http://sites.google.com/site/journalofcomputing/
Using Fuzzy Methodology to Mapping ITIL Security KPIs to ISMS
Nasibeh Mohammadi, Nasser Modiri, Pantea Arya, Afshin Rezakhani
Abstract: Security management in the Information Technology Infrastructure Library (ITIL) consists of a number of Key Process Indicators (KPIs) that are unclear. In this paper, we propose a new framework for mapping ITIL security KPIs to the related KPIs in an Information Security Management System (ISMS). For this mapping, a fuzzy algorithm named fuzzy Analytic Hierarchy Process (fuzzy AHP) is used. This algorithm obtains the priority of the ISMS KPIs that are related to ITIL security management KPIs, so that the ISMS KPIs can be prioritized. The main advantage of this method is creating a collaborative platform between ITIL and ISMS KPIs. A further benefit of the methodology is improving security in enterprises that implement ITIL. With this approach, enterprise managers will be able to decide accurately which ISMS KPIs to apply in an ITIL implementation.
Index Terms: Fuzzy AHP, ISMS, ITIL, KPIs.
1. INTRODUCTION
Due to the enhanced focus on the customer in the planning, development and delivery of information services, IT service management has become increasingly important. These days IT management focuses particularly on the de facto standard ITIL (IT Infrastructure Library) for implementing IT service management [1]. Unfortunately, most enterprise managers think that they must adopt the ISO 27000 standard (ISMS) in their organization to implement security indicators directly; they do not know that ISMS KPIs can be used alongside the ITIL framework, because ITIL already has several KPIs in the scope of security management. However, these KPIs are not clear and are described ambiguously. This article suggests a new methodology for persuading managers to apply ISMS KPIs in an ITIL implementation. Because enterprise managers have some limitations in understanding the meaning of each security KPI in ITIL, our method helps managers decide how to map each ITIL security KPI to one or more KPIs in ISMS accurately and correctly.
Little research has been done on creating a collaborative platform between ITIL and ISMS. For example, Jim Clinch in his research considered ITIL KPIs and ISMS KPIs and mapped all ITIL KPIs to ISMS in general terms [2]. James Doss also considered approaches to integrating other frameworks and methodologies complementary to ITIL [3]. All of these studies mapped ITIL KPIs to ISMS ambiguously and without any clarity about implementation.
We propose a new method, based on a fuzzy decision algorithm, that enables managers to make an accurate decision when mapping each security KPI in ITIL to one or more KPIs in ISMS.
2. ITIL FRAMEWORK
ITIL (IT Infrastructure Library) provides a framework of best practice guidance for IT Service Management, and since its creation ITIL has grown to become the most widely accepted approach to IT Service Management in the world.
Figure 2. Hierarchical structure of problems
As can be seen in the above figure, the hierarchical structure is divided into three levels. This diagram shows the graphical schema of the problem.
4.2 The Explanation of Step 2
In this step the pairwise comparison matrix is determined based on the judgement of the decision maker. This is done for each level of components toward the upper level, in separate matrices, as follows:
1. Creating a pairwise comparison matrix for each alternative toward each criterion.
2. Creating a pairwise comparison matrix for each criterion toward the goal.
Each element of the pairwise comparison matrix is denoted $a_{ij}$ and expresses the relative importance of element i toward element j. The values of $a_{ij}$ are taken from the table below; these values are triangular fuzzy numbers.
Table 2. Similar fuzzy numbers with preference in the paired comparisons [16]
Statement | Triangular fuzzy number
Absolutely Stronger | (5/2, 3, 7/2)
Very Stronger | (2, 5/2, 3)
Stronger | (3/2, 2, 5/2)
Low | (1, 3/2, 2)
Approximately Equal | (1/2, 1, 3/2)
Exactly Equal | (1, 1, 1)
Two examples of pairwise comparison matrices are below:
JOURNAL OF COMPUTING, VOLUME 4, ISSUE 3, MARCH 2012, ISSN 2151-9617
https://sites.google.com/site/journalofcomputing
WWW.JOURNALOFCOMPUTING.ORG
2012 Journal of Computing Press, NY, USA, ISSN 2151-9617
http://sites.google.com/site/journalofcomputing/
Figure 3. An example of pairwise comparison matrix (Alternative toward Criteria)
Figure 4. An example of pairwise comparison matrix (Criteria toward goal)
4.3 The Explanation of Step 3
To apply the process according to Chang's extent analysis method [15], each criterion is taken in turn and extent analysis is performed for each criterion $g_i$. Therefore, m extent analysis values for each criterion can be obtained with the following notation:
$M^1_{g_i}, M^2_{g_i}, M^3_{g_i}, \ldots, M^m_{g_i}$
where $g_i$ is the goal set ($i = 1, 2, 3, 4, 5, \ldots, n$) and all the $M^j_{g_i}$ ($j = 1, 2, 3, 4, 5, \ldots, m$) are triangular fuzzy numbers (TFNs).
The steps of Chang's analysis can be given as follows:
Substep 1: The fuzzy synthetic extent value with respect to the i-th criterion is defined as
$S_i = \sum_{j=1}^{m} M^j_{g_i} \otimes \left[ \sum_{i=1}^{n} \sum_{j=1}^{m} M^j_{g_i} \right]^{-1}$
and if $M^j_{g_i} = (l_{ij}, m_{ij}, u_{ij})$ then
$\sum_{j=1}^{m} M^j_{g_i} = (l_{i1}, m_{i1}, u_{i1}) \oplus (l_{i2}, m_{i2}, u_{i2}) \oplus \cdots \oplus (l_{im}, m_{im}, u_{im}) = \left( \sum_{j=1}^{m} l_{ij}, \sum_{j=1}^{m} m_{ij}, \sum_{j=1}^{m} u_{ij} \right) = (l_i, m_i, u_i)$
$\left[ \sum_{i=1}^{n} \sum_{j=1}^{m} M^j_{g_i} \right]^{-1} = \left( \frac{1}{\sum_{i=1}^{n} u_i}, \frac{1}{\sum_{i=1}^{n} m_i}, \frac{1}{\sum_{i=1}^{n} l_i} \right)$
Therefore:
$S_i = (l_i, m_i, u_i) \otimes \left( \frac{1}{\sum_{i=1}^{n} u_i}, \frac{1}{\sum_{i=1}^{n} m_i}, \frac{1}{\sum_{i=1}^{n} l_i} \right) = (L_i, M_i, U_i)$
Substep 2: The degree of conceivability of $S_i$ over $S_k$, written $V(S_i \ge S_k)$, is calculated as follows:
$V(S_i \ge S_k) = \sup_{x \ge y} \left[ \min \left( \mu_{S_i}(x), \mu_{S_k}(y) \right) \right]$
which for triangular fuzzy numbers becomes
$V(S_i \ge S_k) = \mu_{S_i}(d) = \begin{cases} 1 & \text{if } m_i \ge m_k \\ 0 & \text{if } l_k \ge u_i \\ \dfrac{l_k - u_i}{(m_i - u_i) - (m_k - l_k)} & \text{otherwise} \end{cases}$
Figure 5. Intersection point between $S_k$ and $S_i$ [17]
As can be seen in Figure 5, d is the largest intersection point between $\mu_{S_k}$ and $\mu_{S_i}$.
The degree of conceivability for a convex fuzzy number S to be greater than k convex fuzzy numbers $S_i$ ($i = 1, \ldots, k$) is defined as follows:
$V(S \ge S_1, S_2, \ldots, S_k) = V\left( (S \ge S_1) \text{ and } (S \ge S_2) \text{ and } \ldots \text{ and } (S \ge S_k) \right) = \min V(S \ge S_i), \quad i = 1, \ldots, k$
If $d'(A_i) = \min V(S_i \ge S_k)$ for $k = 1, 2, \ldots, n$, $k \ne i$, then the weight vector is given by
$W' = (d'(A_1), d'(A_2), \ldots, d'(A_n))$
Table 3. An Example of Mapping an ITIL KPI to ISMS KPIs
ITIL KPI: The production, maintenance, distribution and enforcement of an Information Security Policy and supporting security policies
ISMS KPIs [18]:
1. Establish a comprehensive information security policy.
2. Make sure that your information security policy provides clear direction for your information security program.
3. Make sure that your information security policy shows that your management is committed to information security.
4. Make sure that your management supports your organization's information security policy.
5.2. Use of Fuzzy AHP
The fuzzy AHP process is explained in the subsections below.
5.2.1. Creating Hierarchical Structure
After finding the ISMS KPIs in the last section, we must create a hierarchical structure for each category. The goal level is the priority of the ISMS KPIs in each category. The criteria level is filled by the factors that affect the ISMS KPIs in each category. Finally, the alternatives are the ISMS KPIs obtained in the above section. Note that the effective factors are obtained by interviewing managers.
Now we consider a real example. Because there are many ISMS KPIs in each category, we assume that the mapping below exists, and we create the hierarchical structure for these KPIs in one category only.
Table 4. A sample real example of mapping an ITIL KPI to ISMS in a category
ITIL Security KPI: ITIL_KPI (The production, maintenance, distribution and enforcement of an Information Security Policy and supporting security policies)
ISMS KPIs [18]:
KPI_1 (Establish a comprehensive information security policy)
KPI_2 (Make sure that your information security policy provides clear direction for your information security program)
KPI_3 (Make sure that your information security policy shows that your management is committed to information security)
Figure 7 shows the hierarchical structure for the above KPIs. For clear explanation, we use the abbreviated form of the above KPIs.
Figure 6. Creating Hierarchical Structure
5.2.2. Creating Pairwise Comparison Matrix
For this step, we must create four matrices, shown in the figures below. The matrix values are determined by Table 2 and by interviews with managers.
Matrix 1: The KPIs' pairwise comparison matrix according to Cost
Matrix 2: The KPIs' pairwise comparison matrix according to Stability
Matrix 3: The KPIs' pairwise comparison matrix according to Risk Management
Matrix 4: The criteria's pairwise comparison matrix according to the goal
Figure 7. The Matrix of Pairwise Comparison (Alternatives and Criteria)
Relative Weights of Matrix 2:
Relative Weights of Matrix 3:
The relative weight of KPI_1 according to risk management: $S_1 = (0.342, 0.528, 0.572)$
The relative weight of KPI_2 according to risk management: $S_2 = (0.144, 0.24, 0.272)$
The relative weight of KPI_3 according to risk management: $S_3 = (0.144, 0.230, 0.308)$
Relative Weights of Matrix 4:
The relative weight of the cost criterion toward the goal: $S_1 = (0.342, 0.528, 0.078)$
The relative weight of the stability criterion toward the goal: $S_2 = (0.136, 0.230, 0.360)$
The relative weight of the risk management criterion toward the goal: $S_3 = (0.152, 0.240, 0.432)$
5.2.4. Calculating the conceivability degree
According to the formulas explained in section 4.4, the conceivability degrees of the matrices are as follows:
The conceivability degrees of Matrix 1:
$V(S_1 \ge S_2) = 1$
$V(S_2 \ge S_1) = \dfrac{0.208 - 0.825}{(0.240 - 0.825) - (0.528 - 0.208)} = 0.352$
$V(S_1 \ge S_3) = 1$, $V(S_3 \ge S_1) = 0.652$
$V(S_2 \ge S_3) = 1$, $V(S_3 \ge S_2) = 0.925$
The conceivability degrees of Matrix 2:
$V(S_1 \ge S_2) = 0.873$, $V(S_2 \ge S_1) = 1$, $V(S_1 \ge S_3) = 1$
$V(S_3 \ge S_1) = 0.819$, $V(S_2 \ge S_3) = 1$, $V(S_3 \ge S_2) = 0.603$
The conceivability degrees of Matrix 3:
$V(S_1 \ge S_2) = 1$, $V(S_2 \ge S_1) = 1$, $V(S_1 \ge S_3) = 1$
$V(S_3 \ge S_1) = 1$, $V(S_2 \ge S_3) = 1$, $V(S_3 \ge S_2) = 0.942$
The conceivability degrees of Matrix 4:
$V(S_1 \ge S_2) = 1$, $V(S_2 \ge S_1) = 0.056$, $V(S_1 \ge S_3) = 1$
$V(S_3 \ge S_1) = 0.238$, $V(S_2 \ge S_3) = 0.954$, $V(S_3 \ge S_2) = 1$
5.2.5. Calculating the conceivability degree for convex fuzzy numbers
The conceivability degrees for convex fuzzy numbers in Matrix 1:
$V(S_1 \ge S_2, S_3) = \min(V(S_1 \ge S_2), V(S_1 \ge S_3)) = \min(1, 1) = 1$
$V(S_2 \ge S_1, S_3) = \min(V(S_2 \ge S_1), V(S_2 \ge S_3)) = \min(0.352, 1) = 0.352$
$V(S_3 \ge S_1, S_2) = \min(V(S_3 \ge S_1), V(S_3 \ge S_2)) = \min(0.652, 0.925) = 0.652$
Then $W'$ is calculated from the three lines above. So $W' = (1, 0.352, 0.652)$
The conceivability degrees for convex fuzzy numbers in Matrix 2:
$V(S_1 \ge S_2, S_3) = \min(V(S_1 \ge S_2), V(S_1 \ge S_3)) = \min(0.873, 1) = 0.873$
$V(S_2 \ge S_1, S_3) = \min(V(S_2 \ge S_1), V(S_2 \ge S_3)) = \min(1, 1) = 1$
$V(S_3 \ge S_1, S_2) = \min(V(S_3 \ge S_1), V(S_3 \ge S_2)) = \min(0.819, 0.603) = 0.603$
So $W' = (0.873, 1, 0.603)$
The conceivability degrees for convex fuzzy numbers in Matrix 3:
$V(S_1 \ge S_2, S_3) = \min(V(S_1 \ge S_2), V(S_1 \ge S_3)) = \min(1, 1) = 1$
$V(S_2 \ge S_1, S_3) = \min(V(S_2 \ge S_1), V(S_2 \ge S_3)) = \min(1, 1) = 1$
$V(S_3 \ge S_1, S_2) = \min(V(S_3 \ge S_1), V(S_3 \ge S_2)) = \min(1, 0.942) = 0.942$
So $W' = (1, 1, 0.942)$
The conceivability degrees for convex fuzzy numbers in Matrix 4:
$V(S_1 \ge S_2, S_3) = \min(V(S_1 \ge S_2), V(S_1 \ge S_3)) = \min(1, 1) = 1$
$V(S_2 \ge S_1, S_3) = \min(V(S_2 \ge S_1), V(S_2 \ge S_3)) = \min(0.056, 0.954) = 0.056$
$V(S_3 \ge S_1, S_2) = \min(V(S_3 \ge S_1), V(S_3 \ge S_2)) = \min(0.238, 1) = 0.238$
So $W' = (1, 0.056, 0.238)$
5.2.6. The Normalization of the $W'$ Vector
If the weight vector $W'$ is defined as
$W' = (d'(A_1), d'(A_2), d'(A_3), \ldots, d'(A_n))$, where $d'(A_i) = \min V(S_i \ge S_k)$, $k = 1, \ldots, n$, $k \ne i$,
then the normalized vector W is calculated by the formula below [19]:
$W = (d(A_1), d(A_2), \ldots, d(A_n))$, where $d(A_i) = \dfrac{d'(A_i)}{\sum_{k=1}^{n} d'(A_k)}$
Normalization of the $W'$ vector for Matrix 1:
$W' = (1, 0.352, 0.652)$
$d(A_1) = \dfrac{1}{1 + 0.352 + 0.652} = 0.499$
$d(A_2) = \dfrac{0.352}{1 + 0.352 + 0.652} = 0.175$
$d(A_3) = \dfrac{0.652}{1 + 0.352 + 0.652} = 0.325$
Then the normalized vector W is obtained from the lines above. So $W = (0.499, 0.175, 0.325)$
Normalization of the $W'$ vector for Matrix 2: $W = (0.352, 0.403, 0.243)$
Normalization of the $W'$ vector for Matrix 3: $W = (0.339, 0.339, 0.320)$
Normalization of the $W'$ vector for Matrix 4: $W = (0.556, 0.031, 0.132)$
5.2.7. Calculating the final weight of KPIs
Finally, the weights calculated in the above sections are shown in the hierarchical structure.
Figure 8. Showing the weights in the hierarchical structure
The final weight of KPI_1 is: (0.499 * 0.556) + (0.352 * 0.031) + (0.339 * 0.132) = 0.331
The final weight of KPI_2 is: (0.175 * 0.556) + (0.403 * 0.031) + (0.339 * 0.132) = 0.153
The final weight of KPI_3 is: (0.325 * 0.556) + (0.243 * 0.031) + (0.320 * 0.132) = 0.229
Thus, the priority of the ISMS KPIs is: KPI_1 > KPI_3 > KPI_2
As can be seen, our methodology is able to prioritize the ISMS KPIs that are needed to implement the ITIL security KPIs, according to the judgement of managers. The priority determined above shows that KPI_1 has a higher implementation priority in the enterprise than KPI_3, and KPI_3 has a higher priority than KPI_2. So the manager is able to select the more important KPIs and implement them.
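As an added worked example (not code from the paper or its authors), the following Python script runs Chang's extent analysis of section 4.3 end to end on the three-level hierarchy of section 5.2: it builds pairwise comparison matrices from the Table 2 scale (step 2), computes the fuzzy synthetic extents $S_i$ (substep 1), the conceivability degrees $V(S_i \ge S_k)$ (substep 2), the minimum vector $W'$, the normalized vector W (section 5.2.6), and finally aggregates the local KPI weights with the criteria weights into global priorities and a ranking (section 5.2.7). The paper's own pairwise matrices (Figure 7) are not reproduced on the page, so the judgements used here are constructed for illustration, and all names (SCALE, pairwise_matrix, chang_weights, COST_MATRIX and so on) are this example's own assumptions. The possibility function is checked against the paper's Matrix 3 extents from section 5.2.4, where it reproduces $V(S_3 \ge S_2) = 0.942$.

```python
# Added example, not from the paper: fuzzy AHP by Chang's extent analysis.
# Triangular fuzzy numbers (TFNs) are (l, m, u) tuples.

# Linguistic scale of Table 2 (the paper's values).
SCALE = {
    "exactly_equal": (1.0, 1.0, 1.0),
    "approximately_equal": (0.5, 1.0, 1.5),
    "low": (1.0, 1.5, 2.0),
    "stronger": (1.5, 2.0, 2.5),
    "very_stronger": (2.0, 2.5, 3.0),
    "absolutely_stronger": (2.5, 3.0, 3.5),
}


def reciprocal(tfn):
    """Reciprocal TFN: a_ji = 1 / a_ij, so (l, m, u) -> (1/u, 1/m, 1/l)."""
    l, m, u = tfn
    return (1.0 / u, 1.0 / m, 1.0 / l)


def pairwise_matrix(n, judgments):
    """Build an n x n TFN pairwise comparison matrix (step 2) from the
    upper-triangle judgments {(i, j): scale_label}; the diagonal is
    (1, 1, 1) and the lower triangle holds the reciprocals."""
    mat = [[SCALE["exactly_equal"] for _ in range(n)] for _ in range(n)]
    for (i, j), label in judgments.items():
        mat[i][j] = SCALE[label]
        mat[j][i] = reciprocal(SCALE[label])
    return mat


def synthetic_extents(mat):
    """Substep 1: S_i = sum_j M_ij (x) [sum_i sum_j M_ij]^-1, where the
    inverse of a TFN sum is (1/sum u, 1/sum m, 1/sum l)."""
    row_sums = [tuple(sum(cell[k] for cell in row) for k in range(3)) for row in mat]
    tot_l = sum(r[0] for r in row_sums)
    tot_m = sum(r[1] for r in row_sums)
    tot_u = sum(r[2] for r in row_sums)
    return [(l / tot_u, m / tot_m, u / tot_l) for (l, m, u) in row_sums]


def possibility(s_i, s_k):
    """Substep 2: degree of possibility V(S_i >= S_k) for two TFNs."""
    l_i, m_i, u_i = s_i
    l_k, m_k, u_k = s_k
    if m_i >= m_k:
        return 1.0
    if l_k >= u_i:
        return 0.0
    return (l_k - u_i) / ((m_i - u_i) - (m_k - l_k))


def chang_weights(mat):
    """d'(A_i) = min over k != i of V(S_i >= S_k), then normalised to W."""
    s = synthetic_extents(mat)
    n = len(s)
    d_prime = [min(possibility(s[i], s[k]) for k in range(n) if k != i)
               for i in range(n)]
    total = sum(d_prime)  # >= 1: the extent with the largest m always scores 1
    return [d / total for d in d_prime]


def global_priorities(local, criteria_w):
    """Section 5.2.7: final weight of KPI a = sum over criteria c of W_c * W_{a|c}."""
    n_alt = len(local[0])
    return [sum(criteria_w[c] * local[c][a] for c in range(len(criteria_w)))
            for a in range(n_alt)]


def ranking(names, weights):
    """Names sorted by descending weight."""
    return [name for _, name in sorted(zip(weights, names), reverse=True)]


# Constructed judgements (hypothetical; the paper's Figure 7 matrices are not
# on the page). Indices 0..2 mean KPI_1..KPI_3, or cost/stability/risk.
COST_MATRIX = pairwise_matrix(3, {(0, 1): "stronger", (0, 2): "low",
                                  (1, 2): "approximately_equal"})
STABILITY_MATRIX = pairwise_matrix(3, {(0, 1): "approximately_equal",
                                       (0, 2): "low", (1, 2): "stronger"})
RISK_MATRIX = pairwise_matrix(3, {(0, 1): "very_stronger", (0, 2): "stronger",
                                  (1, 2): "approximately_equal"})
CRITERIA_MATRIX = pairwise_matrix(3, {(0, 1): "very_stronger", (0, 2): "stronger",
                                      (1, 2): "low"})
KPI_NAMES = ["KPI_1", "KPI_2", "KPI_3"]


def run_example():
    """End-to-end run on the constructed matrices; returns every stage."""
    local = [chang_weights(m) for m in (COST_MATRIX, STABILITY_MATRIX, RISK_MATRIX)]
    criteria_w = chang_weights(CRITERIA_MATRIX)
    final = global_priorities(local, criteria_w)
    return {"local": local, "criteria": criteria_w, "final": final,
            "ranking": ranking(KPI_NAMES, final)}


if __name__ == "__main__":
    result = run_example()
    for name, w in zip(KPI_NAMES, result["final"]):
        print(f"{name}: {w:.3f}")
    print("priority:", " > ".join(result["ranking"]))
```

One caveat worth checking in any run: Chang's extent analysis assigns $d'(A_i) = 0$, and hence zero final weight, to an alternative whose synthetic extent lies entirely below another's ($l_k \ge u_i$), so a zero in the output is a signal to revisit the manager's judgements rather than evidence that the KPI has no priority.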
5.3. The Advantages of the Proposed Approach
We now consider the advantages of the suggested methodology. The main advantages of the proposed approach are as follows:
Creating a collaborative platform between ITIL and ISMS.
Establishing better information security by implementing ISMS in ITIL.
Managers can decide better when implementing the information security scope in the enterprise.
Creating clear views of ITIL security KPIs.
The ability to rate ISMS KPIs with quantitative values.
6. Conclusion
In this paper, we proposed a new methodology to create a framework for mapping ITIL security KPIs to the related KPIs in an Information Security Management System (ISMS). We applied a fuzzy algorithm to obtain the priority of the ISMS KPIs that are related to ITIL security management KPIs. The advantage of this method is creating a collaborative platform between ITIL and ISMS KPIs and improving security in enterprises that implement ITIL. With this approach, managers are able to decide which ISMS KPIs to apply in an ITIL implementation.
References
[1] Hochstein, A.; Zarnekow, R.; Brenner, W.: ITIL as common practice reference model for IT service management: formal assessment and implications for practice. In: Proceedings of the 2005 IEEE International Conference on e-Technology, e-Commerce and e-Service (EEE '05), Gallen, Switzerland, pp. 704-710 (2005)
[2] Jim Clinch: ITIL V3 and Information Security. Best Management Practice website managed and published by TSO in conjunction with the Cabinet Office (part of HM Government) and APMG, White Paper (2009)
[3] James Doss: Integrating other Frameworks and Methodologies Complementary to ITIL. TSO information & publishing solutions, White Paper (2010)
[4] An Introductory Overview of ITIL V3. itSMF, The IT Service Management Forum, published in the UK by the IT Service Management Forum Limited, ISBN 0-9551245-8-1
[5] http://www.pmtrainingonline.com, last visited in 2012
[6] ITIL Version 3 Service Strategy. Crown copyright 2007, produced under license from OGC (2007)
[7] ITIL Version 3 Service Design. Crown copyright 2007, produced under license from OGC (2007)
[8] ITIL Version 3 Service Transition. Crown copyright 2007, produced under license from OGC (2007)
[9] ITIL Version 3 Service Operation. Crown copyright 2007, produced under license from OGC (2007)
[10] ITIL Version 3 Service Operation. Crown copyright 2007, produced under license from OGC (2007)
[11] http://www.iso.org
[12] Zadeh, L.A.: "Fuzzy sets". Information and Control 8 (3): 338-353 (1965)
[13] Saaty, T.L.: The Analytic Hierarchy Process. New York: McGraw Hill International (1980). Translated to Russian, Portuguese, and Chinese; revised editions, paperback (1996, 2000), Pittsburgh: RWS Publications
[14] Saaty, T.L.: Multicriteria decision making: The analytic hierarchy process. RWS Publications, Pittsburgh, PA (1988)
[15] Chang, D.Y.: Extent Analysis and Synthetic Decision. Optimization Techniques and Applications, World Scientific, Singapore, 1, 352 (1992)
[16] Nüfer Yasin Ateş, Sezi Çevik, Cengiz Kahraman, Murat Gülbay and S. Ayça Erdoğan: "Multi Attribute Performance Evaluation Using a Hierarchical Fuzzy TOPSIS Method". Istanbul Technical University, Department of Industrial Engineering, 34367 Maçka, Istanbul, Turkey (2006)
[17] Aşkın Özdağoğlu, Güzin Özdağoğlu: "Comparison of AHP and Fuzzy AHP for the Multicriteria Decision Making Processes with Linguistic Evaluations". İstanbul Ticaret Üniversitesi Fen Bilimleri Dergisi, Yıl: 6, Sayı: 11, Bahar 2007/1, pp. 65-85 (2007)
[18] Praxiom Research Group Limited, 9619 - 100A Street, Edmonton, Alberta, T5K 0V7, Canada, http://www.praxiom.com
[19] M.H. Vahidnia, A. Alesheikh, A. Alimohammadi, A. Bassiri: Fuzzy Analytical Hierarchy Process in GIS Application. The International Archives of the Photogrammetry, Remote Sensing and Spatial Information Sciences, Vol. XXXVII (2008)