Cybersecurity risk analysis model using fault tree analysis and fuzzy decision theory

https://doi.org/10.1016/j.ijinfomgt.2018.08.008

Highlights

  • A model to evaluate cybersecurity risk of particular applications is proposed.

  • Fault Tree Analysis, Decision Theory and Fuzzy Theory comprise the model.

  • An illustrative example was applied to a website, e-commerce and enterprise resource planning (ERP).

  • Results demonstrate that e-commerce may be more vulnerable to cybersecurity attacks.

Abstract

Cybersecurity is defined as information security aimed at averting cyberattacks, which are among the main issues caused by the extensive use of networks in industrial control systems. This paper proposes a model that integrates fault tree analysis, decision theory and fuzzy theory to (i) ascertain the current causes of cyberattack prevention failures and (ii) determine the vulnerability of a given cybersecurity system. The model was applied to evaluate the cybersecurity risks involved in attacking a website, e-commerce and enterprise resource planning (ERP), and to assess the possible consequences of such attacks; we evaluate these consequences, which include data dissemination, data modification, data loss or destruction and service interruption, in terms of criteria related to financial losses and time for restoration. The results of the model application demonstrate its usefulness and illustrate the increased vulnerability of e-commerce to cybersecurity attacks, relative to websites or ERP, due partly to frequent operator access, credit transactions and users’ authentication problems characteristic of e-commerce.

Introduction

The recent boom of network-based technologies has produced a multitude of challenges to security and privacy (Gai, Qiu, Chen, Zhao, & Qiu, 2017; Gai, Qiu, Ming, Zhao, & Qiu, 2017; Gai, Qiu, Xiong, & Liu, 2018; Rahmani, Amine, Hamou, Boudia, & Bouarara, 2016). Indeed, cybersecurity and the attacks it aims to avert are regarded as among the most critical issues derived from the extensive use of networks (Gan & Brendlen, 1992); network security is a major problem because of the manifestations of threats in the forms of viruses, worms and botnets (Yang & Lui, 2014).

Ben-Asher and Gonzalez (2015) observe that one common target for cyberattacks is the public web server that connects a corporate network to the Internet; this public web server acts as a bridge, and enables attackers to access and deface the corporate web site. After gaining control of the web server, an attacker can also launch a Denial of Service (DoS) attack from within the network. However, Huang et al. (2009) emphasize that the potential consequences of cyberattacks are not merely technical and can have broader implications. As such, cyberattacks represent an important issue for all organizations concerned with economic impacts, and interested in protecting its full scope of digital.

In terms of sheer numbers, cybercrime has been on the rise, with more than 59 million registered in 2015 (Bendovschi, 2015; Gartner Group, 2018); the level of damage sustained by its victims has also increased (Bendovschi, 2015). Cyber threats refer to internet-based attempts to damage or disrupt Information Systems (IS) and hack critical information; this means that one factor contributing to the surge in cyberattacks is, quite simply, the increased number of individual users accessing the internet. Most of the 3 billion people who access the internet annually do so in the absence of the proper training and protection that a technical security staff provides; therefore, individual internet users represent a significant point of weakness in cybersecurity (Anderson & Agarwal, 2010; Bang, Lee, Bae, & Ahn, 2012).

Thus, risk analysis is an important activity that organizations must perform to prevent attacks and/or the negative consequences that can arise from them. Indeed, many researchers have already proposed cybersecurity models intended to help organizations counter cyberattacks. However, two critical gaps symptomatic of several of these proposals ultimately motivated the development of this paper. They will be fully articulated in the next section, which is dedicated to giving an account of related works, but generally speaking, they involve the following: (i) a lack of structured methods for identifying the causes of cyberattack scenarios, and (ii) a lack of quantitative measures for the impacts associated with cyberattacks, including metrics that would facilitate analyses of financial risk and restoration time.

To fill these two gaps, to account for the association between risk analysis and decision theory (Borgonovo, Cillo, & Smith, 2018), and in recognition of the multiplicity of criteria usable for a given risk analysis (Almeida et al., 2015; Medeiros, Alencar, & De Almeida, 2017), this paper proposes a multicriteria approach to cybersecurity risk analysis. More precisely, it considers the construction and analysis of payoff matrices reflecting effects obtained via different combinations of alternatives and scenarios. The resulting proposed approach provides the opportunity to comment on an evaluation of the particular criteria, as well as the aggregated multicriteria risks. For the construction of scenarios, this paper proposes the use of fault tree analysis (FTA), to determine the vulnerability of cybersecurity and identify the potential consequences of cyberattacks. The alternatives evaluation process was developed using decision theory and fuzzy analysis. Therefore, the main contributions of this paper are twofold:

  • (1) We propose a structured approach to characterizing the causes of cyberattack scenarios that relies on the FTA method.

  • (2) We propose an approach to measuring cyberattack scenarios that considers the risk of financial losses and the analysis of restoration time via fuzzy decision theory.

The significance of our work hinges on the fact that our model was specifically developed to facilitate the quantitative evaluation of the cybersecurity risks associated with particular applications, instead of prioritizing potential risks, as previously proposed in several papers (Abdo, Kaouk, Flaus, & Masse, 2017; Grant, Edgar, Sukumar, & Meyer, 2014; Lopez-nicolas & Jose, 2008; Mik, 2012). As such, this paper analyzed website, e-commerce and enterprise resource planning (ERP) attacks, respectively (although it is possible to evaluate other applications), acknowledging each application’s importance to the organizational context and its vulnerability to attacks, and considering possible consequences such as data dissemination, data modification, data loss or destruction and service interruption, in terms of criteria related to both financial losses and time for restoration.

The remainder of this paper is organized as follows: Section 2 presents an account of related literature regarding cybersecurity and cybersecurity risk models; Section 3 provides a methodological background on fault tree analysis, fuzzy theory, and decisions under uncertainty; then, Section 4 introduces the methodology explaining the mechanism of the proposed approach, followed by Section 5, which provides a numerical example validating the proposed approach; discussions of the main findings, along with the implications for theory and practice, are presented in Section 6; and finally, Section 7 is dedicated to conclusions, limitations of the study, and suggestions for future works.

Section snippets

Related works

This section presents related works regarding cybersecurity and cyberattack risk assessment models. It also outlines the limitations of these previous approaches and, consequently, details the main contributions of this paper.

Methodological background

A brief description of the framework of fault tree analysis (FTA) is given in the next subsection. Subsequently, the fuzzy theory and its properties are presented, followed by a subsection dedicated to decisions under conditions of uncertainty.

Proposed model

The aim of the proposed model is to evaluate the consequences of potential cyberattacks, considering such possibilities as data dissemination, data modification, data loss or destruction and service interruption, in terms of criteria of both financial losses and time for restoration.

The proposed cybersecurity model includes five phases: expert identification, understanding the causes of possible attack scenarios, definition of criteria, fuzzy assessment and finally, aggregation and ordering.
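
The following is an added illustration, not the paper's own formulation (which this page does not reproduce): a generic fuzzy fault tree with triangular fuzzy numbers, followed by a weighted aggregation over the two criteria named above. The tree shape, every probability, loss and restoration figure, and the 0.6/0.4 weights are constructed assumptions.

```python
from math import prod

# A triangular fuzzy number (TFN) is (low, mode, high); here it models an
# expert's imprecise estimate of a basic-event probability or a consequence.

def gate_and(*events):
    """AND gate: every input event must occur (component-wise product)."""
    return tuple(prod(c) for c in zip(*events))

def gate_or(*events):
    """OR gate: at least one input occurs, 1 - prod(1 - p) per component."""
    return tuple(1 - prod(1 - p for p in c) for c in zip(*events))

def centroid(tfn):
    """Defuzzify a TFN to a crisp value (centre of gravity)."""
    return sum(tfn) / 3

def top_event(ev):
    # Hypothetical tree: the attack succeeds if credentials are stolen AND no
    # second factor is enforced, OR an unpatched flaw is exploited.
    return gate_or(gate_and(ev["cred_theft"], ev["no_mfa"]), ev["unpatched"])

# Constructed inputs: basic-event TFNs, financial loss (k$), restoration time (h).
APPS = {
    "website": {"events": {"cred_theft": (0.05, 0.10, 0.20), "no_mfa": (0.5, 0.6, 0.7),
                           "unpatched": (0.02, 0.05, 0.10)},
                "loss_k": (5, 10, 20), "hours": (2, 4, 8)},
    "ecommerce": {"events": {"cred_theft": (0.2, 0.3, 0.4), "no_mfa": (0.6, 0.7, 0.8),
                             "unpatched": (0.05, 0.10, 0.15)},
                  "loss_k": (50, 100, 200), "hours": (4, 8, 16)},
    "erp": {"events": {"cred_theft": (0.05, 0.10, 0.15), "no_mfa": (0.2, 0.3, 0.4),
                       "unpatched": (0.02, 0.05, 0.08)},
            "loss_k": (40, 80, 150), "hours": (12, 24, 48)},
}

def risk_scores(apps, w_loss=0.6, w_time=0.4):
    """Expected loss and expected downtime per application, each normalised
    by the worst case, then combined with the assumed criterion weights."""
    p = {a: centroid(top_event(d["events"])) for a, d in apps.items()}
    loss = {a: p[a] * centroid(d["loss_k"]) for a, d in apps.items()}
    time = {a: p[a] * centroid(d["hours"]) for a, d in apps.items()}
    max_l, max_t = max(loss.values()), max(time.values())
    return {a: w_loss * loss[a] / max_l + w_time * time[a] / max_t for a in apps}

def ranking(apps):
    """Applications ordered from highest to lowest aggregated risk."""
    scores = risk_scores(apps)
    return sorted(scores, key=scores.get, reverse=True)
```

The ordering this produces follows only from the constructed inputs; changing the weights or the expert estimates changes the ranking.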

Numerical application

This section provides an example, based on a real-life context, to illustrate the applicability of the present proposal. Although actual data (in terms of the required information) have not been used, the data used to provide an overview of the model are, nevertheless, realistic and were provided by an information security expert. According to Purba (2014), an expert is someone with multiple skills, who understands the working environment and has substantial training in and knowledge of the

Discussion

It is well-established that, in the field of information security, threats change rapidly, rendering many traditional approaches to security obsolete or indeed, unworkable, in terms of e-commerce and Business to Business (B2B) models. E-commerce involves several functional requirements, such as transacting data, transacting payments or marketing information, as well as using credit card numbers when consumers make purchases from a retailer. In fact, due to the complex nature of e-commerce

Conclusion

Faced with the ongoing increase in the use of digital media by organizations that support their business and, consequently, their possible associated risks, those organizations must adopt methodologies that enable them to analyze and measure potential internal impacts that may result from cyberattacks. It is worth noting that, despite two decades of research in the area, extant approaches suffer from serious limitations, as shown in the main findings of Shameli-Sendi et al. (2014).

Acknowledgements

This research was partially supported by the Universidade Federal de Pernambuco, and the GPSID – Decision and Information Systems Research Group. The authors would like to thank CNPQ – the Brazilian National Council for Scientific and Technological Development. We would also like to thank the two anonymous referees for their valuable comments, which improved the quality of the paper.

References (80)

  • R.M. Cooke et al.

    On the performance of social network and likelihood-based expert weighting schemes

    Reliability Engineering & System Safety

    (2008)
  • J.A. Cowley et al.

    Effect of network infrastructure factors on information system risk judgments

    Computers & Security

    (2015)
  • D. Dasgupta

    Immuno-inspired autonomic system for cyber defense

    Information Security Technical Report

    (2007)
  • D.E. Doytchev et al.

    Combining task analysis and fault tree analysis for accident and incident analysis: A case study from Bulgaria

    Accident; Analysis and Prevention

    (2009)
  • P.Y. Ekel et al.

    Multicriteria analysis in decision making under information uncertainty

    Applied Mathematics and Computation

    (2008)
  • R. Ferdous et al.

    Methodology for computer aided fuzzy fault tree analysis

    Process Safety and Environmental Protection

    (2009)
  • K. Gai et al.

    Privacy-preserving multi-channel communication in Edge-of-Things

    Future Generation Computer Systems

    (2018)
  • K. Grant et al.

    Risky business: Perceptions of e-business risk by UK small and medium sized enterprises (SMEs)

    International Journal of Information Management

    (2014)
  • U. Hauptmanns

    Analytical propagation of uncertainties through fault trees

    Reliability Engineering & System Safety

    (2002)
  • U. Hauptmanns

    Semi-quantitative fault tree analysis for process plant safety using frequency and probability ranges

    Journal of Loss Prevention in the Process Industries

    (2004)
  • Y.L. Huang et al.

    Understanding the physical and economic consequences of attacks on control systems

    International Journal of Critical Infrastructure Protection

    (2009)
  • T. Kawanaka et al.

    Software measure in cyber-attacks on production control system

    Computers & Industrial Engineering

    (2014)
  • D.W. Kim et al.

    Detecting fake anti-virus software distribution webpages

    Computers & Security

    (2015)
  • C.C. Lo et al.

    A hybrid information security risk assessment procedure considering interdependences between controls

    Expert Systems With Applications

    (2012)
  • C. Lopez-nicolas et al.

    Customer Knowledge Management and E-commerce: The role of customer perceived risk

    International Journal of Information Management

    (2008)
  • P.K. Marhavilas et al.

    Risk analysis and assessment methodologies in the work sites: On a review, classification and comparative study of the scientific literature of the period 2000-2009

    Journal of Loss Prevention in the Process Industries

    (2011)
  • C.P. Medeiros et al.

    Multidimensional risk evaluation of natural gas pipelines based on a multicriteria decision model using visualization tools and statistical tests for global sensitivity analysis

    Reliability Engineering & System Safety

    (2017)
  • E. Mik

    Mistaken identity, identity theft and problems of remote authentication in e-commerce

    Computer Law & Security Report

    (2012)
  • S.C. Patel et al.

    Quantitatively assessing the vulnerability of critical information systems: A new method for evaluating security enhancements

    International Journal of Information Management

    (2008)
  • J.H. Purba

    A fuzzy-based reliability approach to evaluate basic events of fault tree analysis for nuclear power plant probabilistic safety assessment

    Annals of Nuclear Energy

    (2014)
  • P.A.S. Ralston et al.

    Cyber security risk assessment for SCADA and DCS networks

    ISA Transactions

    (2007)
  • V. Ratten

    Continuance use intention of cloud computing: Innovativeness and creativity perspectives

    Journal of Business Research

    (2016)
  • R. Rejeb et al.

    Multiple attack localization and identification in all-optical networks

    (2006)
  • E.B. Rice et al.

    Mitigating the risk of cyber attack on smart grid systems

    Procedia Computer Science

    (2014)
  • E. Ruijters et al.

    Fault tree analysis: A survey of the state-of-the-art in modeling, analysis and tools

    Computer Science Review

    (2015)
  • R.A. Shaikh et al.

    Dynamic risk-based decision methods for access control systems

    Computers & Security

    (2012)
  • A. Shameli-Sendi et al.

    Taxonomy of intrusion risk assessment and response system

    Computers & Security

    (2014)
  • J. Shin et al.

    Development of a cyber security risk model using Bayesian networks

    Reliability Engineering & System Safety

    (2015)
  • M.M. Silva et al.

    A multidimensional approach to information security risk management using FMEA and fuzzy theory

    International Journal of Information Management

    (2014)
  • Z.A. Soomro et al.

    Information security management needs more holistic approach: A literature review

    International Journal of Information Management

    (2016)