Cybersecurity risk analysis model using fault tree analysis and fuzzy decision theory
Introduction
The recent boom of network-based technologies has produced a multitude of challenges to security and privacy (Gai, Qiu, Chen, Zhao, & Qiu, 2017; Gai, Qiu, Ming, Zhao, & Qiu, 2017; Gai, Qiu, Xiong, & Liu, 2018; Rahmani, Amine, Hamou, Boudia, & Bouarara, 2016). Indeed, cybersecurity and the attacks it aims to avert are regarded as among the most critical issues derived from the extensive use of networks (Gan & Brendlen, 1992); network security is a major problem because of the manifestations of threats in the forms of viruses, worms and botnets (Yang & Lui, 2014).
Ben-Asher and Gonzalez (2015) observe that one common target for cyberattacks is the public web server that connects a corporate network to the Internet; this public web server acts as a bridge, and enables attackers to access and deface the corporate web site. After gaining control of the web server, an attacker can also launch a Denial of Service (DoS) attack from within the network. However, Huang et al. (2009) emphasize that the potential consequences of cyberattacks are not merely technical and can have broader implications. As such, cyberattacks represent an important issue for all organizations concerned with economic impacts, and interested in protecting their full scope of digital.
In terms of sheer numbers, cybercrime has been on the rise, with more than 59 million registered in 2015 (Bendovschi, 2015; Gartner Group, 2018); the level of damage sustained by its victims has also increased (Bendovschi, 2015). Cyber threats refer to internet-based attempts to damage or disrupt Information Systems (IS) and hack critical information; this means that one factor contributing to the surge in cyberattacks is, quite simply, the increased number of individual users accessing the internet. Most of the 3 billion people who access the internet annually do so in the absence of the proper training and protection that a technical security staff provides; therefore, individual internet users represent a significant point of weakness in cybersecurity (Anderson & Agarwal, 2010; Bang, Lee, Bae, & Ahn, 2012).
Thus, risk analysis is an important activity that organizations must perform to prevent attacks and/or the negative consequences that can arise from them. Indeed, many researchers have already proposed cybersecurity models intended to help organizations counter cyberattacks. However, two critical gaps common to several of these proposals motivated the development of this paper. They are fully articulated in the next section, which gives an account of related works; generally speaking, they involve the following: (i) a lack of structured methods for identifying the causes of cyberattack scenarios, and (ii) a lack of quantitative measures for the impacts associated with cyberattacks, including metrics that would facilitate analyses of financial risk and restoration time.
To fill these two gaps, to account for the association between risk analysis and decision theory (Borgonovo, Cillo, & Smith, 2018), and in recognition of the multiplicity of criteria usable for a given risk analysis (Almeida et al., 2015; Medeiros, Alencar, & De Almeida, 2017), this paper proposes a multicriteria approach to cybersecurity risk analysis. More precisely, it considers the construction and analysis of payoff matrices reflecting effects obtained via different combinations of alternatives and scenarios. The resulting approach makes it possible to comment on the evaluation of the individual criteria, as well as the aggregated multicriteria risks. For the construction of scenarios, this paper proposes the use of fault tree analysis (FTA), to determine the vulnerability of cybersecurity and identify the potential consequences of cyberattacks. The alternatives evaluation process was developed using decision theory and fuzzy analysis. Therefore, the main contributions of this paper are twofold:
- (1) We propose a structured approach to characterizing the causes of cyberattack scenarios that relies on the FTA method.
- (2) We propose an approach to measuring cyberattack scenarios that considers the risk of financial losses and the analysis of restoration time via fuzzy decision theory.
The significance of our work hinges on the fact that our model was specifically developed to facilitate the quantitative evaluation of the cybersecurity risks associated with particular applications, instead of prioritizing potential risks, as previously proposed in several papers (Abdo, Kaouk, Flaus, & Masse, 2017; Grant, Edgar, Sukumar, & Meyer, 2014; Lopez-nicolas & Jose, 2008; Mik, 2012). As such, this paper analyzed website, e-commerce and enterprise resource planning (ERP) attacks, respectively (although it is possible to evaluate other applications), acknowledging each application’s importance to the organizational context and its vulnerability to attacks, and considering possible consequences such as data dissemination, data modification, data loss or destruction and service interruption, in terms of criteria related to both financial losses and time for restoration.
The remainder of this paper is organized as follows: Section 2 presents an account of related literature regarding cybersecurity and cybersecurity risk models; Section 3 provides a methodological background on fault tree analysis, fuzzy theory, and decisions under uncertainty; then, Section 4 introduces the methodology explaining the mechanism of the proposed approach, followed by Section 5, which provides a numerical example validating the proposed approach; discussions of the main findings, along with the implications for theory and practice, are presented in Section 6; and finally, Section 7 is dedicated to conclusions, limitations of the study, and suggestions for future works.
Section snippets
Related works
This section presents related works regarding cybersecurity and cyberattack risk assessment models. It also outlines the limitations of these previous approaches and, consequently, details the main contributions of this paper.
Methodological background
A brief description of the framework of fault tree analysis (FTA) is given in the next subsection. Subsequently, the fuzzy theory and its properties are presented, followed by a subsection dedicated to decisions under conditions of uncertainty.
Proposed model
The aim of the proposed model is to evaluate the consequences of potential cyberattacks, considering such possibilities as data dissemination, data modification, data loss or destruction and service interruption, in terms of criteria of both financial losses and time for restoration.
The proposed cybersecurity model includes five phases: expert identification, understanding the causes of possible attack scenarios, definition of criteria, fuzzy assessment and finally, aggregation and ordering.
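The following sketch is an added example, not code or data from the paper: it walks the phases listed above for a toy case, using fault trees to obtain scenario probabilities and a fuzzy payoff matrix over the two criteria to order the applications. It assumes independent basic events, centroid defuzzification of triangular fuzzy numbers, normalization by the largest value per criterion, and a weighted-sum, expected-value ordering; the paper's own aggregation may differ, and every event name, probability, fuzzy number and weight is constructed.

```python
from math import prod

# All probabilities, fuzzy numbers and weights are constructed sample values.
BASIC = {"sql_injection": 0.05, "phishing": 0.20, "weak_password": 0.30,
         "ddos": 0.15, "unpatched_cms": 0.10}
# A fault-tree node is a basic-event name or (gate, child, child, ...).
TREES = {
    "data_dissemination": ("OR", "sql_injection", ("AND", "phishing", "weak_password")),
    "service_interruption": ("OR", "ddos", "unpatched_cms"),
}
# (application, scenario) -> (financial loss, restoration hours), each a
# triangular fuzzy number (low, most likely, high) as an expert might give it.
PAYOFF = {
    ("website", "data_dissemination"): ((1, 2, 3), (2, 4, 6)),
    ("website", "service_interruption"): ((2, 4, 9), (1, 2, 3)),
    ("e_commerce", "data_dissemination"): ((20, 40, 60), (8, 12, 16)),
    ("e_commerce", "service_interruption"): ((10, 30, 50), (2, 4, 6)),
    ("erp", "data_dissemination"): ((10, 20, 30), (12, 24, 36)),
    ("erp", "service_interruption"): ((5, 10, 15), (6, 12, 18)),
}
WEIGHTS = (0.6, 0.4)  # assumed criterion weights: loss, restoration time

def scenario_probability(node, basic=BASIC):
    """Top-event probability of a fault tree with independent basic events."""
    if isinstance(node, str):
        return basic[node]
    gate, *children = node
    probs = [scenario_probability(child, basic) for child in children]
    if gate == "AND":
        return prod(probs)
    if gate == "OR":
        return 1 - prod(1 - q for q in probs)
    raise ValueError(f"unknown gate {gate!r}")

def centroid(tfn):
    """Crisp value of a triangular fuzzy number (low, mode, high)."""
    return sum(tfn) / 3

def rank_applications(payoff=PAYOFF, trees=TREES, weights=WEIGHTS):
    """Return (applications ordered by decreasing risk, risk per application)."""
    crisp = {k: tuple(centroid(t) for t in v) for k, v in payoff.items()}
    peak = [max(v[i] for v in crisp.values()) for i in range(len(weights))]
    risk = {}
    for (app, scenario), values in crisp.items():
        severity = sum(w * x / m for w, x, m in zip(weights, values, peak))
        risk[app] = risk.get(app, 0.0) + scenario_probability(trees[scenario]) * severity
    return sorted(risk, key=risk.get, reverse=True), risk

if __name__ == "__main__":
    order, risk = rank_applications()
    print([(app, round(risk[app], 4)) for app in order])
```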
Numerical application
This section provides an example, based on a real-life context, to illustrate the applicability of the present proposal. Although actual data (in terms of the required information) have not been used, the data used to provide an overview of the model are, nevertheless, realistic and were provided by an information security expert. According to Purba (2014), an expert is someone with multiple skills, who understands the working environment and has substantial training in and knowledge of the
Discussion
It is well-established that, in the field of information security, threats change rapidly, rendering many traditional approaches to security obsolete or indeed, unworkable, in terms of e-commerce and Business to Business (B2B) models. E-commerce involves several functional requirements, such as transacting data, transacting payments or marketing information, as well as using credit card numbers when consumers make purchases from a retailer. In fact, due to the complex nature of e-commerce
Conclusion
Faced with the ongoing increase in the use of digital media by organizations that support their business and, consequently, their possible associated risks, those organizations must adopt methodologies that enable them to analyze and measure potential internal impacts that may result from cyberattacks. It is worth noting that, despite two decades of research in the area, extant approaches suffer from serious limitations, as shown in the main findings of Shameli-Sendi et al. (2014).
Acknowledgements
This research was partially supported by the Universidade Federal de Pernambuco, and the GPSID – Decision and Information Systems Research Group. The authors would like to thank CNPQ – the Brazilian National Council for Scientific and Technological Development. We would also like to thank the two anonymous referees for their valuable comments, which improved the quality of the paper.
References (80)
- et al. Cloud-based business services innovation: A risk management model. International Journal of Information Management (2017)
- et al. Improving information security management: An analysis of ID – password usage and a new login vulnerability measure. International Journal of Information Management (2012)
- et al. Enforcing privacy in e-commerce by balancing anonymity and trust. Computers & Security (2011)
- et al. Effects of cyber security knowledge on attack detection. Computers in Human Behavior (2015)
- Cyber-attacks – Trends, patterns and security countermeasures. Procedia economics and finance 28. 7th International Conference on Financial Criminology (2015)
- et al. Managing the investment in information security technology by use of a quantitative modeling. Information Processing & Management (2012)
- et al. A systematic approach for detecting and clustering distributed cyber scanning. Computer Networks (2013)
- et al. Modeling security in cyber-physical systems. International Journal of Critical Infrastructure Protection (2012)
- et al. Firms’ information security investment decisions: Stock market evidence of investors’ behavior. Decision Support Systems (2011)
- et al. Graphical fault tree analysis for fatal falls in the construction industry. Accident; Analysis and Prevention (2014)
- On the performance of social network and likelihood-based expert weighting schemes. Reliability Engineering & System Safety
- Effect of network infrastructure factors on information system risk judgments. Computers & Security
- Immuno-inspired autonomic system for cyber defense. Information Security Technical Report
- Combining task analysis and fault tree analysis for accident and incident analysis: A case study from Bulgaria. Accident; Analysis and Prevention
- Multicriteria analysis in decision making under information uncertainty. Applied Mathematics and Computation
- Methodology for computer aided fuzzy fault tree analysis. Process Safety and Environmental Protection
- Privacy-preserving multi-channel communication in Edge-of-Things. Future Generation Computer Systems
- Risky business: Perceptions of e-business risk by UK small and medium sized enterprises (SMEs). International Journal of Information Management
- Analytical propagation of uncertainties through fault trees. Reliability Engineering & System Safety
- Semi-quantitative fault tree analysis for process plant safety using frequency and probability ranges. Journal of Loss Prevention in the Process Industries
- Understanding the physical and economic consequences of attacks on control systems. International Journal of Critical Infrastructure Protection
- Software measure in cyber-attacks on production control system. Computers & Industrial Engineering
- Detecting fake anti-virus software distribution webpages. Computers & Security
- A hybrid information security risk assessment procedure considering interdependences between controls. Expert Systems With Applications
- Customer Knowledge Management and E-commerce: The role of customer perceived risk. International Journal of Information Management
- Risk analysis and assessment methodologies in the work sites: On a review, classification and comparative study of the scientific literature of the period 2000-2009. Journal of Loss Prevention in the Process Industries
- Multidimensional risk evaluation of natural gas pipelines based on a multicriteria decision model using visualization tools and statistical tests for global sensitivity analysis. Reliability Engineering & System Safety
- Mistaken identity, identity theft and problems of remote authentication in e-commerce. Computer Law & Security Report
- Quantitatively assessing the vulnerability of critical information systems: A new method for evaluating security enhancements. International Journal of Information Management
- A fuzzy-based reliability approach to evaluate basic events of fault tree analysis for nuclear power plant probabilistic safety assessment. Annals of Nuclear Energy
- Cyber security risk assessment for SCADA and DCS networks. ISA Transactions
- Continuance use intention of cloud computing: Innovativeness and creativity perspectives. Journal of Business Research
- Multiple attack localization and identification in all-optical networks
- Mitigating the risk of cyber attack on smart grid systems. Procedia Computer Science
- Fault tree analysis: A survey of the state-of-the-art in modeling, analysis and tools. Computer Science Review
- Dynamic risk-based decision methods for access control systems. Computers & Security
- Taxonomy of intrusion risk assessment and response system. Computers & Security
- Development of a cyber security risk model using Bayesian networks. Reliability Engineering & System Safety
- A multidimensional approach to information security risk management using FMEA and fuzzy theory. International Journal of Information Management
- Information security management needs more holistic approach: A literature review. International Journal of Information Management