1. bookVolume 55 (2022): Issue 2 (May 2022)
Journal Details
First Published
17 Oct 2008
Publication timeframe
4 times per year
access type Open Access

Outsource or not? An AHP Based Decision Model for Information Security Management

Published Online: 23 Jun 2022
Volume & Issue: Volume 55 (2022) - Issue 2 (May 2022)
Page range: 142 - 159
Received: 03 Nov 2021
Accepted: 28 Apr 2022
Journal Details
First Published
17 Oct 2008
Publication timeframe
4 times per year

Purpose: Outsourcing information security has proven to be an efficient solution for information security management; however, it may not be the most suitable approach for every organization. This research aimed to develop a multi-criteria decision-making model that would enable organizations to determine which approach to information security management (outsourcing or internal management) is more suitable for their needs and capabilities.

Methods: Our study utilized several different research methods. First, the decision criteria were identified by reviewing related work and then selected by information security experts in a focus group. Second, a survey was conducted among information security practitioners to assign the criteria weights. Third, four use cases were conducted with four real-world organizations to assess the usability, ease of use, and usefulness of the developed model.

Results: We developed a ten-criteria model based on the analytic hierarchy process. The survey results promote performance-related criteria as more important than efficiency-focused criteria. Evidence from use cases proves that the decision model is useful and appropriate for various organizations.

Conclusion: To make informed decisions on approaching information security management, organizations must first conduct a thorough analysis of their capabilities and needs and investigate potential external contractors. In such a case, the proposed model can serve as a useful support tool in the decision-making process to obtain clear recommendations tailored to factual circumstances.


Aldya, A. P., Sutikno, S., & Rosmansyah, Y. (2019). Measuring effectiveness of control of information security management system based on SNI ISO/IEC 27004: 2013 standard. IOP Conference Series: Materials Science and Engineering, 550(1). https://doi.org/10.1088/1757-899X/550/1/012020 Search in Google Scholar

Atkinson, M. A., Bayazit, O., & Karpak, B. (2015). A case study using the Analytic Hierarchy Process for IT outsourcing decision making. International Journal of Information Systems and Supply Chain Management, 8(1), 60–84. https://doi.org/10.4018/ijisscm.2015010104 Search in Google Scholar

Atmojo, T. A., Prabowo, H., So, I. G., & Abdinagoro, S. B. (2019). Improving information security performance: the role of management support and security operation center. International Journal of Recent Technology and Engineering, 8(2), 4880–4886. https://doi.org/10.35940/ijrte.B3653.078219 Search in Google Scholar

Beckers, K., Côté, I., Faßbender, S., Heisel, M., & Hofbauer, S. (2013). A pattern-based method for establishing a cloud-specific information security management system: Establishing information security management systems for clouds considering security, privacy, and legal compliance. Requirements Engineering, 18(4), 343–395. https://doi.org/10.1007/s00766-013-0174-7 Search in Google Scholar

Beybutov, E. (2009). Managing of information security with outsource service provider. In International Siberian Conference on Control and Communications, SIBCON-2009, (pp. 62–66). Tomsk, Russia: IEEE10.1109/SIBCON.2009.5044831 Search in Google Scholar

Bojanc, R., Jerman-Blažič, B., & Tekavčič, M. (2012). Managing the investment in information security technology by use of a quantitative modeling. Information Processing and Management, 48(6), 1031–1052. https://doi.org/10.1016/j.ipm.2012.01.001 Search in Google Scholar

Božičević, J., Lovrić, I., Bartulović, D., Steiner, S., Roso, V., & Škrinjar, J. P. (2021). Determining optimal dry port location for seaport Rijeka using AHP decision-making methodology. Sustainability (Switzerland), 13(11). https://doi.org/10.3390/su13116471 Search in Google Scholar

Cezar, A., Cavusoglu, H., & Raghunathan, S. (2016). Sourcing Information Security Operations: The Role of Risk Interdependency and Competitive Externality in Outsourcing Decisions. Production and Operations Management, 26(5), 860–879. https://doi.org/10.1111/ijlh.12426 Search in Google Scholar

Chu, A. M. Y., & So, M. K. P. (2020). Organizational information security management for sustainable information systems: An unethical employee information security behavior perspective. Sustainability (Switzerland), 12(8), 1–25. https://doi.org/10.3390/SU12083163 Search in Google Scholar

Cisco. (2018). Annual Cybersecurity Report (pp. 1-68). Retrieved from: https://www.cisco.com/c/dam/m/hu_hu/campaigns/security-hub/pdf/acr-2018.pdf Search in Google Scholar

