Available online at www.sciencedirect.com
ScienceDirect
Procedia Computer Science 134 (2018) 365–370
www.elsevier.com/locate/procedia

The 5th International Symposium on Emerging Inter-networks, Communication and Mobility (EICM 2018)

A Novel Approach for Optimizing Governance, Risk management and Compliance for Enterprise Information security using DEMATEL and FoM

Dharmalingam Ramalingam a*, Shivasankarappa Arun b, Neelamegam Anbazhagan c

a Assistant Professor, Faculty of Information Technology, Majan University College, Muscat, Oman
b Assistant Professor, Head, Department of Planning and Development, Middle East College, Muscat, Oman
c Professor, Head of Department, Department of Mathematics, Alagappa University, Karaikudi, India

Abstract

Information technology Governance, Risk management and Compliance (IT-GRC) are critical in the contemporary business environment since most business processes rely on information technology. However, studies indicate that off-the-shelf IT-GRC products are unsuitable for measuring the effectiveness and efficiency of IT-GRC controls. This article proposes a novel approach to measuring the effectiveness and efficiency of IT-GRC controls by using the Decision Making Trial and Evaluation Laboratory (DEMATEL) methodology and arriving at the Figure of Merit (FoM) to find the optimal value of effectiveness and efficiency. The proposed method quantifies the input values by calculating the relative influence and cause of the controls. Efficiency and effectiveness are analysed based on key metrics such as performance, the strength of security controls, ease of use and cost. The proposed method has been applied to various scenarios with varying controls for evaluation, and then the optimal value (Figure of Merit) is found by an iterative method. This method can be extended to any type of IT security control standard or framework such as ISO 27001, COBIT 5, ITIL and PCI-DSS.

© 2018 The Authors. Published by Elsevier Ltd.
This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/3.0/).
Peer-review under responsibility of the scientific committee of the 13th International Conference on Future Networks and Communications, FNC-2018 and the 15th International Conference on Mobile Systems and Pervasive Computing, MobiSPC 2018.

Keywords: IT-GRC optimization, Mathematical model for Optimizing IT-GRC, DEMATEL method for IT-GRC optimization, DEMATEL and FoM method for IT-GRC optimization, a Hybrid method for IT-GRC optimization

* Corresponding author. Tel.: +968 92729055; fax: +968 24730490
E-mail address: Ramalingam.d@majancollege.edu.om

1877-0509 © 2018 The Authors. Published by Elsevier Ltd.
10.1016/j.procs.2018.07.197
366 Dharmalingam Ramalingam et al. / Procedia Computer Science 134 (2018) 365–370

1. Introduction

Information security focuses on dimensions such as management and decision making, risk assessment and
security compliance. These three dimensions are consolidated into Governance, Risk management and Compliance
(GRC) processes through which management strategically identifies, analyzes and, where necessary, responds
appropriately to risks that might adversely affect the realization of an organization’s business objectives [1].

IT-GRC implementation becomes complex and time-consuming due to the changing IT landscape and the difficulty of
measuring the efficiency and effectiveness of the control objectives. Issues also arise in the use of off-the-shelf IT-GRC
tools. Studies indicate that, owing to the nature of organizations and their internal environment and operational factors,
these commercial IT-GRC tools do not provide optimized solutions [2].

This article aims to arrive at an optimized IT-GRC by introducing a novel mathematical model for optimizing
information security: IT-GRC is optimized using the Decision Making Trial and Evaluation Laboratory
(DEMATEL) method, and an optimal Figure of Merit (FoM) is derived from the result.

2. Literature review

Most enterprises adopt information security standards for managing their IT-related issues and ensuring a conducive
environment for their operations [3]. In spite of these measures, data breaches are evident and evolve from new
dimensions. For instance, cloud computing has led to new security risks due to changes in the functions of client
organizations [4]. Even though the information security of cloud computing has many similarities with the traditional IT
services deployed in a company, it is worth noting that it introduces significant threats which are to be re-evaluated
[5]. Risk management is a significant issue in information security which strives to strike a balance between costs
and security measures [6]. The underpinning problem is identifying and prioritizing potential risks from a massive risk
surface.
Researchers suggest that periodic risk assessments coupled with continuous monitoring of evolving risks may
decrease threats. Today, organisations are acknowledging that several heterogeneous technologies and processes
working in silos inevitably lead to inefficiency and increased costs and present higher risk factors [7]. In order to
overcome these limitations, information security experts are focusing on a comprehensive, adaptive policy-based
framework covering the IT-GRC solution [8].

IT-GRC’s success depends on its synchronization within the organization. IT-GRC functions are to be coupled
with each other in such a way that each one complements the others. For example, governance programs help in
devising IT strategy by evaluating the controls required for IT compliance. Similarly, a compliance program
explores and exploits risk factors to justify the necessary controls. Finally, risk management assesses the risk based
on IT governance and compliance mechanisms to normalize the organization’s risk profile.

From the above discussion, it is evident that the success of an IT-GRC implementation depends on this mutual
coordination. Adopting a common control framework to implement the IT-GRC program is necessary to achieve such
synchronization. A wide variety of IT security control standards and frameworks are available for organizations to
explore and exploit. Some standards, such as ISO 27001, define operational controls, whereas others, such as
COSO's framework, define the strategies that are to be adopted for enterprise risk management
[9]. Burton Group recommends that the organization choose the control standard or framework that it can
implement and measure, and that provides an environment to explore and exploit new opportunities and threats at an
acceptable cost that can justify the return on investment [10].

The popular proverb “what gets measured gets done” is perfectly suitable for IT security controls [11]. A security
metric is an attribute which can quantify the effectiveness of an organization’s security control
measures [12]. Another study reports that enterprises perceive security metrics as one of the essential parts of
information security evaluation; however, accuracy in such measurement is considered a difficult
process [13]. Several researchers also argue that difficulty exists in deciding what to measure and how to report it
across the organization so that it can be meaningful for strategic decision-making [14]. Further, quantitative
metrics are often not placed in proper context and are thus underutilized; some studies simply try to measure
the easier features, such as the number of login failures, and fail to correlate and study the interdependencies among the
various controls, making the metrics ineffective for decision making [14]. Another researcher argues that the binary
(yes or no) questionnaire used to study the existence of controls might be useful to find whether controls exist,
but it fails to measure the performance of such controls. Use of statistical techniques such as averaging the
values might not be suitable in some cases, as averaging can simply hide underperforming controls when the average
meets the desired result [15]. The above points lead to the conclusion that a problem exists in measuring the
effectiveness and efficiency of IT security measures.

3. Problem statement

Attaining successful information security implementation with optimally balanced governance, risk management
and compliance is a cumbersome task as there are various challenges that are to be addressed by decision makers.
The primary issues that this article focuses on are stated below.

3.1. Reports submitted by security managers often do not facilitate decision making, since numeric values
that are obtained by qualitative methods tend to conceal their nature and do not reveal the actual
influence and cause.
3.2. Qualitative measurement techniques are considered standard practice in many organizations; they are
often based on subjective information and are unfortunately not suitable for measuring the effectiveness of
the controls. Further, monitoring and enhancement of these controls will not be realistic.
3.3. Quantitative metrics derived from commercial IT-GRC platforms do not reflect the real situation, since
they do not adopt a scientifically proven methodology in the proper context and do not indicate any
correlation, which makes them unsuitable for decision making.
3.4. Researchers argue that the balanced scorecard (BSC) method was not originally meant for information
security measures, and its use there is subject to debate [16].
3.5. Since emerging risks are not considered realistically, business strategies and operational plans do not
synchronize, which makes it impossible to predict the effectiveness of security controls.

4. Methodology

This research is built on a combination of qualitative and quantitative research methods coupled with
optimization methods adopting well-established mathematical techniques. The major security metrics
that are most suitable for evaluating the efficiency and effectiveness of information security controls are identified.
The identified metrics were measured by collecting security experts’ opinions in the form of “cause and influence”
using the DEMATEL method. The optimal solution set is arrived at by computing the Figure of Merit of the various
solution sets and selecting the best FoM.

5. Proposed approach

5.1. Deciding the candidate metrics

The performance measurement guide for information security published by NIST reiterates that metrics should be
developed based on the goals and objectives of an organization [17]. Jansen states that “A few well-chosen metrics can
be a huge help in monitoring controls and measuring their effectiveness” [18]. The authors have chosen the following
information security metrics: performance, ease of use, usability, strength of control measure and cost.

5.2. Constructing the optimal solution

5.2.1. Selecting the control framework

Various information security control frameworks and standards are available, such as COBIT, PCI-DSS, COSO,
SOX, HIPAA and ISO 27001. The authors selected the International Organization for Standardization’s (ISO)
ISO 27001 standard based on its popularity and wide coverage of processes and domains.

5.2.2. Classify controls into IT-GRC


The controls are classified primarily in order to avoid unnecessary duplication of security controls,
which would otherwise lead to duplicate activities lacking coordination between the control objectives.

5.2.3. Apply DEMATEL method


The Battelle Memorial Institute (BMI) of the Geneva Research Center developed the Decision-Making Trial and
Evaluation Laboratory (DEMATEL) method in 1971 to solve a variety of problems such as racism, hunger,
environmental protection and energy [19]. The process flow diagram of the DEMATEL method given in Fig. 1 is
explained in the following steps.

Figure 1 DEMATEL Process Flow Diagram

The subject experts’ role is crucial in the DEMATEL method, as they form the source of information for the entire analysis.
Subject experts provide an $N \times N$ matrix in which they are requested to scale the influence of factor $N_i$ on all
other factors (0 = no influence; 1 = low influence; 2 = high influence; 3 = very high influence).

The direct-influence matrix (D) is derived by selecting the influencing factors. To normalize D, first calculate the
maximum of the row sums and column sums of the direct influence matrix (D), as defined in equation (1), and then
scale the matrix D by the factor (s) as given in equation (2).

This produces the normalized direct influence matrix (X).

$s = \max\left\{\max_{1 \le i \le n} \sum_{j=1}^{n} a_{ij},\ \max_{1 \le j \le n} \sum_{i=1}^{n} a_{ij}\right\}$ (1)

$X = s \cdot D$ (2)
The total relation matrix is calculated by the continuous reduction of the indirect effects of problems along the powers of
the matrix X, i.e. $X^2, X^3, X^4, \ldots, X^k$, with $\lim_{k \to \infty} X^k = 0_{n \times n}$, where $0 \le x_{ij} < 1$ and
$0 \le \sum_{i} x_{ij} < 1$ or $0 \le \sum_{j} x_{ij} < 1$, with only one column or row sum equal to 1.

The total influence matrix is then:

$T = X + X^2 + \cdots + X^k = X\,(I + X + X^2 + \cdots + X^{k-1})\,(I - X)(I - X)^{-1} = X\,(I - X^k)\,(I - X)^{-1}$

and, since $X^k \to 0$,

$T = X\,(I - X)^{-1}$, where $I$ is the identity matrix. (3)

The total effects (D) and total causes (R) can be calculated from the total influence matrix (T) using formulas (4)
and (5).

$D = \left[\sum_{j=1}^{n} T_{ij}\right]_{n \times 1} = [t_i]_{n \times 1}$ (4)

$R = \left[\sum_{i=1}^{n} T_{ij}\right]_{1 \times n} = [t_j]_{1 \times n}$ (5)

D represents the total effects, both direct and indirect, given by criterion i to the other criteria j = 1, 2, …, n, and
R represents the total causes, direct and indirect, received by criterion j from the other criteria i = 1, 2, …, n. DEMATEL
is the most important method applied within multi-criteria decision making (MCDM) to visualize and
construct the interrelations between criteria and sub-criteria [20].

5.2.4. Calculate Figure of Merit


The Figure of Merit (FoM) is the quantitative attribute that defines the “fair value” of each set of solutions. This
value helps in effective decision making. Consider a system (X) for which the FoM needs to be calculated by
improving security strength (S), usability (U) and performance (P) while reducing cost (C). In this example, the
desirable factors are S, U and P, whereas the undesirable factor is C. The FoM function (F) can be defined as
follows:

$F(X) = [S(X) + U(X) + P(X) - C(X)]$ (6)

where
S(X) is the strength of the security mechanism of the system,
U(X) is the indicator of usability of the system (effectiveness),
P(X) is the performance measure (efficiency), and
C(X) is the overall cost of the controls.

The function given in eq. (6) can be further enhanced by applying relative weights (w) associated with each
factor. For example, security strength can be given more priority than usability. Input from process owners or direct
stakeholders is essential in providing such weights. The FoM function F is then calculated as follows:

$F(X) = \dfrac{w_1 S(X) + w_2 U(X) + w_3 P(X) - w_4 C(X)}{\sum_{i} w_i}$ (7)

The individual functions S(X), U(X), P(X) and C(X) can be calculated either by an exhaustive enumeration method or
by a nonlinear programming method, depending on the number of solution sets [21].
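As an added example (not code from the paper or its authors), the following Python carries the DEMATEL steps of Section 5.2.3, equations (1) to (5), through on a constructed 4×4 expert matrix over the four metrics of Section 5.2.4, and then ranks constructed candidate solution sets by the weighted FoM of equation (7). The expert scores, candidate sets and stakeholder weights are made-up inputs; the normalisation is implemented as X = D / s, i.e. scaling by the reciprocal of the largest row or column sum, which is the form that yields the 0 ≤ x_ij < 1 condition stated with equation (3).

```python
from typing import List, Tuple

Matrix = List[List[float]]

# Constructed expert influence matrix (not data from the paper) over the four
# metrics of Section 5.2.4, ordered S (strength), U (usability), P (performance),
# C (cost); scale as in Section 5.2.3: 0 = no influence ... 3 = very high.
EXPERT_SCORES: Matrix = [[0, 2, 1, 3],
                         [1, 0, 2, 1],
                         [1, 2, 0, 2],
                         [2, 1, 1, 0]]

def normalise(d: Matrix) -> Matrix:
    """Eq. (1)/(2): s = largest row or column sum of D; X = D / s, the scaling
    under which 0 <= x_ij < 1 as the text requires."""
    n = len(d)
    s = max(max(sum(row) for row in d),
            max(sum(d[i][j] for i in range(n)) for j in range(n)))
    return [[v / s for v in row] for row in d]

def mat_mul(a: Matrix, b: Matrix) -> Matrix:
    return [[sum(a[i][k] * b[k][j] for k in range(len(b)))
             for j in range(len(b[0]))] for i in range(len(a))]

def inverse(m: Matrix) -> Matrix:
    """Gauss-Jordan inverse with partial pivoting (adequate for small n)."""
    n = len(m)
    aug = [row[:] + [float(i == j) for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        aug[col] = [v / p for v in aug[col]]
        for r in range(n):
            if r != col:
                f = aug[r][col]
                aug[r] = [rv - f * cv for rv, cv in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def total_relation(x: Matrix) -> Matrix:
    """Eq. (3): T = X (I - X)^-1, the closed form of X + X^2 + ... + X^k."""
    n = len(x)
    i_minus_x = [[float(i == j) - x[i][j] for j in range(n)] for i in range(n)]
    return mat_mul(x, inverse(i_minus_x))

def effects_and_causes(t: Matrix) -> Tuple[List[float], List[float]]:
    """Eq. (4)/(5): D_i = row sums (effects given), R_j = column sums (received)."""
    n = len(t)
    return ([sum(t[i]) for i in range(n)],
            [sum(t[i][j] for i in range(n)) for j in range(n)])

def figure_of_merit(s: float, u: float, p: float, c: float,
                    w: Tuple[float, float, float, float]) -> float:
    """Eq. (7): weighted FoM; cost C is the undesirable factor (negative sign)."""
    return (w[0] * s + w[1] * u + w[2] * p - w[3] * c) / sum(w)

def best_solution(sets: dict, w: Tuple[float, float, float, float]) -> str:
    """The paper takes the solution set with the maximum FoM as optimal."""
    return max(sets, key=lambda k: figure_of_merit(*sets[k], w))

if __name__ == "__main__":
    D, R = effects_and_causes(total_relation(normalise(EXPERT_SCORES)))
    for name, d_i, r_i in zip("SUPC", D, R):   # D+R: prominence, D-R: net cause
        print(f"{name}: D={d_i:.3f} R={r_i:.3f} D-R={d_i - r_i:+.3f}")
    # Constructed (S, U, P, C) scores for three candidate control sets.
    sets = {"A": (3, 1, 2, 3), "B": (2, 2, 2, 1), "C": (1, 3, 2, 1)}
    print("optimal set:", best_solution(sets, (2, 1, 1, 1)))
```

A positive D − R marks a metric that mainly drives the others (a cause), a negative one a metric that is mainly driven (an effect); that split is what the paper means by the "influence and cause" fed into the FoM decision.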

6. Application of the proposed method in a realistic case

The proposed method has been tested with four different scenarios and the working files are available on request
from the corresponding author due to the page limit of this paper.

7. Conclusion

The authors were able to address the above-mentioned problems that arise in qualitative measurements of security
controls, which are unsuitable for measuring the effectiveness of the security controls and so make decision making
difficult and unrealistic. A scientifically proven methodology, DEMATEL, is used to analyse the experts’
opinions, thereby calculating the “Influence and Cause” of the security controls of the overall system. Further, the FoM
attribute is calculated to give the “Fair Value” of each set of solutions, with the maximum value
taken as the optimal value. The approach gives one the liberty to choose any suitable information security
control framework or standard and to predict the effectiveness of the security controls, thus enabling informed decision
making.

References

[1] E. Humphreys, “Information security management standards: Compliance, governance and risk management,” Information Security Technical
Report, vol. 13, no. 4, pp. 247–255, 2008.
[2] H. Trent, “Products for managing governance, risk, and compliance: market fluff or relevant stuff,” Burton Group. Mar, vol. 18, 2008.
[3] S. Ernest Chang and C.-S. Lin, “Exploring organizational culture for information security management,” Industrial Management & Data
Systems, vol. 107, no. 3, pp. 438–458, 2007.
[4] L. Sumter, “Cloud computing: security risk,” in Proceedings of the 48th Annual Southeast Regional Conference, 2010, p. 112.
[5] Jericho Forum, “Cloud Cube Model: Selecting Cloud Formations for Secure Collaboration,” April 2009.
[6] K. J. S. Hoo, How much is enough? A risk management approach to computer security. Stanford University, 2000.
[7] R. D. Galliers and D. E. Leidner, Strategic information management: challenges and strategies in managing information systems. Routledge,
2014.
[8] V. Casola, A. De Benedictis, and M. Rak, “On the Adoption of Security SLAs in the Cloud,” in Accountability and Security in the Cloud,
Springer, 2015, pp. 45–62.
[9] S. Sahibudin, M. Sharifi, and M. Ayat, “Combining ITIL, COBIT and ISO/IEC 27002 in order to design a comprehensive IT framework in
organizations,” in Modeling & Simulation, 2008. AICMS 08. Second Asia International Conference on, 2008, pp. 749–753.
[10] B. Blakley, “Security Compliance Orchestration: A Market Emerges Out of the IT-GRC Fog,” Burton Group, 7090 Union Park Center, Suite
200, Midvale, Utah USA 84047-4169, ISSN 1048-4620, Aug. 2008.
[11] S. R. Ranji, “What Gets Measured Gets (Micro) managed,” JAMA, vol. 312, no. 16, pp. 1637–1638, 2014.
[12] D. Dalalah, M. Hayajneh, and F. Batieha, “A fuzzy multi-criteria decision making model for supplier selection,” Expert systems with
applications, vol. 38, no. 7, pp. 8384–8391, 2011.
[13] C.-W. Li and G.-H. Tzeng, “Identification of a threshold value for the DEMATEL method using the maximum mean de-entropy algorithm
to find critical services provided by a semiconductor intellectual property mall,” Expert Systems with Applications, vol. 36, no. 6, pp. 9891–
9898, 2009.
[14] J. L. Yang and G.-H. Tzeng, “An integrated MCDM technique combined with DEMATEL for a novel cluster-weighted with ANP method,”
Expert Systems with Applications, vol. 38, no. 3, pp. 1417–1424, 2011.
[15] M. L. Frigo and R. J. Anderson, “A strategic framework for governance, risk, and compliance,” Strategic Finance, vol. 90, no. 8, pp. 20–61,
2009.
[16] W. K. Brotby and G. Hinson, PRAGMATIC Security Metrics: Applying Metametrics to Information Security. CRC Press, 2013.
[17] A. Jaquith, Security metrics. Pearson Education, 2007.
[18] J. Serey, I. Soto, L. Quezada, R. Carrasco, and L. Sun, “Development of a Competition Model for Selecting Information Security Methods,”
in LISS 2013, Springer, 2015, pp. 1287–1292.
[19] E. Falatoonitoosi, Z. Leman, S. Sorooshian, and M. Salimi, “Decision-making trial and evaluation laboratory,” Research Journal of Applied
Sciences, Engineering and Technology, vol. 5, no. 13, pp. 3476–3480, 2013.
[20] G. Büyüközkan and G. Çifçi, “A novel hybrid MCDM approach based on fuzzy DEMATEL, fuzzy ANP and fuzzy TOPSIS to evaluate
green suppliers,” Expert Systems with Applications, vol. 39, no. 3, pp. 3000–3011, 2012.
[21] S.-J. J. Lee, “Figures of Merit in Engineering Design.” Mar-2011.
