Article

Abstract

This paper proposes a risk analysis model for information security assessment, which identifies and evaluates the sequence of events - referred to as alternatives - in a potential accident scenario following the occurrence of an initiating event corresponding to abuses of Information Technology systems. In order to perform this evaluation, this work suggests the use of Event Tree Analysis combined with fuzzy decision theory. The contributions of the present proposal are: the development of a taxonomy of events and scenarios, the ranking of alternatives based on the criticality of the risk, considering financial losses, and finally, the provision of information regarding the causes of information system attacks of highest managerial relevance for organizations. We included an illustrative example regarding a data center aiming to illustrate the applicability of the proposed model. To assess its robustness, we analyzed twelve alternatives considering two different methods of setting probabilities of the occurrence of events. Results showed that deliberate external attacks on database services represent the riskiest alternative.


... Knapp et al. [4] highlighted that the main security issues concerning modern data centers are particularly in regard to data center management, operations and physical security as well as disaster planning. According to [4][5][6][7], all disastrous threats that caused major business disruptions and damages to organizations, discussed in past research, were targeted at data centers. As a result, the security of data centers has become an utmost concern for both the government and the ICT industry with the increased societal reliance on internet-based cloud computing to provide secure and affordable storage. ...
... As a result, the security of data centers has become an utmost concern for both the government and the ICT industry with the increased societal reliance on internet-based cloud computing to provide secure and affordable storage. Thus, it is crucial for organizations to be able to predict the security risks and implement effective strategies to reduce them by implementing a systematic approach in managing information security [6][7][8][9][10] and the first step to ensure this is to identify the potential information security threats faced by the data centers effectively. This will enable organizations to apply right strategies and tactics to ensure successful information security management to protect organizational goal by curbing digital disruption [11]. ...
... Studies conducted previously on threat identification were mainly focused on specific areas such as insider threats, human threats, the network front, or were general in nature. There were very few studies conducted on data center security [6], as only very few scholarly articles are available and none on the data centers in the Malaysian public sector. ...
Article
Full-text available
Data centers are primarily the main targets of cybercriminals and security threats as they host various critical information and communication technology (ICT) services. Identifying the threats and managing the risks associated with data centers have become a major challenge as this will enable organizations to optimize their resources to focus on the most hazardous threats to prevent the potential risks and damages. The objective of this paper is to identify major ICT security threats to data centers in the Malaysian public sector and their causes. The data for this study was collected through interview sessions. A total of 33 respondents from various government organizations were interviewed. The results revealed that the technical threats, spyware, phishing, bluesnarfing threats, social engineering and virus, trojan, malware, ransomware, viral websites threats are the major categories of threats often encountered by the Malaysian public sector organizations. The causes for these threats are lack of budget, competent personnel, and manpower for security tasks, user awareness; lack of compliances and monitoring; insufficient security policies and procedures as well as deliberate cyber attacks. The outcome of this study will give a greater degree of awareness and understanding to the ICT security officers, who are entrusted with data center security.
... The most important advantage of the TOPSIS method is that it is simpler and faster than other MCDM approaches, such as fuzzy analytic hierarchy process, and it is suitable to deal with uncertainties in complex decision-making problems [8]. The concept of fuzzy logic would be very appropriate for determining the risk factors, because many uncertain influencers and factors affect risk [9]. Furthermore, the analysis of risk in the view of multiple experts can increase the robustness of estimations [10]. ...
... Poleto et al. [9] have presented a risk analysis model for information security assessment using fuzzy theory. In their approach, they have used the event tree analysis combined with fuzzy decision theory to evaluate the sequence of events. ...
... As can be concluded from the reviewed literature (e.g., [9] and [10]), the concept of fuzzy logic would be very appropriate for determining the risk factors. Furthermore, the analysis of risk in the view of multiple experts can increase the robustness of estimations. ...
Article
One of the main challenges of the security of cyber-physical systems (CPSs) is the lack of an efficient approach to evaluate the impacts of attacks on physical processes and their probabilities of occurrence. This paper proposes a method for evaluating the security of CPSs. By using the proposed method, one can predict the attacker's preferences in attacking CPSs and study the dynamic behavior of systems under security attacks. To deal with uncertainties in attacker's decision making to conduct attacks, the attack tree structure is used and parameterized with suitable fuzzy data. In the next step, the fuzzy technique for order of preference by similarity to ideal solution method is used to evaluate the model and predict the behavior of attackers. Besides, the dynamic behavior of CPSs under attacks is investigated by using the system's process model. The output of the model is a relative estimation of the security level of system based on suitable security metrics, such as the probability of attack scenarios, the time that the process is able to operate after conducting attack before shutting down (time-to-shutdown), and security risks. We illustrate the effectiveness of the method by comparing it with another attack tree-based method. Furthermore, we present two illustrative examples and estimate the defined quantitative security measures.
... A lot of attention has been devoted to solving the problem of estimating the likelihood of occurrence of a threat and the corresponding impact. For example, several methods have been proposed using different techniques like Bayesian networks [20], attack path graphs [21], fuzzy logic [22], probabilistic model checking [23], vulnerability assessments [24], Monte Carlo simulations [7], [8], and others. ...
... Therefore, MAGIC might be seen, with some adaptations, as an alternative method that allows the need for experts to be bypassed, rather than a completely different approach. • Risk analysis based on fuzzy decision theory [22]: the first step of this approach is to identify an expert; then, a taxonomy of events and scenarios has to be defined (second step). Finally, the expert builds a matrix with potential accidents on the rows and possible scenarios on the columns: each entry of the matrix has to be filled with the probability that the accident takes place in a certain scenario. ...
Preprint
The assessment of cyber risk plays a crucial role for cybersecurity management, and has become a compulsory task for certain types of companies and organizations. This makes the demand for reliable cyber risk assessment tools continuously increasing, especially concerning quantitative tools based on statistical approaches. Probabilistic cyber risk assessment methods, however, follow the general paradigm of probabilistic risk assessment, which requires the magnitude and the likelihood of incidents as inputs. Unfortunately, for cyber incidents, the likelihood of occurrence is hard to estimate based on historical and publicly available data; so, expert evaluations are commonly used, which however leave space to subjectivity. In this paper, we propose a novel probabilistic model, called MAGIC (Method for AssessinG cyber Incidents oCcurrence), to compute the likelihood of occurrence of a cyber incident, based on the evaluation of the cyber posture of the target organization. This allows deriving tailor-made inputs for probabilistic risk assessment methods, like HTMA (How To Measure Anything in cybersecurity risk), FAIR (Factor Analysis of Information Risk) and others, thus considerably reducing the margin of subjectivity in the assessment of cyber risk. We corroborate our approach through a qualitative and a quantitative comparison with several classical methods.
... In this stage, assessment of risk consequences becomes more complex. Vulnerability level can be escalated by the relationship among risk factors [5,16,17]. Risk model is developed to describe security control's dependencies and vulnerability propagation among these controls [7,8,[16][17][18]. This model is represented as a dependency graph. ...
... Over the last few years, several researchers have proposed solutions for mitigating security threats. In [12], a taxonomy of events and scenarios was developed and the ranking of alternatives based on the criticality of the risk was provided by means of event tree analysis combined with fuzzy decision theory. Reference [13] developed a mathematical model to solve the problem according to the risk management paradigm and thereby provided managers with additional insights for making optimal decisions. ...
... In a general way, FMEA has been extensively used for examining potential failures in many industries. Moreover, FMEA together with Fuzzy Theory and/or Grey Theory has been widely and successfully used in the risk management of information systems [12], equipment failure [42], and failure in services [43]. ...
Article
Full-text available
Big data is the term used to denote enormous sets of data that differ from other classic databases in four main ways: (huge) volume, (high) velocity, (much greater) variety, and (big) value. In general, data are stored in a distributed fashion and on computing nodes as a result of which big data may be more susceptible to attacks by hackers. This paper presents a risk model for big data, which comprises Failure Mode and Effects Analysis (FMEA) and Grey Theory, more precisely grey relational analysis. This approach has several advantages: it provides a structured approach in order to incorporate the impact of big data risk factors; it facilitates the assessment of risk by breaking down the overall risk to big data; and finally its efficient evaluation criteria can help enterprises reduce the risks associated with big data. In order to illustrate the applicability of our proposal in practice, a numerical example, with realistic data based on expert knowledge, was developed. The numerical example analyzes four dimensions, that is, managing identification and access, registering the device and application, managing the infrastructure, and data governance, and 20 failure modes concerning the vulnerabilities of big data. The results show that the most important aspect of risk to big data relates to data governance.
... Deficiencies in the ICT infrastructure of these services contribute significantly to the increase of harmful attacks on health organizations that also adopt the strategy of promoting their services remotely [11]. Thus, the ICT infrastructure is a crucial factor in developing cybersecurity analysis to implement telehealth systems [12][13][14][15]. The importance of considering vulnerabilities is often associated with the risk of losses, corruptions, inappropriate changes, and theft of data, with information and documents that affect the integrity of medical diagnoses delivered to the patient, which can cause serious damage to the health of the individual [16]. ...
... The work uses different methods (Failure Mode and Effects Analysis and Grey Theory). [13] proposes a risk model for information security that identifies and evaluates the sequence of events in scenarios related to abuses of information technology systems. ...
Article
Full-text available
Hospital organizations have adopted telehealth systems to expand their services to a portion of the Brazilian population with limited access, mainly due to the geographical distance between their communities and hospitals. The importance and usage of those services have increased recently due to the COVID-19 state-level mobility interventions. These services work with sensitive and confidential data, containing medical records, medication prescriptions, and results of diagnostic processes. Understanding how cybersecurity impacts the development of telehealth strategies is crucial for creating secure systems on daily-based operations. In the application reported in this article, the Fuzzy Cognitive Maps (FCMs) translated the complexity of cybersecurity in telehealth services into intelligible and objective results in an expert-based cognitive map. The tool also allowed the construction of scenarios simulating the possible implications caused by common factors that affect telehealth systems. FCMs provide a better understanding of cybersecurity strategies using expert knowledge and scenario analysis, enabling the maturation of cybersecurity in telehealth services.
... Fuzzy sets theory was proposed by Lotfi Zadeh in 1965 [44]. This theory is used for mathematical modeling of uncertainties in real-world phenomena in various spheres such as "multicriteria decision-making," "pattern classification," and "time series" [44][45][46][47]. ...
Article
Full-text available
Websites are considered as the core infrastructure of e-government, so evaluating the quality of websites assists organizations to provide high-quality online services to citizens. For this purpose, this paper is seeking to design a model that enables any organization to evaluate the quality of its websites and identify its strengths and weaknesses. The proposed model includes nine main indexes including “website design,” “responsiveness quality,” “security,” “content and information quality,” “participation,” “trust,” “maintenance and support,” “services” and “usability,” alongside with 85 indicators. Since some of indexes and indicators possess intrinsic uncertainties so “fuzzy set theory” was applied to model the problem's ambiguity. “Analytic hierarchy process” and “PROMETHEE” methods were applied to weigh and rank indexes and indicators respectively. After designing the model, it was used for assessing the websites of five metropolitan municipalities of Iranian cities to spot their strengths and weaknesses.
... However, despite the benefits that this structure offers, there are vulnerabilities that can threaten the integrity of the stored data and cause enormous harm to patients. According to [37], four types of attacks can occur during communication established in telemedicine services: interruption, interception, modification, and fabrication. ...
... Audit and Accountability [32][33][34][35][36][37] Audit Events, Review, Analysis, and Reporting Generates audit records containing information that establishes what type of event occurred, when the event occurred, and where the event occurred. ...
Article
Full-text available
The purpose of this paper is to propose a framework for cybersecurity risk management in telemedicine. The framework, which uses a bow-tie approach for medical image diagnosis sharing, allows the identification, analysis, and assessment of risks, considering the ISO/TS 13131:2014 recommendations. The bow-tie method combines fault tree analysis (FTA) and event tree analysis (ETA). The literature review supported the identification of the main causes and forms of control associated with cybersecurity risks in telemedicine. The main finding of this paper is that it is possible, through a structured model, to manage risks and avoid losses for everyone involved in the process of exchanging medical image information through telemedicine services. Through the framework, those responsible for the telemedicine services can identify potential risks in cybersecurity and act preventively, recognizing the causes even as, in a mitigating way, identifying viable controls and prioritizing investments. Despite the existence of many studies on cybersecurity, the paper provides theoretical contributions to studies on cybersecurity risks and features a new methodological approach, which incorporates both causes and consequences of the incident scenario.
... In the area of computer security several works have been developed; for example, in the University of Pernambuco in Brazil, a risk analysis model for information security was designed incorporating fuzzy decision theory [5]. Likewise, a framework for the government of information security in cloud computing services was established in order to define processes that systematize related security aspects [6]. ...
... Several jobs have been developed in the field of computer security; for example, at the University of Pernambuco in Brazil, a risk analysis model for information security was designed incorporating fuzzy decision theory [5]. ...
Article
Full-text available
The objective of this project is to design an information security model applicable to higher education institutions that allows effective control of their processes. The development of the project starts with the characterization of the different existing processes in the higher education institutions of the Norte de Santander, Colombia, it is compared with the standards or good practices of security of the existing information, which allows structuring the elements that make up the model of information security for higher education institutions and, finally, the validation of the model designed in a higher education institution.
... Finally, given that risk assessment models rely predominantly on probability models, which form the basis for informed decision making related to risk in many areas. Gusmão, Silva, Silva, Poleto, and Costa, (2016) propose a risk analysis model for information security based on Decision Theory. Although these authors use the ETA/FTA method, their model is based solely on the criterion of financial losses. ...
... This paper expands on the research deriving from the study conducted by Gusmão et al. (2016), in which a cybersecurity risk analysis model, developed through the integration of decision theory and fuzzy logic, was proposed. Further, detection of scenarios that lead to hazards was structured using fault tree analysis. ...
Article
Cybersecurity is defined as information security aimed at averting cyberattacks, which are among the main issues caused by the extensive use of networks in industrial control systems. This paper proposes a model that integrates fault tree analysis, decision theory and fuzzy theory to (i) ascertain the current causes of cyberattack prevention failures and (ii) determine the vulnerability of a given cybersecurity system. The model was applied to evaluate the cybersecurity risks involved in attacking a website, e-commerce and enterprise resource planning (ERP), and to assess the possible consequences of such attacks; we evaluate these consequences, which include data dissemination, data modification, data loss or destruction and service interruption, in terms of criteria related to financial losses and time for restoration. The results of the model application demonstrate its usefulness and illustrate the increased vulnerability of e-commerce to cybersecurity attacks, relative to websites or ERP, due partly to frequent operator access, credit transactions and users’ authentication problems characteristic of e-commerce.
... To address imprecision, subjectivity and vagueness inherent in linguistic assessment of likelihood and impact, some works have adopted decision theory and fuzzy logic. For instance, De Gusmao et al. (2016) developed an approach to security risk analysis that combines decision theory and fuzzy logic. Shameli-Sendi et al. (2012) consider the fuzzy MCDM problem to effectively perform information security risk analysis. ...
Article
Full-text available
The new general data protection regulation requires organizations to conduct a data protection impact assessment (DPIA) when the processing of personal information may result in high risk to individual rights and freedoms. DPIA allows organizations to identify, assess and prioritize the risks related to the processing of personal information and select suitable mitigations to reduce the severity of the risks. The existing DPIA methodologies measure the severity of privacy risks according to analysts’ opinions about the likelihood and the impact factors of the threats. The assessment is therefore subjective to the expertise of the analysts. To reduce subjectivity, we propose a set of well-defined criteria that analysts can use to measure the likelihood and the impact of a privacy risk. Then, we adopt the fuzzy multi-criteria decision-making approach to systematically measure the severity of privacy risks while modeling the imprecision and vagueness inherent in linguistic assessment. Our approach is illustrated for a realistic scenario with respect to LINDDUN threat categories.
... This model is very common in our daily life, and most of the color images we usually see are based on this model. To make the color model more robust to illumination, the chrominance information and brightness information of the color must be separated from each other (27). As a result, people have developed several color models that separate chroma and brightness from each other. ...
Article
Full-text available
The continuous development of the social economy has stimulated an increase in the standard of living and increased the demand for consumption, and as a result the demand for high-quality and safe food has continued to increase. The so-called food safety means that the food that people eat under certain conditions will not harm human health. Frequent food safety incidents have highlighted the seriousness of my country's food safety problems and exposed loopholes in my country's food safety supervision. This article aims to study the construction of the Internet of Things technology in the food industry chain safety information traceability system, research on the RFID technology, GPS technology, and sensor technology in the Internet of Things technology, and also conduct some research on the modules of the food industry chain safety information traceability system. This paper proposes to integrate the Internet of Things technology into the construction of the food industry chain safety information traceability system. First, a detailed analysis of some of the technologies that may be used is carried out, and then through the investigation of people on food safety and other aspects, and the food traceability system satisfaction survey. The experimental results in this article show that 40% of women pay more attention to food safety. Of course, in the satisfaction survey of the food safety traceability system based on the Internet of Things technology, it has been recognized by more than 20% of the people.
... Various RA studies have been carried out in the field of information security [3,4,6,7,26,27]. Today, information systems have a complex, intricate structure and common use. ...
Article
Full-text available
Risk analysis (RA) contains several methodologies that aim to ensure the protection and safety of occupational stakeholders. Multi attribute decision-making (MADM) is one of the most important RA methodologies that is applied to several areas from manufacturing to information technology. With the widespread use of computer networks and the Internet, information security has become very important. Information security is vital as institutions are mostly dependent on information, technology, and systems. This requires a comprehensive and effective implementation of information security RA. Analytic hierarchy process (AHP) and technique for order preference by similarity to ideal solution (TOPSIS) are commonly used MADM methods and recently used for RA. In this study, a new RA methodology is proposed based on AHP–TOPSIS integration extended with Pythagorean fuzzy sets. AHP strengthened by interval-valued Pythagorean fuzzy numbers is used to weigh risk parameters with expert judgment. Then, TOPSIS with Pythagorean fuzzy numbers is used to prioritize previously identified risks. A comparison of the proposed approach with three approaches (classical RA method, Pythagorean fuzzy VIKOR and Pythagorean fuzzy MOORA) is also provided. To illustrate the feasibility and practicality of the proposed approach, a case study for information security RA in the corrugated cardboard sector is executed.
... Compared with qualitative methods, quantitative methods are more intuitive and reasonable. However, it is very difficult to reach a state of full quantization due to the lack of statistical data [23]. The above gives a brief idea of the differences between quantitative and qualitative risk assessments [24]. ...
Article
In virtue of the rapid development of the Internet of Things (IoT), organizations have grown to rely on their cyber systems and networks. However, this phenomenon also creates many new information security issues. In this paper, we propose an evolutionary algorithm, improved cuckoo search (ICS), to pre-train a back-propagation neural network (BPNN) for the sake of improving the accuracy and stability. Using this pre-training process, the BP neural network can surmount the defect of falling into the local minima and greatly improve its efficiency. Then, this neural network is used as a part of information security risk assessment (ISRA) processes for a miniature IoT system. An illustrative example is introduced to demonstrate that the ICS-BPNN outperforms other neural networks in this ISRA process.
... On the other hand, the Sugeno method is computationally efficient and works well with optimization and adaptive techniques, which makes it very attractive in control problems, particularly for dynamic nonlinear systems. The main Mamdani structure of a fuzzy inference consists of the following three steps: fuzzification, inference engine and defuzzification [12]. The Matlab software package was used to apply the fuzzy logic system to model a fuzzy risk matrix assessment methodology. ...
... The risk analysis model employs a Bayesian network and ant colony optimization techniques to represent risk factors and defined vulnerability propagation paths based on the knowledge from observed cases and domain experts. Other research has proposed a similar mechanism, but by using fuzzy decision theory [62]. Besides observation and experts, this paper has taken advantage of events and their cause-consequence relations to add value in the quality of assessment process. ...
Chapter
Full-text available
Vulnerability assessment is the essential and well-established process of probing security flaws, weaknesses and inadequacies in a computing infrastructure. The process helps organisations to eliminate security issues before attackers can exploit them for monetary gains or other malicious purposes. The significant advancements in desktop, Web and mobile computing technologies have widened the range of security-related complications. It has become an increasingly crucial challenge for security analysts to devise comprehensive security evaluation and mitigation tools that can protect the business-critical operations. Researchers have proposed a variety of methods for vulnerability assessment, which can be broadly categorised into manual, assistive and fully automated. Manual vulnerability assessment is performed by a human expert, based on a specific set of instructions that are aimed at finding the security vulnerability. This method requires a large amount of time, effort and resources, and it is heavily reliant on expert knowledge, something that is widely attributed to being in short supply. The assistive vulnerability assessment is conducted with the help of scanning tools or frameworks that are usually up-to-date and look for the most relevant security weakness. However, the lack of flexibility, compatibility and regular maintenance of tools, as they contain static knowledge, renders them outdated and does not provide the beneficial information (in terms of depth and scope of tests) about the state of security. Fully automated vulnerability assessment leverages artificial intelligence techniques to produce expert-like decisions without human assistance and is by far considered as the most desirable (due to time and financial reduction for the end-user) method of evaluating a systems’ security. Although being highly desirable, such techniques require additional research in improving automated knowledge acquisition, representation and learning mechanisms. Further research is also needed to develop automated vulnerability mitigation techniques that are capable of actually securing the computing platform. The volume of research being performed into the use of artificial intelligence techniques in vulnerability assessment is increasing, and there is a need to provide a survey into the state of the art.
... With the published paper "fuzzy sets" by Zadeh (1965), fuzzy set theory was widely considered as a new way for modeling more realistic decision models (de Gusmão et al., 2016). Fuzzy set theory provides a language with syntax and semantics. ...
Article
Full-text available
Bayesian network (BN) has been proven to be an excellent method that can describe relationships between different parameters and consequences to mitigate the likelihood of accidents. Nevertheless, the application of BN is limited due to the subjective probability and the static structure. In reality, available crisp probabilities for BN are generally insufficient; the system under consideration cannot be precisely described since the knowledge of the underlying phenomena is incomplete, which introduces data uncertainties. Furthermore, conventional BNs have static structures, which results in structural uncertainties in the model. This paper presents a Dynamic BN-based risk analysis model to characterize the epistemic uncertainty and illustrates it through a case on the offshore kick failure. Linguistic variables are transformed into probabilities to represent data uncertainties by applying fuzzy sets and evidence theory. Structural uncertainties caused by conditional dependencies and static models were addressed by utilizing dynamic BN. Based on the model, a robust probability updating and dynamic risk analysis are conducted, through which critical events with potential risks of causing accidents are identified and a dynamic risk profile is obtained. The case study indicates that it is a comprehensive approach for quantitative risk analysis in offshore industries under uncertainties.
... Dhillon et al (2016) gave the definition of security and usability objectives based on the values of individuals [6]. Gusmao et al (2016) proposed a risk analysis model for information security assessment based on event tree analysis and fuzzy decision theory [7]. Coppolino et al (2016) proposed a risk assessment model based on support vector domain description in order to solve the problems such as inaccurate security classification and long assessment time [8]. ...
... The final row of the table calculates the total risk analyzed due to all attack types, i.e. the overall risk that a web application can have due to the successful execution of SQL injection attacks. This risk analysis methodology provides the estimation of the risk within a specified range (5)(6)(7)(8)(9)(10)(11)(12)(13)(14)(15)(16)(17)(18)(19). This evaluation helps in deciding the risk associated with the web application under consideration. ...
Article
Full-text available
For all intents and purposes, web applications with a basic database are feeble on the way for SQLi (Structured Query Language injection) attacks. Privately owned businesses progressively depend on online environments and secure internet-based applications designed for information trade. However, a safety measure of these applications depends on awareness and critical examination of potential threats. A SQLi attack exists as a noteworthy threat to web-based applications and their underlying databases. These attacks achieve the right of entry to web application database servers by means of the assistance of SQL commands, placing confidential data, business strategies, financial records, and applications at risk. The challenge before the application developers and researchers is to analyze/compute the risk posed by these applications. The proposed methodology provides a risk analysis computation that determines the numeric value of probability and impact on a web application due to SQL injection attacks. The probability is calculated by the practical execution of SQL injection attack methods on the web application. A fuzzy logic system is employed as a computational strategy to figure the impact. The contribution of this quantitative risk analysis methodology is the introduction of new metrics which capture the impact and calculations of attack-wise risk associated with the application known ahead of time.
... To calculate the performance indicator for the information system, one needs to assemble a group of indicators that show the state of the information system; identify critical values for each indicator with due regard to the assessment scale; develop software or an additional module for the existing corporate information system to use in practice the performance indicators of the information system; and design a method for evaluating the obtained results [5]. ...
Article
Full-text available
Information provision for a company’s management system not only provides data for evaluating day-to-day operations but also is an efficient tool for improving the reliability of the entire management system. For purposes of efficiently managing projects for implementing modern information provision, the company should design a formalized model for assessing the relationship between project-related financial costs and the number of automated business processes in place at the company. This paper proposes using a mathematical model that contains financial indicators such as net present value, cash flows, and discount rates. Thanks to lower investment risks, the model will improve the economic efficiency of investment projects as part of implementing information provision at the company.
... Information security investment decisions, including the ones discussed above, are essentially about managing risk (de Gusmão et al., 2016), and research performed over several decades by decision scientists provides solid evidence that behavioral factors play a prominent role in managing and mitigating risk in various contexts (Slovic, 2010). Despite these well-established findings, factors related to risk behaviors have remained mostly unexplored in the literature of security investment. ...
Article
Full-text available
Information resources are becoming increasingly important to individuals and organizations, and ensuring their security is a major concern. While research in information security has adopted primarily a quantitative method to determine how and how much to invest in security, most decision makers rely on non-quantitative methods for this purpose, thereby introducing a considerable amount of as yet unexplained subjective judgment to the problem. We use a behavioral decision making approach to investigate factors causing possible inefficiencies of security spending decisions. Decision makers in our experiment performed a series of economic games featuring the key characteristics of a typical security problem. We found several biases in investment decisions. For budgeting their investment between major classes of security measures, decision makers demonstrated a strong bias toward investing in preventive measures rather than in detection and response measures, even though the task was designed to yield the same return on investment for both classes of measures. We term this phenomenon the “Prevention Bias.” Decision makers also reacted to security threats when the risk was so small that no investment was economically justified. For higher levels of risk that warranted some security investment, decision makers showed a strong tendency to overinvest. Theoretical and practical implications of the findings are discussed.
... Combined event tree analysis (ETA) with the fuzzy theory is another method for information security risk assessment which was studied by De Gusmão et al. (2016). ...
... critical) business processes. If it occurs, a threat that exploits the vulnerability in question leads to the loss of confidentiality, availability, and integrity of protected information resources (De Gusmão, Silva, Silva, Poleto, & Costa, 2016). Loss caused by information security risks can be quantified, for example, by the amount of lost profits or the costs of restoring lost data. There is also an approach to qualitatively assessing loss based on the use of an impact scale. ...
... Third party intervention. An analysis of information system risk identifies deliberate external database attacks as the vital risks [54]. Human failure is the prime reason for third party intervention, which can be categorized as security abuses. ...
Article
Full-text available
The increasing use of Information Technology (IT) has led to many security and other related failures in the banks and other financial institutions in Bangladesh. In this paper, we investigated the factors contributing to the failure in the IT system of the banking industry in Bangladesh. Based on the experts' opinions and weight on the specified evaluating criteria, an empirical test was conducted using a rough set theory to produce a framework for the IT system failure factors. In this study, an extended approach involving the integration of rough set theory based flexible Failure Mode and Effect Analysis (FMEA) and the Technique for Order of Preference by Similarity to Ideal Solution (TOPSIS) has been applied to help the managers of the corresponding field to identify the factors responsible for the failure of the IT system in the banking industries and then prioritize them accordingly, for the ease of decision making. In this research, eleven such failure factors were identified, which were then quantitatively analyzed to facilitate managers in crucial decision-making. It was observed that cyber-attack, database hack risks, server failure, network interruption, broadcast data error, and virus effect were the most significant factors for the failure of the IT system. The framework developed in this research can be utilized to assist in efficient decision-making in other service industries where IT systems play a key role. To the best of our knowledge, this is the first study that empirically tested key failure factors of the IT system for the banking sector using an integrated method.
Article
In 2019, the International Journal of Information Management (IJIM) celebrated its 40th year of publication. This study commemorates this event by presenting a retrospect of the journal. Using a range of bibliometric tools, we find that the journal has grown impressively in terms of publication and citation. The contributions come from all over the world, but the majority are from Europe and the United States. The journal has mostly published empirical articles, with its authors dominantly using quantitative methodology. Further, the culture of collaboration has increased among authors over the years. The journal publishes on a number of topics, including managing information systems, information technologies and their application in business, technology acceptance among consumers, using information systems for decision making, social perspectives on knowledge management, and information research from the social science perspective. Regression analysis reveals that article attributes such as article order, methodology, presence of authors from Europe, number of references, number of keywords, and abstract length have a significant association with the citations. Finally, we find that conceptual and review articles have a positive association with citations.
