Information security risk analysis model using fuzzy decision theory

Highlights: A risk analysis model for information security was proposed. The model is based on fuzzy decision theory. A taxonomy of events and scenarios using the ETA methodology was developed. Alternatives can be ranked based on the criticality of the risk. The model provides information regarding the critical causes of attacks. Results show that a deliberate external database attack is the riskiest alternative.

Abstract: This paper proposes a risk analysis model for information security assessment, which identifies and evaluates the sequence of events (referred to as alternatives) in a potential accident scenario following the occurrence of an initiating event corresponding to abuses of Information Technology systems. To perform this evaluation, this work suggests the use of Event Tree Analysis combined with fuzzy decision theory. The contributions of the present proposal are: the development of a taxonomy of events and scenarios; the ranking of alternatives based on the criticality of the risk, considering financial losses; and, finally, the provision of information regarding the causes of information system attacks of highest managerial relevance for organizations. An illustrative example concerning a data center is included to show the applicability of the proposed model. To assess its robustness, we analyzed twelve alternatives using two different methods of setting the probabilities of occurrence of the events. Results showed that a deliberate external attack on database services represents the riskiest alternative.
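The following is an added illustration of the idea behind the abstract (an event tree whose branch probabilities are fuzzy numbers, with alternatives ranked by their fuzzy financial loss); it is not the paper's own code, and the triangular fuzzy numbers, the centroid defuzzification used for the ranking, and all probabilities and loss figures are constructed assumptions, since the page gives none of these details.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Triangular fuzzy number (low, mode, high), an assumed "about p" encoding of an uncertain probability.
TFN = Tuple[float, float, float]

def tfn_mul(a: TFN, b: TFN) -> TFN:
    # Standard endpoint approximation for the product of two positive triangular fuzzy numbers.
    return (a[0] * b[0], a[1] * b[1], a[2] * b[2])

def tfn_scale(a: TFN, k: float) -> TFN:
    return (a[0] * k, a[1] * k, a[2] * k)

def centroid(a: TFN) -> float:
    # Centroid defuzzification of a triangle (assumed ranking criterion, not the paper's method).
    return sum(a) / 3.0

@dataclass
class Alternative:
    name: str
    branches: List[TFN]   # fuzzy probability of each event along the path after the initiating event
    loss: float           # constructed financial consequence of the final event, in monetary units

def fuzzy_risk(alt: Alternative, p_init: TFN) -> TFN:
    # Event-tree path probability: initiating event times every branch on the path, then scaled by loss.
    p = p_init
    for branch in alt.branches:
        p = tfn_mul(p, branch)
    return tfn_scale(p, alt.loss)

def rank_alternatives(alts: List[Alternative], p_init: TFN) -> List[Tuple[str, TFN]]:
    # Most critical (highest defuzzified fuzzy loss) first.
    scored = [(alt.name, fuzzy_risk(alt, p_init)) for alt in alts]
    return sorted(scored, key=lambda s: centroid(s[1]), reverse=True)

# Constructed sample: initiating event "abuse of an IT system", then branches
# origin (external/internal) -> intent (deliberate/accidental) -> target service.
P_INIT: TFN = (0.05, 0.10, 0.15)
ALTERNATIVES = [
    Alternative("deliberate external database attack",
                [(0.5, 0.6, 0.7), (0.7, 0.8, 0.9), (0.3, 0.4, 0.5)], 500_000.0),
    Alternative("deliberate internal database attack",
                [(0.3, 0.4, 0.5), (0.7, 0.8, 0.9), (0.3, 0.4, 0.5)], 300_000.0),
    Alternative("accidental internal e-mail incident",
                [(0.3, 0.4, 0.5), (0.2, 0.3, 0.4), (0.4, 0.5, 0.6)], 50_000.0),
]

if __name__ == "__main__":
    for name, risk in rank_alternatives(ALTERNATIVES, P_INIT):
        print(f"{name}: fuzzy loss {tuple(round(x, 1) for x in risk)}, centroid {centroid(risk):.1f}")
```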
