Have a personal or library account? Click to login
Outsource or not? An AHP Based Decision Model for Information Security Management Cover

Outsource or not? An AHP Based Decision Model for Information Security Management

Organizacija
Volume 55 (2022): Issue 2 (May 2022)
By: Luka Jelovčan,  Anže Mihelič and  Kaja Prislan  
Open Access
|Jun 2022

References

  1. Aldya, A. P., Sutikno, S., & Rosmansyah, Y. (2019). Measuring effectiveness of control of information security management system based on SNI ISO/IEC 27004: 2013 standard. IOP Conference Series: Materials Science and Engineering, 550(1). https://doi.org/10.1088/1757-899X/550/1/012020
    Search in Google ScholarBack to article
  2. Atkinson, M. A., Bayazit, O., & Karpak, B. (2015). A case study using the Analytic Hierarchy Process for IT outsourcing decision making. International Journal of Information Systems and Supply Chain Management, 8(1), 60–84. https://doi.org/10.4018/ijisscm.2015010104
    Search in Google ScholarBack to article
  3. Atmojo, T. A., Prabowo, H., So, I. G., & Abdinagoro, S. B. (2019). Improving information security performance: the role of management support and security operation center. International Journal of Recent Technology and Engineering, 8(2), 4880–4886. https://doi.org/10.35940/ijrte.B3653.078219
    Search in Google ScholarBack to article
  4. Beckers, K., Côté, I., Faßbender, S., Heisel, M., & Hofbauer, S. (2013). A pattern-based method for establishing a cloud-specific information security management system: Establishing information security management systems for clouds considering security, privacy, and legal compliance. Requirements Engineering, 18(4), 343–395. https://doi.org/10.1007/s00766-013-0174-7
    Search in Google ScholarBack to article
  5. Beybutov, E. (2009). Managing of information security with outsource service provider. In International Siberian Conference on Control and Communications, SIBCON-2009, (pp. 62–66). Tomsk, Russia: IEEE10.1109/SIBCON.2009.5044831
    Search in Google ScholarBack to article
  6. Bojanc, R., Jerman-Blažič, B., & Tekavčič, M. (2012). Managing the investment in information security technology by use of a quantitative modeling. Information Processing and Management, 48(6), 1031–1052. https://doi.org/10.1016/j.ipm.2012.01.001
    Search in Google ScholarBack to article
  7. Božičević, J., Lovrić, I., Bartulović, D., Steiner, S., Roso, V., & Škrinjar, J. P. (2021). Determining optimal dry port location for seaport Rijeka using AHP decision-making methodology. Sustainability (Switzerland), 13(11). https://doi.org/10.3390/su13116471
    Search in Google ScholarBack to article
  8. Cezar, A., Cavusoglu, H., & Raghunathan, S. (2016). Sourcing Information Security Operations: The Role of Risk Interdependency and Competitive Externality in Outsourcing Decisions. Production and Operations Management, 26(5), 860–879. https://doi.org/10.1111/ijlh.12426
    Search in Google ScholarBack to article
  9. Chu, A. M. Y., & So, M. K. P. (2020). Organizational information security management for sustainable information systems: An unethical employee information security behavior perspective. Sustainability (Switzerland), 12(8), 1–25. https://doi.org/10.3390/SU12083163
    Search in Google ScholarBack to article
  10. Cisco. (2018). Annual Cybersecurity Report (pp. 1-68). Retrieved from: https://www.cisco.com/c/dam/m/hu_hu/campaigns/security-hub/pdf/acr-2018.pdf
    Search in Google ScholarBack to article
  11. Clement, J. (2020). Amount of monetary damage caused by reported cyber crime to the IC3 from 2001 to 2019. Retrieved from: https://www.statista.com/statistics/267132/total-damage-caused-by-by-cyber-crime-in-the-us/
    Search in Google ScholarBack to article
  12. Cybersecurity Insiders. (2018). Managed Security Report. Retrieved from: https://www.cybersecurity-insiders.com/download-reports/
    Search in Google ScholarBack to article
  13. Dibbern, J., Goles, T., Hirschheim, R., & Jayatilaka, B. (2004). Information Systems Outsourcing: A Survey and Analysis of the Literature. The Data Base for Advances in Information Systems, 35(4), 6–102. https://doi.org/10.1145/1035233.1035236
    Search in Google ScholarBack to article
  14. Eduardovich, D. V., & Vladimirovich, Y. A. (2016). Reputation risks through information security incidents. In Proceedings of the 2016 IEEE North West Russia Section Young Researchers in Electrical and Electronic Engineering Conference, EIConRusNW 2016, (pp. 194–198). St. Petersburg, Russia; St. Petersburg Electrotechnical University.10.1109/EIConRusNW.2016.7448152
    Search in Google ScholarBack to article
  15. Faisal, M. N., & Raza, S. A. (2016). IT outsourcing intent in academic institutions in GCC countries: An empirical investigation and multi-criteria decision model for vendor selection. Journal of Enterprise Information Management, 29(3), 432–453. https://doi.org/10.1108/JEIM-05-2015-0042
    Search in Google ScholarBack to article
  16. Feng, N., & Chen, B. (2017). An Integrated Strategy for Information Security: Outsourcing and In-house. In E. Qi, J. Shen & R. Dou (Eds.), Proceedings of the 23rd International Conference on Industrial Engineering and Engineering Management 2016, (pp. 305–309). Bali, Indonesia: Atlantic Press.10.2991/978-94-6239-255-7_55
    Search in Google ScholarBack to article
  17. Feng, N., Chen, Y., Feng, H., Li, D., & Li, M. (2019). To outsource or not: The impact of information leakage risk on information security strategy. Information and Management, 57(5). https://doi.org/10.1016/j.im.2019.103215
    Search in Google ScholarBack to article
  18. Feng, N., Wang, M., Li, M., & Li, D. (2019b). Effect of security investment strategy on the business value of managed security service providers. Electronic Commerce Research and Applications, 35(March), 100843. https://doi.org/10.1016/j.elerap.2019.100843
    Search in Google ScholarBack to article
  19. Fenn, C., Shooter, R., & Allan, K. (2002). IT security outsourcing: How safe is your IT security? Computer Law and Security Report, 18(2), 109–111. https://doi.org/10.1016/S0267-3649(02)03009-1
    Search in Google ScholarBack to article
  20. Fusiripong, P., Baharom, F., & Yusof, Y. (2020). Analytic hierarchy process with firefly algorithm for supplier selection in IT project outsourcing. Journal of Theoretical and Applied Information Technology, 98(8), 1255–1269.
    Search in Google ScholarBack to article
  21. Georg, L. (2017). Information security governance: pending legal responsibilities of non-executive boards. Journal of Management and Governance, 21(4), 793–814. https://doi.org/10.1007/s10997-016-9358-0
    Search in Google ScholarBack to article
  22. Goepel, K. D. (2018). Implementation of an Online Software Tool for the Analytic Hierarchy Process (AHPOS). Journal of the Analytic Hierarchy Process, 10(3), 469–487. https://doi.org/10.13033/ijahp.v10i3.590
    Search in Google ScholarBack to article
  23. Gulla, U., & Gupta, M. P. (2011). Deciding the level of information systems outsourcing: Proposing a framework and validation with three Indian banks. Journal of Enterprise Information Management, 25(1), 28–59. https://doi.org/10.1108/17410391211192152
    Search in Google ScholarBack to article
  24. Harker, P. T., & Vargas, L. G. (1987). Theory of Ratio Scale Estimation: Saaty’s Analytic Hierarchy Process. Management Science, 33(1), 1383–1403. https://doi.org/10.1287/mnsc.33.11.1383
    Search in Google ScholarBack to article
  25. He, M. X., & An, X. (2016). Information security risk assessment based on analytic hierarchy process. Indonesian Journal of Electrical Engineering and Computer Science, 1(3), 656–664. https://doi.org/10.11591/ijeecs.v1.i3.pp656-664
    Search in Google ScholarBack to article
  26. Ishizaka, A., & Siraj, S. (2018). Are multi-criteria decision-making tools useful? An experimental comparative study of three methods. European Journal of Operational Research, 264(2), 462–471. https://doi.org/10.1016/j.ejor.2017.05.041
    Search in Google ScholarBack to article
  27. Jain, R. K., & Natarajan, R. (2011). Factors influencing the outsourcing decisions: A study of the banking sector in India. Strategic Outsourcing: An International Journal, 4(3), 294–322. https://doi.org/10.1108/17538291111185485
    Search in Google ScholarBack to article
  28. Kabir, G., Sadiq, R., & Tesfamariam, S. (2014). A review of multi-criteria decision-making methods for infrastructure management. Structure and Infrastructure Engineering, 10(9), 1176-1210. https://doi.org/10.1080/15732479.2013.795978
    Search in Google ScholarBack to article
  29. Karyda, M., Mitrou, E., & Quirchmayr, G. (2006). A framework for outsourcing IS/IT security services. Information Management & Computer Security, 14(5), 403–416. https://doi.org/10.1108/09685220610707421
    Search in Google ScholarBack to article
  30. Khan, G. M., Khan, S. U., Khan, H. U., & Ilyas, M. (2022). Challenges and practices identification in complex outsourcing relationships: A systematic literature review. PLoS ONE, 17(January). https://doi.org/10.1371/journal.pone.0262710
    Search in Google ScholarBack to article
  31. Ključnikov, A., Mura, L., & Sklenár, D. (2019). Information security management in SMEs: Factors of success. Entrepreneurship and Sustainability Issues, 6(4), 2081–2094. https://doi.org/10.9770/jesi.2019.6.4(37)
    Search in Google ScholarBack to article
  32. Lacity, M. C., & Willcocks, L. P. (2013). Legal process outsourcing: the provider landscape. Strategic Outsourcing: An International Journal, 6(2), 167–183. https://doi.org/10.1108/SO-11-2012-0021
    Search in Google ScholarBack to article
  33. Leszczyna, R., & Litwin, A. (2020). Estimating the Cost of Cybersecurity Activities with CAsPeA: A Case Study and Comparative Analysis. In S. Kanhere, In T. Patil, S. Sural, & M. S. Gaur (Eds.), 16th International Conference on Information Systems Security, ICISS 2020, (pp. 267–287). Springer.10.1007/978-3-030-65610-2_17
    Search in Google ScholarBack to article
  34. Liu, C. W., Huang, P., & Lucas, H. C. (2018). IT Centralization, Security Outsourcing, and Cybersecurity Breaches: Evidence from the U.S. Higher Education. In Y. J. Kim, R. Agarawal & J. K. Lee (Eds.), ICIS 2017: Transforming Society with Digital Innovation, (pp. 1–18). Seul, South Korea: Association for Information Systems.10.2139/ssrn.2850178
    Search in Google ScholarBack to article
  35. Marcikić, A., & Radovanov, B. (2011). A Decision Model for Outsourcing Business Activities. International Symposium Engineering Management and Competitiveness, 69–74.
    Search in Google ScholarBack to article
  36. MarketsAndMarkets. (2020). Managed Security Services Market by Type (Managed IAM, Antivirus/Antimal-ware, SIEM, and UTM), Deployment Mode, Organization Size, Vertical (BFSI, Government, Retail, Healthcare, Telecom, Utilities, and Manufacturing), and Region - Global Forecast to 2025. Retrieved from: https://www.marketsandmarkets.com/Market-Reports/managed-security-services-market-5918403.html
    Search in Google ScholarBack to article
  37. Moisiadis, F. (1999). Case Study on the Use of Scaling Methods for Prioritising Requirements. INCOSE International Symposium, 9(1), 1451–1457.10.1002/j.2334-5837.1999.tb00329.x
    Search in Google ScholarBack to article
  38. Pakpahan, J., Eryadi, R. A., Budiman, A., Sunandar, N., Syahid, L. M., & Shihab, M. R. (2021). Critical Success Factors of IT Outsourcing in Indonesian Public Sectors: A Case Study at Employment Social Security Agency. ICOIACT 2021 - 4th International Conference on Information and Communications Technology: The Role of AI in Health and Social Revolution in Turbulence Era, (pp. 47–52). Online: IEEE.10.1109/ICOIACT53268.2021.9563920
    Search in Google ScholarBack to article
  39. Ponemon Institute. (2019). The Cost of Third-Party Cybersecurity Risk Management. Retrieved from: https://www.cybergrx.com/resources/research-and-insights/ebooks-and-reports/the-cost-of-third-party-cybersecurity-risk-management
    Search in Google ScholarBack to article
  40. Ponsard, C., Grandclaudon, J., & Dallons, G. (2018). Towards a cyber security label for SMEs: A european perspective. In P. Mori, S. Furnell & O. Camp (Eds.). ICISSP 2018 - Proceedings of the 4th International Conference on Information Systems Security and Privacy, (pp. 426–431). Madeira, Portugal: Springer.10.5220/0006657604260431
    Search in Google ScholarBack to article
  41. Popp, N., Jensen, J. A., McEvoy, C. D., & Weiner, J. F. (2020). An examination of the effects of outsourcing ticket sales force management. International Journal of Sports Marketing and Sponsorship, 21(2), 205–223.10.1108/IJSMS-04-2019-0046
    Search in Google ScholarBack to article
  42. Prakash, S., Soni, G., Mittal, S., & Singh Rathore, A. P. (2014). Information Risks Modeling in e-business Supply Chain using AHP. In Recent Advances in Engineering and Computational Sciences (RAECS), (pp. 1-5). Chandigarh, India: IEEE.10.1109/RAECS.2014.6799634
    Search in Google ScholarBack to article
  43. Rajaeian, M. M., Cater-Steel, A., & Lane, M. (2015). IT outsourcing decision factors in research and practice: A case study. In F. Burstein, H. Scheepers & G. Deegan (Eds.). ACIS 2015 Proceedings - 26th Australasian Conference on Information Systems, (pp. 1–12). Adelaide, Australia: University of South Australia.
