Information security management framework suitability estimation for small and medium enterprise

Laima Kaušpadienė; Simona Ramanauskaitė; Antanas Čenys


Information security is one of the key concerns of any enterprise or organization. To support sound management of information security, a number of information security management frameworks have been developed by various institutions and authors. Condensed guidance in such a framework is particularly valuable to a small or medium enterprise (SME), because this type of enterprise usually lacks the resources for in-house information security expertise and deep analysis. At the same time, the information security management process and the frameworks that describe it are complex and involve a large number of different elements. Existing comparisons of these frameworks are shallow, because all properties of the comparison are treated as equally important. In practice, the importance of the different criteria of an information security management framework, and their suitability for an SME, vary. We therefore use the Analytic Hierarchy Process (AHP) to construct a hierarchy of the quality and applicability criteria of information security management frameworks for SMEs and to define the weight of each criterion. The weighted criteria express the relative importance of the criteria, and the resulting comparison of the alternatives (five information security management frameworks) is more realistic, that is, closer to expert opinion, than existing comparisons.
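As an added example (not the paper's code or data), the following Python sketch shows the AHP steps the abstract refers to: a pairwise-comparison matrix of criteria on Saaty's 1..9 scale is turned into priority weights (here via the geometric-mean approximation of the principal eigenvector rather than the exact eigenvector), the judgements are checked with Saaty's consistency ratio, and the alternatives are scored by weighted sum. The criteria names, the judgement matrix and the scores of the three hypothetical frameworks are constructed for illustration. The example also ranks the same alternatives with equal weights, the kind of shallow comparison the abstract criticizes, to show that weighting can change the ranking.

```python
"""Worked Analytic Hierarchy Process (AHP) example: derive criterion weights from
pairwise judgements, check their consistency, and rank alternatives by weighted
score. Criteria names, judgements and alternative scores below are constructed
for illustration and are not the paper's data."""
import math
from typing import Dict, List, Sequence, Tuple

# Saaty's random consistency index (RI) by matrix order n (n = 1..10).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}

# Hypothetical SME-oriented criteria (assumption, not the paper's criteria).
CRITERIA = ["low adoption cost", "coverage of ISM activities",
            "low expertise required", "specificity of guidance"]

# Constructed pairwise-comparison matrix on Saaty's 1..9 scale:
# PAIRWISE[i][j] = how much more important criterion i is than criterion j.
PAIRWISE = [
    [1,     3,     5,     7],
    [1 / 3, 1,     3,     5],
    [1 / 5, 1 / 3, 1,     3],
    [1 / 7, 1 / 5, 1 / 3, 1],
]

# Constructed per-criterion scores of three hypothetical frameworks, each in 0..1.
ALTERNATIVES = {
    "Framework A": [0.9, 0.4, 0.6, 0.3],
    "Framework B": [0.3, 0.9, 0.5, 0.8],
    "Framework C": [0.6, 0.6, 0.6, 0.6],
}


def validate_pairwise(a: Sequence[Sequence[float]], tol: float = 1e-9) -> None:
    """Reject matrices that are not square, positive and reciprocal (a[j][i] == 1/a[i][j])."""
    n = len(a)
    for i in range(n):
        if len(a[i]) != n:
            raise ValueError("pairwise matrix must be square")
        for j in range(n):
            if a[i][j] <= 0:
                raise ValueError("judgements must be positive")
            if abs(a[i][j] * a[j][i] - 1.0) > tol:
                raise ValueError(f"entries ({i},{j}) and ({j},{i}) are not reciprocal")


def ahp_weights(a: Sequence[Sequence[float]]) -> List[float]:
    """Criterion weights via the geometric-mean (row) approximation of the
    principal eigenvector; the weights sum to 1."""
    validate_pairwise(a)
    n = len(a)
    geo = [math.prod(row) ** (1.0 / n) for row in a]
    total = sum(geo)
    return [g / total for g in geo]


def consistency_ratio(a: Sequence[Sequence[float]], w: Sequence[float]) -> float:
    """Saaty's CR = CI / RI with CI = (lambda_max - n) / (n - 1). CR > 0.1 means
    the judgements contradict each other and should be revisited."""
    n = len(a)
    if n < 3:
        return 0.0  # 1x1 and 2x2 reciprocal matrices are always consistent
    aw = [sum(a[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / w[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1)
    return ci / RANDOM_INDEX[n]


def rank(w: Sequence[float], scores: Dict[str, Sequence[float]]) -> List[Tuple[str, float]]:
    """Weighted-sum aggregation of per-criterion scores, best alternative first."""
    totals = {name: sum(wi * si for wi, si in zip(w, s)) for name, s in scores.items()}
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def compare() -> Dict[str, List[Tuple[str, float]]]:
    """Rank the alternatives with AHP weights and, for contrast, with equal weights."""
    w = ahp_weights(PAIRWISE)
    equal = [1.0 / len(CRITERIA)] * len(CRITERIA)
    return {"ahp": rank(w, ALTERNATIVES), "equal": rank(equal, ALTERNATIVES)}


if __name__ == "__main__":
    w = ahp_weights(PAIRWISE)
    for name, wi in zip(CRITERIA, w):
        print(f"{name:30s} {wi:.3f}")
    print(f"consistency ratio: {consistency_ratio(PAIRWISE, w):.3f}")
    for scheme, ranking in compare().items():
        print(scheme, [(n, round(s, 3)) for n, s in ranking])
```

With the constructed judgements the first criterion receives roughly 56% of the weight and the consistency ratio stays below 0.1, so the weights are usable. Under equal weights Framework B ranks first; under the AHP weights Framework A does, which is exactly the effect of the weighting step. A cyclic set of judgements (A beats B, B beats C, C beats A, each by 3) gives a consistency ratio above 1 and should be sent back to the experts rather than used.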

First published online 20 June 2019

Keywords: information security management framework, suitability, small and medium enterprise, SME, multi-criteria, MCDM, AHP

How to Cite
Kaušpadienė, L., Ramanauskaitė, S., & Čenys, A. (2019). Information security management framework suitability estimation for small and medium enterprise. Technological and Economic Development of Economy, 25(5), 979-997.
Published in issue: Jun 20, 2019

This work is licensed under a Creative Commons Attribution 4.0 International License.
