETHEE methods is the possibility of

geometrical interpretation of the results by the GAIA method (geometrical analysis for

interactive aid). In 1989 the introduction of GAIA added a descriptive complement to the

PROMETHEE rankings. A graphical representation of the multi-criteria problem enables the

decision maker to understand the available choices better and the necessary compromises he

or she will have to make in order to make the best decision. GAIA can also be used to see the

impact of the criteria weights on the PROMETHEE rankings.

The PROMETHEE & GAIA methods are based on the Preference Modeling method,

which increases the efficiency of any complex decision-making and is also based on the

Pairwise Comparison method, where alternatives are compared to each other. It is highly

recommended to read both more about both methods, to understand how it impacts the final

decision. [3]

Rather than pointing out the "right" decision, the PROMETHEE & GAIA method

helps decision makers find the alternative that best suits their goal and their understanding of

the problem. It provides a comprehensive and rational framework for structuring a decision

 problem, for identifying and quantifying its conflicts and synergies, clusters of actions and

highlight the main alternatives and the structured reasoning behind. [3]

Decision situations to which the PROMETHEE & GAIA can be applied include: [4]

Choice – The selection of one alternative from a given set of alternatives, usually where there

are multiple decision criteria involved.

 Prioritization – Determining the relative merit of members of a set of alternatives, as opposedto selecting a single one or merely ranking them.

 Resource allocation – Allocating resources among a set of alternatives

 Ranking  – Putting a set of alternatives in order from most to least preferred

Conflict resolution  – Settling disputes between parties with apparently incompatible

objectives

Criteria and alternatives

Many companies have problems with information security. Because of lack of

expertise, they look for consultation and guidance from standards organizations, which will

help them find the best possible solution. Risk management encompasses three processes: risk

assessment, risk mitigation, and evaluation and assessment. Risk management is the process

that allows IT managers to balance the operational and economic costs of protective measures

and achieve gains in mission capability by protecting the IT systems and data that support

their organizations’ missions. This process is not unique to the IT environment; indeed it

 pervades decision-making in all areas of our daily lives. [6]

8/17/2019 Baden-baden_Vukelic.pdf

3/7

 

Figure 1. Risk management process [4] 

After having defined the problem, the first step in PROMETHEE & GAIA method is

defining the objective, which is the choice of an optimal security standard. Furthermore, it is

necessary to define criteria and alternatives, ISO 27005, NIST SP 800-30 & OCTAVE, which

will be shortly described.

 ISO/IEC 27005:2008

ISO/IEC 27005:2008 is applicable to all types of organizations (e.g. commercial

enterprises, government agencies, non-profit organizations) which intend to manage risks that

could compromise the organization’s information security. ISO 27005 is widely accepted

methodology and it covers technology, people and process in risk assessment. Risk

assessment is defined through identification, estimation and evaluation. The framework of

ISO 27005 consists of two elements – risk analysis and risk evaluation. ISO/IEC

27002:2005 Code of practice for information security management recommends to examine

the following during a risk assessment: security policy, organization of information security,

asset management, human resources security, physical and environmental security,

communications and operations management, access control, information systems acquisition,

development and maintenance, information security incident management, business

continuity management and regulatory compliance. [5]

 NIST SP 800- 30

The purpose of NIST SP 800-30 is to provide guidance for conducting riskassessments of federal information systems and organizations. Risk assessments, carried out

at all three tiers in the risk management hierarchy, are part of an overall risk management process – providing senior leaders/executives with the information needed to determine

appropriate courses of action in response to identified risks. It provides guidance for carrying

out each of the steps in the risk assessment process (i.e., preparing for the assessment,

conducting the assessment, communicating the results of the assessment, and maintaining theassessment) and how risk assessments and other organizational risk management processes

8/17/2019 Baden-baden_Vukelic.pdf

4/7

complement and inform each other. Special Publication 800-30 also provides guidance to

organizations on identifying specific risk factors to monitor on an ongoing basis, so that

organizations can determine whether risks have increased to unacceptable levels (i.e.,

exceeding organizational risk tolerance) and different courses of action should be taken. [7]

 NIST SP 800-30 is most suited for technology related risk assessment aligned with common

criteria. The risk assessment methodology encompasses nine primary steps: SystemCharacterization, Threat Identification, Vulnerability Identification, Control Analysis,

Likelihood Determination, Impact Analysis, Risk Determination, Control Recommendationsand Results Documentation.

 

According to NIST SP 800-30, risk assessment is the analysis of

threats in conjunction with vulnerabilities and existing controls.

OCTAVE

OCTAVE is a set of tools, techniques and methods for risk assessment and strategic planning of information security. OCTAVE is an acronym of the following English words: O 

= Operationally, C = Critical, T = Threat, A = Asset, VE = Vulnerability Evaluation.

