An information systems security risk assessment model under uncertain environment



Journal Identification = ASOC; Article Identification = 911; Date: July 5, 2011; Time: 1:46 am

Applied Soft Computing 11 (2011) 4332–4340

Contents lists available at ScienceDirect

Applied Soft Computing

journal homepage: www.elsevier.com/locate/asoc

An information systems security risk assessment model under uncertain environment

Nan Feng, Minqiang Li
Department of Information Management and Management Science, School of Management, Tianjin University, 92 Weijin Road, Nankai District, Tianjin 300072, PR China

Article info

Article history:
Received 21 April 2010
Accepted 13 June 2010
Available online 18 June 2010

Keywords:
Information systems security
Risk assessment
Evidence theory
Fuzzy measure
Evidential consistency

Abstract

Given there is a great deal of uncertainty in the process of information systems security (ISS) risk assessment, the handling of uncertainty is of great significance for the effectiveness of risk assessment. In this paper, we propose an ISS risk assessment model based on the improved evidence theory. Firstly, we establish the ISS index system and quantify index weights, based on which the evidential diagram is constructed. To deal with the uncertain evidence found in the ISS risk assessment, this model provides a new way to define the basic belief assignment in fuzzy measure. Moreover, the model also provides a method of testing the evidential consistency, which can reduce the uncertainty derived from the conflicts of evidence. Finally, the model is further demonstrated and validated via a case study, in which sensitivity analysis is employed to validate the reliability of the proposed model.

© 2010 Elsevier B.V. All rights reserved.

Corresponding author. Tel.: +86 22 27404796; fax: +86 22 27404796. E-mail address: fengnan… (M. Li).
1568-4946/$ – see front matter © 2010 Elsevier B.V. All rights reserved. doi:10.1016/j.asoc.2010.06.005

1. Introduction

Organizations are increasingly relying on information systems (IS) to enhance business operations, facilitate management decision-making, and deploy business strategies. The dependence has increased in current business environments where a variety of transactions involving trading of goods and services are accomplished electronically [1,2]. Increasing organizational dependence on the IS has led to a corresponding increase in the impact of information systems security (ISS) abuses. Therefore, the ISS is a critical issue that has attracted much attention from both IS researchers and practitioners.

In order to prevent security breaches, businesses use controls (and various countermeasures) to safeguard their assets from various patterns of threats by identifying the IS assets that are vulnerable to threats. But, even in the presence of controls, the assets are often not fully protected from threats because of inherent control weaknesses. Thus, the risk assessment is a critical step for the ISS risk management [3].

In practice, the ISS risk assessment is quite complex and full of uncertainty as well [4]. The uncertainty existing in the process of assessment has been the primary factor that influences the effectiveness of the ISS risk assessment to a large extent. Therefore, in order to deal with the incompleteness and vagueness of information, the uncertainty must be taken into account in the ISS risk assessment. However, most existing approaches applied to the ISS have some drawbacks on handling uncertainty in the process of assessment. To address these aforementioned issues, we propose an ISS risk assessment model based on the improved evidence theory. In this paper, the model provides a new way to define the basic belief assignment in fuzzy measure for dealing with the uncertain evidence found in the ISS risk assessment. Moreover, we add a process of testing the evidential consistency to the existing evidence theory method. This process can effectively reduce the uncertainty derived from the conflicts of evidence provided by experts.

The rest of this paper is organized as follows: Section 2 reviews the related work. In the next section, the basic concepts of evidence theory are explained. Then, we discuss the process of developing an ISS risk assessment model in detail in Section 4. The model is further demonstrated and validated in Section 5 via a case study. Finally, we summarize our contributions and present our further research.

2. Related work

The existing approaches for the ISS risk assessment can be grouped into three major categories: the quantitative approaches, the qualitative approaches, and the combination of quantitative and qualitative approaches.

The quantitative approaches consider the IS risk exposure as a function of the probability of a threat and the expected loss due to the vulnerability of the organization to this threat [5,6]. The stochastic dominance (SD) approach [7] focuses on answering the specific question of what contingency plan should be used to prevent losses if a disaster occurs. To achieve this goal, the SD compares the costs associated with various backup and recovery options during the entire disaster recovery process in all areas of the organization. However, it fails to provide guidance on how to assess the failure of multiple controls pertaining to a single threat or how to assess the failure and the impact of a single control on multiple threats. The proposed approach in this paper provides a structure to the ISS risk assessment process by decomposing risk into its subcomponents and identifying relevant controls and their interrelationships. The approach based on neural networks [8] consists of five phases: network parameter initialization, input of the training sample and the expected output, network self-learning, forward propagation, and back propagation. If the error function value is smaller than the pre-established value, the network learning is stopped; otherwise the procedure returns to the second phase. While this approach has intelligent features such as self-learning and the acquisition of knowledge, which differ from the conventional methods, it is very difficult to get a large number of training samples for network self-learning in the process of the ISS risk assessment. The modular attack trees [9] approach is specified as parametric constraints, which allow quantifying the probability of security breaches that occur due to internal component vulnerabilities as well as vulnerabilities in the components' deployment environment. Based on the attack probabilities and the structure of the modular attack trees, security risks can be estimated for the information system. But this approach has difficulties capturing the uncertainty in the ISS risk environment, that is, dealing with the incompleteness and vagueness of information.

In the qualitative approaches, such as the logic analysis [10] and the Delphi method [11], probability data is not required and only the estimated potential loss is used. Since the qualitative analysis depends to a great extent on the analyst's experience, both the process and the result of the security risk assessment are relatively subjective [12].

As information systems have become more complex in business, neither quantitative nor qualitative approaches can properly model the assessment process alone. Therefore, comprehensive approaches combining both the quantitative and the qualitative approaches are needed [13,14]. The approach using Bayesian Networks (BNs) [15–17] provides an objective and visible support for risk analysis. It consists of three phases: the BN initialization (define the structure and the set of conditional probability distributions), the risk monitoring, and the risk analysis. Using new evidence obtained from the information system, this approach can continually estimate risk probability and identify the sources of risk. The approach based on the fuzzy comprehensive evaluation (FCE) [18–20] is a mathematical method to comprehensively evaluate the ISS risks using fuzzy set theory. Although this approach is good at processing ambiguous information by simulating the way humans make judgments, it is not capable of providing the graphical relationships among various ISS risk factors using flow charts or diagrams. The proposed approach in this paper consists of the graphical representation of relevant constructs through an evidential diagram, which can fully capture the complexity of multiple controls dealing with one threat and also that of one control dealing with multiple threats. In addition, both the above approaches suffer from the uncertainty derived from the conflicts of evidence provided by experts. In this paper, we propose a method of testing the evidential consistency, which can reduce the uncertainty derived from the conflicts of evidence.

In this paper, we utilize the evidence theory to model the uncertainty involved in the process of the ISS risk assessment. In addition to representing uncertainties using the evidence theory, the present approach allows the decision maker to develop an evidential diagram to assess the ISS risk that contains various variables such as the IS assets, the related threats, and the corresponding countermeasures. Next, the decision maker can input his or her judgments about the presence or absence of threats and the impact of countermeasures on the corresponding threats according to belief functions.

Evidence theory has been widely used in a broad range of disciplines, including audit and assurance services [21,22], artificial intelligence and expert systems [23], data mining [24], fault diagnosis of machines [25], design optimization [26], ensembling technique [27], and image object recognition [28]. In this paper, we make an improvement on the existing evidence theory. In comparison with the above existing works, there are several advantages with the improved evidence theory used in this paper. Firstly, in order to deal with fuzzy evidence involved in the ISS risk assessment, we improve the existing mass function of evidence theory for computing the BBAs in fuzzy form. Next, we add a process of testing the evidential consistency to the existing evidence theory. This process can effectively reduce the uncertainty derived from the conflicts of evidence provided by experts. In Section 5, we compare the assessment results of the existing evidence theory and the improved evidence theory.

3. Evidence theory

In this section, we define the terminology of evidence theory and the notations used in this paper.

3.1. Terminology

The evidence theory, also called the Dempster–Shafer theory, is based on the work of Dempster during the 1960s [29] and Shafer during the 1970s [30]. Although the evidence theory is a generalization of the Bayesian theory of subjective probability, it has often been applied in reasoning under uncertainty [31,32].

Suppose we have a decision problem with n possible elements or states of nature forming a mutually exclusive and collectively exhaustive set. This set is called the frame of discernment, represented by Θ. The power set of Θ, containing all the possible subsets of Θ, is represented as P(Θ). A basic belief assignment (BBA) is a function from P(Θ) to [0, 1] defined by:

$m : P(\Theta) \to [0, 1], \quad A \mapsto m(A),$   (1)

where A is an element of P(Θ). In addition, it satisfies the following conditions:

$m(\emptyset) = 0, \qquad \sum_{A \in P(\Theta)} m(A) = 1.$   (2)

Basically, the BBA pertaining to a statement measures the degree of belief directly assigned to the statement based on the evidence. Given a BBA m, a belief function is defined as:

$\mathrm{Bel} : P(\Theta) \to [0, 1],$   (3)

$\mathrm{Bel}(A) = \sum_{B \subseteq A} m(B),$   (4)

where B is a subset of A. Bel(A) measures the total belief that the object is in A. In particular, we have Bel(∅) = 0 and Bel(Θ) = 1.


Given a belief function, a plausibility function is defined as:

$\mathrm{Pl} : P(\Theta) \to [0, 1], \quad A \mapsto \mathrm{Pl}(A) = \sum_{A \cap B \neq \emptyset} m(B).$   (5)

The plausibility function can also be defined in terms of the belief function as

$\mathrm{Pl}(A) = 1 - \mathrm{Bel}(A^c),$   (6)

where A^c is the complement of A. The plausibility function for a subset of elements A is defined as the maximum possible belief that could be assigned to A if all future evidence were in support of A. In particular, we have Pl(∅) = 0 and Pl(Θ) = 1.
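A short worked check of eq. (6), added here and not part of the original paper: for any focal set $B$, $A \cap B \neq \emptyset$ holds exactly when $B \not\subseteq A^c$, so the sum in (5) is the total mass of (2) minus the mass of the subsets of $A^c$:

$$\mathrm{Pl}(A) = \sum_{A \cap B \neq \emptyset} m(B) = \sum_{B \in P(\Theta)} m(B) - \sum_{B \subseteq A^c} m(B) = 1 - \mathrm{Bel}(A^c).$$

The same split gives $\mathrm{Bel}(A) \le \mathrm{Pl}(A)$, since every non-empty $B \subseteq A$ also meets $A$ and $m(\emptyset) = 0$; $[\mathrm{Bel}(A), \mathrm{Pl}(A)]$ is therefore the interval of support for $A$, and it collapses to a single probability only when all mass sits on singletons.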

3.2. Combination of evidence

Dempster's rule [30] is the fundamental rule for combining two or more items of evidence in the belief function framework. For simplicity, let us illustrate Dempster's rule for only two items of evidence. In general, if m1 and m2 are two BBAs representing two independent items of evidence pertaining to Θ, then the combined BBA for a non-empty subset A of frame Θ using Dempster's rule is given by

$m(A) = K^{-1} \sum_{B \cap C = A} m_1(B)\, m_2(C),$   (7)

where $K = 1 - \sum_{B \cap C = \emptyset} m_1(B)\, m_2(C)$ represents the renormalization constant. The second term in K represents the conflict; when it reaches 1 (total conflict), K = 0 and the rule is undefined.
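The definitions of Sections 3.1 and 3.2, carried through in code as an added example (this is not code from the paper, and the frame of discernment and expert BBAs below are constructed for illustration): a BBA validator for eqs. (1) and (2), Bel and Pl from eqs. (4) to (6), and Dempster's rule of eq. (7) returning the conflict term of K alongside the combined BBA. The second constructed pair of experts is almost entirely in conflict, which is the situation the paper's evidential consistency test targets: the rule renormalizes the tiny shared mass on "medium" up to certainty.

```python
"""Dempster-Shafer belief functions (eqs. (1)-(7)) on a constructed ISS-risk
frame. Example code added to this page; not from the paper."""
from itertools import combinations

# Constructed frame of discernment Θ: the assessed risk level of one ISS
# index (e.g. one vulnerability). The three states are an assumption here.
THETA = frozenset({"high", "medium", "low"})


def powerset(frame):
    """All subsets of the frame, i.e. P(Θ), as frozensets."""
    items = sorted(frame)
    for r in range(len(items) + 1):
        for combo in combinations(items, r):
            yield frozenset(combo)


def check_bba(m, frame=THETA, tol=1e-9):
    """Check m: P(Θ) -> [0,1] with m(∅) = 0 and Σ m(A) = 1 (eqs. (1), (2))."""
    for focal, mass in m.items():
        if not focal <= frame:
            raise ValueError(f"{set(focal)} is not a subset of the frame")
        if not 0.0 <= mass <= 1.0:
            raise ValueError(f"m({set(focal)}) = {mass} is outside [0, 1]")
    if m.get(frozenset(), 0.0) != 0.0:
        raise ValueError("m(∅) must be 0")
    total = sum(m.values())
    if abs(total - 1.0) > tol:
        raise ValueError(f"masses sum to {total}, not 1")
    return True


def bel(m, a):
    """Bel(A) = Σ_{B ⊆ A} m(B) (eq. (4))."""
    return sum(mass for focal, mass in m.items() if focal <= a)


def pl(m, a):
    """Pl(A) = Σ_{A ∩ B ≠ ∅} m(B) (eq. (5))."""
    return sum(mass for focal, mass in m.items() if focal & a)


def dempster_combine(m1, m2):
    """Dempster's rule (eq. (7)). Returns (combined BBA, conflict).

    conflict = Σ_{B ∩ C = ∅} m1(B) m2(C) is the second term of K;
    K = 1 - conflict. Under total conflict K = 0 and the rule is undefined.
    """
    combined = {}
    conflict = 0.0
    for b, mb in m1.items():
        for c, mc in m2.items():
            inter = b & c
            if inter:
                combined[inter] = combined.get(inter, 0.0) + mb * mc
            else:
                conflict += mb * mc
    k = 1.0 - conflict
    if k <= 1e-12:
        raise ValueError("total conflict between the two BBAs: K = 0")
    return {a: mass / k for a, mass in combined.items()}, conflict


# Constructed expert judgments on the frame (not data from the paper).
H, M, L = frozenset({"high"}), frozenset({"medium"}), frozenset({"low"})
EXPERT_1 = {H: 0.6, H | M: 0.3, THETA: 0.1}
EXPERT_2 = {M: 0.5, H | M: 0.3, THETA: 0.2}

# Constructed near-total-conflict pair: each expert is almost certain of a
# different level; the small shared mass on "medium" is all that survives.
EXPERT_3 = {H: 0.9, M: 0.1}
EXPERT_4 = {L: 0.9, M: 0.1}


def assess(m1, m2, hypothesis=H):
    """Combine two BBAs and report the [Bel, Pl] interval for one hypothesis."""
    check_bba(m1)
    check_bba(m2)
    m, conflict = dempster_combine(m1, m2)
    return {
        "conflict": conflict,
        "bel": bel(m, hypothesis),
        "pl": pl(m, hypothesis),
        "pl_via_complement": 1.0 - bel(m, THETA - hypothesis),  # eq. (6)
        "combined": m,
    }


if __name__ == "__main__":
    for name, pair in (("moderate", (EXPERT_1, EXPERT_2)),
                       ("near-total", (EXPERT_3, EXPERT_4))):
        r = assess(*pair)
        print(f"{name} conflict={r['conflict']:.2f} "
              f"Bel(high)={r['bel']:.3f} Pl(high)={r['pl']:.3f}")
        for focal in powerset(THETA):
            if focal in r["combined"]:
                print(f"  m({sorted(focal)}) = {r['combined'][focal]:.3f}")
```

For the first pair the conflict is 0.30, so K = 0.70 and the combined masses are 0.30/0.70 on {high}, 0.20/0.70 on {medium}, 0.18/0.70 on {high, medium} and 0.02/0.70 on Θ; Pl({high}) computed from eq. (5) and from eq. (6) agree. For the second pair the conflict is 0.99 and the combined BBA puts all mass on {medium}, a level neither expert believed in, which is why a large conflict term should be checked before the combined result is used.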

    4. ISS risk assessment model

The procedure of the proposed model consists of four phases: establishing the ISS index system and quantifying the index weights, constructing the evidential diagram, computing the BBAs for the evidence, and testing the evidential consistency. Each phase is discussed in detail as follows, and the procedure of the model is given in Fig. 1.

    4.1. Establish the ISS index system and quantify index weights

The ISS index system is based on the risk analysis, which includes the identification of vulnerabilities and threats and the analysis of the losses arising from the threats acting on vulnerabilities [33]. Based on the ISS risk analysis for a securities company (see Section 5), we have established the index system (see Table 1).

For quantifying the index weights, six information system experts, two of whom are also this company's IT managers, were invited to fill in the questionnaires about the comparison table of factor weights. We then quantified the index weights using the method in Ref. [34], which can effectively reduce the uncertainty in the process of quantifying index weights [34].

    4.2. Construct the evidential diagram

An evidential diagram consists of assertions, evidence, and their interrelationships. Assertions include the main assertion and subassertions. The main assertion is the highest-level assertion; the subassertions are lower-level assertions. Relationships between assertions (e.g., between the main assertion and subassertions, and between higher-level subassertions and lower-level subassertions) need to be defined using logical relationships such as "and" and "or". Evidence represents the information that supports or negates assertions.

In this paper, the evidential diagram is derived from the ISS index system. Suppose a manager is interested in evaluating the ISS risk involved in the ISS vulnerabilities. The corresponding evidential diagram is given in Fig. 2, which is a part of the evi...

