||Baca, M. (2004). “The risk assessment of information system security”, In: CUC．2004 6th CARNet Users Conference, Sep. 27-29.|
Bandyopadhyay, K., Mykytyn, P.P. and Mykytyn, K. (1999). “A framework for integrated risk management in information technology”, Management Decision, 37(5), 437–445.
Biery, K. (2006). “Aligning an information risk management approach to BS 7799-3:2005”, SANS Institute InfoSec Reading Room.
Bodin, L., Gordon, L., and Loeb, M. (2005). “Evaluating information security investments using the analytic hierarchy”, Communications of the ACM, 48 (2), 78–83.
Bodin, L., Gordon, L., and Loeb, M. (2008). “Information security and risk management”, Communications of the ACM, 51 (4), 65–68.
Bradbury, M.E. and Rouse, P. (2002). “An application of data envelopment analysis to the evaluation of audit risk”, Abacus, 38(2), 263-279.
Broderick, J.S. (2006). “ISMS, security standards and security regulations”, Information Security Technical Report, 11(1), 26–31.
BSI (1999). Information security management - Part 2: specification for information security management systems, BS 7799-2:1999, British Standards Institution, London.
Carroll, J.M. (1996). Computer Security (Third Edition), Butterworth-Heinemann, Boston, MA, USA.
Central Computer and Telecommunication Agency (CCTA) (2001). CCTA Risk analysis and management method, CRAMM User Guide, Issue 2.0.
Chiu, Y.J., Chen, H.C., Tzeng, G.H., and Shyu, J.Z. (2006). “Marketing strategy based on customer behavior for the LCD-TV”, International Journal of Management and Decision Making, 7(2/3), 143–165.
Commission of the European Communities Security Investigation Project (January 1993). Claims structure for the selection and development of risk analysis methods, Version 1.0.
C&A Systems Security Limited (2000). COBRA consultant products for Windows, Evaluation & User Guide.
Douglas, M. (1990). “Risk as a forensic resource”, Daedalus, 119(4), 1-16.
Duckstein, L. and Opricovic, S. (1980). “Multiobjective optimization in river basin development”, Water Resources Research, 16 (1), 14–20.
Eloff, J.H.P. and Eloff, M.M. (2005). “Information security architecture”, Computer Fraud & Security, 2005(11), 10-16.
Farn, K.J., Lin, S.K. and Lo, C.C. (2008). “A study on e-Taiwan information system security classification and implementation”, Computer Standards & Interfaces, 30 (1/2) 1–7.
Fontela, E. and Gabus, A. (1974). DEMATEL, innovative methods, Report no. 2, Structural analysis of the world problematique, Battelle Geneva Research Institute.
Fontela, E. and Gabus, A. (1976). The DEMATEL observer, Battelle Institute, Geneva Research Center.
Freimer, M. and Yu, P.L. (1976). “Some new results on compromise solutions for group decision problems”, Management Science, 22 (6) 688–693.
Frosdick, S. (1997). “The techniques of risk analysis are insufficient in themselves”, Disaster Prevention and Management, 6(3), 165–177.
Flowerday, S., Blundell, A.W. and Von Solms, R. (2006). “Continuous auditing technologies and models: A discussion”, Computers & Security, 25(5), 325-331.
Gabus, A. and Fontela, E. (1972). World problems an invitation to further thought within the framework of DEMATEL, Battelle Geneva Research Centre, Geneva, Switzerland.
Gabus, A. and Fontela, E. (1973). Perceptions of the world problematique: communication procedure, communicating with those bearing collective responsibility (DEMATEL Report No. 1), Battelle Geneva Research Centre, Geneva, Switzerland.
Gerber, M. and von Solms, R. (2005). “Management of risk in the information age”, Computers and Security, 24(1), 16–30.
Gordon, J. (1992). “Security modeling”, Risk Analysis Methods and Tools, IEE Colloquium on, 6/1-6/5.
Hori, S., and Shimizu, Y. (1999). “Designing methods of human interface for supervisory control systems”, Control Engineering Practice, 7(11), 1413–1419.
Huang, C.Y., Shyu, J.Z. and Tzeng, G.H. (2007). “Reconfiguring the innovation policy portfolios for Taiwan's SIP Mall industry”. Technovation, 27(12), 744–765.
Huang, J.J., Tzeng, G.H. and Ong, C.S. (2005). “Multidimensional data in multidimensional scaling using the analytic network process”, Pattern Recognition Letters, 26(6), 755–767.
