Identification and Prioritization of Parameters Affecting Information Security Management System (Case Study: Social Security Branches of Guilan Province)
Subject Areas : GeneralAsadollah Shahbahrami 1 , ramin rafizadeh kasani 2 , hossein pour yousefi dargah 3
1 - عضو هیات علمی
2 -
3 -
Keywords: Information Security, Information Security Management System, Fuzzy Hierarchical Analysis, Soft Factors, Hard Factors,
Abstract :
Information and its protection is one of the most important pillars of survival of today's organizations. Defines and considers many ISMS implementation failures to be rooted in organizational issues and disregard for the organization's readiness prior to implementation. Therefore, assessing the situation and prioritizing information security risks and creating an overview and hierarchy of it, is important in the successful establishment of the information security system. However, in terms of dimensions, effects and various causes of security risks and considering the multiplicity of indicators and effective parameters of ISMS implementation, it is necessary to use multi-criteria decision-making models in their evaluation and ranking. . In this study, an attempt has been made to classify the factors affecting the information security management system into two groups of soft and hard factors and in order to accurately rank and focus more, especially in conditions of uncertainty that is inherent in human decision making, Fuzzy hierarchical analysis (FAHP) was performed. Based on this and with the help of a questionnaire to quantify the results, the opinions of technical experts including academic experts, managers and employees of the information technology department of social security branches in Guilan province have been used as a case study of this research. The results show that soft factors including managerial and cultural / social factors are more important than hard factors including financial and technical / technological factors in information security management system and management factors are more important than other soft factors as well as technical / technological factors. They are more important than other difficult factors.
1. تاج¬فر، امیرهوشنگ، محمد محمودي ميمند، فاطمه رضاسلطاني و پوريا رضاسلطاني. (1393). رتبه¬بندي موانع پياده¬سازي سيستم مديريت امنيت اطلاعات و بررسي ميزان آمادگي مديريت اكتشاف. مدیریت فناوری اطلاعات. 6 (4): 551-566.
2. قرایی، حسین و مهسا آقا محی الدین. (1393). بهبود رتبه¬بندی مخاطرات امنیت اطلاعات با استفاده از مدل¬های تصمیم¬گیری چندشاخه. پردازش علائم و داده¬ها. 2 (22): 3-14.
3. آرام، محمدرضا. (1388). بررسي و سنجش مؤلفههاي مؤثر بر مديريت امنيت اطلاعات در فناوري اطلاعات شركت گاز پارس جنوبي. پاياننامه كارشناسي ارشد، دانشگاه شهيد بهشتي.
4. بهرامی، مجتبی. (1390). ارائه روشی مناسب برای بهبود و توسعه شاخص های مدیریت امنیت اطلاعات جهت طراحی و پیاده سازی در سازمان ها. هشتمین کنفرانس بین المللی انجمن رمز ایران.
5. صالحیان، مهران. (1388). بررسی استقرار سیستم مدیریت امنیت اطلاعات (ISMS) در دستگاه¬های دولتی. پایان¬نامه کارشناسی ارشد. دانشگاه شیراز.
6. طاهري، مهدي. (1386). ارائه چارچوبي براي نقش عوامل انساني در امنيت سيستم¬هاي اطلاعاتي. پایان¬نامه کارشناسی ارشد. دانشگاه تربيت مدرس. تهران.
7. زنده دل نوبري، بابك. (1389). ارائه مدلي جهت رتبهبندي سازمانها بر مبناي اندازهگيري و شناسايي ميزان بلوغ امنيت اطلاعات در آنها. پاياننامه كارشناسي ارشد. دانشگاه آزاد اسلامي واحد علوم تحقيقات. تهران.
8. شاه بهرامی، اسدا.. رفیع زاده کاسانی، رامین. (1394). امنیت منابع فناوری اطلاعات، انتشارات جهاد دانشگاهی-تهران.
9. مومني، منصور (1385)، مباحث نوين تحقيق در عمليات، انتشارات دانشکده مديريت، دانشگاه تهران.
10. Buckley, J. (1985). Fuzzy Hierarchial Analysis. Fuzzy Sets and Systems. 17. 233-247.
11. Chang, E., Lin, C. (2007). Exploring organizational culture for information security Management. Industrial Management & Data Systems. 107. 1-10.
12. Choi, N. Dan, K and Jahyun G. (2008). Knowing is doing: An empirical validation of the relationship between managerial information security awareness and action, Information Management & Computer Security. 16. 484-485.
13. Deng, H.(1999). Multicriteria analysis with fuzzy pairwise comparisons. International Journal of Approximate Reasoning. 21. 231–215.
14. Hua, B. (2008). A Fuzzy AHP Based Evaluation Method for Vendor-Selection. Shenzhen Tourism College. Jinan University. Shenzhen. 518053. China.
15. ISO/IEC 27001. (2005). Information technology-Security techniques-Information security management systems–Requirements (First edition).
16. ISO/IEC 27005. (2008). Information technology - Security techniques-Information security risk management (First edition).
17. Hubacek, K. Dabo G. and Anamika B. (2007). Changing Lifestyles and Consumption Patterns in Developing Countries: A Scenario Analysis for China and India. Sustainability Research Institute (SRI). 45-62.
18. Kritzinge, E and Elme S. (2008). Information security management: An information security retrieval and awareness model for industry. Computer & security. 27. 224-231.
19. Kruger, H and Kearney, W. D. (2006). A prototype for assessing information security awareness, Computer & security, 25, 289-296.
20. Lau, H. C. and Mohd Awang, I. (2001). The Soft Foundation of The Critical SuccessFactors on TQM Implementation in Malaysia, The TQM magazine , Vol.13 , No. 1, PP. 51-62.
21. Lewis W. Pun, K. Fai. L. (2006). Exploring Soft versus Hard Factors for TQM Implementation in Small and Medium-Sized Enterprises, International Journal of Productivity and Performance Management, Vol. 55, No. 7, PP. 539-554.
22. Nikrerk, J. and Solms, V. (2009). Information security culture: a management perspective, Computer & security, 5, 142-144.
23. Saaty, T.L., (1980). The Analytic Hierarchy Process, New York, Mc GrawHill.
24. Saaty, T.L.(1994).How to Make a
Decision:The Analytic Hierarchy Process, Interfaces 24(6):19-43.
25. Chang, D. (1996). Applications of the Extent Analysis Method on Fuzzy AHP. European Journal of Operational Research. 95(3). 649-655.
26. Sungho, K. Jang, S. Lee, J and Kim,S.(2007).Common defects in information security management system of Korean companies. The Journal of Systems and Software. 80(10). 1631–1638.
27. Broderick, J. S. (2006). ISMS, security standards and security regulations, information security technical report. 11: 26 –31.
28. Meer, J. van der (Jeroen). (2012). Multi-criteria decision model inference and application in information security risk classification