Article
This paper discusses the key role of incentives in information systems security. Vulnerabilities can be reduced, and even removed, if individual motivations are taken into account in the process of protection and insurance design. The article first discusses the importance of externalities, free-riding behavior, uncertainty and the incentives mismatch between individuals and organizations involved in information systems security. Previous works perform this study using a game theoretical approach but the paper shows that an agent-based model is capable of including the heterogeneity and interrelations among individuals, not focusing on the reached equilibrium but on the dynamics prior to its emergence.
Thesis
Full-text available
The main aim of this Ph.D. Thesis is to present a set of different novel ways in which multiagent systems (MAS) can play a key role in economic forecasting and modelling in a wide set of contexts. Then, the principal hypothesis is that multiagent systems allow creating macroeconomic models with real microfoundations that are capable of representing the economy at different levels according to different purposes and necessities.
Conference Paper
Cloud computing is an innovative and popular paradigm in information technology. It delivers on-demand services by offering numerous advantages such as reduced management effort and efficient resource usage which would lead to economic saving. However, the associated flexibility and elasticity have caused many information security issues in a business environment. In such scenarios, all risk factors must be managed based on their probable effects on assets. Moreover, risk assessment as a core of risk management, estimates and prioritizes risks to reduce their impact and maximize the benefits of cloud computing for system providers and clients. In this paper, we adopt fuzzy logic to deal with insufficient information and estimate the severity and the likelihood of each risk mathematically. The aim of this paper is to develop a conceptual model to prioritize risks based on severity and probability. For estimating risk, human knowledge and expertise need to be integrated into role based circumstance. As a result, fuzzy logic is presented in this paper and the incenter on centroid method is proposed to convert linguistics data to numerical value in order to quantify the rate of risk. On the other hand, fuzzy logic has been used to deal with human experience as insufficient information to obtain the quantitative data due to the risk characterizing factors.
Conference Paper
Full-text available
Soft targets and crowded places are closely related to a high risk of violent attack. Among experts, soft targets are known as objects or events where a large group of people is concentrated at the same place and this place has no special security measures integrated into its processes. Soft targets can be objects of many different types. Generally, we can say that these objects have similar characteristics. Among the characteristics of soft targets is a considerable number of persons present at the same time in the same area. In addition, these kinds of objects have not implemented adequate security and safety measures in their processes. This proposal of an analytical tool, a software solution, was developed for assessing the current state of such objects. The main aim of the proposed solution is to support operators in the decision-making process and improve the security situation at soft targets. This analytical tool is designed for static analysis, which is based on the comparison of the object’s and the incident’s characteristics.
Article
Full-text available
With the rapid development of modern information technology, the health care industry is entering a critical stage of intelligence. Faced with the growing health care big data, information security issues are becoming more and more prominent in the management of smart health care, and the problem of patient privacy leakage is the most serious. Therefore, strengthening the information management of intelligent health care in the era of big data is an important part of the long-term sustainable development of hospitals. This paper first identified the key indicators affecting the privacy disclosure of big data in health management, and then established a risk access control model based on fuzzy theory, which was used for the management of big data in intelligent medical treatment, and solved the problem of inaccurate experimental results due to the lack of real data when dealing with actual problems. Finally, the model is compared with the results calculated by the fuzzy tool set in Matlab. The results verify that the model is effective in assessing the current safety risks and predicting the range of different risk factors, and the prediction accuracy can reach more than 90%.
Article
Full-text available
The security risk management framework is an essential part of strategic management for government agencies. It allows a government to systematically identify and address the risks associated with its activities to achieve sustainability for different activities of security risk management. The goal of security risk management is to add sustainable value to government activities and reduce the chance of security breaches. Applying security risk management techniques to government projects can increase the chances of success, help achieve objectives, and assist in finding preventive solutions for future projects. The application of security risk management is profitable for government agencies because it sets specific risk management objectives that are based on the broader overall strategy. It contributes to the achievement of strategic objectives with mechanisms like Spearman's rank correlation coefficient and simple linear regression. These techniques can improve decision-making, planning and implementation of government activities, as well as reduce the negative consequences of present threats. It is recommended to apply the integrated security risk management framework proposed in this paper to increase the effectiveness of security risk management in government agencies. Also, using quantitative and intelligent techniques in the analysis and estimation of security risks can help managers to make decisions regarding security issues in government agencies.
Article
Full-text available
The study was conducted with the aim of ranking each aspect of information security risk management. At the first stage, the dimensions and characteristics of each have been identified based on the research literature and expert opinions. In order to rank the factors under study using a hybrid approach combining FEMA and Grey theory, 50 questionnaires were collected among IT, software, and network experts chosen based on the researchers’ judgement and accessibility. According to the results, the security of communications was ranked first. Infrastructure of hardware and network, human factors, security management, access to information and systems, and the development of secure information systems were ranked second to sixth, respectively. Therefore, it is recommended that organizations set up an independent security department within the organization. Also, providing a list of all the information assets of the organization and specifying control and strategic goals in the area of information security in the organization can be useful for organizations. Moreover, if the organization has several branches and needs internet connection, communications should preferably be available as VPN. In addition, if organizations have web automation for outside usage, the site should be licensed with SSL and the https protocol.
Article
Purpose This paper aims to examine optimal decisions for information security investments for a firm in a fuzzy environment. Under both sequential and simultaneous attack scenarios, optimal investment of the firm, optimal efforts of attackers and their economic utilities are determined. Design/methodology/approach Throughout the analysis, a single firm and two attackers for a “firm as a leader” in a sequential game setting and “firm versus attackers” in a simultaneous game setting are considered. While the firm makes investments to secure its information assets, the attackers spend their efforts to launch breaches. Findings It is observed that the firm needs to invest more when it announces its security investment decisions ahead of attacks. In contrast, the firm can invest relatively less when all agents are unaware of each other’s choices in advance. Further, the study reveals that attackers need to exert higher effort when no agent enjoys the privilege of being a leader. Research limitations/implications In a novel approach, inherent system vulnerability of the firm, financial benefit of attackers from the breach and monetary loss suffered by the firm are considered as fuzzy variables in the well-recognized Gordon–Loeb breach function, with the help of the fuzzy expectation operator. Practical implications This study reports that the optimal breach effort exerted by each attacker is proportional to its obtained economic benefit for both sequential and simultaneous attack scenarios. A set of numerical experiments and sensitivity analyses complement the analytical modeling. Originality/value In a novel approach, inherent system vulnerability of the firm, financial benefit of attackers from the breach and monetary loss suffered by the firm are considered as fuzzy variables in the well-recognized Gordon–Loeb breach function, with the help of the fuzzy expectation operator.
Article
The information security issue has become a global problem and has raised the concerns of both researchers and practitioners. When security incidents occur, there is a risk that national military secrets or confidential information of corporations will leak out and cause serious damage to the collective. This paper aims to explore the knowledge structure, development, and future trend of the information security area by providing a comprehensive review of the present information security risk (ISR) literature. The visualization analysis was conducted on journal literature from the Web of Science, IEEE, ACM and Scopus databases, and the results were mapped into the I-model. Based on 2748 articles, evaluation methods, e.g., frequency statistics, clustering coefficient, as well as centrality calculation are employed to analyze all of the interrelated matrices, which are supported by CiteSpace. Some useful outcomes for a variety of objectives are shown at a significant level, such as author, country/territory, cluster, institute as well as reference. Synthetical analysis has demonstrated the future research trend on ISR. For researchers and practitioners, our study suggests an analysis of integrated visualization in terms of the knowledge and innovation in the area of ISR.
Article
The performance analysis of healthcare supply chain management (SCM) has become extremely important as healthcare systems have begun to struggle to enhance operational efficiency and diminish costs. The aim of this study was to measure healthcare SCM in accordance with competency-based operation evaluation. The study was organized as a hierarchical structure based on the main processes, sub-processes, and their operations of healthcare SCM. It is considerably difficult to quantify the competency of an operation. Therefore, a fuzzy model was developed to measure healthcare SCM performance according to competency-based operation evaluation. The fuzzy model consisted of evaluation and measurement levels. The first-level assessed the operations that measured the competency of the operation using a fuzzy heuristic algorithm. The second-level measured the performance of healthcare SCM using a fuzzy rule-based system established based on the performance of the main SCM processes. This model was used to measure the performance of SCM and evaluate the activities of five hospitals operating in Bishkek, Kyrgyzstan. The findings were determined to be helpful for healthcare systems to identify and enhance weak processes and their sub-processes in order to provide competitive advantage against competitors.
Chapter
Information Security (IS) Risk Assessment is a main part of risk analysis; it helps organizations make decisions to protect their Information Technology (IT) services and underlying IT assets from potentially adverse events. How to do assessment in this context, however, is not a well-defined task. Some approaches provide guidelines but leave analysts to define how to implement them, leading to different mechanisms to identify input data, different procedures to process those inputs, and different results as a consequence. To address this problem, we present a semiautomatic procedure, based on data systematically obtained from modern IT Service Management (ITSM) tools used by IT staff to handle IT services’ assets and configurations. We argue that these tools handle actual data that may be used to collect inputs for an IS risk assessment procedure, thus reducing subjective values. We evaluated the procedure in a real case study and found that our approach actually reduces variability of some results. We also identified areas that must be addressed in future work.
Article
Full-text available
In recent years, finance institutions have robustly needed an instrument for risk management. Several committees on banking supervision require that institutions have a reliable rating scale for probability of default. The most important step is the transition towards the Internal Ratings-Based (IRB) approach. This paper presents an approach to estimate implied probability of default (PD) and classify it into the desired credit scale. The calculation of PD is based on Newton’s method and classification is done by a competitively trained neural network.
