This thesis describes a method for risk classification in the information security domain. Using a set of classification examples, an ELECTRE TRI multi-criteria decision aid model is constructed. This model is capable of classifying organizations into risk classes based on company characteristics and the results of technical assessment. The construction process of this model consisted of gathering the classification examples, determining the criteria on which to measure the performance of the organizations, and solving a mixed integer program capable of eliciting the parameters for the ELECTRE TRI model. The resulting model is implemented as a web application that allows security experts at Ernst & Young, who have assisted in the overall process, to draw more confident conclusions about the risk level of their clients.

Tervonen, T.
hdl.handle.net/2105/12227
Economie & Informatica
Erasmus School of Economics

Meer, J. van der (Jeroen). (2012, October 2). Multi-criteria decision model inference and application in information security risk classification. Economie & Informatica. Retrieved from http://hdl.handle.net/2105/12227