A Study on Decision-Making Opinion Exploration in Windows-Based Information Security Monitoring Tool Development

: In the information era, information security monitoring tools would be helpful for enterprises/organizations to monitor employees’ computer usage behaviors and improve their information security protection. The Windows-based operating systems have the largest market share in the world. Therefore, the study target is the development of a Windows-based information security monitoring tool in this study. We proposed an assessment model for developing an information security tool in this study to explore the signiﬁcances of functionalities in a Windows-based information security monitoring tool and the decision-makers’ decision opinions. We adopted four steps with four study methods: the literature study method, the Delphi method, the analytic hierarchy process (AHP) method, and the analysis methods related to data-driven decision-making in the proposed model. In Step 1, we studied some literature about information security monitoring, and we discovered 26 functionalities as the decision criteria in this study. In Step 2, using the Delphi method, we conﬁrmed the decision criterion set with potential decision-makers and organized the decision criteria hierarchy. In Step 3, we designed an AHP questionnaire to get the criterion weight vectors from the 12 decision-makers. With the AHP method, this study received the weights of the decision criteria and found that the 16 functionalities among the 26 functionalities should receive their corresponding developing priority in a Windows-based information security monitoring tool. Finally, we used the Pearson correlation coefﬁcient and cosine distance to explore the correlations and similarities among the decision-makers’ decision opinions. This study found the relevance among the decision-makers’ decision opinions in a Windows-based information security monitoring tool developed with the Pearson correlation coefﬁcients/the cosine distances among all pairs of decision-makers’ decision opinions.


Introduction
With the advancement of information technology, enterprises/organizations widely use information software and hardware, and the resulting information security issues are also getting worse. Enterprises/organizations control their information security risks and ensure continued operations with information security policy formulations and relevant management measure implementations. In general, an enterprise/organization expects to reduce the occurrence of an information security incident, and it will depend on the effective operations of its information security management mechanism to appropriately reduce the incidence of related information security violations. Therefore, enterprises/organizations require the implementation of an information security monitoring tool.
The Global Data Exposure Report surveyed 1028 information security leaders and found that 69% of organizations said they were compromised because of an internal threat and confirmed that they had preventive measures in place at the time of the breach, 38% of companies admitted to data breaches in the past 18 months, half of which were due to employee behavior, and 78% of information security leaders believe prevention strategies and solutions are not enough to stop internal threats [1]. The 2020 Insider Threat Report showed that today's most destructive security threats originate from trusted insiders, both malicious insiders and negligent insiders who can access sensitive data and information systems. This report also found that 68% of organizations consider that internal attacks are moderate or extremely vulnerable, and 68% of organizations confirmed that internal attacks are becoming more frequent. From the aforementioned related reports, it is obvious that internal employees are often a primary hidden concern of information security in an enterprise/organization [2]. Therefore, how to reduce information security incidents from the internal threats is an issue for an enterprise/organization.
For an enterprise/organization, its major internal threats of information security come from its employees. Employees in an enterprise/organization usually use their personal computers over an intranet or the Internet to process business affairs. For an enterprise/organization, employees' personal computers might be the primary source of internal information security issues. Therefore, for enterprises/organizations, how to monitor employees' personal computers is an important issue. In practice, many enterprises/organizations use information security monitoring tools to collect information related to information security and monitor computer systems' operations. Therefore, it is a good solution for enterprises/organizations to monitor their computer systems, especially their employees' personal computers, with an information security monitoring tool.
In general, computers with different operating systems need to install their corresponding information security monitoring tools. The Desktop Operating System Market Share Worldwide (2020) report mentioned that Microsoft Windows operating system has the highest global market share: the average global market share of the Microsoft Windows operating system was 77.68% in the past year (2019/07~2020/06) [3]. Microsoft Windows is the most widely used operating system for desktop computers in the world now. Therefore, a Windows-based information security monitoring tool would be the most needed for enterprises/organizations. This study will explore developing priority for the functionalities in a Windows-based information security monitoring tool. For exploring this study topic, this study will adopt an assessment model for development of an information system tool to assess developing priorities for the functionalities in a windows-based information security monitoring tool. The assessment model for an information security tool development adopts several methods, such as the literature study method, the Delphi method, the analytic hierarchy process (AHP) method, and some data-driven decision-making analytical methods. Finally, we will rely on the study analysis results to propose developing priority for functionalities in a Windows-based information security monitoring tool and explore the decision opinions of decision-makers.
In this paper, Section 2 reviews the literature about information security monitoring to find functionalities in an information security monitoring tool and identify the decision criterion set related to a Windows-based information security monitoring tool. Section 3 introduces the assessment model for an information security tool development in this study, and the proposed model will use the literature study method, the Delphi method, the AHP method, and two data-driven decision-making analytical methods. Section 4 presents the main study results of the proposed assessment model, including the decisionmaking hierarchy determined by the Delphi method and the weight analytical results for functionality developing priorities in a Windows-based information security monitoring tool with the AHP method. Also, Section 4 presents the correlations and similarities among decision-making opinions in the development of a Windows-based information security a malicious script or some utilities, especially for information security tools [16]. Soubramanien et al. also mentioned that event information should include the username and computer name; usually, a malicious script can execute some malicious attacks on the computer with a specific computer name [17]. Moreover, users prefer to assign usernames on each computer system and they log on to a computer system with the usernames at any time [18]. Therefore, an information security monitoring tool should collect information about a computer name and usernames in a computer.
Generally, the hardware is the physical element of the supporting processes in a computer system: it may be several devices, including central processing unit (CPU), memory, disk drive, optical disk, and network interface card, etc. [19,20]. The software on a computer consists of the programs, such as operating system (OS), service, maintenance or administration software, package software, or standard software [4]. For software operating continually on a computer system, it is necessary to identify patches, fixes, new versions of existing software to update the computer, and make that software available to the computer [21]. Thus, an information security monitoring tool should collect hardware and software information in a computer. Network connectivity is a necessary feature for today's use of computer systems. Generally, the network connectivity of computer is based on its network interface card configuration [22] and its network routing settings [23]; thus, the network interface card configuration and the network routing settings of a computer are the critical essential information for a computer. Moreover, due to rapid growth in the use of electronic data processing in computer systems, information security monitoring tools require special attention to provide and deal with potential threats, vulnerabilities, and control functions [24]. Thus, an information security monitoring tool should collect the information related to network interface card configuration, network routing settings, and electronic data in a computer.
Examining the above literature, we can find that an information security monitoring tool should collect the "computer name", "username", "hardware information", "software information", "network information", and "electronic data" as essential information of a computer.

