Identifying Organizational Information Security Risks Using Fuzzy Delphi

Document Type: Research Paper


1 MSc. Student, Information Technology Management, Faculty of Accounting and Management, Kharazmi University of Tehran

2 Assistant Prof., Faculty of Accounting and Management, Kharazmi University, Tehran, Iran


Most organizations depend on information systems to survive and thrive, so they must protect their information assets seriously. Making structured and justifiable trade-offs between cost, security and mission when controlling information system security risks is essential, and this matters most during the planning and development of such systems. Appropriate early decisions reduce costs and make risk easier to control. The first step in the risk management process is risk identification. The purpose of this study is to identify the most important enterprise information security risks. The study is applied in purpose and descriptive in research method. It presents a model for identifying information security risks based on ISO 27002 and COBIT 4, a review of the relevant documents, and the fuzzy Delphi method applied to the opinions of a panel of experts consisting of 10 IT professionals of the Bank. With this model, 6 factors and 20 sub-factors of information security risk have been identified for the Bank.
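The abstract names the fuzzy Delphi method as the tool used to screen candidate risk factors against expert opinion but does not spell out the arithmetic. The following is an added illustrative example, not code from the paper, showing the commonly used variant of the method: each expert rates a candidate factor on a linguistic scale mapped to a triangular fuzzy number (l, m, u); the panel's ratings are aggregated per factor as (min l, geometric mean of m, max u); the aggregate is defuzzified as (l + m + u) / 3; and a factor is retained when its crisp score reaches a threshold. The linguistic scale, the 0.5 threshold, the candidate factor names and the ten constructed expert votes are all assumptions chosen for the example and are not taken from the paper.

```python
"""Fuzzy Delphi screening of candidate information security risk factors.

Added illustrative example (not from the paper). Scale, threshold,
factor names and expert votes are constructed assumptions.
"""
from math import prod

# Assumed linguistic scale -> triangular fuzzy number (l, m, u).
# Every middle value m is > 0 so the geometric mean is never zeroed out
# by a single "very low" vote.
SCALE = {
    "very low":  (0.1, 0.1, 0.3),
    "low":       (0.1, 0.3, 0.5),
    "medium":    (0.3, 0.5, 0.7),
    "high":      (0.5, 0.7, 0.9),
    "very high": (0.7, 0.9, 0.9),
}


def aggregate(ratings):
    """Combine one factor's expert ratings into a single triangular fuzzy number.

    ratings: list of (l, m, u) tuples, one per expert.
    Returns (min of all l, geometric mean of all m, max of all u).
    """
    if not ratings:
        raise ValueError("a factor needs at least one expert rating")
    ls, ms, us = zip(*ratings)
    geo_mean = prod(ms) ** (1.0 / len(ms))
    return (min(ls), geo_mean, max(us))


def defuzzify(tfn):
    """Simple-average defuzzification of a triangular fuzzy number."""
    l, m, u = tfn
    return (l + m + u) / 3.0


def screen(panel, threshold=0.5):
    """Score every candidate factor and decide whether it survives the screen.

    panel: {factor_name: {expert_id: linguistic_term}}.
    Returns {factor_name: (crisp_score, retained)} ordered by score, highest first.
    """
    results = {}
    for factor, votes in panel.items():
        tfns = [SCALE[term.lower()] for term in votes.values()]
        score = defuzzify(aggregate(tfns))
        results[factor] = (round(score, 4), score >= threshold)
    return dict(sorted(results.items(), key=lambda kv: kv[1][0], reverse=True))


def retained_factors(panel, threshold=0.5):
    """Names of the factors that pass the screen, highest score first."""
    return [name for name, (_, keep) in screen(panel, threshold).items() if keep]


# Constructed sample panel: ten hypothetical experts (e1..e10) rating four
# hypothetical candidate sub-factors. None of this is data from the paper.
def _votes(terms):
    return {f"e{i + 1}": t for i, t in enumerate(terms)}


SAMPLE_PANEL = {
    "Weak access control on core banking systems":
        _votes(["very high"] * 5 + ["high"] * 5),
    "Untested backup restoration procedures":
        _votes(["medium"] * 4 + ["high"] * 4 + ["low"] * 2),
    "Third-party vendor remote access":
        _votes(["very high"] * 3 + ["high"] * 3 + ["medium"] * 3 + ["low"]),
    "Desk layout in the branch lobby":
        _votes(["very low"] * 6 + ["low"] * 4),
}

if __name__ == "__main__":
    for name, (score, keep) in screen(SAMPLE_PANEL).items():
        print(f"{score:.4f}  {'keep' if keep else 'drop'}  {name}")
```

Two design points are worth noticing when running this. The min/max aggregation makes the lower and upper bounds depend on the single most extreme vote, so one dissenting "low" rating widens the fuzzy number for a factor the rest of the panel rated highly; the geometric mean of the middle values is what keeps the crisp score stable. And the threshold is a policy choice: a factor that lands just above it (the backup-restoration example here) is exactly the kind of borderline item a second Delphi round exists to re-examine.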

