Multicriteria analysis of the compliance for the improvement of information security

Pedro Solana-González, Adolfo Alberto Vanti, Karen Hackbart Souza Fontana


Information security is a current concern in the protection of information assets. It involves significant variables of a strategic, organizational and IT governance nature, and it requires analyzing compliance with the international standards that regulate business actions. Accordingly, this work analyzes institutional compliance in order to improve information security, applying the Analytic Hierarchy Process methodology to the specific practices defined in ISO/IEC 27002:2013. Expert Choice was used as the decision support system; it generated a ranking of priorities for the criteria and alternatives used in the decision process, which was later applied in a medium-sized Brazilian industrial company. The results identify the main security practice, which relates to the independent critical analysis of information security.


Information security, Compliance, Security practices, Analytic hierarchy process, Decision support system






Copyright (c) 2019 Journal of Information Systems and Technology Management