Usage Behaviors
In general, computer usage behaviors refer to users' operations involved in the period from power on/logon to power off/logoff, and an information security monitoring tool should collect the events related to those operations. We explore related literature in the following paragraphs.
Reference [25] mentioned that users can watch the execution behavior of application software with "process ID". For improving the information security in an enterprise/organization, an information security monitoring tool should monitor, adjust, and document the process names and process IDs of implemented application software [26]. The file name, file path, and file type are primary information for a computer to store data, and users can access specific files from computer storage devices with that information. Also, applications use file names and file paths as the primary attributes to identify files [27]. Therefore, as well as the file name, file path, operation type, and file type are information related to user access file behavior, too [28]. Besides, software licensing uses a digital certificate [29], and some information security operations are also based on the required certificate [30]. With collected installed certificate information, information security monitoring tools can know the installed software and the handled information security operations, and indirectly understand user behavior on a computer. CPU utilization is one indicator for us to understand users' operation behaviors on a computer; when a malicious program invades a computer system, its operation will be different from a legitimate application related to CPU utilization [31]. Moreover, an information security management system should monitor system performance, such as hard disk utilization and input/output (I/O) load [32]. Therefore, an information security monitoring tool can detect possible information security attacks with information about CPU utilization and disk utilization.
Lim et al. identified that booting and uptime of a computer would be helpful to respond effectively to an information security incident [33]. Sbeyti used several kinds of information to observe user behavior on mobile devices, where power on/off is one such observation information [34]. Moreover, for establishing an audit trail, information security should record user operations, and the operations include user login/off a computer system [35]. Further examining user behaviors on computers, users might use mobile media devices, such as compact disc (CD), universal serial bus (USB) disk, and Digital Versatile Disc (>DVD), to improve their operations on computers, and these peripheral devices should be controlled and protected [19].
The authors of Reference [36] emphasized that users should use the system log and related logs to identify threats and detect malicious activities. Therefore, an information security tool should have functions to enable/disable system logs and related logs; then, it can access these logs to analyze users' behaviors. Besides, when users operate computers, they often involve official information related to the business information of enterprises/organizations. Opponents can easily read such information that may be confidential through users' careless operations. For an information security monitoring tool, keyword monitoring [37] is one possible measure to prevent classified information leakage from user operations.
From the above-discussed literature, we can find that an information security monitoring tool should record several kinds of information to understand users' usage behaviors on a computer. That information includes "process IDs", "file and path", "CPU utilization", "disk utilization", "power on/off and logon/out", "peripheral input/output devices", "log", "keyword", and "certificate".

Information Security Control
Information security control in a computer system may involve several control areas, such as hardware/software control, storage control, Internet control, screen control, and biometrics control.
The authors of Reference [38] thought the information security control scope for a computer should include the hardware and software of the computer. The hardware-related information security control should provide essential information on a hardware device, such as device type, device name [39], and manipulation capabilities, to enable, disable, start, and stop [40]. The software information security control should collect the information about installed software in a computer [41] and permit installing/uninstalling specified software. Moreover, the storage control involves disk drive operation and shared directory operation, the disk drive operation includes listing, adding, or removing disk drives [42], and the shared directory operation may consist of creating, deleting, and modifying a shared directory [43].
Internet control is an important information security control in an enterprise/organization. A computer system can connect to the Internet only through its network interface card(s) [44]; moreover, different types of network applications have to go through several ports to connect to the Internet [45]. Thus, Internet control should know the network interface card number in a computer and port-related information. For manipulating the Internet connections in a computer, Internet control should enable/disable some specified ports. Besides, in some enterprises/organizations, their computers prohibit connecting to the Internet; therefore, Internet control should be able to detect a specific IP address to know whether the Internet connection is available or not.
Generally, through the installation and use of the screen saver [46], users can avoid leaving their computers for a long time to prevent unauthorized persons from operating their computers. Moreover, screen capture is a usual function that can be used to capture the screen of information security incidents or monitor employees' computer operation behaviors [47]. Because of this, the screen control should support the screen saver and screen capture functions. At last, biometrics [48] becomes more available on different types of information platforms; usually, it can be based on voice, fingerprint, iris, or face to identify the user's identity. Since biometrics feature copying is not easy, it is a good function for a computer login operation. Therefore, biometrics may be a control function in information security control.
According to the literature related to information security control, it is significant that an information security monitoring tool should implement five functions to support the information security control in a computer system. Those functions include "hardware/software control", "storage control", "Internet control", "screen control", and "biometrics control".

Network Behaviors and Printing Control
The authors of Reference [49] thought a computer's traffic volume is critical information to observe user network behaviors on a computer. Some network anomalies, including flooding attacks and certain types of Denial of Service (DoS) attacks, trigger significant traffic volume changes [50]. As more web-based applications are available over the Internet, browsing history information can display the various activities performed by users on a specific website; usually, it contains a URL, a reference to a private file, or URL parameters [51]. Therefore, an enterprise/organization needs to record and analyze user browsing histories; then, it can understand the users' browsing behaviors. Also, connection time is important information to know network applications' connection situations, and it can show user network behaviors and detect abnormal connection behaviors over a network [52]. Thus, an information security monitoring tool should monitor the connection time of network applications. From the above literature related to network behaviors, it is significant that an enterprise/organization can observe its employees' network behaviors with network traffic volume, browsers' browsing history records, and the length of network connection time.
Several schemes are available for printing control, and watermark is one of the famous printing control schemes. A watermark is a specific image (mark) printed on a document periodically and repeatedly; usually, when a printer prints documentation with a watermark, the watermark shows a "confidential" string or one specific printer ID [53]. In general, users adopt a watermark scheme to control document printing in a printing apparatus, and users require to have some printing settings for watermark; usually, these settings include font, style, size, color, character set, and printing content, such as "FOR INTERNAL USE ONLY" [54]. Then, users can depend on their requirements to control the watermark on their printing apparatus. Therefore, an information security monitoring tool should have functions to manipulate watermark settings and control (e.g., enable/disable). Besides, a printing permission scheme would request user information, such as ID and password, to determine whether to permit the execution of printing or not [55]. Thus, the printing permission control might be a good scheme for an information security monitoring tool to control the printing process.
Examining the literature related to network behaviors and printing control, it is significant for an information security monitoring tool to record the information about "current network traffic volume", "browsers' history records", and "connection time" to understand users' network behaviors. Also, an information security monitoring tool should implement the "watermark setting", "watermark control", and "printing permission control" functions to do printing control jobs in a computer system.

Methodology
This study proposes an assessment model for an information security tool development to explore functionality implementation in a Windows-based information security monitoring tool. We will describe the proposed assessment model and the methods adopted in the proposed assessment model in the following subsections.

