matrix in columns and rows 2–4 in the table (for more, see [1]).
In establishing this pairwise comparison matrix, the assumption in the example is that the expected loss (E[X]) and the expected severe loss (E[X|X ≥ T]) are equally important criteria, and that both are slightly more preferred than the standard deviation of loss (σ) criterion. The pairwise comparisons that represent this judgment are realized by setting a12 = 1, a21 = 1, a13 = 2, a23 = 2, a31 = 1/2, and a32 = 1/2. Further, the diagonal elements a11, a22, and a33 are set equal to 1, since a criterion is exactly as important as itself.
For a decision maker for whom AHP reveals these weights (A = 0.4, B = 0.4, and C = 0.2), here is the value of the PCR for Proposal 1:
PCR(Proposal 1) = $4.5M + [0.4/0.4]·[$1.7M] + [0.2/0.4]·[$2.872M] = $4.5M + $1.7M + $1.436M = $7.636M

EVALUATING FOUR PROPOSALS
In order to demonstrate PCR use, assume that the CISO must select from among four equal-cost proposals for enhancing an organization's information security. Suppose the CISO and his/her staff have estimated the loss probabilities associated with the four proposed sets of information security activities. The estimated loss probabilities associated with each proposal are broken down into the 10 discrete amounts in Table 2.

Table 2. Probability of losses under four information security project proposals.

Losses from an information security breach (in $ millions)
              0     1     2     3     4     5     6     7     8     9    Other values
Proposal 1   0.1   0.1   0.1   0.1   0.1   0.1   0.1   0.1   0.1   0.1   0
Proposal 2   0     0     0.2   0     0     0.5   0     0.1   0.2   0     0
Proposal 3   0.3   0.2   0     0     0     0     0.05  0.05  0.1   0.3   0
Proposal 4   0     0     0     0     0     0     0     0.45  0.45  0.1   0

We continue to assume that the threshold level, T, of a severe loss is $8 million. Table 3 lists the values of the three risk measures for each of the four proposals; it also lists the value of the PCR for each proposal, assuming that A = 0.4, B = 0.4, and C = 0.2.

Table 3. Risk measures for the four proposals (where T = 8, A = 0.4, B = 0.4, and C = 0.2; all values in $ millions; an asterisk marks each column minimum, shown in bold in the original).

              Expected Loss   Expected Severe Loss   Standard Deviation   Perceived Composite Risk
              E[X]            E[X|X ≥ T]             of Loss (σ)          (PCR)
Proposal 1    4.5             1.7                    2.872                 7.636*
Proposal 2    5.2             1.6*                   1.990                 7.795
Proposal 3    4.35*           3.5                    4.028                 9.864
Proposal 4    7.65            4.5                    0.654*               12.477

Some problems with using the popular metric of expected loss as a sole measure of risk are apparent by examining Tables 2 and 3. According to the expected loss metric, Proposal 3 is the preferred proposal, followed in order by Proposal 1, Proposal 2, and Proposal 4. Note that although Proposal 3 minimizes the expected loss, it also generates the second highest probability of threatening the survivability of the organization (Pr[X ≥ 8] = 0.4) and generates the highest standard deviation of loss.
Table 3 also indicates that based on the expected severe loss criterion, Proposal 2 is the preferred proposal, followed in order by Proposal 1, Proposal 3, and Proposal 4. Further, based on the standard deviation criterion, Proposal 4 is the preferred proposal, followed in order by Proposal 2, Proposal 1, and Proposal 3. Thus, a decision maker interested in minimizing the risk of a breach could rationally select Proposal 2, Proposal 3, or Proposal 4, depending on the risk metric being considered.
The PCR combines the three risk measures through a procedure that determines the decision maker's relative weighting of the risk criteria. The
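As an added worked example (this is my own code, not the article's; the function names and Saaty's random-index constants are assumptions), the following Python recomputes the AHP weights from the pairwise matrix a_ij stated above and then the three risk measures and the PCR for each Table 2 distribution, reproducing Table 3. It follows the form of the Proposal 1 calculation, PCR = E[X] + (B/A)·E[X|X ≥ T] + (C/A)·σ, and computes the expected severe loss as the sum over x ≥ T of x·Pr[X = x], which is the quantity the tabulated $1.7M for Proposal 1 (0.2 × 8.5) corresponds to.

```python
"""Added example: recompute the AHP criterion weights and the PCR figures
of Tables 2 and 3 from the pairwise judgments and loss distributions given
in the text.  Function names and the random-index table are my own choices,
not the article's."""
from math import sqrt

# Pairwise comparison matrix from the text, criteria ordered
# (E[X], E[X|X >= T], sigma): a12 = a21 = 1, a13 = a23 = 2, a31 = a32 = 1/2.
PAIRWISE = [
    [1.0, 1.0, 2.0],
    [1.0, 1.0, 2.0],
    [0.5, 0.5, 1.0],
]

# Saaty's random consistency index by matrix size (standard AHP constants,
# assumed here; only n = 3 is needed for this page).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24}

# Table 2, transcribed: list index = loss in $ millions, value = probability.
# The all-zero "Other values" column is omitted.
PROPOSALS = {
    "Proposal 1": [0.1] * 10,
    "Proposal 2": [0, 0, 0.2, 0, 0, 0.5, 0, 0.1, 0.2, 0],
    "Proposal 3": [0.3, 0.2, 0, 0, 0, 0, 0.05, 0.05, 0.1, 0.3],
    "Proposal 4": [0, 0, 0, 0, 0, 0, 0, 0.45, 0.45, 0.1],
}


def ahp_weights(matrix, iterations=100):
    """Priority vector of a pairwise comparison matrix (principal eigenvector,
    normalised to sum 1) by power iteration, plus Saaty's consistency ratio
    CR = ((lambda_max - n) / (n - 1)) / RI.  CR > 0.10 means the judgments
    contradict each other too much for the weights to be trusted."""
    n = len(matrix)
    w = [1.0 / n] * n
    for _ in range(iterations):
        aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(aw)
        w = [v / total for v in aw]
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / w[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1) if n > 1 else 0.0
    cr = ci / RANDOM_INDEX[n] if RANDOM_INDEX.get(n) else 0.0
    return w, cr


def risk_measures(probs, threshold):
    """The three criteria for one proposal.  'severe' is the sum over
    x >= T of x * Pr[X = x], i.e. E[X | X >= T] * Pr[X >= T], which is the
    quantity behind the $1.7M figure for Proposal 1 (0.2 * 8.5)."""
    assert abs(sum(probs) - 1.0) < 1e-9, "loss probabilities must sum to 1"
    dist = list(enumerate(probs))
    mean = sum(x * p for x, p in dist)
    variance = sum((x - mean) ** 2 * p for x, p in dist)
    return {
        "expected": mean,
        "severe": sum(x * p for x, p in dist if x >= threshold),
        "sigma": sqrt(variance),
        "p_severe": sum(p for x, p in dist if x >= threshold),
    }


def pcr(measures, weights):
    """PCR = E[X] + (B/A) * E[X|X >= T] + (C/A) * sigma, the form the
    worked Proposal 1 calculation in the text follows."""
    a, b, c = weights
    return measures["expected"] + (b / a) * measures["severe"] + (c / a) * measures["sigma"]


def evaluate(proposals=PROPOSALS, threshold=8, pairwise=PAIRWISE):
    """Weights, consistency ratio, and a Table 3 style dict per proposal."""
    weights, cr = ahp_weights(pairwise)
    table = {}
    for name, probs in proposals.items():
        m = risk_measures(probs, threshold)
        m["pcr"] = pcr(m, weights)
        table[name] = m
    return weights, cr, table


def rank_by(table, key):
    """Proposal names from smallest to largest value of one criterion."""
    return sorted(table, key=lambda name: table[name][key])


if __name__ == "__main__":
    weights, cr, table = evaluate()
    print("AHP weights (A, B, C):", [round(w, 3) for w in weights], "CR:", round(cr, 4))
    for name, m in table.items():
        print(name, {k: round(v, 3) for k, v in m.items()})
    for key in ("expected", "severe", "sigma", "pcr"):
        print("best by", key, "->", rank_by(table, key)[0])
```

Running it prints the weights (0.4, 0.4, 0.2) with a consistency ratio of 0, the four rows of Table 3, and the best proposal under each criterion. Two checks are worth keeping in practice: the consistency ratio flags a pairwise matrix whose judgments contradict each other before its weights are used, and re-running evaluate() with a different pairwise matrix shows how sensitive the PCR ranking is to those judgments (with the three criteria weighted equally, this code ranks Proposal 2 rather than Proposal 1 lowest on PCR).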
References: