Assessing Information Security Risks using Pairwise Weighting

Henrik Karlzén, Johan Bengtsson, Jonas Hallberg


In practice, assessing information security risks is difficult since available methods lack specificity on how to perform the assessments as well as what input should be used. Thus, the process becomes resource demanding with fairly large rater-dependency. An established way of facilitating rating processes is to weight objects against each other, rather than rating each object independently on an absolute scale. In this paper, we investigate whether such a method, inspired by the Analytic Hierarchy Process, can be useful for assessing information security risks. However, the new method did not result in higher inter-rater reliability or lower cognitive load. This result was true both for experts and non-experts, as well as among raters with different cognitive styles.


  1. Deleeuw, K. & Mayer, R., 2008. A Comparison of Three Measures of Cognitive Load: Evidence for Separable Measures of Intrinsic, Extraneous, and Germane Load. Journal of Educational Psychology, Vol. 100, No. 1, 223-234.
  2. Fenz, S., Heurix, J., Neubauer, T., & Pechstein, F., 2014. Current challenges in information security risk management. Information Management & Computer Security, 22, 410-430.
  3. Fink, A., & Neubauer, A., 2001. Speed of information processing, psychometric intelligence, and time estimation as an index of cognitive load. Personality & Individual Differences, 30, 1009-1021.
  4. Gwet, K. L., 2014. Handbook of Inter-Rater Reliability: The Definitive Guide to Measuring The Extent of Agreement Among Raters (4th ed.). Advanced Analytics, LLC.
  5. Holm, H., Sommestad T., Ekstedt M., & Honeth, N., 2014. Indicators of expert judgement and their significance: an empirical investigation in the area of cyber security. Expert Systems. Volume 31, Issue 4, pages 299-318.
  6. Ishizaka, A., & Labib, A., 2011. Review of the main developments in the analytic hierarchy process. Expert Systems with Applications, 38(11), 14336-14345.
  7. Ishizaka, A., & Lusti, M., 2004. An expert module to improve the consistency of AHP matrices. International Transactions in Operational Research, 11(November), 97-105.
  8. Korman, M., Sommestad, T., Hallberg, J., Bengtsson, J., & Ekstedt, M., 2014. Overview of Enterprise Information Needs in Information Security Risk Assessment. Proceedings of the 18th IEEE International Enterprise Distributed Object Computing Conference (EDOC). pp. 42-51.
  9. Krippendorff, K., 2004. Reliability in content analysis: Some common misconceptions and recommendations. Human Communication Research. Vol. 30, pp. 411- 433.
  10. Luca, L., 2014. Formalising Human Mental Workload as a Defeasible Computational Concept. A Dissertation submitted to the University of Dublin, Trinity College.
  11. Marcus, N., Cooper, M., & Sweller, J., 1996. Understanding Instructions. Journal of Educational Psychology. Vol. 88, No. 1, 49-63.
  12. McShane, S., 2006. Activity 8.8: Decision Making Style Inventory. In Canadian Organizational Behaviour. McGraw-Hill Education.
  13. Paas, F., 1992. Training strategies for attaining transfer of problem-solving skill in statistics: A cognitive-load approach. Journal of Educational Psychology, 84, 429-434.
  14. Paas, F., Tuovinen, J., Tabbers, H. & Van Gerven, P., 2003. Cognitive Load Measurement as a Means to Advance Cognitive Load Theory. Educational Psychologist, 38(1), 63-71.
  15. Paas, F., van Merriënboer, J., & Adam, J., 1994. Measurement of cognitive load in instructional research. Perceptual and Motor Skills, 79, 419-430.
  16. Saaty, T. L., 1990. How to make a decision: The analytic hierarchy process. European Journal of Operational Research, 48(1), 9-26.
  17. Shanteau, J., 2015. Why Task Domains (Still) Matter for Understanding Expertise. Journal of Applied Research in Memory and Cognition, July 2015.
  18. Sommestad, T., Karlzén, H., Nilsson, P., & Hallberg, J., 2016. An empirical test of the perceived relationship between risk and the constituents severity and probability. Information & Computer Security. Volume 24, Issue 2.
  19. Sweller, J., van Merriënboer, J., & Paas, F., 1998. Cognitive Architecture and Instructional Design. Educational Psychology Review, Vol. 10, No. 3.
  20. Weinstein, N., 2000. Perceived probability, perceived severity, and health-protective behavior. Health psychology?: official journal of the Division of Health Psychology, American Psychological Association, 19(1), pp.65-74.

Paper Citation

in Harvard Style

Karlzén H., Bengtsson J. and Hallberg J. (2017). Assessing Information Security Risks using Pairwise Weighting . In Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-209-7, pages 318-324. DOI: 10.5220/0006138203180324

in Bibtex Style

author={Henrik Karlzén and Johan Bengtsson and Jonas Hallberg},
title={Assessing Information Security Risks using Pairwise Weighting},
booktitle={Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,},

in EndNote Style

JO - Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,
TI - Assessing Information Security Risks using Pairwise Weighting
SN - 978-989-758-209-7
AU - Karlzén H.
AU - Bengtsson J.
AU - Hallberg J.
PY - 2017
SP - 318
EP - 324
DO - 10.5220/0006138203180324