Article
Full-text available
During the initial literature review on this research question, areas of focus included the following:
• Current qualitative and quantitative methodologies for technology risk analysis.
• Business applications for expanding the use of qualitative and quantitative technology and security risk models.
• Implementation of qualitative and quantitative technology and security risk analysis methodologies and models by practitioners.
Information Technology (IT) risk analysis has become an integral part of the enterprise risk management systems in many organizations. However, many companies have struggled to effectively implement these systems. This has become a serious problem in many cases where governmental regulations, industry requirements, and even contractual language for doing business have increasingly included technology risk management obligations that companies must meet. Currently, technology risk management is not as mature a field as those like IT Audit or Information Security, which have had professional certification processes for over 23 years. Technology risk management, on the other hand, has had similar certifications for less than 10 years. As such, many of the current technology risk management practitioners have come from other fields, which has made it difficult to construct a common body of knowledge on which technology risk management systems can be built. In many cases, such factors, as well as others, are making it difficult to implement technology risk management systems. This research will seek to evaluate those factors in more detail to determine common ones that have the most impact on the success of technology risk management projects and make recommendations for overcoming the factors that limit the success of these projects.
Article
Organizations use information systems to automate their processes. Similar to other types of information systems, hospital information systems face a variety of risks (i.e. potential hazards to human health). For responding to such risks, a practical fuzzy risk assessment framework is developed under the business continuity management concepts. The proposed framework benefits from a fuzzy multi-criteria decision-making method and a fuzzy inference system to quantify and analyze the uncertain information gathered from experts. A procedure for developing suitable business continuity plans is also presented. Finally, the applicability of the proposed framework is demonstrated through a real case study.
Conference Paper
This paper aims at how to construct the security architecture for virtual enterprises. In order to help the virtual enterprise adapt to the urgent security problems resulting from the soaring number of new internet-based applications, a dynamic security reference model named the Object-oriented PDRR model is proposed. The security requirements, access operations, security architecture and working mechanism are discussed in detail. Based on the security reference model, an information security system, including an intrusion detection and vulnerability scanning system, a firewall and an antivirus system, was constructed for a virtual enterprise. The presented case verified the model's applicability.
Chapter
Full-text available
This paper surveys six different varieties of methodology for choosing one of a fixed number of alternative actions in the context of uncertainty about which of a fixed number of possible states of the world actually holds, where the outcome of each alternative action depends on the state of the world. The six approaches differ from one another primarily in their assumptions about the quality and quantity of information that is available regarding (a) the relative possibility or likelihood of the various states of the world, and (b) the relative utility of the various outcomes defined by (action, state) pairs.
Article
Full-text available
Six different varieties of methodology are surveyed for choosing one of a fixed number of alternative actions in the context of uncertainty. Within this context a fixed number of possible states of the world can actually hold, where the outcome of each alternative action is dependent on the state of the world. The six approaches differ from each other primarily in their assumptions about the quality and quantity of information that is available regarding: the relative possibility or likelihood of the various states of the world, and the relative utility of the various outcomes defined by (action, state) pairs. The six approaches are illustrated using a single example. Finally, the prospects for an integrated approach to decision support that is sensitive to the quality and quantity of information are discussed, and some fruitful areas for further research are suggested.
Article
Full-text available
The use of biotelemetry methods can provide information on animal behaviour, movement ecology and energetics. However, deployment of biotelemetry equipment on free-living animals incurs risk of damage or loss, which can result in high cost and low sample sizes. To facilitate the uptake of these methods, we have recognized the need for a prescribed procedure for assessing failure risk in biotelemetry studies. Here, we have adapted a commonly used technique in industry and engineering, Event Tree analysis, to facilitate risk estimation and deployment procedure critique. This method can incorporate the use of fuzzy logic to accommodate the uncertainty and scarcity of technical data that are often associated with animal biotelemetry equipment and techniques. Alternatively, probabilistic data may be used for procedures where appropriate models have been established. To encourage the adoption of this method by the scientific community, we have developed a freeware program, Biotelemetry Event Tree (BET). We advocate the use of this method, in the interests of scientific robustness and animal welfare.
Article
Full-text available
This paper explores the risk perceptions of key stakeholders in SMEs when making decisions on technology investments. Current literature focuses on the nature of the technology from a technical perspective and its associated benefits to the SME. We seek to make a contribution that builds on the small but growing body of work which views technology investment decisions as the outcome of a process of both objective and subjective risk assessment. Evidence presented in this paper suggests that subjective elements play an important part in assessing technology risks. Our empirical findings are that both e-business experience and the role of the decision-maker within the firm influence risk perception, whereas sector differences are more modest. One implication of our findings is that policy interventions should be more sensitive and targeted at different types of stakeholders – owners, IT professionals and other individuals – rather than at the sector in which the SME operates.
Article
Full-text available
Developing emergency and disaster management systems is an important issue in our “computer society”. The primary issue is how to share information about a current disaster and the status of resource allocation for emergency management. System continuity management is another important disaster-related issue. Furthermore, we should consider a solution for constructing a trust network in a disaster situation. In this paper, we focus on security issues that confront IT systems during disasters. The security issues include privacy breaches in a disaster situation. We summarize these security and privacy issues in the context of three major areas of operation: information gathering, network access, and system continuity management. Then we provide the results of a survey on techniques for solving these issues.
Article
Full-text available
Information protection is of paramount importance in today's world. From information involving the highest level of government administration and national security, to information existing at the level of the private company in the form of trade secrets or personal data, all are under the constant threat of being compromised. In this study, the researchers attempt to evaluate the information security maturity level and provide clear thoughtful analysis of the information security landscapes of the Malaysian Public Service (MPS) organizations. This study uses convenience sampling and the required data collected from 970 targeted individuals through a self-administrated survey. In addition, a survey questionnaire is utilized to gauge the security landscape and to further understand the occurrence of incidents, the sources of attack, and the types of technical safeguard. Findings revealed that the highest security incidents experienced by the MPS were spamming (42%), followed by attacks of malicious codes (41%). Twenty-five percent of incidents originated from within the organizations, 15% originated from outside, and 11% were from a mixture of internal and external sources. Also, it shows that 49% of incidents were from sources unknown to the respondents. The top most deployed safeguards by the MPS were found to be firewalls (95%), followed by anti-virus software (92%), and access control to information system (89%). Findings on the maturity level show that 61% of respondents are at Level 3, followed by 21% at Level 2 where the information security processes are still considered an Information and Communication Technology (ICT) domain. At the higher end of the continuum lies 13% for Level 4 and 1% at Level 5.
Article
Full-text available
Looking at modern theories in management science and business administration, one recognizes that many of these conceptions are based on decision theory in the sense of von Neumann and Morgenstern. However, empirical surveys reveal that normative decision theory is hardly used in practice to solve real-life problems. This neglect of recognized classical decision concepts may be caused by the fact that the information necessary for modeling a real decision problem is not available, or the cost of getting this information seems too high. Subsequently, decision makers (DMs) abstain from constructing decision models. As fuzzy set theory offers the possibility to model vague data as precisely as a person can describe them, a lot of decision models with fuzzy components have been proposed in the literature since 1965. But in my opinion only fuzzy consequences and fuzzy probabilities are important for practical applications. Therefore, this paper is restricted to these subjects. It is shown that decision models with fuzzy utilities and/or fuzzy probabilities are suitable for getting realistic models of real-world decision situations. Moreover, we propose appropriate instruments for selecting the best alternative and for compiling a ranking of the alternatives. As fuzzy sets are not well ordered, this should be done in the form of an interactive solution process, where additional information is gathered in correspondence with the requirements and under consideration of cost-benefit relations. This procedure leads to a reduction of information costs.
Article
Full-text available
This article is the first of two whose goal is to advance the discussion of IS risk by addressing limitations of the current IS risk literature. These limitations include: inconsistent or unclear definitions of risk; limited applicability of risk models; frequent omission of the temporal nature of risk; and lack of an easily communicated organizing framework for risk factors. This article presents a general, but broadly adaptable model of system-related risk. The companion article, Volume 14, Article 2 [Sherer and Alter, 2004] focuses on IS risk factors and how these factors can be organized. This article starts by identifying criteria for a general, but broadly applicable risk model. It compares alternative conceptualizations of risk and provides clarifications of the definitions of risk and of different treatments of goals, expectations, and baselines for assessing risk. It presents several of the risk models in the IS literature and discusses the temporal nature of risk. Based on that background it presents a general and broadly adaptable model of risk that encompasses: goals and expectations; risk factors and other sources of uncertainty; the operation of the system or project whose risks are being managed; and the resulting financial gains or losses. The model's adaptability allows users to eliminate facets that are not important for their purposes. For example, the majority of current practitioners would probably think of risk in terms of negative outcomes rather than the full distribution of possible outcomes. A comparison of the general model with other risk models in the IS literature shows that it covers most of the ideas expressed by previous IS risk models while also providing a practical approach that managers can use for thinking about IS risk at whatever level of detail makes sense to them.
Article
Full-text available
This paper presents an approach enabling economic modelling of information security risk management in contemporary businesses and other organizations. In a world of permanent cyber attacks on ICT systems, risk management is becoming a crucial task for minimizing the potential risks that can endanger their operation. The prevention of the heavy losses that may happen due to cyber attacks and other information system failures in an organization is usually associated with continuous investment in different security measures and the purchase of data protection systems. With the rise of the potential risks, investment in security services and data protection is growing and is becoming a serious economic issue for many organizations and enterprises. This paper analyzes several approaches enabling assessment of the necessary investment in security technology from the economic point of view. The paper introduces methods for identification of the assets, the threats and the vulnerabilities of ICT systems, and proposes a procedure that enables selection of the optimal investment in the necessary security technology based on the quantification of the values of the protected systems. The possibility of using the approach for external insurance based on the quantified risk analyses is also provided.
