Title: An Aggregated Fuzzy Model for the Selection of a Managed Security Service Provider
Authors: Alireza Shahrasbi, Mehdi Shamizanjani, M. H. Alavidoost and Babak Akhgar (A.shahrasbi@ut.ac.ir)
Subject: Information and knowledge management
Publish: 2017
Status: full text
Source: International Journal of Information Technology & Decision Making (DOI: 10.1142/S0219622017500158)
Preparation: Scientific Database Management Journal Articles www.SYSTEM.parsiblog.com
Abstract
In this study, by analyzing the related literature, the companies providing security services and, more importantly, the data provided by a group of experts, a novel set of 39 criteria is extracted which assists the Managed Security Service Provider (MSSP) selection process. The set is further categorized into eight general classes. The validity and weights of these criteria are measured by a group of experts in Iran. Due to the large number and often conflicting criteria, and the qualitative nature of the evaluations of the service providers, fuzzy multi-criteria decision-making methods (FMCDM) are adopted. In order to demonstrate the application of the proposed model, a numerical example is included, in which eight service providers are evaluated by four decision makers applying fuzzy TOPSIS, fuzzy VIKOR, fuzzy Group ELECTRE, and fuzzy SAW methods. Owing to the variations of the outputs of the applied MCDM methods, they are further analyzed by an aggregation method to propose a unique service provider. A comparison between the output of the aggregation method and the four applied Fuzzy MCDM methods is also made with the help of Euclidean, Hamming, Manhattan and Chebyshev distances. The comparison shows the minimum diversion between the outputs of the Fuzzy TOPSIS and the aggregation method, which indicates the appropriateness of the fuzzy TOPSIS method in this particular problem.
Key words: Managed security service provider selection; Information technology services outsourcing; Security outsourcing; Fuzzy multi-criteria decision making; Aggregation method; MCDM methods comparison

