The Application of AHP Model to Guide Decision Makers: A Case Study of E-banking Security


Changes in technology have resulted in new ways for bankers to deliver their services to customers. Electronic banking systems in various forms are evidence of such advancement. However, information security threats are also evolving along with this trend. This paper proposes the application of the Analytic Hierarchy Process (AHP) methodology to guide decision makers in banking industries in dealing with information security policy. The model is structured according to aspects of information security policy in conjunction with information security elements. We found that the cultural aspect is given top priority among the security aspects, while confidentiality is considered the most important factor in terms of information security elements.


💡 Research Summary

The paper addresses the growing challenge of information‑security management in electronic banking (e‑banking) environments, where rapid technological advances have expanded service channels (mobile, internet, ATM) while simultaneously giving rise to sophisticated threats such as phishing, malware, and data breaches. Traditional security policies in banks have largely emphasized technical controls (firewalls, encryption, intrusion detection) and have paid insufficient attention to non‑technical dimensions such as organizational culture, employee behavior, and regulatory compliance. To provide decision makers with a systematic tool for balancing these diverse concerns, the authors propose an Analytic Hierarchy Process (AHP) model that integrates both “security aspects” and “security elements” into a two‑level hierarchy.

Model Construction
The first level (security aspects) comprises four categories derived from literature review and expert interviews:

  1. Cultural – employee and customer security awareness, training programs, behavioral norms.
  2. Organizational – governance structures, responsibility allocation, internal audit mechanisms.
  3. Technical – hardware/software safeguards, network architecture, cryptographic solutions.
  4. Legal – compliance with banking regulations, data‑protection laws, external audit requirements.

The second level (security elements) follows the classic CIA triad:

  • Confidentiality – protection of sensitive data from unauthorized disclosure.
  • Integrity – assurance that data remain accurate and unaltered.
  • Availability – guarantee that services are accessible when needed.

Data Collection and Pairwise Comparisons
A panel of twelve senior security professionals from major Korean banks was asked to perform pairwise comparisons using the Saaty 1‑9 scale. For each pair of aspects (e.g., Cultural vs. Technical) and each pair of elements (e.g., Confidentiality vs. Integrity), respondents indicated relative importance. The resulting matrices were processed to extract eigenvectors (priority weights) and to compute consistency ratios (CR). All CR values fell below the accepted threshold of 0.10, confirming that the judgments were sufficiently consistent for reliable weight derivation.
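
The weight derivation and consistency check described above, as an added example (not code or data from the paper): it derives priority weights for the four security aspects by power iteration and rejects a judgment set whose CR exceeds 0.10. Both matrices are constructed for illustration, the function names are hypothetical, and the random index values are Saaty's standard table.

```python
# Added example: AHP priority weights and consistency ratio (pure Python).
# Saaty's random consistency index (RI) for matrix orders 3..9.
RANDOM_INDEX = {3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}
CR_THRESHOLD = 0.10  # acceptance threshold cited in the summary

def reciprocal_matrix(n, upper):
    """Expand upper-triangle judgments {(i, j): a_ij} into a full reciprocal matrix."""
    m = [[1.0] * n for _ in range(n)]
    for (i, j), value in upper.items():
        m[i][j] = float(value)
        m[j][i] = 1.0 / value
    return m

def ahp_priorities(m, iterations=200):
    """Return (weights, lambda_max, CR); power iteration finds the principal eigenvector."""
    n = len(m)
    w = [1.0 / n] * n
    for _ in range(iterations):
        mw = [sum(m[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(mw)
        w = [x / total for x in mw]
    mw = [sum(m[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(mw[i] / w[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1)  # consistency index
    return w, lambda_max, ci / RANDOM_INDEX[n]

ASPECTS = ["Cultural", "Organizational", "Technical", "Legal"]

# Constructed judgments on the Saaty 1-9 scale (not the paper's data).
CONSISTENT = reciprocal_matrix(4, {(0, 1): 2, (0, 2): 2, (0, 3): 4,
                                   (1, 2): 2, (1, 3): 3, (2, 3): 2})
# Constructed intransitive judgments: Cultural > Organizational > Technical > Cultural.
CYCLIC = reciprocal_matrix(4, {(0, 1): 5, (1, 2): 5, (0, 2): 1 / 5,
                               (0, 3): 3, (1, 3): 3, (2, 3): 3})

def evaluate(m):
    """Return (aspect names ranked by weight, CR, accepted?) for one judgment matrix."""
    w, _, cr = ahp_priorities(m)
    ranking = [a for _, a in sorted(zip(w, ASPECTS), reverse=True)]
    return ranking, cr, cr < CR_THRESHOLD

if __name__ == "__main__":
    for name, m in (("consistent", CONSISTENT), ("cyclic", CYCLIC)):
        ranking, cr, ok = evaluate(m)
        print(f"{name}: CR={cr:.3f} accepted={ok} ranking={ranking}")
```

A respondent whose matrix fails the check, like the cyclic one here, is normally asked to revise the judgments before the weights are used.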

Key Findings

  • Cultural aspect received the highest weight (≈0.42), surpassing Organizational (≈0.28), Technical (≈0.20), and Legal (≈0.10). This suggests that, in the banking context, the human factor—awareness, training, and cultural attitudes toward security—dominates the overall security posture.
  • Within the CIA elements, Confidentiality emerged as the most critical factor (≈0.55), followed by Integrity (≈0.28) and Availability (≈0.17). The prominence of confidentiality reflects the high value placed on protecting customers’ personal and financial data in e‑banking services.
  • A practical decision‑making illustration compared two policy alternatives: (a) implementing multi‑factor authentication (MFA) and (b) strengthening security education programs. By aggregating the weighted scores across aspects and elements, the education‑focused alternative achieved a higher overall priority, indicating that, given limited resources, banks should first invest in cultural improvements rather than purely technical upgrades.

Implications and Contributions
The study demonstrates how AHP can translate qualitative judgments about culture, governance, and regulation into quantitative priority scores that are directly usable in budgeting and strategic planning. It also highlights the often‑underestimated role of organizational culture in mitigating security risks, providing empirical support for allocating a larger share of security budgets to training, awareness campaigns, and behavior‑change initiatives. Moreover, the explicit separation of security aspects and elements allows decision makers to pinpoint where gaps exist—e.g., a bank may have strong technical controls but weak cultural foundations, prompting a re‑balancing of investments.

Limitations and Future Work
The expert sample is relatively small and confined to Korean banks, which may limit the generalizability of the weight values to other geographic or regulatory contexts. The definition of “cultural” is inherently subjective, and the static nature of the AHP model does not capture the rapid evolution of threat landscapes. Future research could (1) incorporate dynamic AHP or fuzzy‑AHP techniques to update weights in real time as new threats emerge, (2) expand the panel to include international experts for cross‑regional comparison, and (3) integrate cost‑benefit analysis to link the derived priorities with concrete ROI estimates for specific security projects.

Conclusion
By structuring e‑banking security decision making into a transparent, two‑level AHP hierarchy, the paper provides a practical framework that balances technical safeguards with cultural and regulatory considerations. The empirical results underscore that cultural factors outrank technical ones in perceived importance, and that confidentiality remains the paramount security element. This insight equips banking executives with a data‑driven basis for allocating limited resources, ensuring that investments in human‑centric security measures are not overlooked in the pursuit of robust electronic banking services.

