Abstract
The increased reliance on information technology systems and communications networks in support of the core organizational processes creates an environment where significant, and potentially catastrophic, losses can result from a loss or corruption of a critical information resource. Risk assessment is the widely accepted process used to understand, quantify, and document the effects of undesirable events on organizational objectives so that risk management, continuity of operations planning, and contingency planning can be performed. In this paper, we present the application of a simulation-based hybrid analytic dynamic forecasting methodology that combines the techniques of analytic hierarchy process, factor analysis, and spanning tree to the problem of selecting among a set of contingency measures following events which place the organizational mission at risk. The methodology makes use of qualitative subjective assessments by subject matter experts at multiple levels of the organization and uses historical event occurrences (when available) to provide the decision maker with an ongoing recommendation of the best contingency measures to employ to assure the organizational mission objectives. The method is novel because it augments the decision maker’s experiential knowledge with a probabilistic forecast of the best contingency measure to take in response to events based upon subject matter expert knowledge, historical evidence, and the real-time status of critical resources. The methodology provides a structured approach to mitigate operational risk in complex environments and decreases the time required to make decisions under conditions of uncertainty.
Acknowledgments
This work was supported by a research grant from the Air Force Research Laboratory (F4FBBA9067J001).
Disclaimer
The views expressed in this article are those of the authors and do not reflect the official policy or position of the United States Air Force, Department of Defense, or the United States Government.
Cite this article
Grimaila, M.R., Badiru, A. A hybrid dynamic decision making methodology for defensive information technology contingency measure selection in the presence of cyber threats. Oper Res Int J 13, 67–88 (2013). https://doi.org/10.1007/s12351-010-0102-2
DOI: https://doi.org/10.1007/s12351-010-0102-2