The Assessment Model for an Information Security Tool Development: Overview
The proposed assessment model organizes four fundamental steps through a systematic process and it helps explore the function's implementation in a Windows-based information security monitoring tool. The proposed assessment model adopts several wellknown methods applied to multi-attribute decision-making studies, and these methods include the literature study method, the Delphi method, the AHP method, and two datadriven decision-making analytical methods. Figure 1 shows the systematic process diagram of the assessment model for development of an information security tool, and Table 1 displays the illustration of the methods applied to each step. Besides, the following paragraphs describe how the proposed assessment model uses these famous methods.  Two data-driven decision-making analytical (Pearson correlation and cosine similarity) methods To understand the correlations and similarities among all decision-makers' preferential decision opinions Step one identified the decision criteria set for the study. It depended on the literature study method to survey literature related to information security monitor functions, especially for the Windows operating system. After reviewing the literature, we attempted to find out possible functionalities in a Windows-based information security monitoring tool as the decision criteria set for the proposed assessment model.
Step two confirmed the decision organization hierarchy for this study. It adopted the Delphi method to identify the relationships among the decision criteria and decision constructs first. This step consulted potential decision-makers to confirm decision criteria under each construct by email/instant message apps or face-to-face interviews. Then, it established a decision organization hierarchy for the proposed assessment model.
Step three consisted of decision-makers' preferential opinion investigation with an AHP expert questionnaire survey and group-based assessment of the decision criteria priorities. This step used face-to-face interviews with the decision-makers and asked the decision-makers to fill out the designed AHP expert questionnaire based on the decision hierarchy. After an expert questionnaire survey, this step received each decision-maker's preferential opinions presented by pairwise comparison matrices. This step also had a consistency check for each decision-maker's answers; if the check result is inconsistent, this step will re-interview the decision-maker to fix his/her preferential opinions. Following the decision-maker's preferential opinion survey, this step performed the decision criteria prioritizing phase of the AHP method to assess the relative weights of the constructs w.r.t. the total decision goal, and the relative weights of the criteria with respect to (w.r.t.) each construct, for each decision-maker. Finally, this step received the absolute weights of the criteria w.r.t. the total decision goal for all decision-makers with the AHP method.
Step four consisted of all the decision-makers' preferential opinions analysis with two data analytical (statistical and geometrical) methods in the data-driven decision-making field. The purpose of this step is to comprehensively understand the individual preferential opinions of all decision-making experts and discover the correlations and similarities of preferential opinions of all decision-makers. This step applied the Pearson correlation and cosine distance to analyze the preferential opinions of all decision-maker experts.

The Literature Study Method
A literature review can let readers understand a researcher's study ideas, where those study ideas include all the main aspects of a research topic and the researcher's different viewpoints. Besides, a literature review should present all the critical and relevant thinking on certain specific study topics, and it can provide obvious evidence that the researcher has understood the previously discussed contents of literature and the researcher has made unique contributions to this research field [56]. Usually, the literature review has four purposes, as described below. First of all, a literature review helps researchers to establish the credibility of the research. Next, it allows researchers to set their research work on the research results of other researchers. Third, the citation of other researchers' studies will make a wide variety of readers accept the researcher's study results. Finally, the literature review determines the theoretical orientation of the study [57]. Kruse and Warbel presented a comprehensive literature study that summarizes the current research of a topic to provide new insights into the subject of a further study. In short, the purpose of a literature study is to form a framework for researchers to complete their research. That framework will provide a theoretical basis for the study, the previous studies, and the discovery of the same research topic. Researchers may adopt several different processes to write a literature review and produce a quality literature review [58]. About the literature review, Machi and McEvoy proposed six steps to help researchers successfully process a literature review [59], and the following paragraphs describe these six steps.

•
Step one: selecting the topic Researchers should choose a study interest, then specify and focus the study interest. This step will emphasize the study topic's description and the study framework's setting.

•
Step two: searching the literature Researchers should discover and select literary works through the Internet. For selected literature, the researchers may have a mapping of the study framework and refine/expand the subject of the study. The focus of this step is to explore and classify literature.

•
Step three: developing the argument Researchers should base on the above two steps to build some arguments, evaluate them, and propose some claims for the study. The researchers may qualify and rationalize the proposed claims/arguments. The emphasis of this step is to propose the arguments/claims related to the study.

•
Step four: doing the literature survey Researchers should assemble and record the searched literature first; next, they should integrate and analyze the literature to build evidence, claims, and reason patterns. Then, the researchers may have mappings among the arguments of discovery and analyze these arguments. Providing the arguments' supporting profile related to the study and discovering the research's results is the focus of this step.

•
Step five: the literature critique Researchers should look for consensus, dissent, inconsistencies, limitations, or gaps among the searched literature, and researchers can explore the support for the study and find out the fallacy with the searched literature. This step focuses on identifying useful arguments for research and disclosing some research problems in the searched literature.

•
Step six: writing the review After completing the survey and the searched literature's critique, researchers can write the literature review. In general, a literature review may include several parts, such as an introduction and a body of the literature review, a background about the research, the study's arguments, and a summary of the literature review.

The Delphi Method
In the US-sponsored military program, Norman Dalkey of the RAND Corporation developed the Delphi method in the 1950s [60]. Dalki and Helmer described the project as seeking expert advice to select the best industrial target system in the United States and estimate the number of atomic bombs needed to reduce the production of a specific quantity of ammunition [61]. The Delphi method is an iterative process, and researchers use it to collect and extract experts' judgments with a series of questionnaires and responses. Typically, for the study design questionnaire, each subsequent questionnaire will be based on the results of the last questionnaire, and when the study gets the question's answer, the process stops. Many industries, including medical, defense, commerce, education, information technology, transportation, and engineering, have accepted the Delphi method [60]. The Delphi method is a way to construct a group communication process that effectively allows a group of individuals to deal with complex problems as a whole. For completing this "structured communication", the Delphi method provides several ways to deal with it: some feedback on personal information and knowledge contribution, some evaluations on group judgment or opinion, some opportunities for individuals to modify his/her views, and a certain degree of anonymity for individual reactions [62].
Reference [63] described the classical Delphi method with four main features: 1.
The anonymity of Delphi participants: it allows participants to express their opinions freely without undue social pressure to conform to others' views in the group.

2.
Iteration: based on the progress of the group's work from one round to another, it allows participants to refine their views. 3.
Controlled feedback: it informs participants of other participants' views and provides Delphi participants with an opportunity to clarify or change their views.

4.
Statistical aggregation of group responses: it allows quantitative analysis and data interpretation.
Typically, the Delphi method should be adopted when an application issue has one or more of the following properties [62]:

•
The question is not suitable for precise analytical technology but can benefit from collective subjective judgment. • Individuals who need to contribute to the study do not have a well-communicated history and may represent different backgrounds in terms of experience or expertise.

•
In face-to-face communication, more people need to interact effectively. • Time and cost make frequent group meetings infeasible.

•
Supplementing the group communication process can improve the efficiency of faceto-face meetings. • Differences among individuals are very serious or politically unpopular; thus, it is necessary to adjudicate the communication process and (or) be anonymous.

•
It is necessary to maintain the heterogeneity of the participants to ensure the effectiveness of the outcome.
The Delphi method's research process will be done through data collection, data analysis (based on nonparametric statistical technology), and result reporting. The Delphi method's application scope in a research process includes research topic determination, research issue specifications, research theoretical perspective determination, interest variable selection/proposition generation, preliminary causality determination, and constructs definition and creation of a common language for discourse. A primary advantage of this method is that it avoids confrontation among experts [64].

