FEMRA: Fuzzy Expert Model for Risk Assessment

Risk assessment is a major part of the ISMS process. The Information Security Management System (ISMS) standards specify guidelines and a general framework for risk assessment. Many existing standards, such as the NIST publications and ISO 27001, describe risk assessment; however, while they present some guidelines, they give no details on how to implement it in an organization. In a complex organization, risk assessment is a complicated process that involves a large number of assets. In this paper, we present the FEMRA model, which uses fuzzy expert systems to assess risk in organizations. The outcome of a risk assessment varies considerably with the context, with the metrics used as dependent variables, and with the opinions of the persons involved; fuzzy logic, which is designed to handle imprecise and subjective judgements, is therefore well suited to this application. Organizations can use FEMRA as a tool to improve their ISMS implementation. One interesting characteristic of FEMRA is that it represents each risk as a numerical value. Managers can identify the higher risks by comparing these values and develop a sound strategy to reduce them.
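As an added example (not code from the FEMRA paper or its authors), the following Python block implements the kind of fuzzy expert inference the abstract describes: expert ratings of threat likelihood and impact on 0..10 scales are fuzzified into low/medium/high terms, a rule base is fired with min/max (Mamdani) inference, and the aggregated output is defuzzified by centroid into a single 0..100 risk number so that the risks in a register can be ranked. The input names, the triangular membership functions and the nine-rule table are illustrative assumptions chosen for the demonstration, not those of FEMRA.

```python
"""Mamdani-style fuzzy inference for ranking information-security risks.

Added example, not FEMRA's own code: the two inputs (threat likelihood and
impact), the triangular membership functions and the nine-rule table are
illustrative assumptions chosen to show how a fuzzy expert system turns
linguistic expert judgements into one comparable risk number per asset.
"""
from typing import Dict, List, Tuple

# Linguistic terms as (left foot, peak, right foot) of a triangle. Inputs are
# rated 0..10; the output risk score lives on 0..100. Shoulder terms extend past
# the universe so "low" is fully true at 0 and "high" is fully true at 10 / 100.
INPUT_TERMS = {"low": (-5.0, 0.0, 5.0), "medium": (0.0, 5.0, 10.0), "high": (5.0, 10.0, 15.0)}
OUTPUT_TERMS = {"low": (-50.0, 0.0, 50.0), "medium": (0.0, 50.0, 100.0), "high": (50.0, 100.0, 150.0)}
OUTPUT_GRID = range(0, 101)  # discretised output universe used for the centroid

# Assumed expert rule base: IF likelihood IS a AND impact IS b THEN risk IS c
RULES: Dict[Tuple[str, str], str] = {
    ("low", "low"): "low",       ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",    ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",   ("high", "medium"): "high",     ("high", "high"): "high",
}


def tri(x: float, a: float, b: float, c: float) -> float:
    """Triangular membership degree of x: 0 outside [a, c], 1 at the peak b."""
    if x <= a or x >= c:
        return 0.0
    if x <= b:
        return (x - a) / (b - a)
    return (c - x) / (c - b)


def fuzzify(x: float, terms: Dict[str, Tuple[float, float, float]]) -> Dict[str, float]:
    """Degree to which a crisp rating belongs to each linguistic term."""
    return {name: tri(x, *shape) for name, shape in terms.items()}


def infer(likelihood: float, impact: float) -> Dict[str, float]:
    """Fire every rule (AND = min) and aggregate firing strength per output term (OR = max)."""
    lk = fuzzify(likelihood, INPUT_TERMS)
    im = fuzzify(impact, INPUT_TERMS)
    strengths = {name: 0.0 for name in OUTPUT_TERMS}
    for (lk_term, im_term), out_term in RULES.items():
        firing = min(lk[lk_term], im[im_term])
        strengths[out_term] = max(strengths[out_term], firing)
    return strengths


def defuzzify(strengths: Dict[str, float]) -> float:
    """Centroid of the clipped-and-merged output membership function."""
    num = den = 0.0
    for z in OUTPUT_GRID:
        mu = max(min(strength, tri(z, *OUTPUT_TERMS[t])) for t, strength in strengths.items())
        num += z * mu
        den += mu
    return num / den if den else 0.0


def risk_score(likelihood: float, impact: float) -> float:
    """Crisp 0..100 risk value for one asset/threat pair."""
    return defuzzify(infer(likelihood, impact))


def rank_risks(register: List[Tuple[str, float, float]]) -> List[Tuple[str, float]]:
    """Score each (name, likelihood, impact) entry and sort highest risk first."""
    scored = [(name, round(risk_score(lk, im), 2)) for name, lk, im in register]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    # Constructed sample risk register (illustrative ratings, not real data)
    register = [
        ("Customer DB: SQL injection", 8.0, 9.0),
        ("Intranet wiki: outdated CMS", 6.0, 3.0),
        ("Backup tapes: physical theft", 2.0, 8.0),
        ("Dev laptop: lost device", 5.0, 5.0),
    ]
    for name, score in rank_risks(register):
        print(f"{score:6.2f}  {name}")
```

The crisp score is what makes the risks comparable: two entries whose experts disagree on the exact likelihood still land on one scale, and the centroid step keeps the output continuous rather than snapping to three coarse levels. Changing the rule table or the membership shapes changes the scores, so in practice both are part of what the organization's experts must agree on and review.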