Humphreys, T. (May-June 2006). “How to implement an ISO/IEC 27001 information security management system”, ISO Management Systems, 40-44, Available from: www.iso.org/ims [Cited on December 22, 2008].
Hwang, C.L., Yoon, K. (1981). Multi-objective decision making–methods and application–A state-of-the-art study, Springer-Verlag, New York.
International Register of ISMS Certificates (2009). Certificate Register, Available from: http://www.ISO27001certificates.com [Cited on April 26, 2009].
Information Security Forum (ISF) (1997). Simplified practical risk analysis methodology (SPRINT) user guide, pp. 43-57.
ISACA (2006). CISA Review Manual 2006, Information Systems Audit and Control Association, pp. 85, ISBN 1-933284-15-3.
ISO/IEC (2000). Information Technology— Code of Practice for Information Security Management, ISO/IEC 17799:2000(E).
ISO/IEC (2005a). Information Technology－Security techniques－Code of Practice for Information Security Management, ISO/IEC 17799:2005(E).
ISO/IEC (2005b). Information Technology－Security techniques－Information Security Management System－Requirements, ISO/IEC 27001:2005(E).
ISO/IEC (2002). Risk management－ Vocabulary － Guidelines for use in standards, ISO/IEC Guide 73:2002.
ISO/IEC (1996). Information technology － Guidelines for the management of IT Security－Part 1: Concepts and models for IT Security, ISO/IEC TR 13335-1:1996.
Jacobson, R.V. (2002). Using CORA to implement the NIST risk management guide, Available from: http://www.ist-usa.com/Downloads/UsingCORAwithNISTSP800-30.zip [Retrieved December 22, 2006].
Jenkins, B.D. (1998). Security risk analysis and management White Paper, Countermeasures Inc. Available from: http://www.cs.kau.se/~albin/Documents/RA_by%20Jenkins.pdf [Retrieved April 15, 2005].
Jung, C., Han, I. and Suh, B. (1999). “Risk analysis for electronic commerce using case-based reasoning”, International Journal of Intelligent Systems in Accounting, Finance & Management, 8(1), 61–73.
Kamaike, M. (2001). “Design elements in the passenger car development: the classification and the influence analysis in case of recreational vehicle”, Bulletin of Japanese Society for Science of Design, 48(1), 29–38.
Kang, J.B. (2001). Internet Revolution and Internet Security, Triangle press.
Kailay, M.P. and Jarratt, P. (1995). “RAMeX: a prototype expert system for computer security analysis and management”, Computers and Security, 14(5), 449-463.
Karabacak, B. and Sogukpinar, I. (2005). “ISRAM: information security risk analysis method”, Computers & Security, 24(2), 147-159.
Karabacak B and Sogukpinar I. (2006). “A quantitative method for ISO 17799 gap analysis”, Computers & Security, 25(6), 413 – 419.
Karsak, E.E., Sozer, S. and Alptekin, S.E. (2002). “Product planning in quality function deployment using a combined analytic network process and goal programming approach”, Computers & Industrial Engineering, 44(1), 171–190.
Kim, S. and Leem, C.S. (2005a). “Security of the internet-based instant messenger: risks and safeguards”, Internet Research, 15(1), 88–98.
Kim, S. and Leem, C.S. (2005b). “Implementation of the security system for instant messengers”, Lecture Notes in Computer Science, Vol.3314, pp. 739-744.
Kim, S. and Leem, C.S. (2004). “An information engineering methodology for the security strategy planning”, Lecture Notes in Computer Science, Vol.3043, pp. 597-607.
Kim, S., Lee, H.J. and Leem, C.S. (2004). “Applying the ISO17799 baseline controls as a security engineering principle under the Sarbanes-Oxley Act”, Lecture Series on Computer Science and Computational Sciences, Vol.1, pp. 900-903.
Kirkwood, A.S. (1994). “Why do we worry when scientists say there is no risk?”, Disaster Prevention and Management, 3(2), 15-22.
Kruger, H.A. and Kearney, W.D. (2006). “A prototype for assessing information security awareness”, Computers & Security, 25(4), 289-296.
Krutz, R.L. and Vines, R.D. (2003). The CISSP Prep Guide: Gold Edition, Wiley Publishing, Inc.
Lee, J.W. and Kim, S.H. (2000). “Using analytic network process and goal programming for interdependent information system project selection”, Computers & Operations Research, 27(4), 367–382.
Leem, C.S., Kim, S. and Lee, H.J. (2005). “Assessment methodology on maturity level of ISMS”, Lecture Notes in Artificial Intelligence, Vol. 3683, pp. 609–615.