According to OCTAVE standard, a risk assessment will provide information necessary

for making risk managment decisions regarding the degree of security remediation. OCTAVE

methods are founded on the OCTAVE criteria, a standard approach for a risk-driven and practice-based information security evaluation. The OCTAVE criteria establish the

fundamental principles and attributes of risk management that are used by the OCTAVE

methods. The OCTAVE methods are self-directed, which means that small teams of

organizational personnel across business units and IT work together to address the security

needs of the organization. They are also flexible, which means that each method can be

tailored to the organization's unique risk environment, security and resiliency objectives, andskill level. Another important feature of OCTAVE methods is that they are evolved, which

means that OCTAVE moved the organization toward an operational risk-based view ofsecurity and addresses technology in a business context.

After defining and describing the alternatives, it is necessary to define criteria. There

were 7 criteria, which will be explained below. Although PROMETHEE & GAIA method

enable using quantitative and qualitative criteria, cost was intentionally left out as a

quantitative value. It is one of the most important criteria, but it depends on the scope of

implementation and the size of the organization. The qualitative criteria were compared.

Information gathering  refers to different methods of data gathering from the employees

(interview, questionnaire etc.).

Simplicity of use.  It evaluates whether the method is applicable for the organization and

whether the method can be adapted for needs of a specific field. It also describes the amount

of human and technical resources necessary for implementation.

Spread of use.  This criterion evaluates the importance of maturity of the standard as a

selection criterion. It encompasses the spread of use of the method, such as how long the

method exists, how often it is updated and its geographical spread of use, along withavailability of open market or licensed consultants. 

8/17/2019 Baden-baden_Vukelic.pdf

5/7

Software and Tools. This criterion evaluates the availability of software and tools which are

necessary for the implementation.

Documentation.  It refers to available documentation, available helplines, manuals and

instruction guides.

Risk assessment.  It evaluates how well the standard solves identification, analysis and

evaluation of risks.

Risk treatment.  It involves selecting and implementing measures to modify risk. Risk

treatment measures can include avoiding, optimizing, transferring or retaining risk.

Each criterion was explained in a verbal scale, that is, through the following values:

very bad, bad, average, good and very good .

Verbal scale

Very bad

BadAverage

Good

Very good

The abovementioned criteria and alternatives were processed in Visual PROMETHEE

software. Figure 2 shows main window. The spreadsheet contains three collapsible sections:

Preferences, Statistics and Evaluations. 

Figure 2. The VisualPROMETHEE main spreadsheet 

Table 1. Verbal scale 

8/17/2019 Baden-baden_Vukelic.pdf

6/7

Figure 3 shows that the PROMETHEE I Partial Ranking is based on the comparison of

the leaving flow (Phi+) and the entering flow (Phi-). The left column corresponds to the Phi+

scores and the right column to the Phi- scores. They are oriented such that the best scores are

upwards. This way the middle column corresponds to the net flow (Phi- scores). On the left

side you can see the ranking of the actions according to Phi+.On the right side you can see the

ranking of the actions according to Phi-. For each action a line is drawn from its Phi+ score toits Phi- score.

When a line is completely on top of another one, it means that the corresponding

action is better on both Phi+ and Phi-. This action is thus preferred to the other in thePROMETHEE I Partial Ranking.

Figure 4 indicates that the percentage of information retained in the GAIA display is

shown. A color code is used to differentiate results: green indicates a satisfying quality level

while red corresponds to a too low level.

Figure 3. PROMETHEE I Partial ranking

Figure 4. GAIA Visual analysis 

8/17/2019 Baden-baden_Vukelic.pdf

7/7

Conclusion

The abovementioned standards differ from each other in various organizational and

technical aspects, such as methodology, human resources and software tools. The

PROMETHEE-GAIA methodology, which was used in this paper, has several advantages in

relation to some other methods of multiple criteria because it provides a complete ranking of

alternatives (from best to worst) and criteria and alternative analysis. The paper has shown

that this method can help us choose optimal security standard. In this case, it turned out to be

ISO 27005.

Literature

[1] PROMETHEE & GAIA method,http://homepages.ulb.ac.be/~bmaresc/PROMETHEE.htm

[2] Prvulovic S. et al.: Application of Promethee-Gaia Methodology in the Choice of Systems for Drying Paltry-Seeds and Powder Materials, Strojni#ki vestnik - Journal of Mechanical Engineering 57(2011)10, p. 778-784

[3] D-Sight PROMETHEE & GAIA Methodology, http://www.d-sight.com/learning-center/promethee-gaia-

software

[4] Preference ranking organization method for enrichment evaluation,

http://en.wikipedia.org/wiki/Preference_ranking_organization_method_for_enrichment_evaluation

[5] COMPARISON BETWEEN ISO 27005, OCTAVE & NIST SP 800-30,

http://sisainfosec.com/blog/comparison-between-iso-27005-octave-nist-sp-800-30-2/

[6] Gary Stoneburner, Alice Goguen, and Alexis Feringa: Risk Management Guide for Information TechnologySystems, NIST Special publication 800-30

[7] Guide for Conducting Risk Assessments, NIST, September 2012,

http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf