A multidimensional approach to information security risk management using FMEA and fuzzy theory

Highlights: We proposed an approach to information security risk management, encompassing Failure Mode and Effects Analysis (FMEA) and fuzzy theory. This approach analyses five dimensions of information security. A numerical application was undertaken.

Abstract: Because of the evolution and widespread use of the Internet, organisations are becoming more susceptible to attacks on Information Technology Systems. These attacks result in data losses and alterations, and impact services and business operations. Therefore, to minimise these potential failures, this paper presents an approach to information security risk management, encompassing Failure Mode and Effects Analysis (FMEA) and fuzzy theory. This approach analyses five dimensions of information security: access to information and systems, communication security, infrastructure, security management and secure information systems development. To illustrate the proposed model, it was applied to a University Research Group project. The results show that the most important aspects of information security risk are communication security, followed by infrastructure.
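To make the fuzzy FMEA idea concrete, the following added example (not the paper's implementation) rates each failure mode's severity, occurrence and detection on a linguistic scale, multiplies them as triangular fuzzy numbers, defuzzifies the fuzzy risk priority number by centroid, and ranks the five dimensions. The five-point scale, the triangular arithmetic, the centroid defuzzification and the sample ratings are all assumptions of this illustration.

```python
"""Fuzzy FMEA risk scoring over the five information security dimensions.

Added illustration, not the paper's code: the linguistic scale, the
triangular-number arithmetic and the sample ratings are assumptions.
"""
from statistics import mean

# Triangular fuzzy numbers (a, b, c) for linguistic ratings on a 0-10 scale.
# Assumed scale; the paper's own membership functions may differ.
SCALE = {
    "VL": (0.0, 0.0, 2.5),
    "L": (0.0, 2.5, 5.0),
    "M": (2.5, 5.0, 7.5),
    "H": (5.0, 7.5, 10.0),
    "VH": (7.5, 10.0, 10.0),
}

def fuzzy_mul(x, y):
    """Approximate product of two positive triangular fuzzy numbers."""
    return (x[0] * y[0], x[1] * y[1], x[2] * y[2])

def defuzzify(t):
    """Centroid of a triangular fuzzy number, used as the crisp RPN."""
    return sum(t) / 3.0

def fuzzy_rpn(severity, occurrence, detection):
    """Fuzzy risk priority number S x O x D, kept as a triangular number."""
    return fuzzy_mul(fuzzy_mul(SCALE[severity], SCALE[occurrence]), SCALE[detection])

def rank_dimensions(failure_modes):
    """failure_modes: list of (dimension, S, O, D) linguistic ratings.
    Returns (dimension, score) pairs sorted by the mean crisp RPN of the
    dimension's failure modes, highest risk first."""
    by_dim = {}
    for dim, s, o, d in failure_modes:
        by_dim.setdefault(dim, []).append(defuzzify(fuzzy_rpn(s, o, d)))
    scores = {dim: round(mean(v), 2) for dim, v in by_dim.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

# Constructed sample ratings, one failure mode per dimension.
SAMPLE = [
    ("access to information and systems", "H", "M", "L"),
    ("communication security", "VH", "H", "M"),
    ("infrastructure", "H", "H", "M"),
    ("security management", "M", "M", "M"),
    ("secure information systems development", "M", "L", "M"),
]

if __name__ == "__main__":
    for dim, score in rank_dimensions(SAMPLE):
        print(f"{score:8.2f}  {dim}")
```

Real assessments would collect several failure modes per dimension and aggregate expert ratings before defuzzifying; the ranking logic stays the same.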