Clement, J. (2020). Amount of monetary damage caused by reported cyber crime to the IC3 from 2001 to 2019. Retrieved from: https://www.statista.com/statistics/267132/total-damage-caused-by-by-cyber-crime-in-the-us/ Search in Google Scholar

Cybersecurity Insiders. (2018). Managed Security Report. Retrieved from: https://www.cybersecurity-insiders.com/download-reports/ Search in Google Scholar

Dibbern, J., Goles, T., Hirschheim, R., & Jayatilaka, B. (2004). Information Systems Outsourcing: A Survey and Analysis of the Literature. The Data Base for Advances in Information Systems, 35(4), 6–102. https://doi.org/10.1145/1035233.1035236 Search in Google Scholar

Eduardovich, D. V., & Vladimirovich, Y. A. (2016). Reputation risks through information security incidents. In Proceedings of the 2016 IEEE North West Russia Section Young Researchers in Electrical and Electronic Engineering Conference, EIConRusNW 2016, (pp. 194–198). St. Petersburg, Russia; St. Petersburg Electrotechnical University.10.1109/EIConRusNW.2016.7448152 Search in Google Scholar

Faisal, M. N., & Raza, S. A. (2016). IT outsourcing intent in academic institutions in GCC countries: An empirical investigation and multi-criteria decision model for vendor selection. Journal of Enterprise Information Management, 29(3), 432–453. https://doi.org/10.1108/JEIM-05-2015-0042 Search in Google Scholar

Feng, N., & Chen, B. (2017). An Integrated Strategy for Information Security: Outsourcing and In-house. In E. Qi, J. Shen & R. Dou (Eds.), Proceedings of the 23rd International Conference on Industrial Engineering and Engineering Management 2016, (pp. 305–309). Bali, Indonesia: Atlantic Press. Search in Google Scholar

Feng, N., Chen, Y., Feng, H., Li, D., & Li, M. (2019). To outsource or not: The impact of information leakage risk on information security strategy. Information and Management, 57(5). https://doi.org/10.1016/j.im.2019.103215 Search in Google Scholar

Feng, N., Wang, M., Li, M., & Li, D. (2019b). Effect of security investment strategy on the business value of managed security service providers. Electronic Commerce Research and Applications, 35(March), 100843. https://doi.org/10.1016/j.elerap.2019.100843 Search in Google Scholar

Fenn, C., Shooter, R., & Allan, K. (2002). IT security outsourcing: How safe is your IT security? Computer Law and Security Report, 18(2), 109–111. https://doi.org/10.1016/S0267-3649(02)03009-1 Search in Google Scholar

Fusiripong, P., Baharom, F., & Yusof, Y. (2020). Analytic hierarchy process with firefly algorithm for supplier selection in IT project outsourcing. Journal of Theoretical and Applied Information Technology, 98(8), 1255–1269. Search in Google Scholar

Georg, L. (2017). Information security governance: pending legal responsibilities of non-executive boards. Journal of Management and Governance, 21(4), 793–814. https://doi.org/10.1007/s10997-016-9358-0 Search in Google Scholar

Goepel, K. D. (2018). Implementation of an Online Software Tool for the Analytic Hierarchy Process (AHPOS). Journal of the Analytic Hierarchy Process, 10(3), 469–487. https://doi.org/10.13033/ijahp.v10i3.590 Search in Google Scholar

Gulla, U., & Gupta, M. P. (2011). Deciding the level of information systems outsourcing: Proposing a framework and validation with three Indian banks. Journal of Enterprise Information Management, 25(1), 28–59. https://doi.org/10.1108/17410391211192152 Search in Google Scholar

Harker, P. T., & Vargas, L. G. (1987). Theory of Ratio Scale Estimation: Saaty’s Analytic Hierarchy Process. Management Science, 33(1), 1383–1403. https://doi.org/10.1287/mnsc.33.11.1383 Search in Google Scholar

He, M. X., & An, X. (2016). Information security risk assessment based on analytic hierarchy process. Indonesian Journal of Electrical Engineering and Computer Science, 1(3), 656–664. https://doi.org/10.11591/ijeecs.v1.i3.pp656-664 Search in Google Scholar

Ishizaka, A., & Siraj, S. (2018). Are multi-criteria decision-making tools useful? An experimental comparative study of three methods. European Journal of Operational Research, 264(2), 462–471. https://doi.org/10.1016/j.ejor.2017.05.041 Search in Google Scholar

Jain, R. K., & Natarajan, R. (2011). Factors influencing the outsourcing decisions: A study of the banking sector in India. Strategic Outsourcing: An International Journal, 4(3), 294–322. https://doi.org/10.1108/17538291111185485 Search in Google Scholar

Kabir, G., Sadiq, R., & Tesfamariam, S. (2014). A review of multi-criteria decision-making methods for infrastructure management. Structure and Infrastructure Engineering, 10(9), 1176-1210. https://doi.org/10.1080/15732479.2013.795978 Search in Google Scholar

Karyda, M., Mitrou, E., & Quirchmayr, G. (2006). A framework for outsourcing IS/IT security services. Information Management & Computer Security, 14(5), 403–416. https://doi.org/10.1108/09685220610707421 Search in Google Scholar

Khan, G. M., Khan, S. U., Khan, H. U., & Ilyas, M. (2022). Challenges and practices identification in complex outsourcing relationships: A systematic literature review. PLoS ONE, 17(January). https://doi.org/10.1371/journal.pone.0262710 Search in Google Scholar

Ključnikov, A., Mura, L., & Sklenár, D. (2019). Information security management in SMEs: Factors of success. Entrepreneurship and Sustainability Issues, 6(4), 2081–2094. https://doi.org/10.9770/jesi.2019.6.4(37) Search in Google Scholar

Lacity, M. C., & Willcocks, L. P. (2013). Legal process outsourcing: the provider landscape. Strategic Outsourcing: An International Journal, 6(2), 167–183. https://doi.org/10.1108/SO-11-2012-0021 Search in Google Scholar

Leszczyna, R., & Litwin, A. (2020). Estimating the Cost of Cybersecurity Activities with CAsPeA: A Case Study and Comparative Analysis. In S. Kanhere, In T. Patil, S. Sural, & M. S. Gaur (Eds.), 16th International Conference on Information Systems Security, ICISS 2020, (pp. 267–287). Springer.10.1007/978-3-030-65610-2_17 Search in Google Scholar

Liu, C. W., Huang, P., & Lucas, H. C. (2018). IT Centralization, Security Outsourcing, and Cybersecurity Breaches: Evidence from the U.S. Higher Education. In Y. J. Kim, R. Agarawal & J. K. Lee (Eds.), ICIS 2017: Transforming Society with Digital Innovation, (pp. 1–18). Seul, South Korea: Association for Information Systems. Search in Google Scholar

Marcikić, A., & Radovanov, B. (2011). A Decision Model for Outsourcing Business Activities. International Symposium Engineering Management and Competitiveness, 69–74. Search in Google Scholar

MarketsAndMarkets. (2020). Managed Security Services Market by Type (Managed IAM, Antivirus/Antimal-ware, SIEM, and UTM), Deployment Mode, Organization Size, Vertical (BFSI, Government, Retail, Healthcare, Telecom, Utilities, and Manufacturing), and Region - Global Forecast to 2025. Retrieved from: https://www.marketsandmarkets.com/Market-Reports/managed-security-services-market-5918403.html Search in Google Scholar

Moisiadis, F. (1999). Case Study on the Use of Scaling Methods for Prioritising Requirements. INCOSE International Symposium, 9(1), 1451–1457.10.1002/j.2334-5837.1999.tb00329.x Search in Google Scholar

Pakpahan, J., Eryadi, R. A., Budiman, A., Sunandar, N., Syahid, L. M., & Shihab, M. R. (2021). Critical Success Factors of IT Outsourcing in Indonesian Public Sectors: A Case Study at Employment Social Security Agency. ICOIACT 2021 - 4th International Conference on Information and Communications Technology: The Role of AI in Health and Social Revolution in Turbulence Era, (pp. 47–52). Online: IEEE. Search in Google Scholar

Ponemon Institute. (2019). The Cost of Third-Party Cybersecurity Risk Management. Retrieved from: https://www.cybergrx.com/resources/research-and-insights/ebooks-and-reports/the-cost-of-third-party-cybersecurity-risk-management Search in Google Scholar

Ponsard, C., Grandclaudon, J., & Dallons, G. (2018). Towards a cyber security label for SMEs: A european perspective. In P. Mori, S. Furnell & O. Camp (Eds.). ICISSP 2018 - Proceedings of the 4th International Conference on Information Systems Security and Privacy, (pp. 426–431). Madeira, Portugal: Springer. Search in Google Scholar

