Presenting a Model for Ranking Organizations Based on the Level of the Information Security Maturity

Undoubtedly, in today's business environment information provides the greatest competitive advantage for organizations. Although in the past merely collecting, processing and retrieving data was what mattered, information security has become a serious challenge at both the micro and macro levels of organizational management. Indeed, observance of information security principles is counted as a critical infrastructure in today's knowledge-based organizations. To realize this purpose, a strategic plan for IT security is needed. However, a comprehensive plan cannot be designed without accurate statistics about the level of information security maturity in current organizations. The goal of this paper is to rank organizations by their level of information security maturity, using a model based on multi-criteria decision making. First, in the literature review, the models and standards presented for information security maturity were studied. After the information security criteria were determined in technical and managerial forms, considering the three aspects of security, safety and stability, weighting was performed using the views of experts in the IT departments of three chosen organizations, A, B and C. Finally, these organizations were ranked by their level of information security maturity by applying the PROMETHEE II algorithm. In the final step the result of this model was compared with two other security maturity models. The identical results show the reliability and validity of the proposed ranking model.


Introduction
The most valuable asset of today's organizations is information. Access to accurate and timely information helps an organization move toward the knowledge-based society. The more valuable an organization's information, the more sensitive the subject of information security becomes. In fact, observance of information security principles is counted as a critical infrastructure in today's knowledge-based organizations.
To achieve its goals and missions, an organization will be more successful as its level of information security maturity increases. Because this level differs between organizations, studying and evaluating the level of this maturity in these institutions helps identify the organizations that are successful in this field. The aim of this paper is to present a model for ranking organizations based on their level of information security maturity.
First of all, it is essential to explain and review some of the key definitions used in this research.

Confidentiality:
Guarantees that the data only can be accessed by authorized personnel.

Integrity:
Safeguarding of the accuracy and completeness of data and data processing methods.

Accessibility:
Guarantees that data can be accessed by authorized personnel and used when needed. (Andrew Ren-Wei Funga, et al., 2003)

Safety:
Resistance against rigid and semi-rigid physical threats.

Stability:
The continuity of product and service presentation in different circumstances.

Security Maturity Model
A maturity model is a structured collection of elements that describe certain aspects of maturity in an organization. This type of security model indicates the degree of development and the strength of the organization's security measures, and provides an organization with a distinct security framework. The development and application of security maturity models enable organizations to (Lessing, 2008):
- generate reproducible and valid measurements;
- establish actual progress in the security milieu;
- rank themselves against a range of organizations;
- determine the order in which security controls should be applied; and
- determine the resources needed to apply to the security program (Chapin & Akridge, 2005).

This research was performed in three main phases:
1) Verifying the criteria for evaluating the level of information security maturity
2) Criteria weighting
3) Ranking organizations based on the level of information security maturity
These steps are discussed below.

Step 1: Verifying the criteria for evaluating the level of information security maturity
After the literature review, the evaluation criteria of information security maturity were studied from two viewpoints.

Division of criteria based on being managerial or technical
From the first viewpoint, information security concerns technical matters (e.g. encryption algorithms, communication protocols, security hardware and software, etc.), while from the second viewpoint it considers human and managerial matters (e.g. organizing, organizational culture, organizational policies, hazard management, standards, legal rights, etc.).

Division of criteria based on the three general aspects of security, safety and stability
For comprehensive coverage of the information security maturity criteria in an organization, first the information security standards (such as ISO 17799 and ISO 27001) were studied, and then the information security maturity models for organizations (i.e. the COBIT model and the Derek Schatz model) were studied carefully. Finally, twelve main criteria that cover the subject of the research comprehensively were chosen using the Delphi method and the views of information security experts. For each main criterion, the one sub-criterion most closely related to it was obtained. It should be noted that although these two viewpoints study the information security maturity evaluation criteria from different aspects, aggregating the criteria of each viewpoint leads to a unified collection. Table 1 shows the criteria gained from these two viewpoints in separate classifications. The criteria were derived from the Derek Schatz Maturity Model (Schatz, 2008).

Step 2: Criteria weighting
In decision-making science there are different methods for criteria weighting, depending on the circumstances of the decision problem. In this paper, given the number of criteria and the need to consider all of the experts' votes, the "Group Method" is used. The algorithm of this method is described here.
After the criteria were verified and completed by the Delphi method, the opinions of the information security experts of every organization about the importance of each criterion were assessed with a questionnaire using a semi-metric scale (0 to 100). In fact, every expert expressed his or her opinion about the significance of each criterion as a percentage. Completing 6 to 7 questionnaires was needed in every studied organization. In this step, the percentages gained for each criterion are turned into a single percentage for that criterion by using the geometric mean, equation (1).
(1)
Indeed, by applying this method, not only are the different opinions of the information security experts used in the percentage importance of each criterion, but a single percentage W_j is obtained for every criterion. Now, the weight of each criterion is obtained by normalization with equation (2).
(2)
Before ranking starts, a decision matrix should be formed. To take the experts' opinions into account, the best way is again the Group Method.

Formation of Decision Matrix by Group Method
Before ranking starts, a decision matrix must first be formed. Because the Group Method is applied for weighting in this study, the same method should also be used for obtaining the values of decision

Step 3: Ranking of Organizations Based on the Maturity of Information Security
Basically, to rank options in multi-criteria decision making there are two general approaches: compensatory and non-compensatory. Compensatory models include methods in which trade-offs are allowed among criteria.
Non-compensatory models include methods in which trade-offs are not allowed among criteria; therefore each criterion is independent of the others and comparisons are made criterion by criterion.
The PROMETHEE method (Preference Ranking Organization Method for Enrichment Evaluations) is one of the most recent MCDA methods; it was developed by Brans (1982) and further extended by Vincke and Brans (1985) (Behzadian et al., 2009). PROMETHEE is an outranking method for a finite set of alternative actions to be ranked and selected among criteria, which are often conflicting. PROMETHEE is also quite simple in conception and application compared with other methods for multi-criteria analysis (Brans et al., 1986). Given the circumstances of the problem, the PROMETHEE II algorithm used in this study is counted as a compensatory model. The stages of this method are described briefly below.

Determining the threshold value for each criterion
First, a threshold value is determined for every criterion in the decision matrix by using equation (3).
(3)

Calculation of the difference between the elements of the decision matrix relative to the threshold
In this step, the difference between the values of each pair of elements of the decision matrix, relative to the related threshold, is calculated.

Applying the preference function with 0
In this stage, according to whether a criterion is positive or negative, one of the preference functions (4) or (5) is applied to all elements of the fourth-step matrix.
For negative criteria:
(5)

Applying the preference function with 1
In this step, the preference function with 1 (equation 6) is applied to the fifth-step matrix.
(6)

Creating the weighted matrix
In this stage the sixth-step matrix is weighted by the first-step weighting vector: each column of the matrix is multiplied by the weight of its related criterion.

Formation of the collective utility function
In this step, the collective utility function is calculated by equation (7). The collective utility function has as many members as there are options.

Ranking of alternatives
In this step, the alternatives (the studied organizations) are ranked based on the utility function of equation (7).
The option with the highest utility is ranked highest. In other words, the PROMETHEE II algorithm ranks the studied organizations in the order of the level of information security maturity they have reached.
Table 2 shows the result of applying this model to the three studied organizations A, B and C (shown under alias names for security reasons). As observed in Table 2, after ranking the organizations by utility, Organization A is the most secure alternative, meaning that its level of information security maturity is higher than that of the others. Organization B also has a better position in security level than Organization C. Additionally, the results of the proposed model were compared with other reliable and valid security maturity models. The same descending rank order is observed for the three sample organizations in every model; for example, Organization B has the second position in the final results of all models. Identical ranking orders are taken as the best assessment of the validity and reliability of the proposed security maturity ranking model.
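As an added illustration of Step 2 (group-method weighting) and Step 3 (PROMETHEE II ranking) together, the following Python code is not the paper's implementation and does not reproduce its equations (1) to (7), which are not reproduced above. It implements the weighting as the text describes it (geometric mean of the experts' percentages per criterion, then normalization) and the standard PROMETHEE II formulation (pairwise preference aggregated by the criterion weights, positive and negative outranking flows, net flow). The expert scores, the decision matrix, the criterion names, the U-shape preference function and the rule of setting each criterion's threshold to a fraction of its range are all constructed assumptions for the example.

```python
"""Added example: group-method weighting followed by a standard PROMETHEE II
ranking.  Not the paper's code; the preference function and the threshold
rule below are assumptions, since the paper's equations are not shown."""
from math import prod
from typing import Dict, List, Sequence, Tuple

# Constructed questionnaire data: importance (0-100) that several
# information security experts assigned to each criterion.
EXPERT_SCORES: Dict[str, List[float]] = {
    "access_control": [80, 90, 85, 70],
    "incident_management": [60, 70, 65, 75],
    "physical_safety": [50, 40, 55, 45],
}

# Constructed decision matrix: maturity score of each organization per
# criterion.  All three criteria are treated as positive (higher is better).
DECISION_MATRIX: Dict[str, Dict[str, float]] = {
    "A": {"access_control": 85, "incident_management": 70, "physical_safety": 60},
    "B": {"access_control": 70, "incident_management": 75, "physical_safety": 40},
    "C": {"access_control": 55, "incident_management": 50, "physical_safety": 45},
}


def geometric_mean(values: Sequence[float]) -> float:
    """Geometric mean of the experts' percentages for one criterion."""
    return prod(values) ** (1.0 / len(values))


def group_weights(scores: Dict[str, List[float]]) -> Dict[str, float]:
    """Consensus importance per criterion (geometric mean), normalized to sum 1."""
    consensus = {c: geometric_mean(v) for c, v in scores.items()}
    total = sum(consensus.values())
    return {c: v / total for c, v in consensus.items()}


def thresholds_from_matrix(matrix: Dict[str, Dict[str, float]],
                           fraction: float = 0.10) -> Dict[str, float]:
    """Assumed rule: the indifference threshold of a criterion is a fraction
    of that criterion's range across the alternatives."""
    criteria = next(iter(matrix.values())).keys()
    result = {}
    for c in criteria:
        column = [row[c] for row in matrix.values()]
        result[c] = fraction * (max(column) - min(column))
    return result


def preference(d: float, threshold: float) -> float:
    """Assumed U-shape preference function: strict preference (1) only when
    the sign-adjusted difference exceeds the threshold, otherwise 0."""
    return 1.0 if d > threshold else 0.0


def promethee2(matrix: Dict[str, Dict[str, float]], weights: Dict[str, float],
               thresholds: Dict[str, float],
               negative_criteria=frozenset()) -> Tuple[List[str], Dict[str, float]]:
    """Standard PROMETHEE II; returns (ranking, net outranking flow)."""
    alternatives = list(matrix)
    n = len(alternatives)
    phi_plus = {a: 0.0 for a in alternatives}
    phi_minus = {a: 0.0 for a in alternatives}
    for a in alternatives:
        for b in alternatives:
            if a == b:
                continue
            pi = 0.0  # weighted preference of a over b across all criteria
            for c, w in weights.items():
                d = matrix[a][c] - matrix[b][c]
                if c in negative_criteria:  # lower is better: flip the sign
                    d = -d
                pi += w * preference(d, thresholds[c])
            phi_plus[a] += pi / (n - 1)   # how strongly a outranks the others
            phi_minus[b] += pi / (n - 1)  # how strongly b is outranked
    net = {a: phi_plus[a] - phi_minus[a] for a in alternatives}
    ranking = sorted(alternatives, key=lambda a: net[a], reverse=True)
    return ranking, net


def rank_organizations() -> Tuple[List[str], Dict[str, float]]:
    """Run the whole pipeline on the constructed data."""
    weights = group_weights(EXPERT_SCORES)
    thresholds = thresholds_from_matrix(DECISION_MATRIX)
    return promethee2(DECISION_MATRIX, weights, thresholds)


if __name__ == "__main__":
    ranking, net = rank_organizations()
    for org in ranking:
        print(f"{org}: net flow {net[org]:+.3f}")
```

Net flows always sum to zero, so the sign of an organization's net flow tells whether it outranks the others more than it is outranked. Passing a criterion name in `negative_criteria` (for a cost-like criterion) flips the sign of its differences before the preference function is applied, which is the place where the paper's separate positive and negative preference functions would go.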

Results
The results of this research are summarized here:
1-1-4: The first tangible result of this research is the careful classification of criteria presented in the first step (Table 1). Because these criteria are obtained from the information security standards (i.e. ISO 27001, ISO 17799, etc.), based on studies of the available information security maturity models (i.e. the COBIT model and Derek Schatz), and are consolidated using the views of information security experts with the help of the Delphi technique and interviews, they can be used as references in practical research.
2-1-4: A weighting vector has not yet been included in any information security maturity model. This research joins multi-criteria decision making concepts to the information security maturity evaluation problem through a different, mathematical approach. By introducing the weighting element, information security experts can consider the criteria of the information security maturity evaluation according to their value and importance.
3-1-4: From the literature review on information security maturity, it was found that no research has yet been performed on ranking organizations based on their level of information security maturity. This ranking will help decision makers adopt strategic information technology security decisions and draw up strategic plans for information systems.

Suggestions
Here are some suggestions for practical use of the results of this research, and some approaches for future researchers.
1-2-4: Ranking organizations based on the information security criteria and finding threshold values for classifying organizations (excellent, average or poor with respect to the information security criteria).
2-2-4: Classifying organizations based on their type of business and purposes, and obtaining weights for each category of organization based on the views of experts from that category.
3-2-4: Studying the relationship between the results of this model and other reference models such as COBIT for organizations at the country level.