Information security risk analysis model using fuzzy decision theory
Institution: 1. School of Business, Yonsei University 50 Yonsei-ro, Seodaemun-gu, Seoul 120-749, South Korea; 2. Jon M. Huntsman School of Business, Utah State University, 3515 Old Main Hill, Logan, UT 84322-3515, USA; 1. School of Entrepreneurship, Xi'an International University, PR China; 2. State Key Laboratory of Integrated Service Networks (ISN), Xidian University, PR China; 3. School of Information Science, Korean Bible University, Seoul 139-791, Republic of Korea; 1. Grenoble Ecole de Management, 12, Rue Pierre Sémard, 38003, Grenoble, Cedex 01, France; 2. Toulouse University, Toulouse Business School, 20 Boulevard Lascrosses, 31068 Toulouse, France; 1. School of Computing, Creative Technologies and Engineering, Leeds Beckett University, Leeds, UK; 2. Independent Researcher, Southampton, UK; 3. Data Analytics Technology & Applications, Institute for Information Industry, Taiwan, ROC; 4. IBM Thomas J. Watson Research Center, Yorktown Heights, NY 10598, USA; 1. Vrije Universiteit Amsterdam, The Netherlands; 2. Eindhoven University of Technology, The Netherlands; 1. Information Systems Department, Autonomous University of Aguascalientes, Ave. Universidad 940, Aguascalientes, Ags 20131, Mexico; 2. School of Computing, Dublin City University, Glasnevin, Dublin 9, Ireland; 3. School of Management, Texas Woman’s University, 1215 Oakland St., Denton, TX 76201, USA; 4. CCADET, Universidad Nacional Autónoma de México, Circuito Exterior S/N, C.P. 04510, Cd. Universitaria, México D.F., Mexico
Abstract: This paper proposes a risk analysis model for information security assessment, which identifies and evaluates the sequence of events – referred to as alternatives – in a potential accident scenario following the occurrence of an initiating event corresponding to abuses of Information Technology systems. To perform this evaluation, this work suggests the use of Event Tree Analysis combined with fuzzy decision theory. The contributions of the present proposal are: the development of a taxonomy of events and scenarios; the ranking of alternatives based on the criticality of the risk, considering financial losses; and, finally, the provision of information regarding the causes of information system attacks of highest managerial relevance for organizations. We included an illustrative example regarding a data center to demonstrate the applicability of the proposed model. To assess its robustness, we analyzed twelve alternatives considering two different methods of setting probabilities of the occurrence of events. Results showed that a deliberate external database services attack represents the most risky alternative.
Keywords: Information security; Risk analysis; Fuzzy decision theory
This article is indexed in ScienceDirect and other databases.