Lin, C.-J. and Wu, W.-W. (2008). “A causal analytical method for group decision-making under fuzzy environment”, Expert Systems with Applications, 34(1), 205–213.
Lin, M., Wang, Q. and Li, J. (2005). “Methodology of quantitative risk assessment for information system security”, Lecture Notes in Computer Science, Vol. 3802, pp. 526–531.
Liou, J.J.H., Tzeng, G.-H. and Chang, H.-C. (2007). “Airline safety measurement using a hybrid model”, Air Transport Management, 13(4), 243–249.
Liu, F., Dai, K., Wang, Z. and Ma, J. (2005). “Research on fuzzy group decision making in security risk assessment”, Lecture Notes in Computer Science, Vol. 3421, pp. 1114–1121.
McEvoy, N and Whitcombe, A. (2002). “Structured risk analysis”, Lecture Notes in Computer Science, Vol. 2437, pp. 88–103.
Meade, L.M. and Presley, A. (2002). “R&D project selection using the analytic network process”, IEEE transactions on engineering management, 49(1), 59–66.
Momoh, J.A. and Zhu, J. (2003). “Optimal generation scheduling based on AHP/ANP”, IEEE Transactions on Systems, Man and Cybernetics—Part B: Cybernetics, 33(3), 531–535.
Moses, R. (1992). “Risk analysis and management”, In: Jackson, K.M., Hruska, J., editors, Computer security reference book, Oxford: Butterworth-Heinemann Ltd. pp. 227–263.
National Information and Communication Security Taskforce (NICST), Background (2001), Available from: http://www.nicst.nat.gov.tw/content/application/nicst/eng_background/guest-cnt-browse.php?cnt_id=56 [Retrieved February 2, 2007]
National Institute of Standards and Technology (NIST) (1995). An Introduction to Computer Security, NIST Special Publication 800-12, Washington: U.S. Department of Commerce.
National Institute of Standards and Technology (NIST) (2001). Risk management guide for information technology systems, NIST Special Publication 800-30, Washington: U.S. Department of Commerce.
National Institute of Standards and Technology (NIST) (2002). Risk Management Guide for Information Technology Systems, NIST Special Publication 800-30.
National Institute of Standards and Technology (NIST) (2005a). Creating a Patch and Vulnerability Management Program - Recommendations of the National Institute of Standards and Technology, NIST Special Publication 800-40.
National Institute of Standards and Technology (NIST) (2005b). Information Security, NIST Special Publication 800-53.
Opricovic, S. (1998). Multicriteria Optimization of Civil Engineering Systems, Faculty of Civil Engineering, Belgrade.
Opricovic, S. and Tzeng, G.H. (2002). “Multicriteria planning of post-earthquake sustainable reconstruction”, Computer-Aided Civil and Infrastructure Engineering, 17(3), 211–220.
Opricovic, S. and Tzeng, G.H. (2004). “Compromise solution by MCDM methods: A comparative analysis of VIKOR and TOPSIS”, European Journal of Operational Research, 156(2), 445–455.
Opricovic, S. and Tzeng, G.H. (2007). “Extended VIKOR method in comparison with outranking methods”, European Journal of Operational Research, 178(2), 514–529.
Ou Yang, Yu-Ping, Shieh, H.-M. and Tzeng, G.-H. (2009a). “A VIKOR Technique with Applications Based on DEMATEL and ANP”, MCDM 2009, Springer-Verlag Berlin Heidelberg, Communications in Computer and Information Science (CCIS) 35, 780-799.
Ou Yang, Y.-P., Shieh, H.-M., Leu, J.-D. and Tzeng, G.-H. (2009b). “A VIKOR-based multiple criteria decision method for improving information security risk”, International Journal of Information Technology & Decision Making, 8(2), 267-287.
Ou Yang, Y.-P., Shieh, H.-M., Leu, J.-D. and Tzeng, G.-H. (2008). “A novel hybrid MCDM model combined with DEMATEL and ANP with applications”, International Journal of Operations Research, 5(3), 160-168.
Owens, S. (1998). Information Security Management: An Introduction, British Standards Institution, London.
Reid, R.C. and Floyd, S.A. (2001). “Extending the risk analysis model to include market-insurance”, Computers & Security, 20(4), 331-339.
René, S.-G. (2005) “Information security management best practice based on ISO/IEC 17799”, The Information Management Journal, 39(4), 60–66.
Saaty, R.W. (2003). The Analytic Hierarchy Process (AHP) for Decision Making and the Analytic Network Process (ANP) for Decision Making with Dependence and Feedback, Creative Decisions Foundation.