Article
Full-text available
An approach to solving optimization problems with fuzzy coefficients in objective functions and constraints is described. It consists in formulating and solving one and the same problem within the framework of mutually related models, constructing equivalent analogs with fuzzy coefficients in objective functions alone. It enables one to maximally cut off dominated alternatives "from below" as well as "from above". Since the approach is applied within the context of fuzzy discrete optimization problems, several modified algorithms of discrete optimization are discussed. These algorithms are associated with the method of normalized functions, are based on a combination of formal and heuristic procedures, and allow one to obtain quasi-optimal solutions after a small number of steps, thus overcoming the computational complexity posed by the NP-completeness of discrete optimization problems. The subsequent contraction of the decision uncertainty regions is associated with reduction of the problem to multiobjective decision making in a fuzzy environment using techniques based on fuzzy preference relations. The techniques are also directly applicable to situations in which the decision maker is required to choose alternatives from a set of explicitly available alternatives. The results of the paper are of a universal character and can be applied to the design and control of systems and processes of different purposes as well as the enhancement of corresponding CAD/CAM systems and intelligent decision making systems. The results of the paper are already being used to solve problems of power engineering.
Article
Full-text available
Despite the well documented and emerging insider threat to information systems, there is currently no substantial effort devoted to addressing the problem of internal IT misuse. In fact, the great majority of misuse countermeasures address forms of abuse originating from external factors (i.e. the perceived threat from unauthorized users). This paper suggests a new and innovative approach to dealing with insiders that abuse IT systems. The proposed solution estimates the level of threat that is likely to originate from a particular insider by introducing a threat evaluation system based on certain profiles of user behaviour. However, a substantial amount of work is required in order to materialize and validate the proposed solutions.
Article
Even though an underground electricity distribution system is safer than an overhead system, several accidents have occurred in them. Assessing the risk of hundreds or even thousands of underground vaults is a hard task. Furthermore, given the large variability in external and internal environments and, hence, there being a wide range of possible consequences when an accident occurs, an approach to risk assessment under a multidimensional view is required. Moreover, in terms of decision making, the aggregation of the decision maker's preferences in modeling, by multiple-criteria decision-making methods, is more complete, comprehensive, and, in particular, includes considering the decision maker's desires. Therefore, this study puts forward a multidimensional assessment of the risks from underground vaults by generating a decision tool, which ranks the vaults in a risk hierarchy. Multiattribute utility theory was used to achieve this ranking. An application was generated to demonstrate the applicability of the model, under the following aspects of consequences: those that are human, financial, and operational; and disruptions to local vehicular traffic. The use of information arising from analysis of the differences between risks enabled the decision maker to make an in-depth analysis of the range of possibilities over which alternatives may be chosen in order to implement preventive actions.
Article
A major reason for the low practical relevance of statistical decision models is the unrealistic premises underlying them, in particular the high demands placed on the decision maker's state of information. The decision maker's usually only vague knowledge about the set of all alternatives under consideration A={ai}, i=1,2,..,m, the set of possible states of nature S={sj}, j=1,2,..,n, and the consequences that result from choosing an alternative ai when state sj occurs, which are usually expressed as a utility u(ai,sj), is in general not sufficient to set up a decision model of the classical form <A,S,u>.
Article
The "Computer Crime and Security Survey", now in its 7th year, is conducted to raise the level of security awareness, as well as to help determine the scope of computer crime in the United States. For this year's survey, responses came from 503 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities. Data obtained indicate that the threat from computer crime and other information security breaches continues unabated and that the financial toll is mounting.
Book
Introduction.- Background History.- Definitions.- Theory.- Methodology.- Worksheet.- Example 1: Hardware Product FMEA.- Example 2: Functional FMEA.- Level of Detail.- Advantages and Disadvantages.- Common Mistakes to Avoid.- Summary
Article
In technical systems like oil and gas drilling systems, an accident sequence starts with an Initiating Event (IE) and evolves over time through the interaction of barriers in terms of success or failure. As has been dramatically demonstrated in a variety of cases, offshore oil rig activities have severe consequences for people, assets, the environment and reputation. A survey was carried out on a leakage event in the production phase. The barriers of the above IE are assessed by Event Tree Analysis (ETA), which evaluates the sequence of events in a potential accident scenario following the occurrence of an IE. In this research a new approach is proposed to calculate the Failure Probability (FP) of barriers. In this methodology, Reliability Block Diagram (RBD) and Fault Tree Analysis (FTA) are employed to quantify the FP of barriers. RBD is a useful tool to quantify the FP of barriers with a logic diagram; the FP of barriers with a logic diagram is obtained by FTA. However, it is often difficult to estimate the FP of the components precisely due to insufficient data. It has been reported that the availability of FP data pertaining to local conditions is surprisingly limited. In this study, to overcome this problem, expert judgment is used and then fuzzy logic is employed. Therefore, Fuzzy FTA (FFTA) is used to reduce the uncertainty of expert judgment.
Article
This paper concentrates on an information security risk assessment model utilizing an improved wavelet neural network. The structure of a wavelet neural network is similar to the multi-layer neural network, which is a feed-forward neural network with one or more inputs. Afterwards, we point out that the training process of wavelet neural networks is made up of four steps repeated until the value of the error function satisfies a pre-defined error criterion. In order to enhance the quality of information security risk assessment, we propose a modified version of the wavelet neural network which can effectively combine all influencing factors in assessing information security risk by linearly integrating several weights. Furthermore, the proposed wavelet neural network is trained by the BP algorithm in batch mode, and the weight coefficients of the wavelet are modified with the adopting mode. Finally, a series of experiments are conducted to perform a performance evaluation. From the experimental results, we can see that the proposed model can assess information security risk accurately and rapidly.
Book
Multiobjective and Multicriteria Problems and Decision Models.- Multiobjective and Multicriteria Decision Processes and Methods.- Basic Concepts on Risk Analysis, Reliability and Maintenance.- Multidimensional Risk Analysis.- Preventive Maintenance Decisions.- Decision Making in Condition-Based Maintenance.- Decision on Maintenance Outsourcing.- Spare Parts Planning Decisions.- Decision on Redundancy Allocation.- Design Selection Decisions.- Decisions on Priority Assignment for Maintenance Planning.- Other Risk, Reliability and Maintenance Decision Problems.
Article
Ordering fuzzy quantities and comparing them play a key role in many applied models and in particular in decision-making procedures. Although a huge number of studies have been attracted to this field, until now there is no unique accepted method to rank fuzzy quantities. In fact, each proposed method may have some shortcoming. So we are going to present a novel method based on the angle of the reference functions to cover a wide range of fuzzy quantities by overcoming the drawbacks of some existing methods. In the proposed method, firstly, the angle between the left and right membership functions (the reference functions) of every fuzzy set is called the Angle of Fuzzy Set (AFS), and then, in order to extend the ranking to two fuzzy sets, the angles of the fuzzy sets and alpha-cuts are used. The method is illustrated by some numerical examples, and in particular the results of ranking by the proposed method and by some common existing methods for ranking fuzzy sets are compared to verify the advantage of the new approach. In particular, based on the results of comparing our method with well-known methods that exist in the literature, we will see that, unlike most existing ranking approaches, our proposed approach can rank fuzzy numbers that have the same mode and symmetric spreads. In fact, the proposed method in this paper can effectively rank symmetric fuzzy numbers as well as the effective methods which appear in the literature. Moreover, unlike most existing ranking approaches, our proposed approach can rank non-normal fuzzy sets. Finally, we emphasize that the concept of fuzzy ordering plays a key role in establishing numerical algorithms in operations research such as fuzzy primal simplex algorithms and fuzzy dual simplex algorithms, as discussed in the works of Ebrahimnejad and Nasseri and coworkers [1-7].
Conference Paper
Within the fuzzy literature, the issue of ranking fuzzy intervals has been addressed by many authors, who proposed various solutions to the problem. Most of these solutions intend to find a total order on a given collection of fuzzy intervals. However, if one sees fuzzy intervals as descriptions of uncertain quantities, an alternative to rank them is to use ranking rules issued from the imprecise probabilistic literature. In this paper, we investigate ranking rules based on different statistical features (mean, median) and orderings, and relate the obtained (partial) orders to some classical proposals. In particular, we propose a generic expression of stochastic orderings, and then use it to systematically investigate extensions of the most usual stochastic orderings to fuzzy intervals. We also show some relations between those extensions, and explore their relation with existing fuzzy ranking proposals.
Article
A survey of decision-analysis-oriented methods based on the concept of a fuzzy number, is proposed, together with new results likely to improve the reviewed material. Fuzzy numbers are useful to perform sensitivity analysis on utility-based models or scoring methods, when probability or utility values, weights of attributes. . . cannot be precisely estimated but are obtained through verbal statements. Algorithms for computing fuzzy expectations of utility or fuzzy global ratings are provided. Lastly, new possibilistic scalar comparison indices are suggested for the purpose of ranking fuzzy numbers which represent the overall worth of alternative decisions.
Article
Because of the evolution and widespread use of the Internet, organisations are becoming more susceptible to attacks on Information Technology Systems. These attacks result in data losses and alterations, and impact services and business operations. Therefore, to minimise these potential failures, this paper presents an approach to information security risk management, encompassing Failure Mode and Effects Analysis (FMEA) and fuzzy theory. This approach analyses five dimensions of information security: access to information and systems, communication security, infrastructure, security management and secure information systems development. To illustrate the proposed model, it was applied to a University Research Group project. The results show that the most important aspects of information security risk are communication security, followed by infrastructure.
