A hybrid information security risk assessment procedure considering interdependences between controls

Risk assessment is the core process of information security risk management. Organizations use risk assessment to determine the risks within an information system and to provide sufficient means to reduce them. In this paper, a hybrid procedure for evaluating the risk levels of information security under various security controls is proposed. First, the procedure applies the Decision Making Trial and Evaluation Laboratory (DEMATEL) approach to construct the interrelations among security control areas. Second, likelihood ratings are obtained through the Analytic Network Process (ANP) method; as a result, the proposed procedure can capture the interdependences and feedback between security control families as they occur in real-world situations. Finally, the Fuzzy Linguistic Quantifiers-guided Maximum Entropy Ordered Weighted Averaging (FLQ-MEOWA) operator is used to aggregate the impact values assessed by experts, which diminishes the influence of extreme evaluations such as personal views and drastic perspectives. A real-world application in a branch office of the health insurance institute in Taiwan was examined to verify the proposed procedure. By analyzing the acquired data, we confirm that the proposed procedure indeed detects the influential factors among security control areas. The procedure also evaluates risk levels more accurately by coping with the interdependencies among security control families and determines the information system safeguards required for better security, thereby enabling organizations to accomplish their missions.
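The three-stage pipeline the abstract describes (DEMATEL total-relation matrix, ANP limit priorities used as likelihood ratings, FLQ-MEOWA aggregation of expert impact scores, then risk per control area) can be made concrete with a small worked example. The code below is an added illustration written for this page, not the paper's own implementation or data: the four control areas, the direct-influence matrix, the five experts' impact ratings and the quantifier "most" = (0.3, 0.8) are all constructed; feeding the DEMATEL total-relation matrix into the ANP supermatrix, and multiplying likelihood by aggregated impact to get a risk level, are assumed design choices rather than details taken from the paper.

```python
"""Added worked example (not the paper's own code): DEMATEL -> ANP-style limit
priorities (likelihood) -> FLQ-MEOWA aggregation of expert impact scores ->
risk per control area. All matrices and scores below are constructed data."""
import numpy as np

# Constructed direct-influence matrix among four hypothetical control areas,
# rated 0 (no influence) .. 4 (very high influence) by an expert panel.
AREAS = ["Access Control", "Awareness & Training", "Incident Response", "Config Mgmt"]
DIRECT = np.array([[0, 1, 3, 2],
                   [3, 0, 2, 1],
                   [1, 2, 0, 2],
                   [2, 1, 3, 0]], dtype=float)

# Constructed impact ratings (1..5) from five experts per area (same row order
# as DIRECT); the last expert is an outlier on the first area.
IMPACT = {"Access Control": [4, 4, 5, 4, 1],
          "Awareness & Training": [2, 3, 2, 5, 2],
          "Incident Response": [3, 3, 4, 3, 3],
          "Config Mgmt": [4, 3, 3, 5, 2]}


def dematel_total_relation(direct):
    """DEMATEL step: scale D by the largest row/column sum, then T = D(I - D)^-1,
    which sums the direct influence and every indirect influence path."""
    s = max(direct.sum(axis=1).max(), direct.sum(axis=0).max())
    d = direct / s
    return d @ np.linalg.inv(np.eye(d.shape[0]) - d)


def prominence_and_relation(total):
    """Row sums D = influence exerted, column sums R = influence received:
    D+R is an area's prominence, D-R > 0 marks a net cause, < 0 a net effect."""
    d, r = total.sum(axis=1), total.sum(axis=0)
    return d + r, d - r


def anp_limit_priorities(total, tol=1e-10, max_iter=1000):
    """ANP step (assumed design: DEMATEL-based supermatrix). Column-normalise T
    so every column sums to 1, then square repeatedly until the limit
    supermatrix is reached; its identical columns are the priority vector."""
    w = total / total.sum(axis=0)
    for _ in range(max_iter):
        w_next = w @ w
        if np.abs(w_next - w).max() < tol:
            break
        w = w_next
    return w[:, 0] / w[:, 0].sum()


def linear_quantifier(a, b):
    """Zadeh-style increasing linguistic quantifier Q(r); 'most' = (0.3, 0.8)."""
    def q(r):
        return 0.0 if r <= a else 1.0 if r >= b else (r - a) / (b - a)
    return q


def quantifier_orness(q, steps=10000):
    """orness(Q) = integral of Q over [0, 1], here by the midpoint rule."""
    return sum(q((i + 0.5) / steps) for i in range(steps)) / steps


def meowa_weights(n, orness):
    """Maximum-entropy OWA weights for a given orness (O'Hagan's MEOWA): the
    Lagrangian solution is w_i proportional to exp(lam*(n-i)/(n-1)) and the
    orness is monotone in lam, so bisection on lam meets the target."""
    pos = np.array([(n - i) / (n - 1) for i in range(1, n + 1)])

    def weights(lam):
        e = np.exp(lam * pos - (lam * pos).max())   # shift avoids overflow
        return e / e.sum()

    lo, hi = -200.0, 200.0
    for _ in range(200):
        mid = (lo + hi) / 2
        if float(weights(mid) @ pos) < orness:
            lo = mid
        else:
            hi = mid
    return weights((lo + hi) / 2)


def owa_orness(weights):
    """orness of an OWA weight vector: (1/(n-1)) * sum_i (n-i) w_i."""
    n = len(weights)
    return float(sum((n - i) * w for i, w in enumerate(weights, start=1)) / (n - 1))


def owa(values, weights):
    """OWA aggregation: sort the values descending, then take the weighted sum."""
    return float(np.sort(np.asarray(values, dtype=float))[::-1] @ weights)


def assess_risk(direct=DIRECT, impact=IMPACT, quantifier=(0.3, 0.8)):
    """Whole pipeline: likelihood from DEMATEL+ANP, impact from FLQ-MEOWA,
    risk = likelihood x impact (a plain product, assumed for this example)."""
    likelihood = anp_limit_priorities(dematel_total_relation(direct))
    w = meowa_weights(len(next(iter(impact.values()))),
                      quantifier_orness(linear_quantifier(*quantifier)))
    result = {}
    for i, area in enumerate(impact):
        agg = owa(impact[area], w)
        result[area] = {"likelihood": float(likelihood[i]), "impact": agg,
                        "risk": float(likelihood[i]) * agg}
    return result


if __name__ == "__main__":
    prom, rel = prominence_and_relation(dematel_total_relation(DIRECT))
    for area, p, r in zip(AREAS, prom, rel):
        print(f"{area:22s} D+R={p:.3f} D-R={r:+.3f} ({'cause' if r > 0 else 'effect'})")
    for area, v in sorted(assess_risk().items(), key=lambda kv: -kv[1]["risk"]):
        print(f"{area:22s} L={v['likelihood']:.3f} I={v['impact']:.2f} risk={v['risk']:.3f}")
```

The D-R column separates net-cause areas (which other areas depend on) from net-effect areas, which is the "influential factors" result the abstract refers to. The maximum-entropy weights are the most evenly spread weights consistent with the quantifier's orness, so no single ordered position (the highest or the lowest expert score) dominates the aggregate the way a max or min operator would; with orness 0.5 the weights collapse to the plain mean.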
