Information security risk analysis model using fuzzy decision theory
Introduction
According to Kiyomoto, Fukushima, and Miyake (2014), Information Technology (IT) systems consist of computing resources and networks, which support the performance of critical functions in organizations. Moreover, IT systems have improved how business is executed, making organizations more dependent on their computer systems (Magklaras & Furnell, 2002).
However, despite the benefits and advantages of IT systems, much IT infrastructure exhibits security flaws that render it susceptible to abuse.
Security abuses, according to Bojanc & Jerman-Blazic (2008), are related to technical failures, system vulnerabilities, human failures, fraud, and external events. Financial losses are often a consequence of security abuse (Sun, Srivastava, & Mock, 2006). Rasheed (2014) reported many companies identifying security concerns as the remaining barrier to adopting cloud computing services and Brender and Markov (2013) claim that those risks need to be carefully evaluated before any engagement in this area. Thus, the IT industry has provided a variety of security tools (e.g., anti-virus and firewalls) that help users and system administrators prevent, detect, and counteract IT abuse, according to Magklaras and Furnell (2002).
Information security has become crucial to the survival of institutions. Thus, several security solutions have been developed to minimize risks that endanger organizations’ operations and to maintain the confidentiality, integrity, and availability of information. These solutions mainly focus on analysing vulnerabilities and threats to the IT systems and deciding what countermeasures reduce risk to an acceptable level (Feng, Wang, & Li, 2014). However, applying these solutions is not a simple task, given the complex and dynamic environment in which they operate.
This same assessment is pointed out in Feng and Li (2011), in which information system security (ISS) risk analysis is a difficult task and involves uncertainty, which is considered to be the main factor that influences the effectiveness of the ISS risk assessment. However, these authors also argued that several existing approaches for ISS risk analysis have some difficulties in dealing with the uncertainty. To overcome this problem, considering the uncertainty inherent to the context, this paper developed an approach that combines decision theory and fuzzy logic by incorporating the vision of the work developed by Shamala, Ahmad, and Yusoff (2013), which not only identified and ranked potential systems vulnerabilities but also identified and monitored specific threat levels of deliberate and external data center attacks.
Therefore, the objective of this paper is to assess the risk, which is the first step in the risk management methodology for information technology systems (NIST, 2002). The risk assessment, in turn, encompasses nine primary steps: System Characterization, Threat Identification, Vulnerability Identification, Control Analysis, Likelihood Determination, Impact Analysis, Risk Determination, Control Recommendations, and Results Documentation. The event tree analysis (ETA) methodology in this paper will support the step of System Characterization through the identification of the vulnerabilities of the organization and consequently, the potential accidents and possible scenarios. The Risk Determination step will be supported by decision theory and fuzzy logic through determination of the chances of occurrence and judgments about these elements. Thus, this article proposes the use of specific methodologies in crucial stages of risk assessment in information security. Both mathematical rigor, which is necessary to ensure the robustness of the model, and the judgments of those involved in the process, given the subjective characteristic of the types of assessments made, are considered in this model. In this way, this new approach of dealing with information security in IT systems enables managers to better understand the problem by estimating the level of threat that is likely to originate from a particular scenario in an uncertain environment.
The first section of the paper discusses information security risks in IT systems. Then, a discussion follows of the existing methodologies on information security and the background information necessary to develop the proposed approach. Next, we introduce the methodology and present a real case illustrating how the methodology validates the proposed approach. Finally, the discussion turns to limitations of the research, suggested further studies and concluding remarks.
Information security risk analysis
This section presents a brief summary of related works in information security risk management models. The necessity of information security in organizations has increased as huge changes in structure and type of information technologies implemented have generated greater risk (Shamala et al., 2013). As a result, several risk management frameworks and methodologies in information security literature have been developed.
Lo and Chen (2012) compared the advantages and disadvantages of qualitative
Information security risk assessment proposed model
The proposed information security model includes four phases (Fig. 4): expert identification, determination of scenarios and events, fuzzy evaluation and ordering.
The aim of the proposed model is to evaluate the consequence of each alternative in terms of financial loss, an easily perceived variable, considering the different possible scenarios (possible nature states). As outlined in Section 2, the alternatives detailed below represent a potential accident regarding information security in the
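As an added illustration of the two stages described above (this is not the paper's code or data), the Python sketch below derives the states of nature and their probabilities from a small event tree, represents the expert's financial-loss judgements for each potential accident as trapezoidal fuzzy numbers, and orders the accidents by the centroid of their probability-weighted fuzzy loss. The barrier probabilities, loss figures, trapezoidal representation and centroid ranking rule are all assumptions made for the example; the paper's own fuzzy evaluation and ordering rules are not reproduced from the page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TFN:
    """Trapezoidal fuzzy number: support [a, d], core [b, c], with a <= b <= c <= d."""
    a: float
    b: float
    c: float
    d: float

    def __add__(self, other):
        return TFN(self.a + other.a, self.b + other.b, self.c + other.c, self.d + other.d)

    def scale(self, k):  # multiply by a non-negative crisp probability
        return TFN(self.a * k, self.b * k, self.c * k, self.d * k)

    def centroid(self):  # x-coordinate of the trapezoid's centroid, used as the ranking score
        a, b, c, d = self.a, self.b, self.c, self.d
        if d == a:  # crisp value: no area under the membership function
            return a
        return (d * d + c * c + c * d - a * a - b * b - a * b) / (3.0 * (d + c - a - b))

ZERO = TFN(0.0, 0.0, 0.0, 0.0)

def eta_scenarios(p_init, barriers):
    """Event tree: the initiating event meets sequential barriers (name, p_fail); the first barrier that holds ends the chain."""
    scenarios, p = [("no event", 1.0 - p_init)], p_init
    for name, p_fail in barriers:
        scenarios.append((f"stopped by {name}", p * (1.0 - p_fail)))
        p *= p_fail
    scenarios.append(("all barriers fail", p))
    return scenarios  # [(label, probability)], probabilities sum to 1

def expected_fuzzy_loss(scenarios, loss_by_scenario):
    """Probability-weighted sum of the fuzzy losses over the states of nature."""
    total = ZERO
    for label, p in scenarios:
        total = total + loss_by_scenario.get(label, ZERO).scale(p)
    return total

def rank_accidents(scenarios, loss_table):
    """Order the potential accidents (alternatives) by expected fuzzy loss, worst first."""
    scores = {alt: expected_fuzzy_loss(scenarios, t).centroid() for alt, t in loss_table.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

# Constructed sample input (hypothetical expert judgements, in thousands of currency units).
BARRIERS = [("e-mail filter", 0.2), ("endpoint protection", 0.5)]
LOSS_TABLE = {
    "data leak": {"stopped by endpoint protection": TFN(2, 5, 8, 12), "all barriers fail": TFN(100, 200, 300, 500)},
    "service outage": {"stopped by endpoint protection": TFN(5, 10, 15, 20), "all barriers fail": TFN(50, 80, 100, 150)},
}
RANKING = rank_accidents(eta_scenarios(0.1, BARRIERS), LOSS_TABLE)
```

Scenarios with no entry in an accident's loss table contribute a zero loss, which is how the "no event" branch of the tree drops out of the sum.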
Illustrative example
This section presents an example that illustrates the applicability of the proposed model. This application is based on a real context. Although real data for the information required were not used, the data used to give an overview of the model are nevertheless realistic.
Following the steps of the proposed model (Fig. 4), explained in Section 3, the information required (realistic data) was provided by an expert in the security risk to information area, based on his
Discussion
In this study, a model for information security risk management was formulated and illustrated by means of an illustrative example developed in a data center. This model contributes to information security practice by addressing some critical aspects: evaluation and analysis of possible scenarios, their origins, and potential failure modes.
The ETA methodology was used to identify the alternatives of interest, which were defined from the taxonomy of events and scenarios and thereafter, a risk
Conclusions
This paper proposes an information security risk model using fuzzy decision theory, which encompasses four phases: expert identification, determination of scenarios and events, fuzzy evaluation, and ordering. The paper aims to evaluate the consequence of each alternative in terms of an easily perceived variable – financial loss – considering the different possible states of nature (scenarios). To achieve this goal, this work described a taxonomy of events and scenarios using the ETA
Acknowledgements
This research was partially supported by the Universidade Federal de Pernambuco and GPSID—Decision and Information Systems Research Group.
References (67)
- A new approach for ranking of trapezoidal fuzzy numbers. Computers & Mathematics with Applications (2009).
- Fuzzy decision trees. Fuzzy Sets and Systems (1980).
- A general, but readily adaptable model of information system risk. Communications of the AIS (2004).
- Why information security is hard: An economic perspective.
- Economics of information security (2005).
- Event-tree analysis using binary decision diagrams. IEEE Transactions on Reliability (2000).
- A risky business or a safe BET? A fuzzy set event tree for estimating hazard in biotelemetry studies. Animal Behaviour (2014).
- An economic modelling approach to information security risk management. International Journal of Information Management (2008).
- A review of some methods for ranking fuzzy numbers. Fuzzy Sets and Systems (1985).
- Risk perception and risk management in cloud computing: results from a case study of Swiss companies. International Journal of Information Management (2013).
- Multi-attribute risk assessment for risk ranking of natural gas pipelines. Reliability Engineering & System Safety.
- Analyzing fuzzy risk based on a new fuzzy ranking method between generalized fuzzy numbers. Expert Systems with Applications.
- Model of information security risk assessment based on improved wavelet neural network. Journal of Networks.
- A new approach for ranking fuzzy numbers by distance method. Fuzzy Sets and Systems.
- A hybrid information security risk assessment procedure considering interdependences between controls. Expert Systems with Applications.
- Hazard analysis techniques for system safety.
- On the performance of social network and likelihood-based expert weighting schemes. Reliability Engineering & System Safety.
- Multicriteria and multiobjective models for risk, reliability and maintenance decision analysis. International Series in Operations Research & Management Science.
- Ranking of fuzzy intervals seen through the imprecise probabilistic lens. Fuzzy Sets and Systems.
- Fuzzy sets and systems: theory and applications.
- Ranking of fuzzy numbers in the setting of possibility theory. Information Sciences.
- The use of fuzzy numbers in decision analysis.
- Information security landscape and maturity level: case study of Malaysian public service (MPS) organizations. Government Information Quarterly.
- Algorithms of discrete optimization and their application to problems with fuzzy coefficients. Information Sciences.
- A general approach to solving a wide class of fuzzy optimization problems. Fuzzy Sets and Systems.
- Multicriteria analysis in decision making under information uncertainty. Applied Mathematics and Computation.
- A security risk analysis model for information systems: causal relationships of risk factors and vulnerability propagation analysis. Information Sciences.
- An information systems security risk assessment model under uncertain environment. Applied Soft Computing.
- Handling data uncertainties in event tree analysis. Process Safety and Environmental Protection.
- A risk measurement tool for an underground electricity distribution system considering the consequences and uncertainties of manhole events. Reliability Engineering & System Safety.
- Multidimensional risk assessment of manhole events as a decision tool for ranking the vaults of an underground electricity distribution system. IEEE Transactions on Power Delivery.
- Risky business: perceptions of e-business risk by UK small and medium sized enterprises (SMEs). International Journal of Information Management.
- Quantitative risk evaluation based on event-tree analysis technique: application to the design of shield TBM. Tunnelling and Underground Space Technology.
Cited by (50)
- Forty years of the International Journal of Information Management: A bibliometric analysis (2021, International Journal of Information Management). Citation excerpt: "During 2000–2009, the most studied theories were resource-based view (Kim, Kang, Lawrence Sanders, & Tom Lee, 2008), structuration theory (Brooks, Atkinson, & Wainwright, 2008), theory of planned behavior (Hansen, Jensen, & Solgaard, 2004), technology acceptance model (Lean, Zailani, Ramayah, & Fernando, 2009), and social psychological theories (Evans & Brooks, 2005; Magni & Pennarola, 2008; Sherif, Song, & Wilcox, 2009). During 2010–2019, the most studied theories were unified theory of acceptance and use of technology (Martins, Oliveira, & Popovič, 2014), institutional theory (Gupta, Kar, Baabdullah, & Al-Khowaiter, 2018), social cognitive theory (Kim, Song, & Jones, 2011), social exchange theory (Huang, Cheng, Huang, & Teng, 2018), and fuzzy decision theory (De Gusmão, E Silva, Silva, Poleto, & Costa, 2016). The theories published in the journal over time indicate a shift of focus from information systems to the information management with increasing focus on technology adoption and decision making."
- Mis-spending on information security measures: Theory and experimental evidence (2021, International Journal of Information Management). Citation excerpt: "In this research we investigate the cognitive reasons leading to this strong bias. Information security investment decisions, including the ones discussed above, are essentially about managing risk (Gusmão, Silva, Silva, Poleto, & Costa, 2016), and research performed over several decades by decision scientists provides solid evidence that behavioral factors play a prominent role in managing and mitigating risk in various contexts (Slovic, 2010). Despite these well-established findings, factors related to risk behaviors have remained mostly unexplored in the literature of security investment."
- Performance analysis of healthcare supply chain management with competency-based operation evaluation (2020, Computers and Industrial Engineering). Citation excerpt: "Moreover, they provide a reliable means for integrating both quantitative and qualitative knowledge. Many researchers have applied fuzzy methods and systems to diminish the subjective nature of qualitative assessments (de Gusmão & e Silva, Silva, Poleto, & Costa, 2016). These methods have been widely used in many areas such as nature, society, economics, energy, medicine, material, pharmacology sciences, agriculture, chemistry, computer science, engineering, physics, geology, finance, military and entertainment (Lan et al., 2017)."
- A Machine Learning-based Method for Cyber Risk Assessment (2023, Proceedings - IEEE Symposium on Computer-Based Medical Systems).
- FIRE: A Finely Integrated Risk Evaluation Methodology for Life-Critical Embedded Systems (2022, Information (Switzerland)).