Managing security risks for inter-organisational information systems: a multiagent collaborative model

Information sharing across organisations is critical to effectively managing the security risks of inter-organisational information systems. Nevertheless, few previous studies on information systems security have focused on inter-organisational information sharing, and none have studied the sharing of inferred beliefs versus factual observations. In this article, a multiagent collaborative model (MACM) is proposed as a practical solution to assess the risk level of each allied organisation’s information system and support proactive security treatment by sharing beliefs on event probabilities as well as factual observations. In MACM, for each allied organisation’s information system, we design four types of agents: inspection agent, analysis agent, control agent, and communication agent. By sharing soft findings (beliefs) in addition to hard findings (factual observations) among the organisations, each organisation’s analysis agent is capable of dynamically predicting its security risk level using a Bayesian network. A real-world implementation illustrates how our model can be used to manage security risks in distributed information systems and that sharing soft findings leads to lower expected loss from security risks.
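To make the hard-versus-soft-finding distinction concrete, the following is an added toy example (not code from the paper or its JADE implementation). It models one allied organisation's analysis and control agents with a three-node Bayesian network: a partner's compromise state A, our own exposure E (an active trust link to the partner), and an incident R at our organisation. A hard finding fixes a node's state; a soft finding is the partner's belief over a node's states and is applied with Jeffrey's rule, which for a root node simply replaces its prior. The control agent then compares expected loss with and without a treatment. All probabilities, the loss figure and the control cost are constructed for illustration.

```python
"""
Toy Bayesian-network risk model for one allied organisation's analysis agent.

Hard finding : an observed state of a node (e.g. partner confirms compromise).
Soft finding : a belief over a node's states (e.g. partner thinks it is 60%
               likely compromised), applied with Jeffrey's rule. Because A and
               E are root nodes and independent a priori, Jeffrey's rule here is
               exactly "replace the prior with the reported belief".
"""

# Constructed (hypothetical) network for one organisation.
# A: partner organisation compromised   (reported by the partner's agents)
# E: our trust link to the partner active (observed by our inspection agent)
# R: security incident at our organisation
P_A = {0: 0.95, 1: 0.05}
P_E = {0: 0.70, 1: 0.30}
P_R_GIVEN = {  # (a, e) -> P(R = 1 | A = a, E = e)
    (0, 0): 0.01, (0, 1): 0.03,
    (1, 0): 0.10, (1, 1): 0.60,
}
LOSS = 100.0         # loss if an incident occurs (constructed units)
CONTROL_COST = 8.0   # cost of the treatment: suspend the trust link, i.e. do(E = 0)


def _effective(prior, finding):
    """Distribution a root node takes given no finding, a hard or a soft one."""
    if finding is None:
        return prior
    if isinstance(finding, dict):              # soft finding: a belief over states
        return finding
    return {s: (1.0 if s == finding else 0.0) for s in prior}  # hard finding


def posterior_incident(evidence):
    """P(R = 1 | evidence); evidence maps 'A'/'E' to a state (int) or belief (dict)."""
    pa = _effective(P_A, evidence.get("A"))
    pe = _effective(P_E, evidence.get("E"))
    return sum(pa[a] * pe[e] * P_R_GIVEN[(a, e)] for a in (0, 1) for e in (0, 1))


def expected_loss(evidence, treat):
    """Expected loss of the control agent's choice. Treatment forces E = 0."""
    if treat:
        intervened = dict(evidence, E=0)       # intervention overrides any finding on E
        return CONTROL_COST + posterior_incident(intervened) * LOSS
    return posterior_incident(evidence) * LOSS


def decide(evidence):
    """Control agent: choose the cheaper option. Returns (treat?, expected loss)."""
    untreated = expected_loss(evidence, False)
    treated = expected_loss(evidence, True)
    return treated < untreated, min(untreated, treated)


def value_of_sharing(soft_belief):
    """
    Expected-loss reduction, evaluated under the partner's belief, from acting
    on the soft finding instead of on the prior alone. Positive means sharing helped.
    """
    treat_without, _ = decide({})              # decision taken with nothing shared
    shared = {"A": soft_belief}
    loss_without = expected_loss(shared, treat_without)
    _, loss_with = decide(shared)
    return loss_without - loss_with


if __name__ == "__main__":
    for label, ev in [("nothing shared", {}),
                      ("soft finding: partner 60% compromised", {"A": {0: 0.4, 1: 0.6}}),
                      ("hard finding: partner confirms compromise", {"A": 1})]:
        treat, loss = decide(ev)
        print(f"{label:45s} P(R=1)={posterior_incident(ev):.4f} "
              f"treat={treat} expected loss={loss:.2f}")
    print(f"value of sharing the soft finding: {value_of_sharing({0: 0.4, 1: 0.6}):.2f}")
```

With the prior alone the treatment is not worth its cost (expected loss 2.77 untreated versus 9.45 treated), so an organisation that receives only hard findings keeps the link open until the partner confirms compromise. The partner's unconfirmed 60% belief is enough to flip the decision (14.40 treated versus 15.64 untreated), which is the mechanism behind the claim that sharing soft findings lowers expected loss. The caveat a practitioner should keep in mind is that the gain only holds if the shared beliefs are calibrated; an over-confident partner would trigger costly treatments on its neighbours.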
