International Journal of Enterprise Information Systems, 11(4), 63-78, October-December 2015

Copyright © 2015, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.

A Weighted Monte Carlo Simulation Approach to Risk Assessment of Information Security Management System

Seyed Mojtaba Hosseini Bamakan, School of Economics and Management, Key Laboratory of Big Data Mining and Knowledge Management, University of Chinese Academy of Sciences, Beijing, China
Mohammad Dehghanimohammadabadi, Department of Mechanical and Industrial Engineering, Northeastern University, Boston, MA, USA

Keywords: Analytic Hierarchy Process (AHP), Information Security Management System (ISMS), ISO/IEC 27001, Monte-Carlo Simulation, Risk Assessment

ABSTRACT

In recent decades, information has become a critical asset to various organizations, hence identifying and preventing the loss of information are becoming competitive advantages for firms. Many international standards have been developed to help organizations maintain their competitiveness by applying risk assessment and an information security management system, and to keep the risk level as low as possible. This study aims to propose a new quantitative risk analysis and assessment methodology which is based on AHP and Monte Carlo simulation. In this method, AHP is used to create favorable weights for Confidentiality, Integrity and Availability (CIA) as the security characteristics of any information asset. To deal with the uncertain nature of vulnerabilities and threats, Monte Carlo simulation is utilized to handle the stochastic nature of risk assessment by taking into account multiple judges' opinions. The proposed methodology is suitable for organizations that require risk analysis to implement the ISO/IEC 27001 standard.

INTRODUCTION

In today's competitive business environment, information has a key role in any organization.
Hence protecting, securing and managing information appropriately are crucial (Kritzinger & Smith, 2008). In the last few decades, many firms have become completely tied to information systems to handle their daily processes with the lowest labor, material and capital costs and, in return, gain more appropriate and efficient services. However, information security threats could jeopardize the information and must be given serious attention by organizations (Ou Yang, Shieh, & Tzeng, 2013). Information violation would negatively affect the organization by: losing time, manpower,

DOI: 10.4018/IJEIS.2015100103
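
The two steps the abstract outlines, AHP weights for Confidentiality, Integrity and Availability followed by Monte Carlo sampling over several judges' opinions, are shown here as an added Python example that is not the authors' code. The pairwise matrix, the judges' scores, the 1-5 scale, the triangular sampling and the risk formula (weighted CIA impact times likelihood) are all assumptions made here; this page does not give the paper's actual model.

```python
import math
import random
import statistics

# Constructed pairwise comparison matrix (Saaty 1-9 scale), order C, I, A:
# confidentiality judged 3x as important as integrity, 5x as availability.
PAIRWISE = [[1, 3, 5],
            [1/3, 1, 2],
            [1/5, 1/2, 1]]
RANDOM_INDEX = {3: 0.58}  # Saaty's random consistency index for n = 3

def ahp_weights(matrix):
    """Return (weights, consistency_ratio) via the row geometric-mean method."""
    n = len(matrix)
    gm = [math.prod(row) ** (1 / n) for row in matrix]
    weights = [g / sum(gm) for g in gm]
    # lambda_max estimated as the mean of (A.w)_i / w_i
    aw = [sum(a * w for a, w in zip(row, weights)) for row in matrix]
    lambda_max = sum(x / w for x, w in zip(aw, weights)) / n
    ci = (lambda_max - n) / (n - 1)
    return weights, ci / RANDOM_INDEX[n]

# Constructed opinions of three judges for one asset, each on a 1-5 scale:
# impact on (C, I, A) and likelihood of the threat exploiting the vulnerability.
JUDGES = [
    {"impact": (5, 3, 2), "likelihood": 2},
    {"impact": (4, 4, 2), "likelihood": 3},
    {"impact": (5, 2, 3), "likelihood": 4},
]

def simulate_risk(judges, weights, trials=20000, seed=1):
    """Monte Carlo over judges' opinions; returns (mean, 95th percentile)."""
    rng = random.Random(seed)
    def draw(values):
        # Assumed model: triangular between the judges' min and max, mode at median.
        lo, hi = min(values), max(values)
        return rng.triangular(lo, hi, statistics.median(values)) if lo < hi else lo
    samples = []
    for _ in range(trials):
        impact = sum(w * draw([j["impact"][k] for j in judges])
                     for k, w in enumerate(weights))
        samples.append(impact * draw([j["likelihood"] for j in judges]))
    samples.sort()
    return statistics.fmean(samples), samples[int(0.95 * trials)]

if __name__ == "__main__":
    w, cr = ahp_weights(PAIRWISE)
    print("CIA weights:", [round(x, 3) for x in w], "CR:", round(cr, 4))
    print("risk mean, p95:", simulate_risk(JUDGES, w))
```

A consistency ratio below 0.1 is the usual AHP threshold for accepting the pairwise judgments; above it, the comparisons should be revisited before the weights are used.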