    Search in Google ScholarBack to article
  44. Ren, Z. J., & Zhou, Y. P. (2008). Call center outsourcing: Coordinating staffing level and service quality. Management Science, 54(2), 369–383. https://doi.org/10.1287/mnsc.1070.0820
    Search in Google ScholarBack to article
  45. Russo, R. D. F. S. M., & Camanho, R. (2015). Criteria in AHP: A systematic review of literature. Information Technology and Quantitative Management, 55, 1123–1132. https://doi.org/10.1016/j.procs.2015.07.081
    Search in Google ScholarBack to article
  46. Saaty, T. L. (1980). The Analytic Hierarchy Process. Mc-Graw Hill.10.21236/ADA214804
    Search in Google ScholarBack to article
  47. Saaty, T. L. (1990). How to make a decision: The analytic hierarchy process. European Journal of Operational Research, 48(1), 9–26. https://doi.org/10.1016/0377-2217(90)90057-I
    Search in Google ScholarBack to article
  48. Saaty, T. L., & Tran, L. T. (2007). On the invalidity of fuzzifying numerical judgments in the Analytic Hierarchy Process. Mathematical and Computer Modelling, 46(7–8), 962–975. https://doi.org/10.1016/j.mcm.2007.03.022
    Search in Google ScholarBack to article
  49. Shahrasbi, A., Shamizanjani, M., Alavidoost, M. H., & Akhgar, B. (2017). An aggregated fuzzy model for the selection of a managed security service provider. International Journal of Information Technology and Decision Making, 16(3), 625–684. https://doi.org/10.1142/S0219622017500158
    Search in Google ScholarBack to article
  50. Sung, W., & Kang, S. Y. (2017). An empirical study on the effect of information security activities: Focusing on technology, institution, and awareness. In C. C. Hinnant & O. Adegboyega (Eds.). ACM International Conference Proceeding Series, (pp. 84–93). New York, New York: Association for Computing Machinery.10.1145/3085228.3085242
    Search in Google ScholarBack to article
  51. Wang, G., Qin, L., Li, G., & Chen, L. (2009). Landfill site selection using spatial information technologies and AHP: A case study in Beijing, China. Journal of Environmental Management, 90(8), 2414–2421. https://doi.org/10.1016/j.jenvman.2008.12.008
    Search in Google ScholarBack to article
  52. Wang, J. J., Lin, Z. K., & Zhang, G. Q. (2008). A decision model for IS outsourcing based on AHP and ELECTREIII. In 2008 International Conference on Wireless Communications, Networking and Mobile Computing, WiCOM 2008, (pp. 1–4). Dalian, China: IEEE.10.1109/WiCom.2008.2763
    Search in Google ScholarBack to article
  53. Wu, Y., Duan, J., Dai, T., & Cheng, D. (2020). Managing security outsourcing in the presence of strategic hackers. Decision Analysis, 17(3), 235–259. https://doi.org/10.1287/deca.2019.0406
    Search in Google ScholarBack to article
  54. Wu, Y., Fung, R. Y. K., Feng, G., & Wang, N. (2017). Decisions making in information security outsourcing: Impact of complementary and substitutable firms. Computers and Industrial Engineering, 110, 1-12. https://doi.org/10.1016/j.cie.2017.05.018
    Search in Google ScholarBack to article
  55. Zammani, M., Razali, R., & Singh, D. (2019). Factors contributing to the success of information security management implementation. International Journal of Advanced Computer Science and Applications, 10(11), 384–391. https://doi.org/10.14569/IJACSA.2019.0101153
    Search in Google ScholarBack to article
  56. Zúñiga, A. R. R., & Jaatun, M. G. (2016). Passing the buck: Outsourcing incident response management. In Proceedings of 7th International Conference on Cloud Computing Technology and Science, CloudCom 2015, (pp. 503–508). Vancouver, Canada: IEEE.
    Search in Google ScholarBack to article
DOI: https://doi.org/10.2478/orga-2022-0010 | Journal eISSN: 1581-1832 | Journal ISSN: 1318-5454
Journal RSS Feed
Language: English
Page range: 142 - 159
Submitted on: Nov 3, 2021
Accepted on: Apr 28, 2022
Published on: Jun 23, 2022
Published by: University of Maribor
In partnership with: Paradigm Publishing Services
Publication frequency: 4 issues per year
Keywords:
Information security,
Decision model,
Analytic hierarchy process,
AHP,
Management,
Outsourcing
Related subjects:
Business and economics,
Business management,
Management, organization, corporate governance

© 2022 Luka Jelovčan, Anže Mihelič, Kaja Prislan, published by University of Maribor
This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License.

Previous articleVolume 55 (2022): Issue 2 (May 2022)Next article