Article
Information security has become a vital entity to most organizations today due to current trends in information transfer through a borderless and vulnerable world. The concern and interest in information security is mainly due to the fact that information security risk assessment (ISRA) is a vital method not only to identify and prioritize information assets but also to identify and monitor the specific threats that an organization induces, especially the chances of these threats occurring and their impact on the respective businesses. However, organizations wanting to conduct risk assessment may face problems in selecting suitable methods that would augur well in meeting their needs. This is due to the existence of numerous methodologies that are readily available. However, there is a lack of agreed reference benchmarking as well as of a comparative framework for evaluating these ISRA methods to assess information security risk. Generally, organizations will choose the most appropriate ISRA method by carrying out a comparative study between the available methodologies in detail before a suitable method is selected to conduct the risk assessment. This paper suggests a conceptual framework of info-structure for ISRA that was developed by comparing and analysing six methodologies which are currently available. The info-structure for ISRA aims to assist organizations in getting a general view of the ISRA flow and in gathering information on the requirements to be met before risk assessment can be conducted successfully. This info-structure can be conveniently used by organizations to complete all the required planning as well as the selection of suitable methods to complete the ISRA.
Article
As software-intensive systems become more and more complex, so does the assessment of the risks that these systems may have on people's businesses, privacy, livelihoods, and very lives. For very large long-lived industrial programmes, such as the Galileo programme of the European Space Agency (ESA), or the French Pentagon programme for the Ministry of Defence, traditional risk management approaches are now reaching their limit. This is true for tooling, but even more so for humans. This paper proposes novel techniques to deal with cognitive scalability issues in risk assessment studies, amongst which graphical extensions to traditional risk management approaches, such as chain diagrams, and the seamless integration of attack trees. Feedback and results were collected from security experts and other stakeholders, in a large industrial context (namely, the Galileo risk assessment programme) and through dedicated research and development demonstrations. The feedback and results show effective improvements with respect to standard practices, even though fine tuning is still needed to reach an adequate and financially acceptable equilibrium between: (i) dealing with a large number of small independent problems; and (ii) maintaining an overall understanding of the system’s risks and risks treatment.
Article
Fault tree analysis has been widely utilized as a tool for nuclear power plant probabilistic safety assessment. This analysis can be completed only if all basic events of the system fault tree have their quantitative failure rates or failure probabilities. However, it is difficult to obtain those failure data due to insufficient data, environment changes or new components. This study proposes a fuzzy-based reliability approach to evaluate basic events of system fault trees for which precise failure probability distributions of their lifetimes to failure are not available. It applies the concept of failure possibilities to qualitatively evaluate basic events and the concept of fuzzy sets to quantitatively represent the corresponding failure possibilities. To demonstrate the feasibility and the effectiveness of the proposed approach, the actual basic event failure probabilities collected from the operational experience of the Davis-Besse design of the Babcock and Wilcox reactor protection system fault tree are used to benchmark the failure probabilities generated by the proposed approach. The results confirm that the proposed fuzzy-based reliability approach arises as a suitable alternative to the conventional probabilistic reliability approach when basic events do not have the corresponding quantitative historical failure data for determining their reliability characteristics. Hence, it overcomes the limitation of conventional fault tree analysis for nuclear power plant probabilistic safety assessment.
Article
This paper explores a risk measure of underground vaults that considers the consequences of arc faults. The increasing use of underground systems, together with the aging of networks, the lack of maintenance and interference from other (third party) underground systems nearby have caused many accidents in urban areas, thus endangering human life. The involvement of a large number (hundreds or thousands) of underground vaults with different characteristics, the lack of historical data on modes of failure, the rarity of the occurrence of some faults, the magnitude of their consequences and the involvement of a complex environment surrounding the hazard zone make risk management even more complex and uncertain. Furthermore, given that the (monetary, time, staff, etc.) resources of an electrical power company are limited and scarce, it is necessary to use decision-making tools that aggregate the consequences and the uncertainties to assess the risks jointly with the preference structure of the company, thus solving the problem more realistically. Therefore, this paper puts forward the use of an additional risk analysis for manhole events in underground electrical distribution networks with a view to its being used as a decision aid tool in risk management. As an illustration of the use of the risk measurement tool proposed, a numerical application is presented. The result rather than showing a ranking of underground vaults, gives a measure of the risk used that can show the decision-maker (DM) how much better one group of alternatives (formed by alternatives with quite similar risk values) is than other groups, based on the DM’s attitude to risk and grounded on the axiomatic structure of utility theory.
Article
For many companies the remaining barriers to adopting cloud computing services are related to security. One of these significant security issues is the lack of auditability for various aspects of security in the cloud computing environment. In this paper we look at the issue of cloud computing security auditing from three perspectives: user auditing requirements, technical approaches for (data) security auditing and current cloud service provider capabilities for meeting audit requirements. We also divide specific auditing issues into two categories: infrastructure security auditing and data security auditing. We find ultimately that despite a number of techniques available to address user auditing concerns in the data auditing area, cloud providers have thus far only focused on infrastructure security auditing concerns.
Article
With the increasing organizational dependence on information systems, information systems security has become a very critical issue in enterprise risk management. In information systems, security risks are caused by various interrelated internal and external factors. A security vulnerability could also propagate and escalate through the causal chains of risk factors via multiple paths, leading to different system security risks. In order to identify the causal relationships among risk factors and analyze the complexity and uncertainty of vulnerability propagation, a security risk analysis model (SRAM) is proposed in this paper. In SRAM, a Bayesian network (BN) is developed to simultaneously define the risk factors and their causal relationships based on the knowledge from observed cases and domain experts. Then, the security vulnerability propagation analysis is performed to determine the propagation paths with the highest probability and the largest estimated risk value. SRAM enables organizations to establish proactive security risk management plans for information systems, which is validated via a case study.
A decision method for systems in which the state of the system and/or the utilities of the alternative actions are known imprecisely is presented. By assuming that these imprecise quantities may be represented using fuzzy sets, a decision procedure is presented which results in the fuzzy set representing an optimal alternative. This set gives us the best alternative and the rating of other alternatives in comparison to the optimal alternative. The computation procedure is illustrated using some examples.
Article
Decision-making for the purpose of adaptation to climate change typically involves several stakeholders, regions and sectors, as well as multiple objectives related to the use of resources and benefits. In the case of adapting to extreme events, modelling of the impact pathways and consequences needs to be conducted in some way. We explore the role of event tree analysis of extreme events in the context of flood protection of critical infrastructure. Experts representing potentially affected infrastructure services are consulted on the usability of the ETA method for providing structured information on flood scenarios, system impacts and consequences, risks and countermeasures. The main users of the analysis results are the asset owners and the local public decision-makers whose joint efforts are usually required to fund and prioritize such measures of adaptation.
Article
This paper analyses the risk probability of an underwater tunnel excavation using an earth pressure balance (EPB) type tunnel boring machine (TBM). An event tree analysis (ETA) has been applied to quantify the risk at the preliminary design stage of the tunnel. Probable results, which may be sequenced from specific initiating events, are analyzed, and adequate general countermeasures (safety functions) are selected to ensure safety against risks. To identify the initiating events, various data on underwater tunneling such as empirical analyses; design reports; case studies of practical problems; numerical analyses and model test results; and hydrological analysis results were used. Event trees corresponding to three significant initiating events were constructed. Each event tree consists of five countermeasures that construct 32 paths, and the probability of each path is calculated. A quantitative risk assessment was performed and the occurrence probabilities and criticalities of the paths depending on the initiating events were considered. Based on these ETA results, it was found that the selected underwater tunnel site still has a considerable probability of accidents in spite of common countermeasures. Based on the evaluated risks, improved target probabilities are proposed to reduce the probability of disaster during construction. Additional countermeasures, in other words mitigation actions, corresponding to the new target are considered. As a result, technical risks and economical losses of property can be minimized in a systematic way. It was found that the ETA is an effective method for the evaluation and quantitative analysis of probable risks and for the proposition of countermeasures for hazardous environmental conditions such as the underwater tunnel.
Article
The UK government took a bruising in the headlines (Sep 2008) after a Home Office contractor lost a USB stick containing unencrypted data on all 84,000 prisoners in England and Wales. As a result, the Home Office terminated the £1.5 million contract with the management consultancy firm. The world woke up to the largest attempted bank fraud ever when the UK's National Hi-Tech Crime Unit foiled the world's largest potential bank robbery in March 2005. With the help of the security supervisor, thieves masquerading as cleaning staff installed hardware keystroke loggers on computers within the London branch of a Japanese bank, to steal £220m. It is indeed sobering to imagine that any organisation could fall victim to such events and the damage an insider can do. The consulting firm lost the contract worth £1.5 million due to a small mistake by an employee. The London branch of the Japanese bank would have lost £220 million had the crime not been foiled. Insider threat is a reality. Insiders commit fraud or steal sensitive information when motivated by money or revenge. Well-meaning employees can compromise the security of an organisation with their overzealousness in getting their job done. Every organisation has a varied mix of employees, consultants, management, partners and complex infrastructure, and that makes handling insider threats a daunting challenge. With insider attacks, organisations face potential damage through loss of revenue, loss of reputation, loss of intellectual property or even loss of human life. The insider threat problem is more elusive and perplexing than any other threat. Assessing the insider threat is the first step to determine the likelihood of any insider attack. Technical solutions do not suffice since insider threats are fundamentally a people issue.
Therefore, a three-pronged approach (technological, behavioural and organisational assessment) is essential in facilitating the prediction of insider threats and pre-empting any insider attack, thus improving the organization's security, survivability, and resiliency in light of insider threats.