The AHP Method
The AHP method [65] is a well-known multiple attribute decision-making research method, proposed by Saaty. The standard AHP method allows researchers to use a hierarchical organization to present the overall decision-making goals and related decision constructs with decision evaluation criteria. The popularity of the AHP method is mainly due to its effectiveness in solving real-world decision-making issues, and many hybrid models also involve the use of AHP. Recent related studies have also expanded hierarchical analysis with fuzzy set logic, for example, intuitionistic fuzzy sets.
For evaluating the preferential structure of the entire opinion group, the AHP method performs several procedures for each decision-maker, including an expert questionnaire survey, a standard criterion weight vector determination, and a consistency analysis of the decision criteria. In general, AHP assumes that comparing two criteria pairwise at one time during a questionnaire survey can state the relative importance of the involved criteria, which can be used to represent a decision construct or decision goal [66]. Therefore, users can follow the following four steps to obtain the criterion weight vectors in a pairwise comparison matrix.
Step one, the evaluation results will form a pair of comparison matrices, M nxn , where n is the number of decision evaluation criteria, as shown in Equation (1): Step two, users can use the following process to determine the criterion weight vector (i.e., where the element is a standard weight of a criterion concerning the constructs/goal). From the data shown in the above-mentioned square matrix, M, the expression shown in Equation (2) can calculate the columns and vectors of this matrix [66]: Step three, users can use these vector elements to divide each column in the square matrix, M, to get another square matrix, M', as shown in Equation (3): Step four, users can obtain the criterion weight vector of a pairwise comparison matrix, M, by calculating the row sum vector of M' [66]. Equation (4) shows the expression of the criterion weight vector: Also, consistency analysis is a critical part of the AHP method. It checks whether the decision-maker's opinions on the expert questionnaire are consistent or not; through the transitive logic, we can check the consistency of the surveyed expert questionnaire. If the decision-maker states that C1 > C2 and C2 > C3 on the questionnaire and the pairwise comparison matrix records these decision-making results, we will hope that we can find in the matrix that C1 > C3, that preserves the transitive property, where C1, C2, and C3 are some decision criteria to be compared. If we find C3 > C1, then this situation would be called inconsistent [67].
About AHP consistency analysis, Saaty only accepted a pairwise comparison matrix as consistent if the consistency ratio (CR) < 0.1 (CR < 10%) of the pairwise comparison matrix. For calculating decision-maker opinion consistency, Saaty suggested that users can use the right eigenvector to measure the consistency with the following equations [68]: where CR is the consistency ratio, CI is the consistency index, RI is the random index, λmax is the maximum eigenvalue of the pairwise comparison matrix, N is the number of elements being compared to the pairwise comparison matrix, RI is the average value of CI for randomly generated matrixes of the same order.
Although the AHP method has been proposed for 50 years, it is still one of the primary methods for multiple attribute decision-making types of research in recent years because of the method's long-lasting popularity. Therefore, the AHP method remains an appropriate method for this study to explore the primary quantitative knowledge of information security monitoring functionality, as it has been and remains a reliable method.

The Pearson Correlation Coefficient and the Cosine Distance
In the multiple criteria decision-making studies, the Pearson correlation coefficient and the cosine distance are well-known tools to explore correlation and similarity among decision-makers' decision opinions. This study used these two analytical tools to explore correlation and similarity among decision-makers' decision opinions in a Windows-based information security monitoring tool.

The Pearson Correlation Coefficient
Pearson correlation coefficient, also known as Pearson r, is a statistical data tool used to measure the linear correlation between two variables, X and Y, with values between 1 and -1, 1 for total positive linear correlation, 0 for no linear correlation, and -1 for totally negative linear correlation. The Pearson correlation coefficient was defined by Karl Pearson in 1895 [69]. The Pearson correlation coefficient's definition is the product of two variables' covariance divided by their standard deviation. When applying the Pearson correlation coefficient to a sample, we use r xy to represent a sample correlation coefficient (Pearson correlation coefficient). We can obtain formula r xy by replacing the sample-based covariance and variance estimates in the following formula. Given that the paired data {(x 1 , Y 1 ),..., (X n , Y n )} consists of n pairs, Equation (7) shows the definition of r xy : where {\displaystyle n}n is sample size, x i , y i {\displaystyle x_{i},y_{i}} are the individual sample points indexed with I, Zhou et al. mention that the value of the Pearson correlation coefficient is between -1 and 1. Y increases with X when the Pearson correlation coefficient value is equal to 1, Y decreases with X when the Pearson correlation coefficient value is equal to -1, and there is no linear relationship between X and Y when its value is equal to 0 [70]. Furthermore, Pearson correlation coefficients are positive if X i and Y i fall on the same side of their respective averages. Pearson's correlation coefficients are negative if X i and Y i tend to fall on opposite sides of their respective averages. Therefore, if the Pearson correlation coefficient sign is positive, there is a positive correlation between X and Y, and if the Pearson correlation coefficient sign is negative, there is a negative correlation between X and Y [71]. Table 2 lists the Pearson correlations' strength.

The Cosine Distance
The cosine distance is one of the similarity measures widely used in information retrieval applications, and it also measures cohesion within clusters in the data-mining field. Cosine similarity is an indicator of distance measurement, and cosine matching measures the similarity of two non-zero vectors. The parametric cosine model is a similarity function, not a distance function. In general, a higher value of a cosine model means closer similarity among the two vectors. The basic concept behind the parametric cosine model comes from the cosine function used in the text database [73]. The principle of cosine measurement is that two vectors in the same direction have a cosine similarity of 1, two vectors with a relative 90 degrees have a similarity of 0, and two opposed vectors have a similarity of −1. Therefore, when measuring 0 or no angle, the highest value of cosine is 1. If it has an angle, its value is lower than 1. When two values are parallel, the angle difference is 0, the two vectors have similarities, and there is no similarity when they are vertical. In some studies, they used the cosine method to compare the data impostor with the real data generated from test data or evaluation data [74]. The following equation displays the formula of cosine distance: where X = (x 1 . . . x n ) and Y = (y 1 . . . y n ). In general, cosine distance is an indicator that considers the relevance of feature vectors; it is a similarity function, where a higher value implies a closer similarity [75]. Therefore, the cosine similarity is close to 1.0 when the two feature vectors become more similar; otherwise, the cosine distance is close to 0.0 when the two feature vectors become less similar [76].

Study Results of the Assessment Model for Development of an Information Security Tool
With decision-makers' preferential opinions, this study follows the study steps of the proposed assessment model in Section 3 to explore functionalities in a Windowsbased information security monitoring tool. In the following subsections, we will present the study results of the proposed assessment model's steps.

The Decision Criteria Hierarchy Establishment in the Proposed Assessment Model
In this subsection, this study followed steps one and two in the proposed assessment model to establish the decision criteria hierarchy for the proposed assessment model with the literature study method and the Delphi method. First, this study depended on the literature study method to collect the literature related to information security monitoring functionality. Through the literature survey, this study found that the Windows-based information security monitoring tool should implement twenty-six critical monitoring functions to monitor the computer use behavior of employees in enterprises/organizations. The study then used the Delphi method to consult several experts/potential decisionmakers on 26 monitoring functions in a literature survey to see if they could become a set of decision criteria in the proposed assessment model. This study identified that the Windows-based information security monitoring tool should cover the five main functions, "computer basic information", "user's PC operation behavior", "information security control", "network behavior", and "printing control". Those five main functions would be the decision constructs in the proposed assessment model. Finally, this study used the Delphi method to determine the corresponding relationship between the five main functions and the twenty-six monitoring functions. According to this mapping relationship, this study organized the decision criteria hierarchy for the proposed assessment model. Table 3 lists the operational definitions of these 26 decision criteria, and Figure 2 shows the decision criteria hierarchy diagram in the proposed assessment model.