Popp, N., Jensen, J. A., McEvoy, C. D., & Weiner, J. F. (2020). An examination of the effects of outsourcing ticket sales force management. International Journal of Sports Marketing and Sponsorship, 21(2), 205–223.10.1108/IJSMS-04-2019-0046 Search in Google Scholar

Prakash, S., Soni, G., Mittal, S., & Singh Rathore, A. P. (2014). Information Risks Modeling in e-business Supply Chain using AHP. In Recent Advances in Engineering and Computational Sciences (RAECS), (pp. 1-5). Chandigarh, India: IEEE. Search in Google Scholar

Rajaeian, M. M., Cater-Steel, A., & Lane, M. (2015). IT outsourcing decision factors in research and practice: A case study. In F. Burstein, H. Scheepers & G. Deegan (Eds.). ACIS 2015 Proceedings - 26th Australasian Conference on Information Systems, (pp. 1–12). Adelaide, Australia: University of South Australia. Search in Google Scholar

Ren, Z. J., & Zhou, Y. P. (2008). Call center outsourcing: Coordinating staffing level and service quality. Management Science, 54(2), 369–383. https://doi.org/10.1287/mnsc.1070.0820 Search in Google Scholar

Russo, R. D. F. S. M., & Camanho, R. (2015). Criteria in AHP: A systematic review of literature. Information Technology and Quantitative Management, 55, 1123–1132. https://doi.org/10.1016/j.procs.2015.07.081 Search in Google Scholar

Saaty, T. L. (1980). The Analytic Hierarchy Process. Mc-Graw Hill. Search in Google Scholar

Saaty, T. L. (1990). How to make a decision: The analytic hierarchy process. European Journal of Operational Research, 48(1), 9–26. https://doi.org/10.1016/0377-2217(90)90057-I Search in Google Scholar

Saaty, T. L., & Tran, L. T. (2007). On the invalidity of fuzzifying numerical judgments in the Analytic Hierarchy Process. Mathematical and Computer Modelling, 46(7–8), 962–975. https://doi.org/10.1016/j.mcm.2007.03.022 Search in Google Scholar

Shahrasbi, A., Shamizanjani, M., Alavidoost, M. H., & Akhgar, B. (2017). An aggregated fuzzy model for the selection of a managed security service provider. International Journal of Information Technology and Decision Making, 16(3), 625–684. https://doi.org/10.1142/S0219622017500158 Search in Google Scholar

Sung, W., & Kang, S. Y. (2017). An empirical study on the effect of information security activities: Focusing on technology, institution, and awareness. In C. C. Hinnant & O. Adegboyega (Eds.). ACM International Conference Proceeding Series, (pp. 84–93). New York, New York: Association for Computing Machinery. Search in Google Scholar

Wang, G., Qin, L., Li, G., & Chen, L. (2009). Landfill site selection using spatial information technologies and AHP: A case study in Beijing, China. Journal of Environmental Management, 90(8), 2414–2421. https://doi.org/10.1016/j.jenvman.2008.12.008 Search in Google Scholar

Wang, J. J., Lin, Z. K., & Zhang, G. Q. (2008). A decision model for IS outsourcing based on AHP and ELECTREIII. In 2008 International Conference on Wireless Communications, Networking and Mobile Computing, WiCOM 2008, (pp. 1–4). Dalian, China: IEEE. Search in Google Scholar

Wu, Y., Duan, J., Dai, T., & Cheng, D. (2020). Managing security outsourcing in the presence of strategic hackers. Decision Analysis, 17(3), 235–259. https://doi.org/10.1287/deca.2019.0406 Search in Google Scholar

Wu, Y., Fung, R. Y. K., Feng, G., & Wang, N. (2017). Decisions making in information security outsourcing: Impact of complementary and substitutable firms. Computers and Industrial Engineering, 110, 1-12. https://doi.org/10.1016/j.cie.2017.05.018 Search in Google Scholar

Zammani, M., Razali, R., & Singh, D. (2019). Factors contributing to the success of information security management implementation. International Journal of Advanced Computer Science and Applications, 10(11), 384–391. https://doi.org/10.14569/IJACSA.2019.0101153 Search in Google Scholar

Zúñiga, A. R. R., & Jaatun, M. G. (2016). Passing the buck: Outsourcing incident response management. In Proceedings of 7th International Conference on Cloud Computing Technology and Science, CloudCom 2015, (pp. 503–508). Vancouver, Canada: IEEE. Search in Google Scholar

Recommended articles from Trend MD

Plan your remote conference with Sciendo