Conference Paper
The economics of information security has recently become a thriving and fast-moving discipline. As distributed systems are assembled from machines belonging to principals with divergent interests, incentives are becoming as important to dependability as technical design. The new field provides valuable insights not just into security topics such as privacy, bugs, spam, and phishing, but into more general areas such as system dependability (the design of peer-to-peer systems and the optimal balance of effort by programmers and testers), and policy (particularly digital rights management). This research program has been starting to spill over into more general security questions (such as law-enforcement strategy), and into the interface between security and the social sciences. Most recently it has started to interact with psychology, both through the psychology-and-economics tradition and in response to phishing. The promise of this research program is a novel framework for analyzing information security problems, one that is both principled and effective.
Article
Results of research into the use of fuzzy sets for handling various forms of uncertainty in the optimal design and control of complex systems are presented. A general approach to solving a wide class of optimization problems containing fuzzy coefficients in objective functions and constraints is described. It involves a modification of traditional mathematical programming methods and is associated with formulating and solving one and the same problem within the framework of mutually conjugated models. This approach allows one to maximally cut off dominated alternatives from below as well as from above. The subsequent contraction of the decision uncertainty region is associated with reduction of the problem to multicriteria decision making in a fuzzy environment. The general approach is applied within the context of a fuzzy discrete optimization model that is based on a modification of discrete optimization algorithms. Prior to application of these algorithms there is a transition from a model with fuzzy coefficients in objective functions and constraints to an equivalent analog with fuzzy coefficients in objective functions alone. The results of the paper are of a universal character and are already being used to solve problems of power engineering.
Article
We propose here to extend the decision trees method to the case when the involved data (probabilities, cost, profits, losses) appear as words belonging to the common language whose semantic representations are fuzzy sets. First we discuss the reasons why such an extension is to be aimed at. Then in the fuzzy case we carry out a reformalization of the basic concepts of probability and utility theory. Finally we show how these reformalized concepts can be applied to fuzzy decision trees.
Article
In this paper an insider attack is considered to be deliberate misuse by those who are authorized to use computers and networks. Applying this definition in real-life settings to determine whether or not an attack was caused by an insider is often, however, anything but straightforward. We know very little about insider attacks, and misconceptions concerning insider attacks abound. The belief that “most attacks come from inside” is held by many information security professionals, for example, even though empirical statistics and firewall logs indicate otherwise. This paper presents a framework based on previous studies and models of insider behavior as well as first-hand experience in dealing with insider attacks. This framework defines relevant types of insider attack-related behaviors and symptoms—“indicators” that include deliberate markers, meaningful errors, preparatory behaviors, correlated usage patterns, verbal behavior and personality traits. From these sets of indicators, clues can be pieced together to predict and detect an attack. The presence of numerous small clues necessitates the use of quantitative methods; multiple regression equations appear to be a particularly promising approach for quantifying prediction.
Article
Many ranking methods have been proposed so far. However, there is yet no method that can always give a satisfactory solution to every situation; some are counterintuitive, not discriminating; some use only the local information of fuzzy values; some produce different rankings for the same situation. For overcoming the above problems, we propose a new method for ranking fuzzy numbers by distance method. Our method is based on calculating the centroid point (), where the distance means from original point to the centroid point (), and the index is the same as Murakami et al.'s. However, the index is integrated from the inverse functions of an LR-type fuzzy number. Thus, we use ranking function (distance index) as the order quantities in a vague environment. Our method can rank more than two fuzzy numbers simultaneously, and the fuzzy numbers need not be normal. Furthermore, we also propose the coefficient of variation (CV index) to improve Lee and Li's method [Comput. Math. Appl. 15 (1988) 887–896]. Lee and Li rank fuzzy numbers based on two different criteria, namely, the fuzzy mean and the fuzzy spread of the fuzzy numbers, and they pointed out that human intuition would favor a fuzzy number with the following characteristics: higher mean value and at the same time lower spread. However, when higher mean value and at the same time higher spread, or lower mean value and at the same time lower spread, exists, it is not easy to compare its orderings clearly. Our CV index is defined as CV = σ (standard error)/μ (mean), which can overcome Lee and Li's problem efficiently. In this way, our proposed method can also be easily calculated by the “Mathematica” package to solve problems of ranking fuzzy numbers. At last, we present three numerical examples to illustrate our proposed method, and compare with other ranking methods.
Article
The paper presents a decision model for risk assessment and for risk ranking of sections of natural gas pipelines based on multi-attribute utility theory. Pipeline hazard scenarios are surveyed and the reasons for a risk assessment model based on a multi-attribute approach are presented. Three dimensions of impact and the need to translate decision-makers’ preferences into risk management decisions are highlighted. The model approaches these factors by using a multi-attribute utility function, in order to produce multi-dimensional risk measurements. By using decision analysis concepts, this model quantitatively incorporates the decision-maker's preferences and behavior regarding risk within clear and consistent risk measurements. In order to support the prioritizing of critical sections of pipeline in natural gas companies, this multi-attribute model also allows sections of pipeline to be ranked into a risk hierarchy. A numerical application based on a real case study was undertaken so that the effectiveness of the decision model could be verified.
Article
As a continuation of the first part related to the first and second class of ordering approaches, this paper deals with the fulfilment of reasonable properties in the third class of ordering approaches. To do so we briefly introduce fuzzy relations, on which the third class of approaches is based. Then we recall some transitivity-related concepts and an ordering procedure based on an acyclic fuzzy relation. Acyclicity is a very weak restriction on a fuzzy relation. We prove that many fuzzy relations used for the comparison of fuzzy quantities satisfy some conditions stronger than acyclicity. So we give a widely applicable formulation to derive a total ranking order from a fuzzy relation. With our formulation we examine all the ordering indices in the third class with respect to the proposed axioms in part I.
Article
This work aims at the discussion of reasonable properties for the ordering of fuzzy quantities. In the fuzzy literature more than 35 indices exist for the comparison of fuzzy quantities. To grasp this amalgam of indices we split them up into three classes (with linguistic approaches excluded). In this paper we briefly introduce the ordering indices in the first and second class. Based on these indices some ways to formulate the ranking orders among fuzzy quantities are suggested. Then we propose some axioms which serve as the reasonable properties to figure out the rationality of an ordering procedure. Finally, we check all the ordering indices in the first and second class to see whether the proposed axioms are fulfilled or not.
Article
Using expert judgment data from the TU Delft's expert judgment database, we compare the performance of different weighting schemes, namely equal weighting, performance-based weighting from the classical model [Cooke RM. Experts in uncertainty. Oxford: Oxford University Press; 1991.], social network (SN) weighting and likelihood weighting. The picture that emerges with regard to SN weights is rather mixed. SN theory does not provide an alternative to performance-based combination of expert judgments, since the statistical accuracy of the SN decision maker is sometimes unacceptably low. On the other hand, it does outperform equal weighting in the majority of cases. The results here, though not overwhelmingly positive, do nonetheless motivate further research into social interaction methods for nominating and weighting experts. Indeed, a full expert judgment study with performance measurement requires an investment in time and effort, with a view to securing external validation. If high confidence in a comparable level of validation can be obtained by less intensive methods, this would be very welcome, and would facilitate the application of structured expert judgment in situations where the resources for a full study are not available. Likelihood weights are just as resource intensive as performance-based weights, and the evidence presented here suggests that they are inferior to performance-based weights with regard to those scoring variables which are optimized in performance weights (calibration and information). Perhaps surprisingly, they are also inferior with regard to likelihood. Their use is further discouraged by the fact that they constitute a strongly improper scoring rule.
Article
In this note we look at a certain theoretically sound motivation behind the common use of triangular (and trapezoidal) membership functions. The studies are completed within a conceptual framework of fuzzy modelling whose structure comprises input and output interfaces linked with a single transformation module aimed at processing linguistic information. It is shown that under some additional mild assumptions these triangular fuzzy sets comply with a request for a uniformly excited codebook in the case of the input interfaces and a satisfaction of a zero-error reconstruction criterion being formulated for the output interface.
Article
A fuzzy set is a class of objects with a continuum of grades of membership. Such a set is characterized by a membership (characteristic) function which assigns to each object a grade of membership ranging between zero and one. The notions of inclusion, union, intersection, complement, relation, convexity, etc., are extended to such sets, and various properties of these notions in the context of fuzzy sets are established. In particular, a separation theorem for convex fuzzy sets is proved without requiring that the fuzzy sets be disjoint.
Article
This paper deals with the problem of ranking n fuzzy subsets of the unit interval. A number of methods suggested in the literature is reviewed and tested on a group of selected examples, where the fuzzy sets can be nonnormal and/or nonconvex. The ranking is obtained from: (i) the index of strict preference defined by Watson, (ii) three indexes proposed by Yager, (iii) the algorithm used by Chang, (iv) three versions of the α-preference index suggested by Adamo, (v) the index defined by Baas and Kwakernaak, (vi) three modified versions used by Baldwin and Guild, (vii) the method proposed by Kerre, (viii) three forms of the index suggested by Jain, (ix) the four grades of dominance studied by Dubois and Prade. In simple cases the results are good for all the methods, with some exceptions. In questionable cases, where the decision must probably be modelled in accordance with the context in which it is imbedded, the best indexes seem to be the dominances suggested by Dubois and Prade. These indexes do not force any particular choice, but clearly describe the situation, hence allowing the decision-maker himself to make his ‘best’ choice.
Conference Paper
Decision making problems in security risk assessment are often associated with multiple criteria and multiple decision makers. In the proposed approach, decision making by multiple decision makers has been considered under uncertain conditions. An optimization model is used to assess criteria weights and then to rank risks. The different preference information from different decision makers is first transformed into uniform fuzzy preference relations and aggregated. Then ranking or selection of the alternatives reflects the decision makers’ subjective preference based on the objective decision information. It has been found that using fuzzy set theory to represent uncertainties in a multiple-participant, multi-criteria environment is very promising. The practices indicate that fuzzy group decision making techniques provide concepts and theoretical results that are valuable in formulating and solving problems in security risk assessment.