Establishing the Business Value of Network Security Using Analytical Hierarchical Process
Susan J. Chinburg (Oklahoma State University, USA), Ramesh Sharda (Oklahoma State University, USA) and Mark Weiser (Oklahoma State University, USA)
Copyright: © 2003
Information technology (IT) has become a critical functionality for business today. Choosing the appropriate network security that will protect IT functions and meet business needs can be a bewildering but necessary process. The problem is deciding what and how much to do. The objective of this paper is to propose a new process that will facilitate the mapping of network security to the business’s priorities using well-known classification schemes and decision support systems. Establishing a relationship between such diverse functions requires that the two areas be described in terms that can be related. Network security is described in terms of services and mechanisms that provide the functionality using the Open System Interconnection (OSI) Security Architecture classification. Business value and activities are described using Michael Porter’s business value chain. First, the classification schemes for each area are subjectively related to establish an initial functionality/business value relationship. Second, a decision support tool called analytic hierarchy process (AHP) is used to establish an analytical and more objective relationship between the two classification schemes. The result of this work is a prioritized list of security services related to business needs instead of just being driven by technological criteria. An example that illustrates this concept is described in the paper. To the best of the authors’ knowledge, this is the first application of AHP in the decision-making process of choosing network security in relationship to business needs.
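As an added illustration (not code or data from the paper), the sketch below runs a two-level AHP that weights the five OSI security services against value-chain activities and reports a consistency ratio. The hierarchy, the choice of three of Porter's primary activities, every pairwise judgment, and the function names are assumptions constructed for this example.

```python
# Added illustration, not from the paper: every judgment below is constructed.
SERVICES = ["authentication", "access control", "data confidentiality",
            "data integrity", "non-repudiation"]            # OSI security services
ACTIVITIES = ["operations", "marketing and sales", "service"]  # subset of Porter's activities
RI = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12}            # Saaty's random consistency index

def reciprocal(n, upper):
    """Expand row-major upper-triangle judgments into a full reciprocal matrix."""
    m = [[1.0] * n for _ in range(n)]
    it = iter(upper)
    for i in range(n):
        for j in range(i + 1, n):
            m[i][j] = float(next(it))
            m[j][i] = 1.0 / m[i][j]
    return m

def priorities(m, iters=200):
    """Return (weights, consistency_ratio) from the principal eigenvector."""
    n = len(m)
    w = [1.0 / n] * n
    for _ in range(iters):                       # power iteration
        v = [sum(m[i][j] * w[j] for j in range(n)) for i in range(n)]
        w = [x / sum(v) for x in v]
    lam = sum(sum(m[i][j] * w[j] for j in range(n)) / w[i] for i in range(n)) / n
    ci = (lam - n) / (n - 1) if n > 1 else 0.0
    return w, (ci / RI[n] if RI[n] else 0.0)

ACTIVITY_JUDGMENTS = [3, 5, 2]   # importance of each activity to the business
# Importance of each service to one activity (10 pairwise judgments each).
SERVICE_JUDGMENTS = {
    "operations":          [1, 2, 1/2, 3, 2, 1/2, 3, 1/3, 2, 5],
    "marketing and sales": [1, 1/3, 1, 2, 1/3, 1, 2, 3, 5, 2],
    "service":             [2, 3, 2, 4, 2, 1, 3, 1/2, 2, 3],
}

def rank_services():
    """Combine both levels; return (sorted [(service, weight)], worst CR seen)."""
    act_w, worst = priorities(reciprocal(3, ACTIVITY_JUDGMENTS))
    total = [0.0] * len(SERVICES)
    for a, aw in zip(ACTIVITIES, act_w):
        w, cr = priorities(reciprocal(5, SERVICE_JUDGMENTS[a]))
        worst = max(worst, cr)
        total = [t + aw * x for t, x in zip(total, w)]
    return sorted(zip(SERVICES, total), key=lambda p: -p[1]), worst

if __name__ == "__main__":
    ranked, worst_cr = rank_services()
    print("worst consistency ratio:", round(worst_cr, 3))
    print("\n".join(f"{n:22s} {w:.3f}" for n, w in ranked))
```

A consistency ratio above roughly 0.10 is the conventional AHP signal that the pairwise judgments contradict each other and should be revisited before the ranking is used.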