The AHP Survey Works in the Proposed Assessment Model
This study followed step three in the proposed assessment model to survey decisionmakers' preferential opinions of the decision criteria. First, this study depended on the confirmed decision criteria hierarchy to design an AHP expert questionnaire. This study used the AHP expert questionnaire to survey all decision-makers and fill in the two by two comparison matrix of decision criteria as the source of the analysis dataset, and analyze the consistency of each decision-maker's preferential opinions. From 17 June to 20 July 2020, this study interviewed twelve decision-makers to answer the AHP expert questionnaire. The twelve decision-makers work in the government, academic, research and development (R&D) institutions, and the information industry. They all have a Ph.D. in informationrelated fields and have professional knowledge and background in information security. Therefore, those decision-makers can provide professional preferential opinions for the proposed assessment model to explore the decision-making structure and decision-making criteria for a Windows-based information security monitoring tool's development. Eight of them are male and four are female. One is a supervisor in an information department, five are professors, and six are information professionals, and their ages are between 31 and 65. Finally, as for service time, seven of them have between 1 and 21 years, and five have over 21 years. Table 4 lists the background statistics of the twelve interviewed decision-makers. In each interview, this study asked each decision-maker to answer the six designed AHP-style expert questionnaires, one for comparing the importance in the main decision constructs set, while five for comparing the significance in the decision criteria under each decision construct. In each face-to-face interview, this study brought a notebook computer with the Expert Choice software installed. In each round of interviews, this study recorded the pairwise comparison questions' answers in the AHP expert questionnaires directly with the Expert Choice. After receiving six pairwise comparison matrixes from each decision-maker in each round of interviews, this study used the Expert Choice to perform a consistency analysis for each pairwise comparison matrix. If there was inconsistency in a pairwise comparison matrix, i.e., inconsistency index > 0.10 (default threshold), this study would ask the decision-maker to adjust his/her decision criteria preferential opinions and have a consistency test with the Expert Choice again. This adjusting decision criteria preferential opinion process would continue with the decision-maker until we got a consistent result for each pairwise comparison matrix. In each decision-maker interview, the pairwise comparison matrices of the six designed AHP-style expert questionnaires should have passed the consistency check.
The interview result showed that all decision-makers had 1~5 rounds of interviews to pass all AHP questionnaires' consistency checks. After reviewing all decision-makers interview processes, we can find that most decision-makers could pass the consistency check easily in a round of interviews when they answered their preferential opinions with less than five decision criteria. Otherwise, most decision-makers passed the consistency check in 2~5 rounds of interviews, especially for the "user's PC operation behavior" construct (9 decision criteria in this construct).

The AHP Analysis Results
This study obtained the priority vectors of the construction and decision criteria under each decision construct in the proposed evaluation model's decision criteria hierarchy after the AHP investigation. In this step, the study used the "synthesize" function in the Expert Choice to aggregate all decision-makers' individual preferential opinions. This study received the relative weight value of decision criteria in the decision criteria hierarchy of the proposed evaluation model, and the relative weight value of decision criteria under each decision construct, as well as the overall priority and absolute weight value of all decision criteria in the proposed assessment model's decision criteria hierarchy.

The AHP Analytical Result about the Main Decision Constructs
This study received the aggregated criterion weight vectors for/among the five decision constructs under the total design decision goal. Table 5 lists the relative weights of these five decision constructs (i.e., decision construct CA, CB, CC, CD, and CE). Examining Table 5, we can find that the CC, CD, and CB are the three most significant decision constructs for the proposed assessment model-the relative weight sum of those three decision constructs is over 86%. Relatively, the CE and CA are less critical decision constructs for the proposed assessment model-the relative weight sum of those two constructs is less than 14%. From this analytical assessment result, we can see that the three main functions, "information security control", "network behavior", and "user's PC operation behavior", should get higher developing priorities in the development of a Windows-based information security monitoring tool.

The AHP Analytical Result about the Decision Criteria under the Construct CA
This study obtained the aggregated criterion weight vectors for/among the six decision criteria under the construct CA. Table 6 lists the relative weights of these six decision criteria (i.e., ac−1, ac−2, ac−3, ac−4, ac−5, and ac−6). Looking over Table 6, we can find that the ac-5, ac-4, ac-3, and ac-1 are the four most significant decision criteria, and the relative weight sum of those four decision criteria is 89.7%, and the ac-6 and ac-2 are less critical decision criteria, and the relative weight sum of those two decision criteria is 10.3%. This result shows that the functionalities related to "network information", "software information", "hardware information", and "computer name" should receive higher development priority in the "computer basic information" main function.

The AHP Analytical Result about the Decision Criteria under the Construct CB
This study obtained the aggregated criterion weight vectors for/among the nine decision criteria under the construct CB. Table 7 lists the relative weights among these nine decision criteria (i.e., bc-1, bc-2, bc-3, bc-4, bc-5, bc-6, bc-7, bc-8, and bc-6). Examining Table 7, we can find that the bc-7, bc-1, bc-2, bc-9, bc-5, and bc-6 are the six most significant decision criteria, and the relative weight sum of those six decision criteria is 89.4%, and the bc-8, bc-3, and bc-4 are less critical decision criteria, and the relative weight sum of those three decision criteria is 10.6%. This result means that the functionalities, "log", "process", "file and path", "certificate", "power on/off and log in/out", and "peripheral input/output devices", should get a higher developing priority in the "user's PC operation behavior" main function.

The AHP Analytical Result about the Decision Criteria under the Construct CC
This study obtained the aggregated criterion weight vectors for/among the five decision criteria under the construct CC. Table 8 lists the relative weights of these five decision criteria (i.e., cc-1, cc-2, cc-3, cc-4, and cc-5). Looking over Table 8, we can see that the cc-3, cc-1, cc-2, and cc-4 are the top four significant decision criteria, and the relative weight sum of those four decision criteria is 94.6%, and the cc-5 is less critical decision criterion, and the relative weight of this decision criterion is 5.4%. This result reveals that the "Internet control", "hardware/software control", "storage control", and "screen control" decision criteria should receive higher developing priorities in the "information security control" main function.

The AHP Analytical Result about the Decision Criteria under the Construct CD
This study obtained the aggregated criterion weight vectors for/among the three decision criteria under the construct CD. Table 9 lists the relative weights of these three decision criteria (i.e., dc-1, dc-2, and dc-3). Looking over Table 9, we can find that the dc-2 and dc-1 decision criteria are the top two significant decision criteria, and the relative weight sum of these two decision criteria is 91.7%, and the dc-3 is the least significant decision criterion, and the relative weight of this decision criterion is 8.3%. This result means that the functionalities, "browser's history record" and "current network traffic volume", should receive a higher developing priority in the "network behaviors" main function.

The AHP Analytical Result about the Decision Criteria under the Construct CE
This study obtained the aggregated criterion weight vectors for/among the three decision criteria under the construct CE. Table 10 lists the relative weights of these three decision criteria (i.e., ec-1, ec-2, and ec-3). Examining Table 10, we can find that the ec-2 and ec-1 are the two most significant decision criteria, and the relative weight sum of those two decision criteria is 88.3%, and the ec-3 is the least critical decision criterion, and the relative weight of this decision criterion is 11.7%. This result means that the functionalities, "watermark control" and "watermark setting", should get higher developing priorities in the "printing control" main function.

