Abstract

Information security risk can be measured by probability of the potential risk incident and its impact. Various quantitative methodologies are given to compute information security risks, but among the existed research, seldom of them considered the difficulties of obtaining data of risk probability and risk impact. Considering the efficiency and operability of collecting data, as well as the effectiveness of output for risk management support, this paper presents a risk assessment methodology for information systems security with the application of group decision making and analytic hierarchy process methods. Procedure of this methodology is provided, and a test case is given to illustrate the effectiveness of this methodology.