Developing an Information Security Risk Taxonomy and an Assessment Model using Fuzzy Petri Nets

In the digital era, organization-wide information security risk assessment has gained importance because it can affect a business in many ways. In this article, the authors propose a model to assess information security risk using Fuzzy Petri Nets (FPN). Deeply rooted in the OCTAVE framework, this research presents a taxonomy of risk practice areas and risk factors. The authors apply the constituents of the taxonomy to risk assessment through a well-defined FPN model. The primary motive of the article is to extend the usability of FPNs to newer and less explored domains such as the audit and evaluation of information security risks. The unique contribution of this article is the definition and development of a comprehensive and measurable model of risk assessment and quantification. The model can also serve as a tool to capture respondents' risk perception, validate the criticality of each risk, and help top management invest judiciously in the information security control ecosystem.
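As an added illustration of the forward reasoning an FPN-based risk model relies on (example code written for this page, not the authors' model), the block below propagates truth degrees from observed risk factors up to practice-area and organization-level risk places. It assumes the common FPN formalism in which each transition has a threshold and a certainty factor; the risk-factor names, thresholds and certainty values are constructed for illustration and are not the paper's taxonomy.

```python
"""Forward reasoning in a fuzzy Petri net (FPN) for security risk propagation.

Assumed formalism (not taken from the paper): every place carries a truth
degree in [0, 1]; a transition fires when each input place's degree is at
least its threshold (lambda), and then assigns min(inputs) * certainty (mu)
to each output place, keeping the larger value if several rules reach the
same place. All names and parameters below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Transition:
    inputs: list[str]      # antecedent places (risk factors or sub-risks)
    outputs: list[str]     # consequent places (aggregated risks)
    threshold: float       # lambda: minimum input degree for the rule to fire
    certainty: float       # mu: confidence in the rule itself


def fpn_forward(degrees: dict[str, float], transitions: list[Transition]) -> dict[str, float]:
    """Propagate initial truth degrees until no transition changes any place."""
    marking = dict(degrees)
    changed = True
    while changed:
        changed = False
        for t in transitions:
            ins = [marking.get(p, 0.0) for p in t.inputs]
            if not ins or min(ins) < t.threshold:
                continue  # rule is not enabled: some antecedent is too weak
            value = min(ins) * t.certainty
            for out in t.outputs:
                if value > marking.get(out, 0.0):
                    marking[out] = value
                    changed = True
    return marking


# Constructed mini-taxonomy: leaf risk factors feed practice-area risks,
# which in turn feed a single organization-level risk place.
RULES = [
    Transition(["no_security_awareness_training", "weak_password_policy"], ["people_risk"], 0.3, 0.9),
    Transition(["unpatched_servers", "no_vulnerability_scanning"], ["technology_risk"], 0.3, 0.85),
    Transition(["no_incident_response_plan"], ["process_risk"], 0.2, 0.8),
    Transition(["people_risk", "technology_risk", "process_risk"], ["org_risk"], 0.2, 0.95),
]


def assess(observed: dict[str, float]) -> dict[str, float]:
    """Run the constructed risk net on respondent-supplied factor degrees."""
    return fpn_forward(observed, RULES)
```

Because the aggregation uses min() of the antecedents, a single weakly evidenced factor caps the derived risk, which is the behaviour to check when validating respondent ratings against the model.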
