Fuzzy Multi-Criteria Decision-Making for Information Security Risk Assessment

Risk assessment is a major part of the ISMS process. In a complex organization with many assets, risk assessment is a complicated process. In this paper, we present a practical model for information security risk assessment. The model is based on multi-criteria decision-making and uses fuzzy logic, which is an appropriate model for assessing risks and representing practical results. The proposed risk assessment is a qualitative approach according to the ISO/IEC 27005 standard. The main objectives and processes of the business are considered in this model, and risk is assessed at both the managerial and operational levels. The model was applied in full in the information technology section of a supply chain management company, and the results show its efficiency and reliability.