1-    INTRODUCTION
    Many researchers have focused on outsourcing for a long time. More or less, all agree on the definition of outsourcing; Outsourcing is the act of transferring one or more activities to external providers who will be responsible for managing and conducting that activity, on behalf of the outsourcer company [1].
    Outsourcing of IT/IS  services is another topic which has also interested experts and researchers during the last years [2]. Willcocks, Lacity and Fitzgerald defined it as “handing over to third-party management, for required result, some or all of an organization’s IT information systems and related services” [3]. In 1996, Grover and others presented it as “practice of turning over part or all of an organization’s IS function to external service provider(s).” Three common components can be derived from all these definitions. Firstly, all or part of an organization’s IS function will be delivered by an external provider; secondly, the external provider will be responsible for the outsourced activity; and finally, customer will transfer the responsibility of hiring employees and installing computer infrastructures to the external provider [4]. Researchers have mentioned the following points as the reasons for outsourcing of IS/IT activities: cost reduction [5], focus on company’s core competencies, gaining flexibility in face of rapid business and environmental changes, access to efficient and effective resources [5], improved productivity, coping with continuous improvements, exploiting the supplier’s deep expertise and knowledge, maximizing aggregate value for the firm, reducing risk, improving the quality of services, eliminating everyday problems and finally, focusing on IS strategic issues [6-8].
    Gartner defines managed security services as "the remote management or monitoring of IT security functions delivered via remote security operations centers (SOCs), not through personnel on-site" [9, 10]. According to the Gartner research, conducted in 2013, the managed security service (MSS) market is a fast-growing one compared to other security market segments with a compound annual growth rate of 16.6%. They have also estimated that the MSS market will grow from US12$ billion in 2013 to more than US22.5$ billion in 2017 [10]. In addition, they have claimed that the highest future growth rate will be in the emerging Asia/Pacific region. The reasons for this rapid expansion in the MSS market are as follows: advancing threats across the globe, major data breaches, the expanding regulatory environment [10], reducing costs, and improving security capabilities [11]. According to the Forrester’s research, a growth rate of 30% to 40% is estimated per year for the MSS market, and this prediction is based on three primary reasons: first, organizations can benefit from better resources, talent and lower price; second, the CIO’s  need for a strategic and long term relationship with a security provider partner , and third, is the client’s need for advanced technologies such as threat intelligence and correlation analysis, which requires experienced analysts [11].
    In the past two decades, many researchers have used different decision-making methods for evaluation and selection of the right supplier, but most of which have been conducted in production sector with only a few works in the field of services [12]. Results provided by Yang, Wang, Liou, Oke, Jain, Gewald, Chen, Feng, Hsu [8, 12-17] are examples of such models in the field of service provider selection. Although there are many emerging outsourcing trends, which academics have contributed to practice, a few works have been done specifically on the MSSP selection and they are just limited to introducing some selection criteria. Therefore, the absence of a comprehensive model which covers a complete set of criteria as well as a decision model has motivated authors for investigating this research area. The selection of such a partner is crucial and necessitates the consideration of many criteria. Due to the weakness of human mind in processing conflicting criteria and linguistic evaluations of the service providers, fuzzy multi-criteria decision-making methods should be applied in such a selection [18]. The aim of this paper is to propose a comprehensive set of criteria as well as a fuzzy-based model for the selection of an MSSP. The model can be used by the industry practitioners to facilitate the selection process. The proposed decision model encompasses the application of four popular FMCDM methods included by an aggregation method. When selecting the FMCDM methods, two factors have been considered; first, being widely used in the literature and second, being compatible with the problem conditions. Decision-making process is always expected to provide a unique output, whereas MCDM methods usually yield different results. In order to unify the different outputs of the methods, the aggregation method has also been applied.    
    The remainder of this paper is organized as follows. In section 2, authors have precisely defined the problem, the necessity and the importance of such a selection and the research methodology. In section 3, the fuzzy set theory, the four applied FMCDM methods as well as the aggregation method and the mathematical distances, used for comparing the results, have been explained step by step. The derived criteria within their related categories have been elaborated in section 4, according to their relative importance. In Section 5, the results of the numerical example have been illustrated to better understand the proposed method. Finally, the conclusion and the future works have been presented in section 6.