The AHP Analytical Result about the Overall Decision Criteria Priority
This study used the "synthesize" function in the Expert Choice to obtain the aggregated criterion weight vectors for/among the overall decision criteria under the decision goal. Table 11 shows the sorted absolute weights of the total decision criteria under the decision goal. Depending on the decision criteria's absolute weights shown in Table 11, we divide all decision criteria into five groups. The dc-2, cc-3, cc-1, bc-7, and cc-2 decision criteria are the most critical group-all the absolute weights of these five decision criteria are >7%, and the absolute weight sum of these five decision criteria is 54.5%. The functionalities ("browser's history record", "Internet control", "hardware/software control", "log", and "process") related to these five decision criteria should receive the first developing priority. The dc-1, bc-1, cc-4, bc-2, and ec-2 decision criteria are the second most significant groupall the absolute weights of these five decision criteria are >3%, and the absolute weight sum of these five decision criteria is 21.0%. The functionalities ("current network traffic volume", "process, screen control", "file and path", and "watermark control") related to these five decision criteria should receive the second developing priority. The ac-5, bc-9, ac-4, dc-3, bc-5, and bc-6 decision criteria are the third most significant group-all the absolute weights of these six decision criteria are >2%, and the absolute weight sum of these six decision criteria is 14.5%. The functionalities ("network information", "certificate", "software information", "connection time", "power on/off and log in/out", and "peripheral input/output devices") related to these six decision criteria should receive the third developing priority. The ec-1, cc-5, bc-8, and ac-3 decision criteria are the second least significant group-all the absolute weights of these four decision criteria are >1%, and the absolute weight sum of these four decision criteria is 6.4%. The ac-1, bc-3, bc-4, ac-6, ec-3, ac-6, and ac-2 decision criteria are the least significant group-all the absolute weights of these six decision criteria are <1%, and the absolute weight sum of these five decision criteria is 3.9%. The functionalities related to the less critical groups should receive a lower developing priority. Therefore, for a Windows-based information security monitoring tool, the functionalities should be based on their significances, i.e., the absolute weights of the decision criteria, to receive their corresponding developing priorities.

The Decision Opinion Correlation and Similarity Analysis
In this subsection, this study depended on the criterion weight vectors of decisionmakers (i.e., the priorities of decision constructs and the priorities of relevant decision criteria in the five decision constructs) to analyze the similarities and differences among decision-makers. First, this study took the AHP analysis results of all decision-makers (shown in Table 12) recorded in the Expert Choice to convert the xlsx file type. Then, this study received six xlsx files about whole decision-makers' criterion weight vectors: one is about the decision goal and the other five are about the CA~CE decision constructs. With these six xlsx files, this study used the Orange software tool, a well-known data-mining software, to perform correlation and similarity analysis in the decision-makers' decision opinions and visually present the analytical results.

The Correlation Analysis for the Decision-Makers' Decision Opinions
In this subsection, this study was based on six xlsx files shown in Table 12 to analyze all decision-maker decision-making opinions. First, this study used the "correlation" function in Orange to obtain the Pearson correlation coefficients of all decision-makers' decision opinions related to the decision goal and the five decision constructs. Then, this study used the "heat map" function in Orange to show the correlation between the decision-making opinions of the decision-makers on the decision goal and the five decision constructs. Figure 3 shows the heat maps and the Pearson correlation coefficients upon the correlations between decision-makers' opinions (criterion weight vectors) in the decision goal and under the five decision constructs. Looking at Figure 3a, we can find that all decision-makers' decision opinions in the decision goal are positively correlated, and there exist two decision opinion groups: group 1 contains the DM-8, DM-10, DM-6, DM-11, DM-3, and DM-5, and group 2 includes the DM-2, DM-7, DM-9, DM-1, DM-4, and DM-12. Table 13 lists the correlation proportion among all the decision-makers' decision opinions in the decision goal. It shows that all the decision-makers' decision opinions are positively correlated in the decision goal, and very high/high/moderate positive correlations exist among nearly three-quarters of decision-makers' decision opinions. Finally, the top five Pearson correlation coefficient rankings of pairs of decision-makers in the decision goal are the (3,5), (6,11), (5,6), (4,12), and (3,6).
Examining Figure 3b, we can see that only the DM-12 s decision opinions are negative in a correlation, while the other eleven decision-makers' decision opinions are positively correlated under the decision construct CA. There exist two decision opinion groups among the eleven decision-makers: group 1 contains the DM4, DM-6, DM-7, DM-5, DM-8, and DM-9, and group 2 contains the DM-3, DM-11, DM-1, DM-2, and DM-10. Table 14 lists the correlation proportion among all decision-makers' decision opinions under the decision construct CA. It shows that only one decision-maker (the DM-12) has little/low negative correlation with the other eleven decision-makers, while there are very high/high/moderate positive correlations among those eleven decision-makers. Finally, the top five Pearson correlation coefficient rankings of pairs of decision-makers under the decision construct CA are the (8,9), (5,9), (6,8), (4,6), and (6,9).

