An Information Systems Security Risk Assessment Model Under the Dempster-Shafer Theory of Belief Functions

This study develops an alternative methodology for the risk analysis of information systems security (ISS): an evidential reasoning approach under the Dempster-Shafer theory of belief functions. The approach has two important dimensions. First, the evidential reasoning approach provides a rigorous, structured way to incorporate relevant ISS risk factors, related countermeasures, and their interrelationships when estimating ISS risk. Second, the methodology employs the belief-function definition of risk: ISS risk is the plausibility of ISS failures. The proposed approach has other appealing features, such as facilitating cost-benefit analyses to help promote efficient ISS risk management. The paper elaborates the theoretical concepts and provides operational guidance for implementing the method. The method is illustrated using a hypothetical example from the perspective of management and a real-world example from the perspective of external assurance providers. Sensitivity analyses are performed to evaluate the impact of important parameters on the model's results.
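As an added illustration (not the paper's own model or code), the belief-function definition of risk stated above is carried through on a two-element frame {F, N} (ISS failure, no failure): evidence about a threat and about countermeasures is combined with Dempster's rule of combination, and ISS risk is read off as the plausibility of failure, Pl({F}). The mass assignments for the threat and the two countermeasures are constructed for illustration and are not taken from the paper.

```python
from itertools import product
from typing import Dict, FrozenSet

Focal = FrozenSet[str]
Mass = Dict[Focal, float]          # basic probability assignment (bpa)

THETA: Focal = frozenset({"F", "N"})   # the whole frame: "don't know"
FAIL: Focal = frozenset({"F"})         # ISS failure
SAFE: Focal = frozenset({"N"})         # no ISS failure

# Constructed evidence (illustrative values, not from the paper).
# A threat indicator gives weak support to failure; the rest is ignorance.
THREAT: Mass = {FAIL: 0.3, THETA: 0.7}
# Each countermeasure gives partial support to "no failure".
FIREWALL: Mass = {SAFE: 0.6, THETA: 0.4}
PATCHING: Mass = {SAFE: 0.5, THETA: 0.5}


def combine(m1: Mass, m2: Mass) -> Mass:
    """Dempster's rule: intersect focal elements, discard conflict, renormalise."""
    out: Mass = {}
    conflict = 0.0
    for (a, wa), (b, wb) in product(m1.items(), m2.items()):
        inter = a & b
        if inter:
            out[inter] = out.get(inter, 0.0) + wa * wb
        else:
            conflict += wa * wb          # mass on the empty set
    if conflict >= 1.0:
        raise ValueError("total conflict: evidence cannot be combined")
    return {k: v / (1.0 - conflict) for k, v in out.items()}


def belief(m: Mass, a: Focal) -> float:
    """Bel(A): mass committed to subsets of A (evidence *for* A)."""
    return sum(v for k, v in m.items() if k <= a)


def plausibility(m: Mass, a: Focal) -> float:
    """Pl(A): mass not committed against A (A remains possible)."""
    return sum(v for k, v in m.items() if k & a)


def iss_risk(*evidence: Mass) -> float:
    """ISS risk in the belief-function sense: plausibility of failure."""
    m = evidence[0]
    for e in evidence[1:]:
        m = combine(m, e)
    return plausibility(m, FAIL)


if __name__ == "__main__":
    for label, ev in [("threat only", (THREAT,)),
                      ("+ firewall", (THREAT, FIREWALL)),
                      ("+ patching", (THREAT, FIREWALL, PATCHING))]:
        print(f"{label:12s} risk = Pl(F) = {iss_risk(*ev):.3f}")
```

With the threat evidence alone nothing argues against failure, so Pl({F}) is 1.0; each countermeasure lowers the plausibility of failure, and the gap between Bel({F}) and Pl({F}) shows how much ambiguity remains, which is the quantity a cost-benefit comparison of further countermeasures would act on.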