2-     PROBLEM DEFINITION AND THE RESEARCH METHODOLOGY
    Data breach reports demonstrate that many companies in financial or retail sector may be the victims of attacks despite adopting security considerations [19]. The fact that every company can be considered as a target for an attack implies the necessity for adopting security implications. Hence, selecting the right service provider is a critical issue on which many researchers have focused in recent years. However, it is clear that when it comes to the security outsourcing, a complete set of criteria should be considered.
    Apart from advantages of outsourcing [20], it has some disadvantages and risks [21], which professionals believe can be substantially reduced by considering a set of initial points. Probably the most important concern is MSSP’s access to organization’s mission-critical and sensitive information assets, which can be misused to ruin the company’s reputation, and leave employees with a feeling of untrustworthiness [22, 23]. Ignoring the rational process of considering the service providers can lead to outsourcing failure. It is widely accepted that the high failure rate of IT/IS outsourcing projects, to a large extent, happens mostly as a result of wrong selection and incorrect decision-making. Many researchers have focused on IT/IS outsourcing decision-making models, and have proposed invaluable models for making this kind of intricate and critical decisions [4-7, 13, 24-27], which if not made cautiously, can cause a company to lose its competencies, reputation, and customer trust.
    Authors have exhaustively reviewed the literature for a comprehensive model which can cover all aspects of the necessary evaluation for such a selection. Unfortunately, aside from some scattered efforts to define a complete set of criteria, there has been no complete and convergent set proposed by research groups and the companies working in this field. This gap in academic literature has triggered the authors to look for a reliable comprehensive model for helping the decision makers.
    In order to gather data for this research, content analysis methodology has been adopted. In the first step, the authors have reviewed articles regarding IT service outsourcing and IT service provider selection in general and not limited to security in order to find all researchers’ proposed models and criteria. In the second step, the articles dealing with the reasons, advantages, and disadvantages of security outsourcing have been studied.  Unfortunately, there has been only some scattered research performed by industry experts in the field of security service provider selection and very few has been done by academic researchers, although this is a field which demands a considerable amount of care and attention from academia. Based on this academic research gap, the authors have gathered related articles, along with performing reviews on products, services, and features of the leading MSSPs’ services in North America (such as IBM, Dell Secure Works, Symantec, Verizon, TrustWave, CSC, and AT&T, which are ranked as the leaders by the Forrester research [11]). A set of criteria for the selection of the right MSSP has also been extracted. This set is first, validated by a group of experts. Then, it is further evaluated by another group of professionals in terms of their level of importance and effective weights in decision-making process. The detailed information of the experts and their affiliations has been demonstrated in Appendix 1.
    Imprecision in MCDM models can be demonstrated using fuzzy set theory to define criteria weights and their levels of importance [28]. In this paper, authors have applied Fuzzy MCDM methods to solve the MSSP selection problem. Due to the variety of the MCDM models, choosing the most appropriate method is another MCDM problem by itself [29]. Actually, it is impossible to determine which MCDM model is the best amongst others; owing to the fact that they perform the selection operation by different algorithms [29]. However, virtually all MCDM methods, aside from their alternative selection algorithms, consist of common procedures of generating the alternatives, devising the related criteria, defining their weights and applying the ranking method [28].
    In order to increase decision-making process reliability, some researchers apply different MCDM methods and aggregate their outputs [29]. Typical aggregation methods, which are further elaborated, includes average function, Borda and the Copeland.
    Due to the criticality of the issue, in this paper, Fuzzy TOPSIS , Fuzzy VIKOR , Fuzzy Group ELECTRE  and the Fuzzy SAW  approaches have been applied. As expected, the methods have yielded different results [30]. Hence, an aggregation method, which is proposed by Jahan et al. [29], is applied to propose a unique reliable result. Furthermore, in order to compare the outputs, the Euclidean, Manhattan, Chebyshev and Hamming distances between the outputs of the mentioned FMCDM methods and the aggregation method are calculated. The overall procedure of this study is described through a series of steps depicted in Fig.1

    3- FUZZY SET THEORY AND THE FUZZY MULTI-CRITERIA DECISION-MAKING METHODS
    When adopting different MCDM approaches [31-33] in the context of service provider selection [34], it is very hard for decision makers to determine the exact performance value of the alternatives in terms of each criterion. In addition, since the human perception is always vague and difficult to measure, the use of crisp data cannot actually present the real situation [18]. Statistical decision-making methods can only model some insufficient knowledge about the external environment [18]. Fuzzy set theory is the approach to help decision makers to deal with aforementioned vagueness, which plays a pivotal role in decision-making process to represent the decision makers’ subjective means [35].
    The fuzzy set theory handles the mentioned vagueness ambiguities by its membership degree which is calculated from the membership function [18, 36]. The membership degree can be a number between 0 and 1, which is different from the classical sets that are represented by either 0 or 1 [18]. There are different kinds of fuzzy numbers and membership functions. In this paper, triangular fuzzy numbers which is shown by the triplet (a_1,a_2,a_3) has been adopted [37]. After deriving a set of criteria in terms of the eligibility of an MSSP, the experts were asked to determine the weights of the criteria by a number from 1 to 10, which are also converted to fuzzy numbers [table 1]. While experts are capable of determining the weights of the criteria by a definite number, it will be very hard to exactly represent the status of a service provider by a crisp number for each criterion. Hence, the experts have applied linguistic evaluations of the alternatives, which are then converted to fuzzy numbers for the necessary calculations [table 2].

.

.

.

