Decision Support System for Determining Cyber Risk Mitigation Priorities in Higher Education Using the Fuzzy TOPSIS Method
Keywords:
Decision Support System, Cyber Risk Management, Fuzzy TOPSIS, Higher Education, Cybersecurity
Abstract
The increasing frequency and sophistication of cyber threats have made higher education institutions attractive targets for cyberattacks, posing significant risks to information assets, academic operations, and institutional reputation. Universities rely heavily on digital technologies, including academic information systems, e-learning platforms, cloud services, and research databases, making effective cybersecurity risk management essential. However, limited cybersecurity resources often prevent institutions from addressing all potential threats simultaneously, highlighting the need for a systematic approach to prioritizing cyber risk mitigation efforts. This study aims to develop a Decision Support System (DSS) for determining cyber risk mitigation priorities in higher education institutions using the Fuzzy Technique for Order Preference by Similarity to Ideal Solution (Fuzzy TOPSIS) method. Six evaluation criteria were considered, namely probability of occurrence, financial impact, operational impact, reputation damage, data sensitivity, and recovery complexity. Expert assessments were expressed using linguistic variables and converted into Triangular Fuzzy Numbers (TFNs) to accommodate uncertainty in the decision-making process. The Fuzzy TOPSIS method was then applied to evaluate and rank cyber risks according to their mitigation priorities. The results demonstrated that the proposed DSS successfully generated a prioritized ranking of cyber risks, with ransomware and data breach risks receiving the highest mitigation priorities due to their substantial impacts on university operations, financial resources, and information security. The findings suggest that the developed DSS effectively supports cybersecurity decision-making by handling uncertainty in expert assessments and providing systematic recommendations for cyber risk mitigation. 
Consequently, the proposed framework can assist higher education institutions in allocating cybersecurity resources more efficiently and enhancing their overall cybersecurity resilience.
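An added worked example, not code from the paper: a minimal Fuzzy TOPSIS ranking in Python over the six criteria named in the abstract, using triangular fuzzy numbers and the vertex distance. The linguistic scale, crisp weights, two-expert ratings, min/mean/max aggregation and the treatment of every criterion as benefit-type are constructed assumptions, because the page does not give the study's data; the scores are illustrative and are not the study's results.

```python
import math

# Constructed linguistic scale -> triangular fuzzy number (a, b, c).
# Assumption: the page does not state the scale used in the study.
SCALE = {"VL": (1, 1, 3), "L": (1, 3, 5), "M": (3, 5, 7), "H": (5, 7, 9), "VH": (7, 9, 9)}

# Column order: probability, financial impact, operational impact,
# reputation damage, data sensitivity, recovery complexity.
WEIGHTS = [0.20, 0.15, 0.20, 0.15, 0.20, 0.10]  # constructed, sums to 1

# Constructed ratings from two hypothetical experts per risk, one label per criterion.
RATINGS = {
    "ransomware":  [["H", "VH", "VH", "H", "H", "VH"], ["VH", "H", "VH", "H", "VH", "VH"]],
    "data breach": [["H", "H", "M", "VH", "VH", "H"], ["M", "H", "M", "VH", "VH", "M"]],
    "phishing":    [["VH", "M", "M", "M", "H", "L"], ["VH", "L", "M", "M", "M", "L"]],
    "ddos":        [["M", "L", "H", "L", "VL", "L"], ["M", "M", "H", "L", "VL", "M"]],
}

def aggregate(labels):
    """Combine expert labels for one cell: min of lows, mean of modes, max of highs."""
    tfns = [SCALE[lab] for lab in labels]
    return (min(t[0] for t in tfns), sum(t[1] for t in tfns) / len(tfns), max(t[2] for t in tfns))

def distance(x, y):
    """Vertex distance between two triangular fuzzy numbers."""
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(x, y)) / 3)

def fuzzy_topsis(ratings, weights):
    """Return {risk: closeness coefficient}; a higher value means mitigate first."""
    matrix = {r: [aggregate(col) for col in zip(*experts)] for r, experts in ratings.items()}
    # Every criterion is benefit-type here: a higher rating raises mitigation priority.
    c_max = [max(row[j][2] for row in matrix.values()) for j in range(len(weights))]
    scores = {}
    for risk, row in matrix.items():
        v = [tuple(w * x / c_max[j] for x in t) for j, (t, w) in enumerate(zip(row, weights))]
        d_pos = sum(distance(t, (w, w, w)) for t, w in zip(v, weights))  # ideal: weighted (1,1,1)
        d_neg = sum(distance(t, (0, 0, 0)) for t in v)                   # anti-ideal: (0,0,0)
        scores[risk] = d_neg / (d_pos + d_neg)
    return scores

def rank(scores):
    """Risks ordered from highest to lowest mitigation priority."""
    return sorted(scores, key=scores.get, reverse=True)

if __name__ == "__main__":
    s = fuzzy_topsis(RATINGS, WEIGHTS)
    for r in rank(s):
        print(f"{r:12s} {s[r]:.3f}")
```

Changing a single expert label or weight and re-running shows how sensitive the ordering is to the inputs, which is worth checking before a ranking like this drives budget decisions.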
License
Copyright (c) 2026 Fristi Riandari, Hengki Tamando Sihotang

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.