The Similarity Analysis for the DMs' Decision Opinions
In this subsection, this study depended on the six xlsx files shown in Table 12 to analyze cosine similarity in all decision-makers' decision opinions. First, this study used the "distance" function in Orange to get the cosine distance coefficient matrix of all decisionmakers' decision opinions related to the decision goal and the five decision constructs. Also, this study used the "distance map" function in Orange to display the cosine distances among all decision-makers' decision opinions about the decision goal and the five decision constructs in a visual way. Figure 5 shows the distance maps and distance matrix upon the cosine distances among pairs of decision-makers' decision opinions (criterion weight vectors) in the decision goal and under the five decision constructs. Examining Figure 5a, we can find that the cosine distance range among all pairs of decision-makers decision opinions in the decision goal is from 0 to 0.372-this cosine distance range is relatively narrow. It shows that all pairs of the decision-makers' decision opinions are positive similarities and the cosine similarities among all decision-makers' decision opinions are relatively close in the decision goal. This means that the cosine similarities of most of the decision-makers' decision opinions in the decision goal are relatively convergent. Table 19 lists the closest and farthest cosine distances among pairs of decision-makers' decision opinions in the decision goal.    Looking over Figure 5b, under the decision construct CA, we can find that the cosine distance range of all pairs of decision-makers' decision opinions is from 0 to 0.492. This cosine distance range is relatively narrow and shows that the decision opinions of all pairs of the decision-makers are positive similarities under the decision construct CA. We also can see that, except the pairs of the DM-12 s decision opinions, the pairs of the other eleven decision-makers' decision opinions received closer cosine distances. That means that the cosine similarities of all pairs of the eleven decision-makers' decision opinions are closer than the pairs of the DM-12 s decision opinions. Table 20 lists the closest and farthest cosine similarities among pairs of decision-makers' decision opinions under the decision construct CA.  (4,6), (6,8), (8,9) 0.003 (3,12) 0.492 1 (5,8), (5,9), 0.004 (6,12) 0.466 2 (4,8) 0.006 (5,12) 0.457 3 (7,9) 0.007 (4,12) 0.447 4 (5,6), (6,9) 0.010 (8,12) 0.438 5 Examining Figure 5c, under the decision construct CB, we can see that the cosine distance range among all pairs of decision-makers' decision opinions is from 0 to 0.346-this cosine distance range is also relatively narrow. This cosine distance range shows that the decision opinions of all pairs of the decision-makers are positive similarities, and the cosine similarities among all decision-makers' decision opinions are relatively close. That means that the cosine similarities of most decision-makers' decision opinions under the decision construct CB are relatively convergent. We can also see that, except the decision opinions of the DM-10 and DM-12, the pairs of the other ten decision-makers' decision opinions receive closer cosine distances. That means that the cosine similarities of all pairs of the ten decision-makers' decision opinions are closer than the pairs of the decision opinions of the DM-10 and DM-12. Table 21 lists the closest and farthest cosine distances among pairs of decision-makers' decision opinions under the decision construct CB.  (3,6) 0.008 (4,10) 0.346 1 (6,9) 0.014 (10,11) 0.344 2 (3,5), (5,7), (7,9) 0.016 (4,12) 0.309 3 (5,6) 0.017 (11,12) 0.236 4 (2,7) 0.023 (1,10), (8,10) 0.232 5 Examining Figure 5d, under the decision construct CC, we can find that the cosine distance range among all pairs of decision-makers' decision opinions is from 0 to 0.526. This cosine distance range is relatively wide, which shows that all pairs of the decisionmakers' decision opinions under the decision construct CC are positive similarities and the cosine similarities among all decision-makers' decision opinions are relatively far. That means that the cosine similarities of most of the decision-makers' decision opinions under the decision construct CC are relatively divergent. Also, looking at the distance map in Figure 5d, in addition to the decision-making opinions of the DM-3, DM-10, and DM-11, we can see that the decision-making opinions of the other nine decision-makers receive closer cosine distances. That means that the cosine similarity of nine decision-makers' decision opinions is closer than that of DM-3, DM-10, and DM-11 decision opinions. Table  22 shows the closest and farthest cosine distance between decision-making opinion pairs under decision structure CC. Looking over Figure 5e, we can see that the cosine distance range among all pairs of decision-makers' decision opinions under the decision construct CD is from 0 to 0.028-this cosine distance range is very narrow. This cosine distance range shows that the decision opinions of all pairs of the decision-makers under the decision construct CD are positive similarities. The cosine similarities among all decision-makers' decision opinions are relatively very close, which means that the cosine similarities of most of the decisionmakers' decision opinions under the decision construct CD are relatively very convergent. In addition, we can find that the cosine distances of the twenty-two pairs of decision opinions of decision-makers ( (4,5), (4,6), (4,7), (4,8), (4,11), (4,12), (5,6), (5,7), (5,8), (5,11), (5,12), (6,7), (6,8), (6,11), (6,12), (7,8), (7,11), (7,12), (8,11), (8,12), (9,10), and (11,12)) are 0 and the decision opinions of those pairs of DMs have a similarity.

Discussion
In this section, for developing a Windows-based information security monitoring tool, this study further explores the weights of the decision constructs and decision criteria; moreover, this study also discusses the Pearson correlations and cosine similarities among decision-makers' decision opinions further.

Further Explorations on the Absolute Weights of Decision Criteria for the Development of a Windows-Based Information Security Monitoring Tool
The range of the decision criteria's absolute weight is from 0.177 to 0.004 (please see Table 11), and the most significant decision criterion's absolute weight is 44.25 times that of the least critical decision criterion. This study uses those absolute weights to divide the twenty-six decision criteria into five groups, and the absolute weight sum of these five groups separately is 54.5%, 21%, 14.5%, 6.4%, and 3.9% (see Section 4.3.7). There exist considerable differences among those five groups' absolute weight sums. Looking over these five groups, we can find that the top three significant groups contain sixteen decision criteria, and the sum of these sixteen decision criteria's absolute weights is 90%. Those sixteen decision criteria in those three groups cover the most critical features in a Windowsbased information security monitoring tool. They should be based on their absolute weights to obtain their corresponding development priorities in the Windows-based information security monitoring tools. Therefore, more exploration would focus on these sixteen decision criteria, and we describe two analytical results in the following paragraphs:

•
The absolute weight sums of these sixteen decision criteria under the five decision constructs, CC, CD, CB, CA, and CE, are 32.2%, 26.2%, 23.2%, 5.3%, and 3.1%, respectively. We can find that the decision construct weight ranking based on the absolute weights of these sixteen decision criteria in the top three significant groups is the same as the ranking of the decision constructs' relative weights (please see Table 5).

•
Looking over the distribution of these sixteen decision criteria under the five decision constructs, CC, CD, CB, CA, and CE, the ratios of decision criteria to decision construct are 4/5, 3/3, 2/3, 2/6, and 1/3, respectively. Those ratios imply that the decision constructs CC, CD, and CB should receive more developing priorities in a Windowsbased information security monitoring tool. Table 24 summarizes the Pearson correlation coefficients and cosine distances among all pairs of decision-makers' decision opinions shown in Figures 3 and 5. Examining Table 24, we can see that the decision construct CD obtained the maximum Pearson correlation coefficient and the minimum cosine distance, and the decision goal and the two decision constructs, CB and CA, also received larger Pearson correlation coefficients and closer cosine distances. Relatively, the decision constructs CC and CE obtained smaller Pearson correlation coefficients and the farther cosine distances. This result means that the pairs of decision-makers' decision opinions under the decision goal and the decision constructs CA, CB, and CD are more convergent than the pairs of decision-makers' decision opinions under the decision constructs CC and CE. Furthermore, we also found that there does not exist a positive correlation between the size of the decision criterion set and the Pearson correlation coefficients/cosine distances among all pairs of decision-makers' decision opinions. That means that the pairs of decision-makers' decision opinions do not necessarily receive larger Pearson correlation coefficients or closer cosine distances in a smaller decision criterion set. Looking over all tables and figures in Section 4.4, we can see that most of the pairs of decision-makers' decision opinions have positive Pearson correlation coefficients and all the pairs of decision-makers' decision opinions also have positive cosine distances under the decision goal and all decisions constructs. However, we examined the Pearson correlation coefficients and cosine distances among all the decision-makers' decision opinions in detail, under the decision goal and all decision constructs, and we did not find that the two decision-makers' decision opinions always received very high/high Pearson correlation coefficients and closer cosine distance. That means that no two or more decision-makers have very close decision opinions under the decision goal and all decision constructs.

Further Discussions on the Pearson Correlations and Cosine Similarities among Decision-Makers' Decision Opinions
Next, this study tries to understand the relationship between the Pearson correlation coefficients and cosine similarities among all pairs of decision-makers' decision opinions. Figure 6 shows six diagrams that show the changes between the Pearson correlation coefficients and cosine similarities among all pairs of decision-makers' decision opinions under the decision goal and decision constructs CA, CB, CC, CD, and CE. Looking over the six diagrams in Figure 6, we can see a corresponding change between Pearson correlation coefficient and cosine similarity. That means that when a pair of decision-makers' decision opinions get a large Pearson correlation coefficient; then, this pair of decisionmakers' decision opinions would also receive a close cosine similarity. Relatively, a pair of decision-makers' decision opinions would receive a far cosine similarity when this pair of decision-makers' decision opinions have a small Pearson correlation coefficient.