6- CONCLUSION
      There are many managerial and technical concerns regarding the outsourcing of security services, whether off-shore or in-shore. Unfortunately, the literature in this field, which is usually proposed by the industry practitioners, is often limited to a number of technical criteria. In this paper, a comprehensive set of managerial and technical criteria is proposed by reviewing both the general IS/IT service outsourcing models, and the related security literature published in recent years. Authors have extracted 39 criteria in 8 general categories with the aid of the literature and the experts’ opinions. Each criterion in this list has its own weight in decision-making process, which has been obtained by averaging the experts’ scores about the level of importance of the criteria. The list of the criteria and their weights, sorted by their relative rankings, has been demonstrated in tables 10 and 11.

Table 10. The list of the derived categories and their level of importance according to the experts’ opinions

Table 11. The list of the 39 criteria (regardless of the category they are located in) sorted by their weights

    As most of the MSSPs’ appraisals are vague and expressed by linguistic variables, the fuzzy approach has been adopted. Different MCDM methods often yield different results which are really confusing for the decision makers. In order to increase the accuracy of decision-making process, we have adopted Fuzzy TOPSIS, Fuzzy VIKOR, Fuzzy Group ELECTRE and Fuzzy SAW. These FMCDM methods are the ones which in addition to having consistency with the problem conditions, have a wide application and acceptance in supplier selection problems. As expected, the methods yielded different results. These variations happen as a result of the different algorithms of the FMCDM methods, and no one can claim that one method is always better than the others. Consequently, authors have used the aggregation method to obtain a unique reliable result. In order to have a comparison between the outcome of the aggregation and the FMCDM methods, the Euclidean, Hamming, Manhattan and Chebyshev distances have been calculated. The comparisons demonstrate the minimum divergence between the outputs of the aggregation and the fuzzy TOPSIS, which displays the suitability of this method for this particular problem.
    The selection model provided by this paper can facilitate the selection of a managed security service provider by the industry decision makers. Adding more managerial and technical criteria to the proposed set of criteria to make it more exhaustive; determining the criteria weights by a larger group of experts; building a multi-criteria decision support system on the basis of the model, are some improvements that can be investigated in future works.


REFERENCES
[1]    K. Altinkemer, A. Chaturvedi, and R. Gulati, "Information systems outsourcing: Issues and evidence," International Journal of Information Management, vol. 14, pp. 252-268, 1994/08/01 1994.
[2]    L. Willcocks, "Machiavelli, management and outsourcing: still on the learning curve," Strategic Outsourcing: An International Journal, vol. 4, pp. 5-12, 2011.
[3]    L. Willcocks, M. Lacity, and G. Fitzgerald, "Information technology outsourcing in Europe and the USA: Assessment issues," International Journal of Information Management, vol. 15, pp. 333-351, 1995/10/01 1995.
[4]    C. Yang and J.-B. Huang, "A decision model for IS outsourcing," International Journal of Information Management, vol. 20, pp. 225-239, 6// 2000.
[5]    A. A. Bush, A. Tiwana, and H. Tsuji, "An empirical investigation of the drivers of software outsourcing decisions in Japanese organizations," Information and Software Technology, vol. 50, pp. 499-510, 5// 2008.
[6]    Y.-H. Chen, T.-C. Wang, and C.-Y. Wu, "Strategic decisions using the fuzzy PROMETHEE for IS outsourcing," Expert Systems with Applications, vol. 38, pp. 13216-13222, 9/15/ 2011.
[7]    M. C. Lacity, S. A. Khan, and L. P. Willcocks, "A review of the IT outsourcing literature: Insights for practice," The Journal of Strategic Information Systems, vol. 18, pp. 130-146, 9// 2009.
[8]    D.-H. Yang, S. Kim, C. Nam, and J.-W. Min, "Developing a decision model for business process outsourcing," Computers & Operations Research, vol. 34, pp. 3769-3778, 12// 2007.

[9]    K. M. Kavanagh, "Magic Quadrant for MSSPs, North America," Gartner Group 2012.

[10]    L. Pingree, "Market Trends: Managed Security Services Worldwide," Gartner Group 2013..

فایل متن کامل این مقاله را در کانال تلگرام مدرسه مدیریت دانلود نمایید:

TELEGRAM: @Mschool