ABSTRACT

This chapter illustrates a case of information risk assessment using the decision-making trial and evaluation laboratory (DEMATEL) method and the DEMATEL-based analytic network process (DANP). DEMATEL and DANP are expected to handle conflicting criteria that exhibit dependence and feedback in the model. Information risk factors usually influence each other, whereas traditional risk assessment methods are constrained by the assumption that the criteria or factors are independent. To resolve this issue, an information security risk control assessment model that combines DEMATEL and ANP is adopted; it falls into the category of multiple attribute decision making. The risk management process comprises four stages: plan, do, check, and act. Since each department is requested to regularly examine and check its vulnerability to external threats, the plausible underperforming subgoals/aspects/criteria should be highlighted after each evaluation. The source factors can be identified by DEMATEL analysis, and the management team may then plan the required actions accordingly.
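As an added illustration of the DEMATEL step the abstract refers to (not code from the chapter), the script below builds the total-relation matrix from a direct-influence matrix and classifies each factor as a net cause ("source factor") or net effect; the four information security risk factors and their 0-4 influence scores are constructed sample values.

```python
"""DEMATEL on a constructed direct-influence matrix of information security
risk factors.  Factor names and scores are assumed sample values
(0 = no influence ... 4 = very high influence), not data from the chapter."""

FACTORS = ["Weak access control", "Unpatched systems",
           "Phishing susceptibility", "Data breach"]

# Constructed direct-relation matrix A: A[i][j] = influence of factor i on j.
DIRECT = [
    [0, 1, 2, 4],
    [1, 0, 1, 3],
    [2, 1, 0, 3],
    [0, 0, 0, 0],   # a breach is an outcome here; it influences nothing
]


def invert(m):
    """Gauss-Jordan inverse of a square matrix (pure Python, no numpy)."""
    n = len(m)
    a = [list(map(float, row)) + [1.0 if i == j else 0.0 for j in range(n)]
         for i, row in enumerate(m)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[pivot] = a[pivot], a[col]
        p = a[col][col]
        a[col] = [x / p for x in a[col]]
        for r in range(n):
            if r != col:
                f = a[r][col]
                a[r] = [x - f * y for x, y in zip(a[r], a[col])]
    return [row[n:] for row in a]


def dematel(direct):
    """Return (total-relation matrix T, prominence r+c, relation r-c)."""
    n = len(direct)
    # Normalise by the larger of the maximum row sum and maximum column sum.
    s = max(max(sum(row) for row in direct),
            max(sum(direct[i][j] for i in range(n)) for j in range(n)))
    d = [[x / s for x in row] for row in direct]
    i_minus_d = [[(1.0 if i == j else 0.0) - d[i][j] for j in range(n)] for i in range(n)]
    inv = invert(i_minus_d)
    t = [[sum(d[i][k] * inv[k][j] for k in range(n)) for j in range(n)]
         for i in range(n)]                               # T = D (I - D)^-1
    r = [sum(row) for row in t]                           # influence given
    c = [sum(t[i][j] for i in range(n)) for j in range(n)]  # influence received
    return t, [ri + ci for ri, ci in zip(r, c)], [ri - ci for ri, ci in zip(r, c)]


def cause_factors(direct, names):
    """Factors with positive r-c are net causes: the source factors to act on."""
    _, _, relation = dematel(direct)
    return [name for name, rel in zip(names, relation) if rel > 0]
```

Factors with the largest r+c are the most prominent in the system; those with positive r-c drive the others and are the ones the management team would prioritise in the "act" stage.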