Conclusions
In the era of information technology, information assurance is a key issue for enterprises/organizations. Information security monitoring tools are critical tools for enterprises/organizations to improve their information security performance. Since most computer operating systems are Windows-based operating systems; thus, developing a Windows-based information security monitoring tool is an important study topic. This study proposed an assessment model to explore the development of a Windows-based information security monitoring tool and all decision-makers' decision opinions. First, this study collected literature related to information security monitoring to identify the twenty-six functionalities that a Windows-based information security monitoring tool might have. Those twenty-six functionalities were also treated as the decision criteria in the proposed assessment model. Then, this study used the Delphi method to consult the potential decision-makers with the twenty-six decision criteria. After consulting potential decision-makers, this study identified that the twenty-six decision criteria can be divided into five decision constructs, "computer basic information", "user's PC operation behavior", "information security control", "network behavior", and "printing control". This study also confirmed the decision criteria hierarchy for the development of a Windows-based information security monitoring tool (see Figure 2). This study designed the AHP questionnaire with the decision criteria hierarchy and interviewed the twelve decision-makers to obtain their preference opinions. With the AHP analytical method, this study found that the "information security control", "network behavior", and "user's PC operation behavior" are more significant decision constructs for developing Windows-based information security monitoring tools; moreover, this study also found that the "browser's history record", "Internet control", "hardware/software control", "log", "storage control", "current network traffic volume", "process", "screen control", "file and path", "watermark control", "network information", "certificate", "software information", "connection time", "power on/off and log in/out", and "peripheral input/output devices" are the more significant decision criteria for developing a Windows-based information security monitoring tool, which are given an absolute weighting of 90%, and the functionalities related to these sixteen decision criteria should receive developing priorities in a Windows-based information security monitoring tool; especially, functionalities related to "browser's history record", "Internet control", "hardware/software control", "log", and "storage control" should obtain the first developing priority in a Windows-based information security monitoring tool.
This study explored the correlations and similarities among decision-makers' decision opinions with the Pearson correlation coefficient and cosine distance. We summarize the Pearson correlation coefficients and cosine distances of decision-makers' decision opinions in the following paragraphs:

•
The decision-makers' decision opinions under the decision construct CD have the closest Pearson correlation coefficients and cosine similarity. The decision-makers' decision opinions have larger Pearson correlation coefficients and closer cosine similarities in the decision goal and decision constructs CB and CA, but the decision-makers' decision opinions in decision constructs CC and CE have smaller Pearson correlation coefficients and far cosine similarities. Therefore, the decision-makers' decision opinions under the decision goal and the decision constructs CD, CB, and CA are more convergent than the decision-makers' decision opinions under the decision constructs CD and CB.

•
In the decision goal and the five decision constructs, no two or more decision-makers had very close decision opinions in the Pearson correlation coefficient and cosine similarity. • Among all pairs of decision-makers' decision opinions, there does not exist a positive correlation between the size of the decision criterion set and Pearson correlation coefficients/cosine similarities. However, a corresponding change exists between the Pearson correlation coefficients and cosine similarities (see Figure 6).
Informatization is the cornerstone of the sustainable operation and growth of modern enterprises/organizations. Information security is the necessary mechanism to ensure that information systems in enterprises/organizations can operate normally and continuously. For enterprises/organizations, an information security monitoring tool is an important measure to strengthen their information security protection. For improving enterprise/organization's information security for effective and sustainable operation, this study understands the importance of developing an information security monitoring tool. Therefore, this paper proposed an assessment model of information security tool development, through the systematic study steps, to assist information security professional personnel in effectively completing the development of information security monitoring tools. Through the proposed assessment model, R&D personnel can also understand the similarities and differences among decision-making opinions, which can help the R&D personnel to explore decision-making opinions deeply to ensure the effectiveness of information security monitoring tools and also enhance the sustainability of enterprise/organizational operation.

Recommendations
This study explored the functionalities developed in a Windows-based information security monitoring tool, and it also analyzed decision-makers' decision opinions using the steps in the proposed assessment model. Researchers can explore many issues related to the multi-criteria decision-making field according to the main steps, including the literature study method, the Delphi method, the AHP method, and some data-driven decisionmaking methods, in the proposed assessment model. First, with the literature study method, researchers can collect the literature in a specific professional field, and by studying the collected literature, researchers can understand the domain knowledge and discover possible decision criteria for their studies. Second, with the Delphi method, the researchers can consult domain experts or potential decision-makers to identify the decision criterion set for their studies and organize a decision criteria hierarchy with the confirmed decision criteria. Third, with the constructed decision criteria hierarchy, the researchers can design an AHP questionnaire for their study and interview the decision-makers with the designed AHP questionnaire to obtain decision-makers' decision opinions. With the AHP analytical method, the researchers can receive the criterion weight vectors of decision criteria; then, the researchers can depend on the decision criteria's priority weights to receive possible solutions for their study. Finally, the researchers can use some data-driven decisionmaking measures to analyze the criterion weight vectors in detail if they want to explore the decision-makers' decision opinions further. In general, researchers should present the results of data-driven decision-making analysis intuitively, and visual analysis results will help them to explore the decision-makers' opinions and find more exploration results in their research.
We found that the above study steps can be used as a study template to explore some multi-criteria decision-making research issues from the above description. Especially, for the study issues related to multiple choices required to implement but only with limited resources, which is quite common in some large-scale research and development cases. Usually, with limited budgets and human resources, these R&D cases cannot implement all possible choices, and they need to invest their valuable limited resources to the more significant R&D choices; then, they can receive better R&D results with limited R&D resources. However, for those R&D cases, it is difficult for R&D staff to determine the significant R&D choices in their R&D case. The above study steps can help R&D staff to identify the critical R&D choices in their R&D case. Then, those R&D staff can receive better R&D results with limited R&D resources. Finally, many data-driven decision-making methods are available for researchers to explore relationships among data. Researchers can depend on their requirements to choose proper data-driven decision-making methods and receive better exploration results that they want. Generally speaking, data-driven decisionmaking methods usually need a large amount of data for analysis. Therefore, it is helpful for researchers to use data-driven decision-making methods to explore the relationship between data quickly and conveniently through proper data visualization.
Author Contributions: Conceptualization, methodology, investigation, visualization, and writing, Chen-Hua Fu; Validation, project administration, writing (review and editing), and supervision, Chih-Yung Chen. All authors have read and agreed to the published version of the manuscript.

Funding:
The funding institutions of this study are temporarily blinded.
Institutional Review Board Statement: Not applicable.

Informed Consent Statement: Not applicable.
Data Availability Statement: Not applicable.

Acknowledgments:
The authors thank Zheng-Yun Zhuang for his suggestions about decisionmakers' decision opinion analysis in Section 4.

Conflicts of Interest:
The authors declare no conflict of interest.