Saaty, T.L. (1977). “A scaling method for priorities in hierarchical structures”, Journal of Mathematical Psychology, 15(3), 234-281.
Saaty, T.L. (1980). The Analytic Hierarchy Process, McGraw-Hill, New York.
Saaty, T.L. (1996). Decision Making with Dependence and Feedback: Analytic Network Process, RWS, Pittsburgh.
Saaty, T.L. (1999). “Fundamentals of the analytic network process”, International Symposium on the Analytic Hierarchy Process, Kobe, Japan.
Saaty, T.L. (2004). “The analytic network process: Dependence and feedback in decision making (Part 1): Theory and validation examples, SESSION 4B: Theory and development of the analytic hierarchy process/analytic network process”, In: The 17th International Conference on Multiple Criteria Decision Making, August 6-11, 2004 at The Whistler Conference Centre, Whistler, British Columbia, Canada.
Sarkis, J. (2003). “A strategic decision framework for green supply chain management”, Journal of Cleaner Production, 11(4), 397–409.
Scarff, F., Carty, A. and Charette, R. (1993). Introduction to the Management of Risk, CCTA Library, HSMO Publication Center, London.
Scott, M.J. and Antonsson, E.K. (2000). “Using indifference points in engineering decisions”, In: ASME Design Engineering Technical Conferences, Baltimore, USA.
Sekitani, K. and Takahashi, I. (2001). “A unified model and analysis for AHP and ANP”, Journal of the Operations Research Society of Japan, 44(1), 67–89.
Shin, D.J. (2001). Internet Information Security. Dongil Press.
Spinellis, D., Kokolakis, S. and Gritzalis, S. (1999). “Security requirements, risks and recommendations for small enterprise and home-office environments”, Information Management & Computer Security, 7(3), 121–128.
Sueyoshi, T., Shang, J. and Chiang, W.-C. (2009). “A decision support framework for internal audit prioritization in a rental car company: A combined use between DEA and AHP”, European Journal of Operational Research, 199(1), 219-231.
Swanson and Guttman, (1996). Generally Accepted Principles and Practices for Securing Information Technology Systems. NIST, September 1996.
Tamura, M., Nagata, H., and Akazawa, K. (2002). “Extraction and systems analysis of factors that prevent safety and security by structural models”, In: The 41st SICE annual conference, Osaka, Japan.
Tzeng, G.H., Teng, M.H., Chen, J.J and S. Opricovic (2002). “Multicriteria selection for a restaurant location in Taipei”, International Journal of Hospitality Management, 21(2), 171–187.
Tzeng, G.H., Lin, C.W. and Opricovic, S. (2005). “Multi-criteria analysis of alternative-fuel buses for public transportation”, Energy Policy, 33(11), 1373–1383.
Tzeng, G.H., Chiang, C.H. and Li, C.W. (2007). “Evaluating intertwined effects in e-learning programs: a novel hybrid MCDM model based on factor analysis and DEMATEL”, Expert Systems with Applications, 32(4), 1028–1044.
United States General Accounting Office (USGAO) (1999). Information Security Risk Assessment, Available from: http://www.gao.gov/special.pubs/ai00033.pdf [Cited on October 11, 2008].
von Solms, S.H. (Basie) (2005). “Information security governance - compliance management vs operational management”, Computers & Security, 24(6), 443-447.
Warfield, J.N. (1976). Societal Systems: Planning, Policy and Complexity, John Wiley & Sons, New York.
Woodroof, J and Searcy, D. (2001). “Continuous audit: model development and implementation within a debt covenant compliance domain”, International Journal of Accounting Information Systems, 2(3), 169–191.
Wright, M. (1999). “Third generation risk management practices”, Computer Fraud & Security, 1999(2), 9–12.
Wu, W.-W. and Lee, Y.-T. (2007). “Developing global managers’ competencies using the fuzzy DEMATEL method”, Expert Systems with Applications, 32(2), 499–507.
Yilmaz, A. K. (2007). “Application of analytic network process in the enterprise risk management: An example of the selecting best operator in the airport business”, European Journal of Social Sciences, 5(3), 61-76.
Yoon, K. (1987). “A reconciliation among discrete compromise solutions”, The Journal of Operational Research Society, 38(3), 277–286.
Yu, P.L. (1973). “A class of solutions for group decision problems”, Management Science, 19(8), 936–946.
Yu, P.L. (1985). Multiple-Criteria Decision Making: Concepts, Techniques, and Extensions, Plenum Publishing Corporation, New York.
Zeleny, M. (1982). Multiple Criteria Decision Making, McGraw-Hill, New York.