Introduction
Literature review
Study | Version of fuzzy set | Applied MCDA method | Application area | Additional traditional RA method used |
---|---|---|---|---|
Gul and Ak [28] | Pythagorean fuzzy set | AHP, TOPSIS | Mining | 5 × 5 risk matrix |
Gul [31] | Pythagorean fuzzy set | AHP, VIKOR | Manufacturing | – |
Oz et al. [21] | Pythagorean fuzzy set | TOPSIS | Pipeline construction | 2-Dimensional risk matrix |
Karasan et al. [33] | Pythagorean fuzzy set | AHP | Construction | FMEA, Fine–Kinney |
Ilbahar et al. [32] | Pythagorean fuzzy set | AHP | Construction | FMEA, Fine–Kinney |
Carpitella et al. [29] | Trapezoidal fuzzy set | AHP, TOPSIS | Environment | FMECA |
Gul et al. [18] | Trapezoidal fuzzy set | AHP, VIKOR | Manufacturing | Fine–Kinney |
Gul et al. [42] | Triangular fuzzy set and Pythagorean fuzzy set | AHP | Transportation | – |
Fattahi and Khalilzadeh [50] | Triangular fuzzy set | AHP, MULTIMOORA | Manufacturing | FMEA |
Wang et al. [43] | Triangular fuzzy set | Choquet integral | Transportation | FMEA |
Wang et al. [44] | Triangular fuzzy set | Choquet integral, MULTIMOORA | Marine | Fine–Kinney |
Can and Toktas [45] | Triangular fuzzy set | DEMATEL, MABAC | Manufacturing | Fine–Kinney |
Can [46] | Intuitionistic fuzzy set | WASPAS | Manufacturing | FMEA |
Gul et al. [13] | Triangular fuzzy set | AHP, VIKOR | Healthcare | – |
Gul et al. [14] | Triangular fuzzy set | AHP, VIKOR | Marine | Fine–Kinney |
Ozdemir et al. [22] | Interval type-2 fuzzy set | AHP, VIKOR | Education | FMEA |
Yazdi [47] | Triangular fuzzy set | AHP | Chemistry | HAZOP, FTA |
Yazdi and Kabir [48] | Fuzzy possibility score | AHP | Chemistry | FTA, Bayesian Network |
Current study | Pythagorean fuzzy set | AHP, TOPSIS | Information security | – |
Method | Definition | Advantages |
---|---|---|
FTOPSIS | An MCDM technique based on the concept of choosing the solution with the shortest distance from the ideal solution and the farthest distance from the negative ideal solution, using fuzzy sets | It is more capable of handling uncertainties, considers the positive and the negative ideal points simultaneously, and has simple computation and a logical concept |
IFTOPSIS | An MCDM technique based on the concept of choosing the solution with the shortest distance from the ideal solution and the farthest distance from the negative ideal solution, using fuzzy sets whose elements have degrees of membership and non-membership | It uses a special case of the membership and non-membership functions considering the positive and the negative ideal points. It handles vagueness and uncertainty better than FTOPSIS because it considers three different grades: membership degree, hesitancy degree and non-membership degree |
PFTOPSIS | An MCDM technique based on the concept of choosing the solution with the shortest distance from the ideal solution and the farthest distance from the negative ideal solution, using fuzzy sets whose elements have degrees of membership and non-membership whose sum may be bigger than 1 but whose square sum is equal to or less than 1 | Its space of membership grades is larger than that of intuitionistic FTOPSIS |
Methodology
Pythagorean fuzzy sets and related notations
Proposed integrated approach
PAHP
PFTOPSIS
Overall picture of the proposed approach
Case study: information security RA for corrugated cardboard sector
The observed facility and risks
Risk ID | Description of the hazard | Description of associated risk |
---|---|---|
ISR1 | Loss of repairing papers | Historical data loss, delay in the plans of past jobs |
ISR2 | Loss of breakdown forms | Non-execution of analysis on changing parts and failures |
ISR3 | Non-execution of maintenance | Production stops, additional cost |
ISR4 | Late intervention in electrical faults | Increase in downtime |
ISR5 | Loss of scheduled maintenance papers | Failure in manufacturing, error, stops as a result of non-execution of daily, weekly, monthly and annual maintenance plans of the machines |
ISR6 | Loss of authorized staff, working with inexperienced staff | Increase in downtime |
ISR7 | Non-availability of spare parts | Increase in downtime, production stops |
ISR8 | Extension of spare parts procurement period | Customer loss, production stops due to non-availability of spare parts in a possible failure |
ISR9 | Failure to record all improvements, dependence on individuals, lack of follow-up | Not having an organizational memory |
ISR10 | No area where copies of investment projects and of all the documents in all facilities are kept and followed up; no backup of soft documents on the common server | Declassifying of investment plans |
Application of the proposed approach
Linguistic term (interval-valued Pythagorean fuzzy numbers) | µL | µU | vL | vU |
---|---|---|---|---|
Certainly low important (CLI) | 0.00 | 0.00 | 0.90 | 1.00 |
Very low important (VLI) | 0.10 | 0.20 | 0.80 | 0.90 |
Low important (LI) | 0.20 | 0.35 | 0.65 | 0.80 |
Below average important (BAI) | 0.35 | 0.45 | 0.55 | 0.65 |
Average important (AI) | 0.45 | 0.55 | 0.45 | 0.55 |
Above average important (AAI) | 0.55 | 0.65 | 0.35 | 0.45 |
High important (HI) | 0.65 | 0.80 | 0.20 | 0.35 |
Very high important (VHI) | 0.80 | 0.90 | 0.10 | 0.20 |
Certainly high important (CHI) | 0.90 | 1.00 | 0.00 | 0.00 |
Exactly equal (EE) | 0.1965 | 0.1965 | 0.1965 | 0.1965 |
Risk parameter | Interval-valued Pythagorean fuzzy numbers: 〈[degree of membership], [degree of non-membership]〉 = 〈[µL, µU], [vL, vU]〉 | ||
---|---|---|---|
| Likelihood | Severity | Value of information |
Likelihood | 〈[0.197, 0.197], [0.197, 0.197]〉 | 〈[0.349, 0.416], [0.382, 0.449]〉 | 〈[0.281, 0.314], [0.281, 0.314]〉 |
Severity | 〈[0.382, 0.449], [0.349, 0.416]〉 | 〈[0.197, 0.197], [0.197, 0.197]〉 | 〈[0.500, 0.600], [0.400, 0.500]〉 |
Value of information | 〈[0.281, 0.314], [0.281, 0.314]〉 | 〈[0.400, 0.500], [0.500, 0.600]〉 | 〈[0.197, 0.197], [0.197, 0.197]〉 |
Risk parameter | Likelihood | Severity | Value of information |
---|---|---|---|
Likelihood | 〈[0.000, 0.000]〉 | 〈[−0.080, 0.027]〉 | 〈[−0.020, 0.020]〉 |
Severity | 〈[−0.027, 0.080]〉 | 〈[0.000, 0.000]〉 | 〈[0.000, 0.200]〉 |
Value of information | 〈[−0.020, 0.020]〉 | 〈[−0.020, 0.000]〉 | 〈[0.000, 0.000]〉 |
Risk parameter | Likelihood | Severity | Value of information |
---|---|---|---|
Likelihood | 〈[1.000, 1.000]〉 | 〈[0.759, 1.096]〉 | 〈[0.934, 1.071]〉 |
Severity | 〈[0.912, 1.317]〉 | 〈[1.000, 1.000]〉 | 〈[1.000, 1.995]〉 |
Value of information | 〈[0.934, 1.071]〉 | 〈[0.501, 1.000]〉 | 〈[1.000, 1.000]〉 |
Risk parameter | Likelihood | Severity | Value of information |
---|---|---|---|
Likelihood | 1.000 | 0.894 | 0.960 |
Severity | 0.894 | 1.000 | 0.800 |
Value of information | 0.960 | 0.800 | 1.000 |
Risk parameter | Likelihood | Severity | Value of information |
---|---|---|---|
Likelihood | 1.000 | 0.829 | 0.963 |
Severity | 0.996 | 1.000 | 1.198 |
Value of information | 0.963 | 0.601 | 1.000 |
Linguistic term | Corresponding Pythagorean fuzzy number (u, v) |
---|---|
Extremely low (EL) | (0.10, 0.99) |
Very little (VL) | (0.10, 0.97) |
Little (L) | (0.25, 0.92) |
Middle little (ML) | (0.40, 0.87) |
Middle (M) | (0.50, 0.80) |
Middle high (MH) | (0.60, 0.71) |
Big (B) | (0.70, 0.60) |
Very tall (VT) | (0.80, 0.44) |
Tremendously high (TH) | (0.10, 0.00) |
Risk ID | Likelihood | Severity | Value of information |
---|---|---|---|
ISR1 | P (0.1, 0.977) | P (0.15, 0.957) | P (0.1, 0.977) |
ISR2 | P (0.125, 0.965) | P (0.125, 0.962) | P (0.125, 0.965) |
ISR3 | P (0.125, 0.965) | P (0.517, 0.782) | P (0.2, 0.937) |
ISR4 | P (0.125, 0.968) | P (0.383, 0.863) | P (0.225, 0.928) |
ISR5 | P (0.1, 0.977) | P (0.225, 0.928) | P (0.1, 0.973) |
ISR6 | P (0.225, 0.928) | P (0.3, 0.903) | P (0.225, 0.928) |
ISR7 | P (0.225, 0.935) | P (0.358, 0.872) | P (0.3, 0.903) |
ISR8 | P (0.325, 0.895) | P (0.458, 0.817) | P (0.433, 0.847) |
ISR9 | P (0.1, 0.987) | P (0.125, 0.965) | P (0.458, 0.817) |
ISR10 | P (0.125, 0.965) | P (0.15, 0.953) | P (0.567, 0.737) |
Risk ID | D (Xi, X+) | D (Xi, X−) | ξ (Xi) |
---|---|---|---|
ISR1 | 0.287 | 0.083 | −3.605 |
ISR2 | 0.276 | 0.088 | −3.443 |
ISR3 | 0.143 | 0.222 | −1.148 |
ISR4 | 0.190 | 0.176 | −1.960 |
ISR5 | 0.265 | 0.105 | −3.228 |
ISR6 | 0.192 | 0.161 | −2.036 |
ISR7 | 0.161 | 0.196 | −1.494 |
ISR8 | 0.073 | 0.278 | 0.000 |
ISR9 | 0.213 | 0.163 | −2.316 |
ISR10 | 0.154 | 0.211 | −1.336 |
Comparison of the results
Value | Description of the likelihood parameter |
---|---|
1 | Very low; there is no threat to be tested |
2 | Low; the threat can rarely occur |
3 | Medium; the threat can occur |
4 | High; the threat is often repeated |
5 | Very high; the threat is not to be avoided |
Value | Description of the severity parameter |
---|---|
1 | Very low; damage that does not directly affect the operation |
2 | Low; damage that affects activity but does not interrupt |
3 | Medium; damage that interrupts activity in an insignificant level |
4 | High; damage that disrupts the activity to a loss of reputation |
5 | Very high; damage that endangers institutional sustainability |
Value | Privacy descriptions | Integrity descriptions | Accessibility descriptions |
---|---|---|---|
1 | Critical information will not be released if there is damage to the asset. The level of criticality of the information that emerges does not affect the institution | In the event of damage to the asset, the critical information changes out of control. The level of criticality of the information that changes outside of control is not affected | Critical information can be accessed if there is damage to the asset. The level of criticality of information that hurts accessibility does not affect the organization |
2 | Critical information will not be released if there is damage to the asset. The level of criticality of the information that emerges affects the institution. Impact can be compensated in the short term | In the event of damage to the asset, the critical information does not change out of control. The level of criticality of information that changes outside control affects the organization. Impact can be compensated in the short term | Critical information can be accessed if there is damage to the asset. The level of criticality of information that hurts accessibility impacts the organization. Impact can be compensated in the short term |
3 | Critical information will not be released if there is damage to the asset. The level of criticality of the information that emerges affects the institution. The effect can be compensated in the medium term | In the event of damage to the asset, the critical information changes out of control. The level of criticality of information that changes outside control affects the organization. Impact can be compensated in the short term | Critical information can be accessed if there is damage to the asset. The level of criticality of information that hurts accessibility impacts the organization. Impact can be compensated in the short term |
4 | Critical information comes to light if there is damage to the asset. The level of criticality of the information that emerges affects the institution. The effect can be compensated in the medium term | In the event of damage to the asset, the critical information changes out of control. The level of criticality of information that changes outside control affects the organization. The effect can be compensated in the medium term | Critical information is inaccessible if there is damage to the asset. The level of criticality of information that hurts accessibility impacts the organization. The effect can be compensated in the medium term |
5 | Critical information comes to light if there is damage to the asset. The level of criticality of the information that emerges affects the institution. The effect cannot be compensated or can be compensated in the long run | In the event of damage to the asset, the critical information changes out of control. The level of criticality of information that changes outside control affects the organization. The effect cannot be compensated, but it can be compensated in the long run | Critical information is inaccessible if there is damage to the asset. The level of criticality of information that hurts accessibility impacts the organization. The effect cannot be compensated or can be compensated in the long run |
Risk ID | Privacy (P) | Integrity (I) | Accessibility (A) | Value of information (VofI) = (P) + (I) + (A) | Severity (S) | Likelihood (L) | Risk score value (S)*(L)*[(P) + (I) + (A)] |
---|---|---|---|---|---|---|---|
ISR1 | 2 | 2 | 2 | 6 | 2 | 1 | 12 |
ISR2 | 2 | 2 | 2 | 6 | 2 | 1 | 12 |
ISR3 | 2 | 2 | 2 | 6 | 4 | 2 | 48 |
ISR4 | 3 | 3 | 3 | 9 | 4 | 2 | 72 |
ISR5 | 2 | 2 | 2 | 6 | 2 | 1 | 12 |
ISR6 | 2 | 2 | 2 | 6 | 3 | 3 | 54 |
ISR7 | 3 | 2 | 2 | 7 | 4 | 3 | 84 |
ISR8 | 3 | 3 | 3 | 9 | 3 | 4 | 108 |
ISR9 | 4 | 4 | 4 | 12 | 2 | 2 | 48 |
ISR10 | 4 | 4 | 4 | 12 | 4 | 2 | 96 |
| Classical method | Proposed approach (PFAHP–PFTOPSIS) | PFAHP–PFVIKOR | PFAHP–PFMOORA |
---|---|---|---|---|
Classical method | 1 | | | |
Proposed approach (PFAHP–PFTOPSIS) | 0.91 | 1 | | |
PFAHP–PFVIKOR | −0.92 | −0.97 | 1 | |
PFAHP–PFMOORA | 0.91 | 0.99 | −0.964 | 1 |
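
Added example (not code from the paper): it recomputes the classical risk scores with (S)*(L)*[(P) + (I) + (A)], ranks the ten risks under the classical method and under the proposed approach's ξ (Xi) values, and checks the 0.91 coefficient between the two. It assumes that coefficient is a Pearson correlation between the classical scores and ξ (Xi), and that a larger ξ (Xi) means a higher-priority risk; the page states neither.

```python
from math import sqrt

# Transcribed from the page's tables: P, I, A, severity S, likelihood L,
# published classical risk score, published PFTOPSIS closeness xi(Xi).
RISKS = {
    "ISR1": (2, 2, 2, 2, 1, 12, -3.605),
    "ISR2": (2, 2, 2, 2, 1, 12, -3.443),
    "ISR3": (2, 2, 2, 4, 2, 48, -1.148),
    "ISR4": (3, 3, 3, 4, 2, 72, -1.960),
    "ISR5": (2, 2, 2, 2, 1, 12, -3.228),
    "ISR6": (2, 2, 2, 3, 3, 54, -2.036),
    "ISR7": (3, 2, 2, 4, 3, 84, -1.494),
    "ISR8": (3, 3, 3, 3, 4, 108, 0.000),
    "ISR9": (4, 4, 4, 2, 2, 48, -2.316),
    "ISR10": (4, 4, 4, 4, 2, 96, -1.336),
}

def classical_score(p, i, a, s, l):
    """Classical risk score as given in the table header: S * L * (P + I + A)."""
    return s * l * (p + i + a)

def mismatched_scores(risks=RISKS):
    """Risk IDs whose recomputed classical score differs from the published one."""
    return [rid for rid, (p, i, a, s, l, published, _) in risks.items()
            if classical_score(p, i, a, s, l) != published]

def pearson(xs, ys):
    """Pearson correlation coefficient (assumed to be the measure the page reports)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / sqrt(sxx * syy)

def ranking(scores):
    """Risk IDs from highest to lowest score (ties keep table order)."""
    return sorted(scores, key=scores.get, reverse=True)

def compare(risks=RISKS):
    """Return (classical ranking, xi ranking, correlation of the two score sets)."""
    classical = {rid: classical_score(*v[:5]) for rid, v in risks.items()}
    xi = {rid: v[6] for rid, v in risks.items()}
    r = pearson(list(classical.values()), list(xi.values()))
    return ranking(classical), ranking(xi), r

if __name__ == "__main__":
    by_classical, by_xi, r = compare()
    print("score mismatches:", mismatched_scores())
    print("classical ranking:", by_classical)
    print("PFTOPSIS ranking: ", by_xi)
    print("Pearson r = %.3f" % r)
```

Both rankings put ISR8 first; they differ most on ISR3, which the classical score ties with ISR9 while ξ (Xi) places it second.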
Conclusion
- A new risk parameter for information security RA called value of knowledge is considered for the first time in the literature.
- The PFAHP and PFTOPSIS, which are commonly used MADM methods with Pythagorean fuzzy sets, are applied integrally to the assessment of risks for the first time in the literature. By doing this, an upgraded fuzzy MADM-based RA approach using linguistic terms with Pythagorean fuzzy set theory has been implemented. Use of Pythagorean fuzzy sets successfully managed the uncertainty and vagueness of the expert teams’ perceptions during the subjective judgment process.
- A comparative analysis is carried out with the classical RA method that the observed facility followed and with the PFAHP–PFVIKOR and PFAHP–PFMOORA approaches. Results of this analysis proved that the proposed approach can produce reasonable results and provide suitable information to assist management in risk assessment problems.