Article

Abstract

This paper proposes a risk analysis model for information security assessment, which identifies and evaluates the sequence of events (referred to as alternatives) in a potential accident scenario following the occurrence of an initiating event corresponding to abuses of Information Technology systems. To perform this evaluation, this work suggests the use of Event Tree Analysis combined with fuzzy decision theory. The contributions of the present proposal are: the development of a taxonomy of events and scenarios; the ranking of alternatives based on the criticality of the risk, considering financial losses; and finally, the provision of information regarding the causes of information system attacks of highest managerial relevance for organizations. We include an illustrative example of a data center to demonstrate the applicability of the proposed model. To assess its robustness, we analyzed twelve alternatives considering two different methods of setting the probabilities of occurrence of events. Results showed that deliberate external attacks on database services represent the riskiest alternative.


... Seven articles focus on information security risk analysis in government, three on educational institutions, one on civil engineering companies, one on e-commerce in particular, two on cloud computing, and the others on information systems in general. [Table of reviewed studies grouped by application domain (Government, Education Institution, ...) truncated in this excerpt] ...
... There is one study that compares quantitative and qualitative methods [11]. [Table of reviewed studies grouped by method (Quantitative, Hybrid, ...) truncated in this excerpt] However, the results of this study represent that the number of related articles fluctuated. ...
... Based on the first research question of this study, the focus is on developing new analytical techniques, models, and frameworks (see Table 2). One research used a combination of analysis techniques, namely Event Tree Analysis (ETA) and Fuzzy Decision Theory [13]. Particular research also combined Fault Tree Analysis (FTA), Decision Theory, and Fuzzy Decision Theory [17]. ...
Article
Full-text available
Background: Information security is essential for organisations, hence the risk assessment. Information security risk assessment (ISRA) identifies, assesses, and prioritizes risks according to organisational goals. Previous studies have analysed and discussed information security risk assessment. Therefore, it is necessary to understand the models more systematically. Objective: This study aims to determine types of ISRA and fill a gap in literature review research by categorizing existing frameworks, models, and methods. Methods: The systematic literature review (SLR) approach developed by Kitchenham is applied in this research. A total of 25 studies were selected, classified, and analysed according to defined criteria. Results: Most selected studies focus on implementing and developing new models for risk assessment. In addition, most are related to information systems in general. Conclusion: The findings show that there is no single best framework or model because the best framework needs to be tailored according to organisational goals. Previous researchers have developed several new ISRA models, but empirical evaluation research is needed. Future research needs to develop more robust models for risk assessments for cloud computing systems. Keywords: Information Security Risk Assessment, ISRA, Security Risk
... Knapp et al., [4] highlighted that the main security issues concerning modern data centers are particularly in regards to data center management, operations and physical security as well as disaster planning. According to [4][5][6][7] all disastrous threats that caused major business disruptions and damages to organizations, discussed by past researches were targeted at data centers. As a result, the security of data centers has become an utmost concern for both the government and the ICT industry with the increased societal reliance on internet-based cloud computing to provide secure and affordable storage. ...
... As a result, the security of data centers has become an utmost concern for both the government and the ICT industry with the increased societal reliance on internet-based cloud computing to provide secure and affordable storage. Thus, it is crucial for organizations to be able to predict the security risks and implement effective strategies to reduce them by implementing a systematic approach in managing information security [6][7][8][9][10] and the first step to ensure this is to identify the potential information security threats faced by the data centers effectively. This will enable organizations to apply right strategies and tactics to ensure successful information security management to protect organizational goal by curbing digital disruption [11]. ...
... Studies conducted previously on threats identification mainly were focused on specific areas such as insider threats, human threats, network front or general in nature. There were very few studies conducted on data center security [6] as only very few scholarly articles are available and none on the data centers in the Malaysian public sector. ...
Article
Full-text available
Data centers are primarily the main targets of cybercriminals and security threats as they host various critical information and communication technology (ICT) services. Identifying the threats and managing the risks associated with data centers have become a major challenge as this will enable organizations to optimize their resources to focus on the most hazardous threats to prevent the potential risks and damages. The objective of this paper is to identify major ICT security threats to data centers in the Malaysian public sector and their causes. The data for this study was collected through interview sessions. A total of 33 respondents from various government organizations were interviewed. The results revealed that the technical threats, spyware, phishing, bluesnarfing threats, social engineering and virus, trojan, malware, ransomware, viral websites threats are the major categories of threats often encountered by the Malaysian public sector organizations. The causes for these threats are lack of budget, competent personnel, and manpower for security tasks, user awareness; lack of compliances and monitoring; insufficient security policies and procedures as well as deliberate cyber attacks. The outcome of this study will give a greater degree of awareness and understanding to the ICT security officers, who are entrusted with data center security.
... A lot of attention has been devoted to solving the problem of estimating the likelihood of occurrence of a threat and the corresponding impact. For example, several methods have been proposed using different techniques like Bayesian networks [20], attack path graphs [21], fuzzy logic [22], probabilistic model checking [23], vulnerability assessments [24], Monte Carlo simulations [6], [7], and others. Next we provide a brief description of some of the aforementioned methods, highlighting the differences with MAGIC as well as the possible common aspects. ...
... • Risk analysis based on fuzzy decision theory [22]: the first step of this approach is to identify an expert; then, a taxonomy of events and scenarios has to be defined (second step). Finally, the expert builds a matrix with potential accidents on the rows and possible scenarios on the columns: each entry of the matrix has to be filled with a probability that the accident takes place in a certain scenario. ...
Article
Full-text available
The assessment of cyber risk plays a crucial role for cybersecurity management, and has become a compulsory task for certain types of companies and organizations. This makes the demand for reliable cyber risk assessment tools continuously increasing, especially concerning quantitative tools based on statistical approaches. Probabilistic cyber risk assessment methods, however, follow the general paradigm of probabilistic risk assessment, which requires the magnitude and the likelihood of incidents as inputs. Unfortunately, for cyber incidents, the likelihood of occurrence is hard to estimate based on historical and publicly available data; so, expert evaluations are commonly used, which however leave space to subjectivity. In this paper, we propose a novel probabilistic model, called MAGIC (Method for AssessinG cyber Incidents oCcurrence), to compute the likelihood of occurrence of a cyber incident, based on the evaluation of the cyber posture of the target organization. This allows deriving tailor-made inputs for probabilistic risk assessment methods, like HTMA (How To Measure Anything in cybersecurity risk), FAIR (Factor Analysis of Information Risk) and others, thus considerably reducing the margin of subjectivity in the assessment of cyber risk. We corroborate our approach through a qualitative and a quantitative comparison with several existing methods.
... A lot of attention has been devoted to solving the problem of estimating the likelihood of occurrence of a threat and the corresponding impact. For example, several methods have been proposed using different techniques like Bayesian networks [20], attack path graphs [21], fuzzy logic [22], probabilistic model checking [23], vulnerability assessments [24], Monte Carlo simulations [7], [8], and others. ...
... Therefore, MAGIC might be seen, with some adaptations, as an alternative method allowing to bypass the need of experts, rather than a completely different approach. • Risk analysis based on fuzzy decision theory [22]: the first step of this approach is to identify an expert; then, a taxonomy of events and scenarios has to be defined (second step). Finally, the expert builds a matrix with potential accidents on the rows and possible scenarios on the columns: each entry of the matrix has to be filled with a probability that the accident takes place in a certain scenario. ...
Preprint
The assessment of cyber risk plays a crucial role for cybersecurity management, and has become a compulsory task for certain types of companies and organizations. This makes the demand for reliable cyber risk assessment tools continuously increasing, especially concerning quantitative tools based on statistical approaches. Probabilistic cyber risk assessment methods, however, follow the general paradigm of probabilistic risk assessment, which requires the magnitude and the likelihood of incidents as inputs. Unfortunately, for cyber incidents, the likelihood of occurrence is hard to estimate based on historical and publicly available data; so, expert evaluations are commonly used, which however leave space to subjectivity. In this paper, we propose a novel probabilistic model, called MAGIC (Method for AssessinG cyber Incidents oCcurrence), to compute the likelihood of occurrence of a cyber incident, based on the evaluation of the cyber posture of the target organization. This allows deriving tailor-made inputs for probabilistic risk assessment methods, like HTMA (How To Measure Anything in cybersecurity risk), FAIR (Factor Analysis of Information Risk) and others, thus considerably reducing the margin of subjectivity in the assessment of cyber risk. We corroborate our approach through a qualitative and a quantitative comparison with several classical methods.
... Deficiencies in the ICT infrastructure of these services contribute significantly to the increase of harmful attacks on health organizations that also adopt the strategy of promoting their services remotely [11]. Thus, the ICT infrastructure is a crucial factor in developing cybersecurity analysis to implement telehealth systems [12][13][14][15]. The importance of considering vulnerabilities is often associated with the risk of losses, corruptions, inappropriate changes, and theft of data, with information and documents that affect the integrity of medical diagnoses delivered to the patient, which can cause serious damage to the health of the individual [16]. ...
... The work uses different methods (Failure Mode and Effects Analysis and Grey Theory). [13] proposes a risk model for information security that identifies and evaluates the sequence of events in scenarios related to the abuse of information technology systems. ...
Article
Full-text available
Hospital organizations have adopted telehealth systems to expand their services to a portion of the Brazilian population with limited access, mainly due to the geographical distance between their communities and hospitals. The importance and usage of those services have increased recently due to the COVID-19 state-level mobility interventions. These services work with sensitive and confidential data, containing medical records, medication prescriptions, and results of diagnostic processes. Understanding how cybersecurity impacts the development of telehealth strategies is crucial for creating secure systems on daily-based operations. In the application reported in this article, the Fuzzy Cognitive Maps (FCMs) translated the complexity of cybersecurity in telehealth services into intelligible and objective results in an expert-based cognitive map. The tool also allowed the construction of scenarios simulating the possible implications caused by common factors that affect telehealth systems. FCMs provide a better understanding of cybersecurity strategies using expert knowledge and scenario analysis, enabling the maturation of cybersecurity in telehealth services.
... Fuzzy sets theory was proposed by Lotfi Zadeh in 1965 [44]. This theory is used for mathematical modeling of uncertainties in real-world phenomena in various spheres such as "multicriteria decision-making," "pattern classification," and "time series" [44][45][46][47]. ...
Article
Full-text available
Websites are considered as the core infrastructure of e-government, so evaluating the quality of websites assists organizations to provide high-quality online services to citizens. For this purpose, this paper is seeking to design a model that enables any organization to evaluate the quality of its websites and identify its strengths and weaknesses. The proposed model includes nine main indexes including “website design,” “responsiveness quality,” “security,” “content and information quality,” “participation,” “trust,” “maintenance and support,” “services” and “usability,” alongside with 85 indicators. Since some of indexes and indicators possess intrinsic uncertainties so “fuzzy set theory” was applied to model the problem's ambiguity. “Analytic hierarchy process” and “PROMETHEE” methods were applied to weigh and rank indexes and indicators respectively. After designing the model, it was used for assessing the websites of five metropolitan municipalities of Iranian cities to spot their strengths and weaknesses.
... However, despite the benefits that this structure offers, there are vulnerabilities that can threaten the integrity of the stored data and cause enormous harm to patients. According to [37], four types of attacks can occur during communication established in telemedicine services: interruption, interception, modification, and fabrication. ...
... Audit and Accountability [32][33][34][35][36][37]: Audit Events; Review, Analysis, and Reporting. Generates audit records containing information that establishes what type of event occurred, when the event occurred, and where the event occurred. ...
Article
Full-text available
The purpose of this paper is to propose a framework for cybersecurity risk management in telemedicine. The framework, which uses a bow-tie approach for medical image diagnosis sharing, allows the identification, analysis, and assessment of risks, considering the ISO/TS 13131:2014 recommendations. The bow-tie method combines fault tree analysis (FTA) and event tree analysis (ETA). The literature review supported the identification of the main causes and forms of control associated with cybersecurity risks in telemedicine. The main finding of this paper is that it is possible, through a structured model, to manage risks and avoid losses for everyone involved in the process of exchanging medical image information through telemedicine services. Through the framework, those responsible for the telemedicine services can identify potential risks in cybersecurity and act preventively, recognizing the causes even as, in a mitigating way, identifying viable controls and prioritizing investments. Despite the existence of many studies on cybersecurity, the paper provides theoretical contributions to studies on cybersecurity risks and features a new methodological approach, which incorporates both causes and consequences of the incident scenario.
... In the area of computer security several works have been developed; for example, in the University of Pernambuco in Brazil, a risk analysis model for information security was designed incorporating fuzzy decision theory [5]. Likewise, a framework for the government of information security in cloud computing services was established in order to define processes that systematize related security aspects [6]. ...
... Several jobs have been developed in the field of computer security; for example, at the University of Pernambuco in Brazil, a risk analysis model for information security was designed incorporating fuzzy decision theory [5]. ...
Article
Full-text available
The objective of this project is to design an information security model applicable to higher education institutions that allows effective control of their processes. The development of the project starts with the characterization of the different existing processes in the higher education institutions of the Norte de Santander, Colombia, it is compared with the standards or good practices of security of the existing information, which allows structuring the elements that make up the model of information security for higher education institutions and, finally, the validation of the model designed in a higher education institution.
... In this stage, assessment of risk consequences becomes more complex. The vulnerability level can be escalated by the relationships among risk factors [5,16,17]. A risk model is developed to describe security controls' dependencies and vulnerability propagation among these controls [7,8,16,17,18]. This model is represented as a dependency graph. ...
... The vulnerability level can be escalated by the relationships among risk factors [5,16,17]. A risk model is developed to describe security controls' dependencies and vulnerability propagation among these controls [7,8,16,17,18]. This model is represented as a dependency graph. ...
... Finally, risk assessment models rely predominantly on probability models, which form the basis for informed decision making related to risk in many areas. Gusmão, Silva, Silva, Poleto, and Costa (2016) propose a risk analysis model for information security based on Decision Theory. Although these authors use the ETA/FTA method, their model is based solely on the criterion of financial losses. ...
... This paper expands on the research deriving from the study conducted by Gusmão et al. (2016), in which a cybersecurity risk analysis model, developed through the integration of decision theory and fuzzy logic, was proposed. Further, detection of scenarios that lead to hazards was structured using fault tree analysis. ...
Article
Cybersecurity is defined as information security aimed at averting cyberattacks, which are among the main issues caused by the extensive use of networks in industrial control systems. This paper proposes a model that integrates fault tree analysis, decision theory and fuzzy theory to (i) ascertain the current causes of cyberattack prevention failures and (ii) determine the vulnerability of a given cybersecurity system. The model was applied to evaluate the cybersecurity risks involved in attacking a website, e-commerce and enterprise resource planning (ERP), and to assess the possible consequences of such attacks; we evaluate these consequences, which include data dissemination, data modification, data loss or destruction and service interruption, in terms of criteria related to financial losses and time for restoration. The results of the model application demonstrate its usefulness and illustrate the increased vulnerability of e-commerce to cybersecurity attacks, relative to websites or ERP, due partly to frequent operator access, credit transactions and users' authentication problems characteristic of e-commerce.
... Using methods such as borrowing, transformation, and innovation can help visitors experience tradition, experience the region, and understand culture from multiple angles and ways. Secondly, we must pay attention to the use of some regional symbols, combining intuition and indirectness, and combining sensibility and cultural heritage to form a unique visual language [31]. ...
Article
Full-text available
In the context of the rapid development of Internet of Things technology, urban cultural communication and information security have become a new focus in the field of landscape design. This paper innovatively discusses the landscape design of urban cultural communication based on Internet of Things regional information security, aiming at building a safe and culturally rich urban landscape environment. Taking the unique regional culture of Zhangjiajie as an example, this study evaluated the cultural communication effect of landscape design under information security guarantee through in-depth case analysis and field investigation, combined with Internet of Things information security technology. The results show that the cluster head node strategy has significant advantages in resisting physical capture attacks, especially when the number of sensor nodes captured is less than 2000, the information loss rate is less than 0.1. This discovery not only improves the level of information security in the Internet of Things environment, but also provides technical support for the effective dissemination of urban culture. In addition, through the detailed analysis and evaluation of landscape, this study further reveals the important role of landscape design in regional cultural inheritance. To sum up, this study not only provides a new perspective for urban landscape design, but also provides practical guidance for the protection and dissemination of urban culture in the era of Internet of Things.
... Given the above, we can conclude that public information resources completely dominate in the offline space, and the opposition is online [16][17][18][19][20][21]. This may indicate that the elderly population of Belarus is probably not in favor of protests and changes in the country, unlike the young population [22], the main source of information is the Internet. ...
Article
Full-text available
Mass civil protests continue to shake the authoritarian regimes of Eastern Europe. The events that began in August 2020 after the presidential election in Belarus once again prove that society is changing dynamically, unlike the government. Therefore, the authorities are in dire need not only of violently suppressing protests and destroying the opposition but also of providing informational support for their actions to reduce tensions in society.
... The use of quantitative probabilistic risk assessment methods based on statistical models is rather common. However, these methods usually rely on external [1]- [3] and/or calibrated [4]- [6] experts' estimates. Moreover, these estimates usually require the availability of past data regarding the organization under exam [7]. ...
... Later, De Gusmão et al. [35] improved the risk analysis model of Feng et al. [12] by incorporating a mechanism to overcome uncertainty factors when determining the vulnerability level. The risk analysis model identified and evaluated a series of risk events, along with several alternatives, in potential incident scenarios after an initial incident resulting from the misuse of information technology. ...
Article
Full-text available
Background: Business process redesign (BPR) is typical in organizations and is followed by adaptive maintenance on supporting applications. However, BPR leads to information security vulnerabilities that can propagate to its supporting applications. Methods: This study proposes a new method called Node Strength-based Vulnerability Modeling (NSVM) for modeling security vulnerability propagation in the business processes and IT service layers. We applied the concept of social network strength to build our propagation model. The propagation model is needed to predict the impact of BPR on application vulnerabilities. We chose e-commerce applications as a case study. We evaluated the vulnerability propagation model by comparing the predicted vulnerability scores from the model with the actual scores of e-commerce applications in the National Vulnerability Database. Results: Our experimentation indicates that the propagation strength between nodes is influenced by Common Weakness Enumerations (CWEs) between them. Thus, the vulnerability propagation model can predict vulnerability scores at module nodes in the IT service layer. In the NSVM, the best prediction scores were obtained by aggregating the adjacency and initial scores using the maximum principle approach. The best evaluation results yield mean absolute error (MAE), root mean squared error (RMSE), and mean squared error (MSE) scores of 0.60, 1.44, and 1.16, respectively. Conclusion: Our study shows that the vulnerability propagation model with an adaptive mechanism based on BPR can be used to predict security vulnerability scores as the impact of business process redesign.
... However, this method could not provide the best scheme in accordance with the decision's risk level. In 2016, Ana et al. [36] proposed a fuzzy decision theory-based information security risk assessment method, which could select appropriate schemes for different risk levels through ETA and fuzzy decision theory. However, the suitable selection of a scheme requires an accurate assessment of the risk level. ...
Article
Full-text available
The rapid development of urban informatization is an important way for cities to achieve a higher pattern, but the accompanying information security problem has become a major challenge restricting the efficiency of urban development. Therefore, effective identification and assessment of information security risks has become a key factor in improving the efficiency of urban development. In this paper, an information security risk assessment method based on fuzzy theory and neural network technology is proposed to help identify and solve the information security problem in the development of urban informatization. Combined with the theory of information ecology, this method establishes an improved fuzzy neural network model from four aspects by using fuzzy theory, a neural network model and the DEMATEL method, and then constructs the information security risk assessment system of a smart city. According to this method, this paper analyzed 25 smart cities in China, and provided suggestions and guidance for information security control in the process of urban informatization construction.
... Task level: With the operations' impact scores assigned, these values are then propagated to the tasks in the FIRE graph by using a fuzzy aggregation operator [31]. Fuzzy methods have been commonly used for security risk evaluation, as they better represent the likelihoods of threats and impacts [32]. We utilize the Hamacher sum as the fuzzy aggregator operator. ...
Article
Full-text available
Life-critical embedded systems, including medical devices, are becoming increasingly interconnected and interoperable, providing great efficiency to the healthcare ecosystem. These systems incorporate complex software that plays a significantly integrative and critical role. However, this complexity substantially increases the potential for cybersecurity threats, which directly impact patients’ safety and privacy. With software continuing to play a fundamental role in life-critical embedded systems, maintaining its trustworthiness by incorporating fail-safe modes via a multimodal design is essential. Comprehensive and proactive evaluation and management of cybersecurity risks are essential from the very design to deployment and long-term management. In this paper, we present FIRE, a finely integrated risk evaluation methodology for life-critical embedded systems. Security risks are carefully evaluated in a bottom-up approach from operations-to-system modes by adopting and expanding well-established vulnerability scoring schemes for life-critical systems, considering the impact to patient health and data sensitivity. FIRE combines a static risk evaluation with runtime dynamic risk evaluation to establish comprehensive risk management throughout the lifecycle of the life-critical embedded system. We demonstrate the details and effectiveness of our methodology in systematically evaluating risks and conditions for risk mitigation with a smart connected insulin pump case study. Under normal conditions and eight different malware threats, the experimental results demonstrate effective threat mitigation by mode switching with a 0% false-positive mode switching rate.
... In order to evaluate its robustness, they considered two different methods for setting the probability of occurrence of events and analyzed twelve alternatives. However, the information security assessment risk analysis model they proposed is too complicated, and errors may occur in the calculation process [2]. Runtime security is a hot spot in current cyberspace security research, especially embedded terminals, such as smart hardware and wearable and mobile devices. ...
Article
Full-text available
After a mobile phone virus infects the mobile phone, it can transmit the real-time information of the user to a designated place set by the virus through the built-in recorder and camera on the mobile phone, thereby causing information leakage. With the rapid development of the Internet, the penetration rate of mobile terminals is also increasing day by day. As an emerging mobile terminal, smart phones have now fully occupied the market. With this trend, the importance of mobile phone information security is also increasing day by day. How to prevent mobile phone viruses has gradually become an important issue. Trojan horse crime cases have different manifestations and behavioral characteristics from traditional cases. They have the characteristics of low crime cost, high income, high concealment, novel criminal methods, and great difficulty in detection, which brings greater difficulties to the public security organs in their investigation and detection. Current research on mobile phone virus behavior is still in the preliminary stage, and some existing detection models can only target random networks. Trojan horses, viruses, and malicious software for smartphones have sprung up like mushrooms after rain, seriously infringing on the data security of mobile communication terminals such as mobile phones and causing incalculable losses to users. This paper proposes a naive Bayesian algorithm to mine the clues of the criminal cases of mobile phone Trojans. It helps detect and discover new viruses at the beginning of an attack, allowing them to be more effectively defended against and contained. Based on the feature set data extracted from the network data packets, it conducts an in-depth analysis of the current business behaviors of mobile phone Trojans, such as propagation and implantation, remote control, leakage of user privacy information, and malicious ordering, and extracts their behavior characteristics. Thus, unknown mobile Trojan horses that are taking place can be detected. The experimental results of the naive Bayesian classification algorithm proposed in this paper show that the algorithm improves the accuracy of mobile phone Trojan virus mining by 28%, which plays a significant role.
... This model is very common in our daily life, and most of the color images we usually see are based on this model. To make the color model more robust to illumination, the chrominance information and brightness information of the color must be separated from each other (27). As a result, people have developed several color models that separate chroma and brightness from each other. ...
Article
The continuous development of the social economy has stimulated an increase in the standard of living and increased the demand for consumption, with the result that the demand for high-quality and safe food has continued to increase. So-called food safety means that the food people eat under certain conditions will not harm human health. Frequent food safety incidents have highlighted the seriousness of my country's food safety problems and exposed loopholes in my country's food safety supervision. This article aims to study the construction of an Internet of Things based safety information traceability system for the food industry chain, researching the RFID, GPS, and sensor technologies within Internet of Things technology, and also conducting some research on the modules of the food industry chain safety information traceability system. This paper proposes integrating Internet of Things technology into the construction of the food industry chain safety information traceability system. First, a detailed analysis of some of the technologies that may be used is carried out, followed by a survey of people on food safety and other aspects and a satisfaction survey of the food traceability system. The experimental results in this article show that 40% of women pay more attention to food safety. In the satisfaction survey of the food safety traceability system based on Internet of Things technology, it was recognized by more than 20% of the people.
... Third party intervention. An analysis of information system risk identifies deliberate external database attacks as the vital risks [54]. Human failure is the prime reason for third party intervention, which can be categorized as security abuses. ...
Article
The increasing use of Information Technology (IT) has led to many security and other related failures in the banks and other financial institutions in Bangladesh. In this paper, we investigated the factors contributing to the failure in the IT system of the banking industry in Bangladesh. Based on the experts' opinions and weight on the specified evaluating criteria, an empirical test was conducted using rough set theory to produce a framework for the IT system failure factors. In this study, an extended approach involving the integration of rough set theory based flexible Failure Mode and Effect Analysis (FMEA) and the Technique for Order of Preference by Similarity to Ideal Solution (TOPSIS) has been applied to help the managers of the corresponding field to identify the factors responsible for the failure of the IT system in the banking industries and then prioritize them accordingly, for the ease of decision-making. In this research, eleven such failure factors were identified, which were then quantitatively analyzed to facilitate managers in crucial decision-making. It was observed that cyber-attack, database hack risks, server failure, network interruption, broadcast data error, and virus effect were the most significant factors for the failure of the IT system. The framework developed in this research can be utilized to assist in efficient decision-making in other service industries where IT systems play a key role. To the best of our knowledge, this is the first study that empirically tested key failure factors of the IT system for the banking sector using an integrated method.
... analysis of the information security dimensions [15], namely: access control, infrastructure, and management of information security techniques. Further details can be seen in Table 2. Table 2. Information security dimensions A.5, A.6, A.12, A.13, A.14, A.15 A fuzzy assessment of the information security dimensions was then carried out; the calculation is based on the results of the previous assessment, as explained in Table 3 below: Table 3. Triangular fuzzy values for the information security dimensions information security is at the Initial level, i.e. all processes have been carried out fairly well, but the policy documentation has not yet been prepared in accordance with the information security standard. ...
Article
The business process of an organization can't be done properly without appropriate information management, in which information is an important asset that needs to be protected with the utmost care and concern. Information security is a way to protect information from large scale threats, thus ensuring the sustainability of the organization's operations, reducing business risks and increasing business opportunity and return on investment. This research is conducted to measure the accountability of ISO 27001 in assisting the organization to document the information security policy. ISO/IEC 27001:2005 is a standard of information security that is widely used, openly accepted and implemented, and suitable for providing rules related to implementation and evaluation of the information security system. The assessment from ISO controls and objectives will be converted into a triangular fuzzy number to help in the analysis. The fuzzy number is used to simplify the measurement. The result shows that the organization is not yet complying with the standard procedures of the Information Security Management System, so it is necessary to document the security policy based on the ISO 27001 framework standard.
... Information security investment decisions, including the ones discussed above, are essentially about managing risk (Gusmão, Silva, Silva, Poleto, & Costa, 2016), and research performed over several decades by decision scientists provides solid evidence that behavioral factors play a prominent role in managing and mitigating risk in various contexts (Slovic, 2010). Despite these well-established findings, factors related to risk behaviors have remained mostly unexplored in the literature of security investment. ...
Article
Information resources are becoming increasingly important to individuals and organizations, and ensuring their security is a major concern. While research in information security has adopted primarily a quantitative method to determine how and how much to invest in security, most decision makers rely on non-quantitative methods for this purpose, thereby introducing a considerable amount of as yet unexplained subjective judgment to the problem. We use a behavioral decision making approach to investigate factors causing possible inefficiencies of security spending decisions. Decision makers in our experiment performed a series of economic games featuring the key characteristics of a typical security problem. We found several biases in investment decisions. For budgeting their investment between major classes of security measures, decision makers demonstrated a strong bias toward investing in preventive measures rather than in detection and response measures, even though the task was designed to yield the same return on investment for both classes of measures. We term this phenomenon the “Prevention Bias.” Decision makers also reacted to security threats when the risk was so small that no investment was economically justified. For higher levels of risk that warranted some security investment, decision makers showed a strong tendency to overinvest. Theoretical and practical implications of the findings are discussed.
... Moreover, they provide a reliable means for integrating both quantitative and qualitative knowledge. Many researchers have applied fuzzy methods and systems to diminish the subjective nature of qualitative assessments (de Gusmão, Silva, Silva, Poleto, & Costa, 2016). These methods have been widely used in many areas such as nature, society, economics, energy, medicine, material, pharmacology sciences, agriculture, chemistry, computer science, engineering, physics, geology, finance, military and entertainment (Lan et al., 2017). ...
Article
The performance analysis of healthcare supply chain management (SCM) has become extremely important as healthcare systems have begun to struggle to enhance operational efficiency and diminish costs. The aim of this study was to measure healthcare SCM in accordance with competency-based operation evaluation. The study was organized as a hierarchical structure based on the main processes, sub-processes, and their operations of healthcare SCM. It is considerably difficult to quantify the competency of an operation. Therefore, a fuzzy model was developed to measure healthcare SCM performance according to competency-based operation evaluation. The fuzzy model consisted of evaluation and measurement levels. The first level assessed the operations, measuring the competency of each operation using a fuzzy heuristic algorithm. The second level measured the performance of healthcare SCM using a fuzzy rule-based system established on the performance of the main SCM processes. This model was used to measure the performance of SCM and evaluate the activities of five hospitals operating in Bishkek, Kyrgyzstan. The findings were determined to be helpful for healthcare systems to identify and enhance weak processes and their sub-processes in order to provide competitive advantage against competitors.
... critical) business processes. If it occurs, a threat that exploits the vulnerability in question leads to the loss of confidentiality, availability, and integrity of protected information resources (De Gusmão, Silva, Silva, Poleto, & Costa, 2016). Loss caused by information security risks can be quantified, for example, by the amount of lost profits or the costs of restoring lost data. There is also an approach to qualitatively assessing loss based on the use of an impact scale. ...
... Combined event tree analysis (ETA) with the fuzzy theory is another method for information security risk assessment which was studied by De Gusmão et al. (2016). ...
... The final row of the table calculates the total risk analyzed due to all attack types, i.e. the overall risk that a web application can have due to the successful execution of SQL injection attacks. This risk analysis methodology provides the estimation of the risk within a specified range (5)(6)(7)(8)(9)(10)(11)(12)(13)(14)(15)(16)(17)(18)(19). This evaluation helps in deciding the risk associated with web application under consideration. ...
Article
For all intents and purposes, web applications with a basic database are vulnerable to SQLi (Structured Query Language injection) attacks. Privately owned businesses increasingly depend on online environments and secure internet-based applications designed for information exchange. However, the safety of these applications depends on awareness and critical examination of potential threats. A SQLi attack is a noteworthy threat to a web-based application and its underlying databases. These attacks gain entry to web application database servers with the help of SQL commands, placing confidential data, business strategies, financial records, and applications at risk. The challenge before application developers and researchers is to analyze and compute the risk posed to these applications. The proposed methodology provides a risk analysis computation that determines the numeric value of probability and impact on a web application due to SQL injection attacks. The probability is calculated by the practical execution of SQL injection attack methods on the web application. A fuzzy logic system is employed as a computational strategy to determine the impact. The contribution of this quantitative risk analysis methodology is the introduction of new metrics which capture the impact and calculate the attack-wise risk associated with the application ahead of time.
... To address imprecision, subjectivity and vagueness inherent in linguistic assessment of likelihood and impact, some works have adopted decision theory and fuzzy logic. For instance, De Gusmao et al. (2016) developed an approach to security risk analysis that combines decision theory and fuzzy logic. Shameli-Sendi et al. (2012) consider the fuzzy MCDM problem to effectively perform information security risk analysis. ...
Article
The new general data protection regulation requires organizations to conduct a data protection impact assessment (DPIA) when the processing of personal information may result in high risk to individual rights and freedoms. DPIA allows organizations to identify, assess and prioritize the risks related to the processing of personal information and select suitable mitigations to reduce the severity of the risks. The existing DPIA methodologies measure the severity of privacy risks according to analysts’ opinions about the likelihood and the impact factors of the threats. The assessment is therefore subjective to the expertise of the analysts. To reduce subjectivity, we propose a set of well-defined criteria that analysts can use to measure the likelihood and the impact of a privacy risk. Then, we adopt the fuzzy multi-criteria decision-making approach to systematically measure the severity of privacy risks while modeling the imprecision and vagueness inherent in linguistic assessment. Our approach is illustrated for a realistic scenario with respect to LINDDUN threat categories.
... To calculate the performance indicator for the information system, one needs to assemble a group of indicators that show the state of the information system; identify critical values for each indicator with due regard to the assessment scale; develop software or an additional module for the existing corporate information system to use in practice the performance indicators of the information system; and design a method for evaluating the obtained results [5]. ...
Article
Information provision for a company’s management system not only provides data for evaluating day-to-day operations but also is an efficient tool for improving the reliability of the entire management system. For purposes of efficiently managing projects for implementing modern information provision, the company should design a formalized model for assessing the relationship between project-related financial costs and the number of automated business processes in place at the company. This paper proposes using a mathematical model that contains financial indicators such as net present value, cash flows, and discount rates. Thanks to lower investment risks, the model will improve the economic efficiency of investment projects as part of implementing information provision at the company.
... Various RA studies have been carried out in the field of information security [3,4,6,7,26,27]. Today, information systems have a complex, intricate structure and common use. ...
Article
Risk analysis (RA) comprises several methodologies that aim to ensure the protection and safety of occupational stakeholders. Multi attribute decision-making (MADM) is one of the most important RA methodologies and is applied to several areas from manufacturing to information technology. With the widespread use of computer networks and the Internet, information security has become very important. Information security is vital as institutions are mostly dependent on information, technology, and systems. This requires a comprehensive and effective implementation of information security RA. Analytic hierarchy process (AHP) and technique for order preference by similarity to ideal solution (TOPSIS) are commonly used MADM methods and have recently been used for RA. In this study, a new RA methodology is proposed based on AHP–TOPSIS integration extended with Pythagorean fuzzy sets. AHP strengthened by interval-valued Pythagorean fuzzy numbers is used to weigh risk parameters with expert judgment. Then, TOPSIS with Pythagorean fuzzy numbers is used to prioritize previously identified risks. A comparison of the proposed approach with three approaches (classical RA method, Pythagorean fuzzy VIKOR and Pythagorean fuzzy MOORA) is also provided. To illustrate the feasibility and practicality of the proposed approach, a case study for information security RA in the corrugated cardboard sector is executed.
... On the other hand, Sugeno method is computationally efficient and works well with optimization and adaptive techniques, which makes it very attractive in control problems, particularly for dynamic nonlinear systems. The main Mamdani structure of a fuzzy inference consists of the following three steps: Fuzzification; Inference engine and Defuzzification [12]. The Matlab software package was used to apply the fuzzy logic system to model a fuzzy risk matrix assessment methodology ...
... The risk analysis model employs a Bayesian network and ant colony optimization techniques to represent risk factors and defined vulnerability propagation paths based on the knowledge from observed cases and domain experts. Other research has proposed a similar mechanism, but by using fuzzy decision theory [62]. Besides observation and experts, this paper has taken advantage of events and their cause-consequence relations to add value in the quality of assessment process. ...
Chapter
Vulnerability assessment is the essential and well-established process of probing security flaws, weaknesses and inadequacies in a computing infrastructure. The process helps organisations to eliminate security issues before attackers can exploit them for monetary gains or other malicious purposes. The significant advancements in desktop, Web and mobile computing technologies have widened the range of security-related complications. It has become an increasingly crucial challenge for security analysts to devise comprehensive security evaluation and mitigation tools that can protect the business-critical operations. Researchers have proposed a variety of methods for vulnerability assessment, which can be broadly categorised into manual, assistive and fully automated. Manual vulnerability assessment is performed by a human expert, based on a specific set of instructions that are aimed at finding the security vulnerability. This method requires a large amount of time, effort and resources, and it is heavily reliant on expert knowledge, something that is widely attributed to being in short supply. The assistive vulnerability assessment is conducted with the help of scanning tools or frameworks that are usually up-to-date and look for the most relevant security weakness. However, the lack of flexibility, compatibility and regular maintenance of tools, as they contain static knowledge, renders them outdated and does not provide the beneficial information (in terms of depth and scope of tests) about the state of security. Fully automated vulnerability assessment leverages artificial intelligence techniques to produce expert-like decisions without human assistance and is by far considered as the most desirable (due to time and financial reduction for the end-user) method of evaluating a system's security. Although highly desirable, such techniques require additional research in improving automated knowledge acquisition, representation and learning mechanisms. Further research is also needed to develop automated vulnerability mitigation techniques that are capable of actually securing the computing platform. The volume of research being performed into the use of artificial intelligence techniques in vulnerability assessment is increasing, and there is a need to provide a survey into the state of the art.
... With the published paper "fuzzy sets" by Zadeh (1965), fuzzy set theory was widely considered as a new way for modeling more realistic decision models (de Gusmão et al., 2016). Fuzzy set theory provides a language with syntax and semantics. ...
Article
Bayesian network (BN) has been proven to be an excellent method that can describe relationships between different parameters and consequences to mitigate the likelihood of accidents. Nevertheless, the application of BN is limited due to subjective probability and static structure. In reality, available crisp probabilities for BN are generally insufficient, and the system under consideration cannot be precisely described since the knowledge of the underlying phenomena is incomplete, which introduces data uncertainties. Furthermore, conventional BNs have static structures, which gives the model structure uncertainties. This paper presents a Dynamic BN-based risk analysis model to characterize the epistemic uncertainty and illustrates it through a case on offshore kick failure. Linguistic variables are transformed into probabilities to represent data uncertainties by applying fuzzy sets and evidence theory. Structural uncertainties caused by conditional dependencies and static models were addressed by utilizing dynamic BN. Based on the model, a robust probability updating and dynamic risk analysis are conducted, through which critical events with potential risks of causing accidents are identified and a dynamic risk profile is obtained. The case study indicates that it is a comprehensive approach for quantitative risk analysis in offshore industries under uncertainties.
... Compared with qualitative methods, quantitative methods are more intuitive and reasonable. However, it is very difficult to reach a state of full quantization due to the lack of statistical data [23]. The above gives a brief idea of the differences between quantitative and qualitative risk assessments [24]. ...
Article
In virtue of the rapid development of the Internet of Things (IoT), organizations have grown to rely on their cyber systems and networks. However, this phenomenon also creates many new information security issues. In this paper, we propose an evolutionary algorithm, improved cuckoo search (ICS), to pre-train a back-propagation neural network (BPNN) for the sake of improving accuracy and stability. Using this pre-training process, the BP neural network can surmount the defect of falling into local minima and greatly improve its efficiency. Then, this neural network is used as a part of the information security risk assessment (ISRA) process for a miniature IoT system. An illustrative example is introduced to demonstrate that the ICS-BPNN outperforms other neural networks in this ISRA process.
Article
This paper aims to analyze the intellectual structure and research fronts in application information security in smart cities to identify research boundaries, trends, and new opportunities in the area. It applies bibliometric analyses to identify the main authors and their influences on information security and the smart city area. Moreover, this analysis focuses on journals indexed in the Scopus database. The results indicate that there is an opportunity for further advances in the adoption of information security policies in government institutions. Moreover, the production indicators presented herein are useful for the planning and implementation of information security policies and for the scientific community's knowledge about smart cities. The bibliometric analysis provides support for the visualization of the leading research technical collaboration networks among authors, co-authors, countries, and research areas. The methodology offers a broader view of application information security in smart city areas and makes it possible to assist new research that may contribute to further advances. The smart cities topic has been receiving much attention in recent years, but to the best of our knowledge, there is no research reporting new possibilities for advances. Therefore, this article may contribute to an emerging body of literature that explores the nature of application information security and smart cities research productivity, to assist researchers in better understanding the current emergence of the area.
Conference Paper
As Cybersecurity continues to have a significant impact on modern society, there is a pressing need for a more comprehensive research agenda in Information Systems (IS). In this study, we conducted a thorough literature review of prominent IS journals to identify gaps in Cybersecurity research practices. Our findings indicate that there is a significant gap between research and practice, particularly in terms of focus on Cybersecurity behavioural factors in the past decade. To address this gap, we recommend that future Cybersecurity research in IS should adopt a broader perspective that incorporates relevant sociotechnical knowledge areas and theories. We provide an example of Cybersecurity research topics that go beyond behavioural aspects and suggest mapping of Cybersecurity sociotechnical research knowledge areas in Information Systems to guide future research efforts. This study highlights the importance of broadening the scope of Cybersecurity research in IS to address the complex Cybersecurity challenges in contemporary practice.
Chapter
The external information security resource allocation method is proposed considering the non-cooperation of multiple cities. In this method, the effects of different influence factors, for example, city size, probability of intrusion by illegal users and propagation probability of one-time intrusion on resource allocation are explored. Through the simulation experiment, the proposed conclusions are conveniently and clearly verified. Keywords: Information security; External resource; Allocation method; Non-cooperation
Chapter
Based on the discussion of related concepts and technical theories, the information security resource allocation influencing factors index system is constructed from four aspects: resources, threat sources, vulnerabilities and security measures. With the further analysis of information security factors and their affecting mechanisms, the basic theoretical framework of information security resource allocation is established based on the evolutionary game. Under this framework, the subject relationship in various situations is analyzed. This research work can conduct a reasonable allocation of resources related to information security. Keywords: Smart city; Information security; Resource allocation; Evolutionary game
Chapter
In the modern conditions of the digital economy, the efficiency of the enterprise management system is based on the constant optimization of the movement of information flows. Enterprise management activity is a set of business processes, the functioning of which is based on the movement of information. The information resource management system is allocated within the framework of a single complex of information support for the management system. The development and implementation of a complex of information flow management in a particular enterprise depends on various factors: the organizational structure, the field of activity, the significance of specific information. The main criterion for the quality of management is the efficiency of processing stream processes. Reducing the processing time of documents can be a problem of queuing theory. It is necessary to implement this task under the condition of a systematic construction of information support. To effectively manage the quality of the service provided, it is necessary to build a mathematical model that describes the operator's work on collecting and processing information flows, based on the mathematical apparatus of the theory of queuing in systems with expectation. The most important problem remains the integration of the information support system of management processes into a single information management system of the organization. These issues can be solved when designing the information support of the information flow management system based on the process approach. Keywords: Distribution law; Information flow; Information management system; Mathematical expectation; Variance
Article
In 2019, the International Journal of Information Management (IJIM) celebrated its 40th year of publication. This study commemorates this event by presenting a retrospect of the journal. Using a range of bibliometric tools, we find that the journal has grown impressively in terms of publication and citation. The contributions come from all over the world, but the majority are from Europe and the United States. The journal has mostly published empirical articles, with its authors dominantly using quantitative methodology. Further, the culture of collaboration has increased among authors over the years. The journal publishes on a number of topics, including managing information systems, information technologies and their application in business, technology acceptance among consumers, using information systems for decision making, social perspectives on knowledge management, and information research from the social science perspective. Regression analysis reveals that article attributes such as article order, methodology, presence of authors from Europe, number of references, number of keywords, and abstract length have a significant association with citations. Finally, we find that conceptual and review articles have a positive association with citations.
Article
This study was conducted with the aim of ranking each aspect of information security risk management. At the first stage, the dimensions and the characteristics of each were identified based on the research literature and expert opinions. In order to rank the factors under study using a hybrid approach combining FEMA and Gray theory, 50 questionnaires were collected among IT, software, and network experts chosen based on the researchers' judgement and accessibility. According to the results, the security of communications was ranked first. Infrastructure of hardware and network, human factors, security management, access to information and systems, and the development of secure information systems were ranked second to sixth, respectively. Therefore, it is recommended that organizations set up an independent security department within the organization. Also, providing a list of all the information assets of the organization and specifying control and strategic goals in the area of information security in the organization can be useful for organizations. Moreover, if the organization has several branches and needs an internet connection, communications should preferably be made available as a VPN. In addition, if organizations have web automation for outside usage, the site should be licensed with SSL and the https protocol.
Article
Purpose: This paper aims to examine optimal decisions for information security investments for a firm in a fuzzy environment. Under both sequential and simultaneous attack scenarios, the optimal investment of the firm, the optimal efforts of attackers and their economic utilities are determined. Design/methodology/approach: Throughout the analysis, a single firm and two attackers are considered, in a "firm as a leader" sequential game setting and a "firm versus attackers" simultaneous game setting. While the firm makes investments to secure its information assets, the attackers spend their efforts to launch breaches. Findings: It is observed that the firm needs to invest more when it announces its security investment decisions ahead of attacks. In contrast, the firm can invest relatively less when all agents are unaware of each other's choices in advance. Further, the study reveals that attackers need to exert higher effort when no agent enjoys the privilege of being a leader. Research limitations/implications: In a novel approach, the inherent system vulnerability of the firm, the financial benefit of attackers from the breach and the monetary loss suffered by the firm are considered as fuzzy variables in the well-recognized Gordon–Loeb breach function, with the help of the fuzzy expectation operator. Practical implications: This study reports that the optimal breach effort exerted by each attacker is proportional to its obtained economic benefit for both sequential and simultaneous attack scenarios. A set of numerical experiments and sensitivity analyses complement the analytical modeling. Originality/value: In a novel approach, the inherent system vulnerability of the firm, the financial benefit of attackers from the breach and the monetary loss suffered by the firm are considered as fuzzy variables in the well-recognized Gordon–Loeb breach function, with the help of the fuzzy expectation operator.
Article
Organizations use information systems to automate their processes. Similar to other types of information systems, hospital information systems face a variety of risks (i.e. potential hazards to human health). For responding to such risks, a practical fuzzy risk assessment framework is developed under the business continuity management concepts. The proposed framework benefits from a fuzzy multi-criteria decision-making method and a fuzzy inference system to quantify and analyze the uncertain information gathered from experts. A procedure for developing suitable business continuity plans is also presented. Finally, the applicability of the proposed framework is demonstrated through a real case study.
Article
Full-text available
The security risk management framework is an essential part of strategic management for government agencies. It allows a government to systematically identify and address the risks associated with its activities to achieve sustainability across the different activities of security risk management. The goal of security risk management is to add sustainable value to government activities and reduce the chance of security breaches. Applying security risk management techniques to government projects can increase the chances of success, help achieve objectives, and assist in finding preventive solutions for future projects. The application of security risk management is profitable for government agencies because it sets specific risk management objectives that are based on the broader overall strategy. It contributes to the achievement of strategic objectives with mechanisms like Spearman's rank correlation coefficient and simple linear regression. These techniques can improve decision-making, planning and implementation of government activities, as well as reduce the negative consequences of present threats. It is recommended to apply the integrated security risk management framework proposed in this paper to increase the effectiveness of security risk management in government agencies. Also, using quantitative and intelligent techniques in the analysis and estimation of security risks can help managers make decisions regarding security issues in government agencies.
Article
Full-text available
With the rapid development of modern information technology, the health care industry is entering a critical stage of intelligence. Faced with growing health care big data, information security issues are becoming more and more prominent in the management of smart health care, and the problem of patient privacy leakage is the most serious. Therefore, strengthening the information management of intelligent health care in the era of big data is an important part of the long-term sustainable development of hospitals. This paper first identified the key indicators affecting the privacy disclosure of big data in health management, and then established a risk access control model based on fuzzy theory, which was used for the management of big data in intelligent medical treatment and solved the problem of inaccurate experimental results due to the lack of real data when dealing with actual problems. Finally, the model is compared with the results calculated by the fuzzy toolset in Matlab. The results verify that the model is effective in assessing the current safety risks and predicting the range of different risk factors, and the prediction accuracy can reach more than 90%.
Article
Full-text available
During the initial literature review on this research question, areas of focus included the following:
• Current qualitative and quantitative methodologies for technology risk analysis.
• Business applications for expanding the use of qualitative and quantitative technology and security risk models.
• Implementation of qualitative and quantitative technology and security risk analysis methodologies and models by practitioners.
Information Technology (IT) risk analysis has become an integral part of the enterprise risk management systems in many organizations. However, many companies have struggled to effectively implement these systems. This has become a serious problem in many cases where governmental regulations, industry requirements, and even contractual language for doing business have increasingly included technology risk management obligations that companies must meet. Currently, technology risk management is not as mature a field as IT Audit or Information Security, which have had professional certification processes for over 23 years. Technology risk management, on the other hand, has had similar certifications for less than 10 years. As such, many of the current technology risk management practitioners have come from other fields, which has made it difficult to construct a common body of knowledge on which technology risk management systems can be built. In many cases, such factors, as well as others, are making it difficult to implement technology risk management systems. This research will seek to evaluate those factors in more detail to determine the common ones that have the most impact on the success of technology risk management projects and make recommendations for overcoming the factors that limit the success of these projects.
Article
Full-text available
In recent years, financial institutions have had a strong need for an instrument for risk management. Several committees on banking supervision require that institutions have a reliable rating scale for the probability of default. The most important step is the transition towards the Internal Ratings-Based (IRB) approach. This paper presents an approach to estimate the implied probability of default (PD) and classify it into the desired credit scale. The calculation of PD is based on Newton's method, and classification is done by a competitively trained neural network.
Chapter
Information Security (IS) Risk Assessment is a main part of risk analysis; it helps organizations make decisions to protect their Information Technology (IT) services and underlying IT assets from potentially adverse events. How to do assessment in this context, however, is not a well-defined task. Some approaches provide guidelines but leave analysts to define how to implement them, leading to different mechanisms to identify input data, different procedures to process those inputs, and different results as a consequence. To address this problem, we present a semiautomatic procedure, based on data systematically obtained from modern IT Service Management (ITSM) tools used by IT staff to handle IT services' assets and configurations. We argue that these tools handle actual data that may be used to collect inputs for an IS risk assessment procedure, thus reducing subjective values. We evaluated the procedure in a real case study and found that our approach actually reduces the variability of some results. We also identified areas that must be addressed in future work.
Article
Full-text available
The information security issue has become a global problem and has raised the concerns of both researchers and practitioners. When security incidents occur, there is a risk that national military secrets or confidential information of corporations will leak out and cause serious damage to the collective. This paper aims to explore the knowledge structure, development, and future trend of the information security area by providing a comprehensive review of the present information security risk (ISR) literature. The visualization analysis was conducted on journal literature from the Web of Science, IEEE, ACM and Scopus databases, and the results were mapped into the I-model. Based on 2748 articles, evaluation methods, e.g., frequency statistics, clustering coefficient, as well as centrality calculation, are employed to analyze all of the interrelated matrices, which are supported by CiteSpace. Some useful outcomes for a variety of objectives are shown at a significant level, such as author, country/territory, cluster, institute as well as reference. Synthetic analysis has demonstrated the future research trend on ISR. For researchers and practitioners, our study suggests an analysis of integrated visualization in terms of knowledge and innovation in the area of ISR.
Chapter
Full-text available
Security and reliability of information technologies have emerged as major concerns nowadays. Risk assessment, an estimation of the negative impacts that might be imposed on a network by a series of potential sources, is one of the main tasks to ensure security and is performed either statically or dynamically. Static risk assessment cannot satisfy the requirements of real-time and ubiquitous computing networks as it is pre-planned and does not consider upcoming changes such as the creation of new attack strategies. However, dynamic risk assessment (DRA) considers real-time evidence, being capable of diagnosing abnormal events in changing environments. Several DRA approaches have been proposed recently, but it is unclear which technique fits best into IT scenarios with different requirements. Thus, this chapter introduces recent trends in DRA by analyzing 27 works and proposes a decision guide to help IT managers in choosing the most suitable DRA technique considering three illustrative scenarios: regular computer networks, the internet of things, and industrial control systems.
Conference Paper
Full-text available
Soft targets and crowded places are closely related to a high risk of violent attack. Among experts, soft targets are known as objects or events where a large group of people is concentrated at the same place and where special security measures have not been integrated into processes. Soft targets can be objects of many different types. Generally, we can say that these objects have similar characteristics. Among the characteristics of soft targets is the presence of a considerable number of persons at the same time in the same area. In addition, these kinds of objects have not implemented adequate security and safety measures in their processes. This proposal of an analytical tool, a software solution, was developed for assessing the current state of such objects. The main aim of the proposed solution is to support operators in the decision-making process and improve the security situation at soft targets. This analytical tool is designed for static analysis, which is based on comparing the characteristics of the object and of the incident.
Chapter
Full-text available
This paper surveys six different varieties of methodology for choosing one of a fixed number of alternative actions in the context of uncertainty about which of a fixed number of possible states of the world actually holds, where the outcome of each alternative action depends on the state of the world. The six approaches differ from one another primarily in their assumptions about the quality and quantity of information that is available regarding (a) the relative possibility or likelihood of the various states of the world, and (b) the relative utility of the various outcomes defined by (action, state) pairs.
Article
Full-text available
Six different varieties of methodology are surveyed for choosing one of a fixed number of alternative actions in the context of uncertainty. Within this context a fixed number of possible states of the world can actually hold, where the outcome of each alternative action is dependent on the state of the world. The six approaches differ from each other primarily in their assumptions about the quality and quantity of information that is available regarding: the relative possibility or likelihood of the various states of the world, and the relative utility of the various outcomes defined by (action, state) pairs. The six approaches are illustrated using a single example. Finally, the prospects for an integrated approach to decision support that is sensitive to the quality and quantity of information are discussed, and some fruitful areas for further research are suggested.
Article
Full-text available
The use of biotelemetry methods can provide information on animal behaviour, movement ecology and energetics. However, deployment of biotelemetry equipment on free-living animals incurs risk of damage or loss, which can result in high cost and low sample sizes. To facilitate the uptake of these methods, we have recognized the need for a prescribed procedure for assessing failure risk in biotelemetry studies. Here, we have adapted a commonly used technique in industry and engineering, Event Tree analysis, to facilitate risk estimation and deployment procedure critique. This method can incorporate the use of fuzzy logic to accommodate the uncertainty and scarcity of technical data that are often associated with animal biotelemetry equipment and techniques. Alternatively, probabilistic data may be used for procedures where appropriate models have been established. To encourage the adoption of this method by the scientific community, we have developed a freeware program, Biotelemetry Event Tree (BET). We advocate the use of this method, in the interests of scientific robustness and animal welfare.
Article
Full-text available
This paper explores the risk perceptions of key stakeholders in SMEs when making decisions on technology investments. Current literature focuses on the nature of the technology from a technical perspective and its associated benefits to the SME. We seek to make a contribution that builds on the small but growing body of work which views technology investment decisions as the outcome of a process of both objective and subjective risk assessment. Evidence presented in this paper suggests that subjective elements play an important part in assessing technology risks. Our empirical findings are that both e-business experience and the role of the decision-maker within the firm influence risk perception, whereas sector differences are more modest. One implication of our findings is that policy interventions should be more sensitive and targeted at different types of stakeholders (owners, IT professionals and other individuals) rather than at the sector in which the SME operates.
Article
Full-text available
Developing emergency and disaster management systems is an important issue in our "computer society". The primary issue is how to share information about a current disaster and the status of resource allocation for emergency management. System continuity management is another important disaster-related issue. Furthermore, we should consider a solution for constructing a trust network in a disaster situation. In this paper, we focus on security issues that confront IT systems during disasters. The security issues include privacy breaches in a disaster situation. We summarize these security and privacy issues in the context of three major areas of operation: information gathering, network access, and system continuity management. Then we provide the results of a survey on techniques for solving these issues.
Article
Full-text available
Information protection is of paramount importance in today's world. From information involving the highest level of government administration and national security, to information existing at the level of the private company in the form of trade secrets or personal data, all are under the constant threat of being compromised. In this study, the researchers attempt to evaluate the information security maturity level and provide a clear, thoughtful analysis of the information security landscape of the Malaysian Public Service (MPS) organizations. This study uses convenience sampling, with the required data collected from 970 targeted individuals through a self-administered survey. In addition, a survey questionnaire is utilized to gauge the security landscape and to further understand the occurrence of incidents, the sources of attack, and the types of technical safeguard. Findings revealed that the most frequent security incidents experienced by the MPS were spamming (42%), followed by attacks by malicious code (41%). Twenty-five percent of incidents originated from within the organizations, 15% originated from outside, and 11% were from a mixture of internal and external sources. Also, 49% of incidents were from sources unknown to the respondents. The most deployed safeguards by the MPS were found to be firewalls (95%), followed by anti-virus software (92%), and access control to information systems (89%). Findings on the maturity level show that 61% of respondents are at Level 3, followed by 21% at Level 2, where the information security processes are still considered an Information and Communication Technology (ICT) domain. At the higher end of the continuum lie 13% at Level 4 and 1% at Level 5.
Article
Full-text available
Looking at modern theories in management science and business administration, one recognizes that many of these conceptions are based on decision theory in the sense of von Neumann and Morgenstern. However, empirical surveys reveal that normative decision theory is hardly used in practice to solve real-life problems. This neglect of recognized classical decision concepts may be caused by the fact that the information necessary for modeling a real decision problem is not available, or the cost of getting this information seems too high. Subsequently, decision makers (DMs) abstain from constructing decision models. As fuzzy set theory offers the possibility to model vague data as precisely as a person can describe them, many decision models with fuzzy components have been proposed in the literature since 1965. But in my opinion only fuzzy consequences and fuzzy probabilities are important for practical applications. Therefore, this paper is restricted to these subjects. It is shown that decision models with fuzzy utilities and/or fuzzy probabilities are suitable for obtaining realistic models of real-world decision situations. Moreover, we propose appropriate instruments for selecting the best alternative and for compiling a ranking of the alternatives. As fuzzy sets are not well ordered, this should be done in the form of an interactive solution process, where additional information is gathered in correspondence with the requirements and under consideration of cost-benefit relations. This procedure leads to a reduction of information costs.
Article
Full-text available
This article is the first of two whose goal is to advance the discussion of IS risk by addressing limitations of the current IS risk literature. These limitations include:
• inconsistent or unclear definitions of risk,
• limited applicability of risk models,
• frequent omission of the temporal nature of risk, and
• lack of an easily communicated organizing framework for risk factors.
This article presents a general, but broadly adaptable model of system-related risk. The companion article, Volume 14, Article 2 [Sherer and Alter, 2004], focuses on IS risk factors and how these factors can be organized. This article starts by identifying criteria for a general, but broadly applicable risk model. It compares alternative conceptualizations of risk and provides clarifications of the definitions of risk and of different treatments of goals, expectations, and baselines for assessing risk. It presents several of the risk models in the IS literature and discusses the temporal nature of risk. Based on that background it presents a general and broadly adaptable model of risk that encompasses:
• goals and expectations,
• risk factors and other sources of uncertainty,
• the operation of the system or project whose risks are being managed,
• and the resulting financial gains or losses.
The model's adaptability allows users to eliminate facets that are not important for their purposes. For example, the majority of current practitioners would probably think of risk in terms of negative outcomes rather than the full distribution of possible outcomes. A comparison of the general model with other risk models in the IS literature shows that it covers most of the ideas expressed by previous IS risk models while also providing a practical approach that managers can use for thinking about IS risk at whatever level of detail makes sense to them.
Article
Full-text available
This paper presents an approach enabling economic modelling of information security risk management in contemporary businesses and other organizations. In a world of permanent cyber attacks on ICT systems, risk management is becoming a crucial task for minimizing the potential risks that can endanger their operation. The prevention of the heavy losses that may happen due to cyber attacks and other information system failures in an organization is usually associated with continuous investment in different security measures and the purchase of data protection systems. With the rise of the potential risks, investment in security services and data protection is growing and is becoming a serious economic issue for many organizations and enterprises. This paper analyzes several approaches enabling assessment of the necessary investment in security technology from the economic point of view. The paper introduces methods for identification of the assets, the threats and the vulnerabilities of ICT systems and proposes a procedure that enables selection of the optimal investment in the necessary security technology based on the quantification of the values of the protected systems. The possibility of using the approach for external insurance based on the quantified risk analyses is also provided.
Article
Full-text available
An approach to solving optimization problems with fuzzy coefficients in objective functions and constraints is described. It consists in formulating and solving one and the same problem within the framework of mutually related models, constructing equivalent analogs with fuzzy coefficients in the objective functions alone. It enables one to maximally cut off dominated alternatives "from below" as well as "from above". Since the approach is applied within the context of fuzzy discrete optimization problems, several modified algorithms of discrete optimization are discussed. These algorithms are associated with the method of normalized functions, are based on a combination of formal and heuristic procedures, and allow one to obtain quasi-optimal solutions after a small number of steps, thus overcoming the computational complexity posed by the NP-completeness of discrete optimization problems. The subsequent contraction of the decision uncertainty regions is associated with reduction of the problem to multiobjective decision making in a fuzzy environment using techniques based on fuzzy preference relations. The techniques are also directly applicable to situations in which the decision maker is required to choose alternatives from a set of explicitly available alternatives. The results of the paper are of a universal character and can be applied to the design and control of systems and processes of different purposes as well as the enhancement of corresponding CAD/CAM systems and intelligent decision making systems. The results of the paper are already being used to solve problems of power engineering.
Article
Full-text available
Despite the well-documented and emerging insider threat to information systems, there is currently no substantial effort devoted to addressing the problem of internal IT misuse. In fact, the great majority of misuse countermeasures address forms of abuse originating from external factors (i.e. the perceived threat from unauthorized users). This paper suggests a new and innovative approach to dealing with insiders who abuse IT systems. The proposed solution estimates the level of threat that is likely to originate from a particular insider by introducing a threat evaluation system based on certain profiles of user behaviour. However, a substantial amount of work is required in order to materialize and validate the proposed solutions.
Article
Even though an underground electricity distribution system is safer than an overhead system, several accidents have occurred in such systems. Assessing the risk of hundreds or even thousands of underground vaults is a hard task. Furthermore, given the large variability in external and internal environments and, hence, the wide range of possible consequences when an accident occurs, an approach to risk assessment from a multidimensional view is required. Moreover, in terms of decision making, the aggregation of the decision maker's preferences in modeling by multiple-criteria decision-making methods is more complete and comprehensive and, in particular, takes the decision maker's desires into account. Therefore, this study puts forward a multidimensional assessment of the risks from underground vaults by generating a decision tool which ranks the vaults in a risk hierarchy. Multiattribute utility theory was used to achieve this ranking. An application was generated to demonstrate the applicability of the model under the following aspects of consequences: human, financial and operational consequences, and disruptions to local vehicular traffic. The use of information arising from analysis of the differences between risks enabled the decision maker to make an in-depth analysis of the range of possibilities over which alternatives may be chosen in order to implement preventive actions.
Article
A major reason for the low practical significance of statistical decision models is the unrealistic premises underlying them, in particular the high demands placed on the decision maker's level of information. The decision maker's usually only vague knowledge of the set of all alternatives under consideration A={ai}, i=1,2,..,m, the set of possible states of the world S={sj}, j=1,2,..,n, and the consequences that result from deciding on an alternative ai when the state of the world sj occurs, which are usually expressed as a utility u(ai,sj), is in general not sufficient to set up a decision model of the classical form <A,S,u>.
Article
The "Computer Crime and Security Survey", now in its 7th year, is conducted to raise the level of security awareness, as well as to help determine the scope of computer crime in the United States. For this year's survey, responses came from 503 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities. Data obtained indicate that the threat from computer crime and other information security breaches continues unabated and that the financial toll is mounting.
Book
Introduction.- Background.- History.- Definitions.- Theory.- Methodology.- Worksheet.- Example 1: Hardware Product FMEA.- Example 2: Functional FMEA.- Level of Detail.- Advantages and Disadvantages.- Common Mistakes to Avoid.- Summary
Article
In technical systems like oil and gas drilling systems, an accident sequence starts with an Initiating Event (IE) and evolves over time through the interaction of barriers in terms of success or failure. As has been dramatically demonstrated in a variety of cases, offshore oil rig activities can have severe consequences for people, assets, the environment and reputation. A survey was carried out on a leakage event in the production phase. The barriers for the above IE are assessed by Event Tree Analysis (ETA), which evaluates the sequence of events in a potential accident scenario following the occurrence of an IE. In this research, a new approach is proposed to calculate the Failure Probability (FP) of barriers. In this methodology, Reliability Block Diagrams (RBD) and Fault Tree Analysis (FTA) are employed to quantify barrier FP. RBD is a useful tool to quantify the FP of barriers with a logic diagram. The FP of barriers with a logic diagram is obtained by FTA. However, it is often difficult to precisely estimate the FP of the components due to insufficient data. It has been reported that the availability of FP data pertaining to local conditions is surprisingly limited. In this study, expert judgment and then fuzzy logic are employed to overcome this problem. Therefore, Fuzzy FTA (FFTA) is used to reduce the uncertainty of expert judgment.
Article
This paper concentrates on an information security risk assessment model utilizing an improved wavelet neural network. The structure of a wavelet neural network is similar to a multi-layer neural network, which is a feed-forward neural network with one or more inputs. Afterwards, we point out that the training process of wavelet neural networks is made up of four steps repeated until the value of the error function satisfies a pre-defined error criterion. In order to enhance the quality of information security risk assessment, we propose a modified version of the wavelet neural network which can effectively combine all influencing factors in assessing information security risk by linearly integrating several weights. Furthermore, the proposed wavelet neural network is trained by the BP algorithm in batch mode, and the weight coefficients of the wavelet are modified with the adopting mode. Finally, a series of experiments are conducted for performance evaluation. From the experimental results, we can see that the proposed model can assess information security risk accurately and rapidly.
Book
Multiobjective and Multicriteria Problems and Decision Models.- Multiobjective and Multicriteria Decision Processes and Methods.- Basic Concepts on Risk Analysis, Reliability and Maintenance.- Multidimensional Risk Analysis.- Preventive Maintenance Decisions.- Decision Making in Condition-Based Maintenance.- Decision on Maintenance Outsourcing.- Spare Parts Planning Decisions.- Decision on Redundancy Allocation.- Design Selection Decisions.- Decisions on Priority Assignment for Maintenance Planning.- Other Risk, Reliability and Maintenance Decision Problems.
Article
Ordering fuzzy quantities and their comparison play a key role in many applied models in the world and in particular in decision-making procedures. Although a huge number of studies have been attracted to this field, until now there is no unique accepted method to rank fuzzy quantities. In fact, each proposed method may have some shortcoming. So we are going to present a novel method based on the angle of the reference functions to cover a wide range of fuzzy quantities by overcoming the drawbacks of some existing methods. In the mentioned method, firstly, the angle between the left and right membership functions (the reference functions) of every fuzzy set is called the Angle of Fuzzy Set (AFS), and then, in order to extend the ranking to two fuzzy sets, the angle of fuzzy sets and alpha-cuts is used. The method is illustrated by some numerical examples and, in particular, the results of ranking by the proposed method and by some common existing methods for ranking fuzzy sets are compared to verify the advantage of the new approach. In particular, based on the results of comparing our method with well-known methods which exist in the literature, we will see that, unlike most existing ranking approaches, our proposed approach can rank fuzzy numbers that have the same mode and symmetric spreads. In fact, the proposed method in this paper can effectively rank symmetric fuzzy numbers as well as the effective methods which have appeared in the literature. Moreover, unlike most existing ranking approaches, our proposed approach can rank non-normal fuzzy sets. Finally, we emphasize that the concept of fuzzy ordering plays a key role in establishing numerical algorithms in operations research such as fuzzy primal simplex algorithms and fuzzy dual simplex algorithms, as discussed in the works of Ebrahimnejad and Nasseri and coworkers [1-7].
Conference Paper
Within the fuzzy literature, the issue of ranking fuzzy intervals has been addressed by many authors, who proposed various solutions to the problem. Most of these solutions intend to find a total order on a given collection of fuzzy intervals. However, if one sees fuzzy intervals as descriptions of uncertain quantities, an alternative to rank them is to use ranking rules issued from the imprecise probabilistic literature. In this paper, we investigate ranking rules based on different statistical features (mean, median) and orderings, and relate the obtained (partial) orders to some classical proposals. In particular, we propose a generic expression of stochastic orderings, and then use it to systematically investigate extensions of the most usual stochastic orderings to fuzzy intervals. We also show some relations between those extensions, and explore their relation with existing fuzzy ranking proposals.
Article
A survey of decision-analysis-oriented methods based on the concept of a fuzzy number is proposed, together with new results likely to improve the reviewed material. Fuzzy numbers are useful to perform sensitivity analysis on utility-based models or scoring methods, when probability or utility values, weights of attributes... cannot be precisely estimated but are obtained through verbal statements. Algorithms for computing fuzzy expectations of utility or fuzzy global ratings are provided. Lastly, new possibilistic scalar comparison indices are suggested for the purpose of ranking fuzzy numbers which represent the overall worth of alternative decisions.
Article
Because of the evolution and widespread use of the Internet, organisations are becoming more susceptible to attacks on Information Technology Systems. These attacks result in data losses and alterations, and impact services and business operations. Therefore, to minimise these potential failures, this paper presents an approach to information security risk management, encompassing Failure Mode and Effects Analysis (FMEA) and fuzzy theory. This approach analyses five dimensions of information security: access to information and systems, communication security, infrastructure, security management and secure information systems development. To illustrate the proposed model, it was applied to a University Research Group project. The results show that the most important aspects of information security risk are communication security, followed by infrastructure.
Article
Information security has become a vital entity to most organizations today due to current trends in information transfer through a borderless and vulnerable world. The concern and interest in information security is mainly due to the fact that information security risk assessment (ISRA) is a vital method not only to identify and prioritize information assets but also to identify and monitor the specific threats that an organization induces; especially the chances of these threats occurring and their impact on the respective businesses. However, organizations wanting to conduct risk assessment may face problems in selecting suitable methods that would augur well in meeting their needs. This is due to the existence of numerous methodologies that are readily available. However, there is a lack in agreed reference benchmarking as well as in the comparative framework for evaluating these ISRA methods to assess the information security risk. Generally, organizations will choose the most appropriate ISRA method by carrying out a comparative study between the available methodologies in detail before a suitable method is selected to conduct the risk assessment. This paper suggests a conceptual framework of info-structure for ISRA that was developed by comparing and analysing six methodologies which are currently available. The info-structure for ISRA aims to assist organizations in getting a general view of ISRA flow, gathering information on the requirements to be met before risk assessment can be conducted successfully. This info-structure can be conveniently used by organizations to complete all the required planning as well as the selection of suitable methods to complete the ISRA.
Article
As software-intensive systems become more and more complex, so does the assessment of the risks that these systems may have on people's businesses, privacy, livelihoods, and very lives. For very large long-lived industrial programmes, such as the Galileo programme of the European Space Agency (ESA), or the French Pentagon programme for the Ministry of Defence, traditional risk management approaches are now reaching their limit. This is true for tooling, but even more so for humans. This paper proposes novel techniques to deal with cognitive scalability issues in risk assessment studies, amongst which graphical extensions to traditional risk management approaches, such as chain diagrams, and the seamless integration of attack trees. Feedback and results were collected from security experts and other stakeholders, in a large industrial context (namely, the Galileo risk assessment programme) and through dedicated research and development demonstrations. The feedback and results show effective improvements with respect to standard practices, even though fine tuning is still needed to reach an adequate and financially acceptable equilibrium between: (i) dealing with a large number of small independent problems; and (ii) maintaining an overall understanding of the system’s risks and risks treatment.
Article
Fault tree analysis has been widely utilized as a tool for nuclear power plant probabilistic safety assessment. This analysis can be completed only if all basic events of the system fault tree have their quantitative failure rates or failure probabilities. However, it is difficult to obtain those failure data due to insufficient data, environment changing or new components. This study proposes a fuzzy-based reliability approach to evaluate basic events of system fault trees whose precise failure probability distributions of their lifetime to failures are not available. It applies the concept of failure possibilities to qualitatively evaluate basic events and the concept of fuzzy sets to quantitatively represent the corresponding failure possibilities. To demonstrate the feasibility and the effectiveness of the proposed approach, the actual basic event failure probabilities collected from the operational experiences of the Davis-Besse design of the Babcock and Wilcox reactor protection system fault tree are used to benchmark the failure probabilities generated by the proposed approach. The results confirm that the proposed fuzzy-based reliability approach arises as a suitable alternative for the conventional probabilistic reliability approach when basic events do not have the corresponding quantitative historical failure data for determining their reliability characteristics. Hence, it overcomes the limitation of the conventional fault tree analysis for nuclear power plant probabilistic safety assessment.
Article
This paper explores a risk measure of underground vaults that considers the consequences of arc faults. The increasing use of underground systems, together with the aging of networks, the lack of maintenance and interference from other (third party) underground systems nearby have caused many accidents in urban areas, thus endangering human life. The involvement of a large number (hundreds or thousands) of underground vaults with different characteristics, the lack of historical data on modes of failure, the rarity of the occurrence of some faults, the magnitude of their consequences and the involvement of a complex environment surrounding the hazard zone make risk management even more complex and uncertain. Furthermore, given that the (monetary, time, staff, etc.) resources of an electrical power company are limited and scarce, it is necessary to use decision-making tools that aggregate the consequences and the uncertainties to assess the risks jointly with the preference structure of the company, thus solving the problem more realistically. Therefore, this paper puts forward the use of an additional risk analysis for manhole events in underground electrical distribution networks with a view to its being used as a decision aid tool in risk management. As an illustration of the use of the risk measurement tool proposed, a numerical application is presented. The result rather than showing a ranking of underground vaults, gives a measure of the risk used that can show the decision-maker (DM) how much better one group of alternatives (formed by alternatives with quite similar risk values) is than other groups, based on the DM’s attitude to risk and grounded on the axiomatic structure of utility theory.
Article
For many companies the remaining barriers to adopting cloud computing services are related to security. One of these significant security issues is the lack of auditability for various aspects of security in the cloud computing environment. In this paper we look at the issue of cloud computing security auditing from three perspectives: user auditing requirements, technical approaches for (data) security auditing and current cloud service provider capabilities for meeting audit requirements. We also divide specific auditing issues into two categories: infrastructure security auditing and data security auditing. We find ultimately that despite a number of techniques available to address user auditing concerns in the data auditing area, cloud providers have thus far only focused on infrastructure security auditing concerns.
Article
With the increasing organizational dependence on information systems, information systems security has become a very critical issue in enterprise risk management. In information systems, security risks are caused by various interrelated internal and external factors. A security vulnerability could also propagate and escalate through the causal chains of risk factors via multiple paths, leading to different system security risks. In order to identify the causal relationships among risk factors and analyze the complexity and uncertainty of vulnerability propagation, a security risk analysis model (SRAM) is proposed in this paper. In SRAM, a Bayesian network (BN) is developed to simultaneously define the risk factors and their causal relationships based on the knowledge from observed cases and domain experts. Then, the security vulnerability propagation analysis is performed to determine the propagation paths with the highest probability and the largest estimated risk value. SRAM enables organizations to establish proactive security risk management plans for information systems, which is validated via a case study.
Article
A decision method for systems in which the state of the system and/or the utilities of the alternative actions are known imprecisely is presented. By assuming that these imprecise quantities may be represented using fuzzy sets, a decision procedure is presented which results in the fuzzy set representing an optimal alternative. This set gives us the best alternative and the rating of other alternatives in comparison to the optimal alternative. The computation procedure is illustrated using some examples.
Article
Decision-making for the purpose of adaptation to climate change typically involves several stakeholders, regions and sectors, as well as multiple objectives related to the use of resources and benefits. In the case of adapting to extreme events, modelling of the impact pathways and consequences needs to be conducted in some way. We explore the role of event tree analysis of extreme events in the context of flood protection of critical infrastructure. Experts representing potentially affected infrastructure services are consulted on the usability of the ETA method for providing structured information on flood scenarios, system impacts and consequences, risks and countermeasures. The main users of the analysis results are the asset owners and the local public decision-makers whose joint efforts are usually required to fund and prioritize such measures of adaptation.
Article
This paper analyses the risk probability of an underwater tunnel excavation using an earth pressure balance (EPB) type tunnel boring machine (TBM). An event tree analysis (ETA) has been applied to quantify the risk at the preliminary design stage of the tunnel. Probable results, which may be sequenced from specific initiating events, are analyzed, and adequate general countermeasures (safety functions) are selected to ensure safety against risks. To identify the initiating events, various data on underwater tunneling such as empirical analyses; design reports; case studies of practical problems; numerical analyses and model test results; and hydrological analysis results were used. Event trees corresponding to three significant initiating events were constructed. Each event tree consists of five countermeasures that construct 32 paths, and the probability of each path is calculated. A quantitative risk assessment was performed and the occurrence probabilities and criticalities of the paths depending on the initiating events were considered. Based on these ETA results, it was found that the selected underwater tunnel site still has a considerable probability of accidents in spite of common countermeasures. Based on the evaluated risks, improved target probabilities are proposed to reduce the probability of disaster during construction. Additional countermeasures, in other words mitigation actions, corresponding to the new target are considered. As a result, technical risks and economical losses of property can be minimized in a systematic way. It was found that the ETA is an effective method for the evaluation and quantitative analysis of probable risks and for the proposition of countermeasures for hazardous environmental conditions such as the underwater tunnel.
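The path enumeration and probability calculation described in the abstract above, as an added example in Python that is not code from that paper or from the paper this page summarises. It builds an event tree with five countermeasures (safety functions) for an IT-abuse initiating event, enumerates all 32 success/failure paths, multiplies the initiating-event probability by each barrier's on-demand success or failure probability along the path, attaches a financial loss, and ranks the paths by criticality (probability times loss). The barrier names, probabilities and loss figures are constructed assumptions for illustration only.

```python
"""Event tree analysis (ETA) of an IT-abuse initiating event.

Added example: enumerate every success/failure sequence through an ordered
set of countermeasures, compute each path's probability, attach a financial
loss and rank paths by criticality. All numbers below are constructed.
"""
from dataclasses import dataclass
from itertools import product
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Barrier:
    name: str
    p_success: float      # probability the countermeasure works on demand
    loss_if_failed: float  # loss attributed to this barrier failing (assumed)


@dataclass(frozen=True)
class Path:
    outcomes: Tuple[bool, ...]  # True = barrier held, False = barrier failed
    probability: float
    loss: float

    @property
    def criticality(self) -> float:
        return self.probability * self.loss


def path_probability(initiating_prob: float, barriers: Sequence[Barrier],
                     outcomes: Sequence[bool]) -> float:
    """Initiating-event probability times each branch probability on the path."""
    p = initiating_prob
    for barrier, held in zip(barriers, outcomes):
        p *= barrier.p_success if held else 1.0 - barrier.p_success
    return p


def enumerate_paths(initiating_prob: float, barriers: Sequence[Barrier]) -> List[Path]:
    """All 2**n paths of the event tree, sorted by decreasing criticality."""
    paths = []
    for outcomes in product((True, False), repeat=len(barriers)):
        loss = sum(b.loss_if_failed for b, held in zip(barriers, outcomes) if not held)
        prob = path_probability(initiating_prob, barriers, outcomes)
        paths.append(Path(outcomes, prob, loss))
    return sorted(paths, key=lambda p: p.criticality, reverse=True)


def total_risk(paths: Sequence[Path]) -> float:
    """Expected loss over all paths (sum of criticalities)."""
    return sum(p.criticality for p in paths)


def describe(barriers: Sequence[Barrier], path: Path) -> str:
    return ", ".join(f"{b.name}={'held' if h else 'FAILED'}"
                     for b, h in zip(barriers, path.outcomes))


# Constructed scenario: deliberate external attack on a database service.
INITIATING_PROB = 0.2  # assumed annual probability of the initiating event
BARRIERS = (
    Barrier("perimeter filtering", 0.90, 0.0),
    Barrier("authentication", 0.95, 50_000.0),
    Barrier("intrusion detection", 0.80, 20_000.0),
    Barrier("database access control", 0.90, 200_000.0),
    Barrier("backup and restore", 0.97, 500_000.0),
)


if __name__ == "__main__":
    ranked = enumerate_paths(INITIATING_PROB, BARRIERS)
    print(f"{len(ranked)} paths, expected annual loss {total_risk(ranked):,.0f}")
    for path in ranked[:5]:
        print(f"p={path.probability:.2e} loss={path.loss:>9,.0f} "
              f"crit={path.criticality:8.2f}  {describe(BARRIERS, path)}")
```

Because no branch is pruned, the path probabilities always sum to the initiating-event probability, which is a useful sanity check on a hand-built tree; swapping in a second set of barrier probabilities (for example, expert estimates versus log-derived rates) and re-running the ranking is the robustness comparison the page's own abstract describes.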
Article
The UK government took a bruising in the headlines (Sep 2008) after a Home Office contractor lost a USB stick containing unencrypted data on all 84,000 prisoners in England and Wales. As a result, the Home Office terminated the £1.5 million contract with the management consultancy firm. The world woke up to the largest attempted bank fraud ever when the UK’s National Hi-Tech Crime Unit foiled the world’s largest potential bank robbery in March 2005. With the help of the security supervisor, thieves masquerading as cleaning staff installed hardware keystroke loggers on computers within the London branch of a Japanese bank, to steal £220m. It is indeed sobering to imagine that any organisation could fall victim to such events and the damage an insider can do. The consulting firm lost the contract worth £1.5 million due to a small mistake by an employee. The London branch of the Japanese Bank would have lost £220 million had not the crime been foiled. Insider threat is a reality. Insiders commit fraud or steal sensitive information when motivated by money or revenge. Well-meaning employees can compromise the security of an organisation with their overzealousness in getting their job done. Every organisation has a varied mix of employees, consultants, management, partners and complex infrastructure and that makes handling insider threats a daunting challenge. With insider attacks, organisations face potential damage through loss of revenue, loss of reputation, loss of intellectual property or even loss of human life. The insider threat problem is more elusive and perplexing than any other threat. Assessing the insider threat is the first step to determine the likelihood of any insider attack. Technical solutions do not suffice since insider threats are fundamentally a people issue.
Therefore, a three-pronged approach - technological, behavioural and organisational assessment - is essential in facilitating the prediction of insider threats and pre-empting any insider attack, thus improving the organization’s security, survivability, and resiliency in light of insider threats.
Conference Paper
The economics of information security has recently become a thriving and fast-moving discipline. As distributed systems are assembled from machines belonging to principals with divergent interests, incentives are becoming as important to dependability as technical design. The new field provides valuable insights not just into security topics such as privacy, bugs, spam, and phishing, but into more general areas such as system dependability (the design of peer-to-peer systems and the optimal balance of effort by programmers and testers), and policy (particularly digital rights management). This research program has been starting to spill over into more general security questions (such as law-enforcement strategy), and into the interface between security and the social sciences. Most recently it has started to interact with psychology, both through the psychology-and-economics tradition and in response to phishing. The promise of this research program is a novel framework for analyzing information security problems - one that is both principled and effective.
Article
Results of research into the use of fuzzy sets for handling various forms of uncertainty in the optimal design and control of complex systems are presented. A general approach to solving a wide class of optimization problems containing fuzzy coefficients in objective functions and constraints is described. It involves a modification of traditional mathematical programming methods and is associated with formulating and solving one and the same problem within the framework of mutually conjugated models. This approach allows one to maximally cut off dominated alternatives from below as well as from above. The subsequent contraction of the decision uncertainty region is associated with reduction of the problem to multicriteria decision making in a fuzzy environment. The general approach is applied within the context of a fuzzy discrete optimization model that is based on a modification of discrete optimization algorithms. Prior to application of these algorithms there is a transition from a model with fuzzy coefficients in objective functions and constraints to an equivalent analog with fuzzy coefficients in objective functions alone. The results of the paper are of a universal character and are already being used to solve problems of power engineering.
Article
We propose here to extend the decision trees method to the case when the involved data (probabilities, cost, profits, losses) appear as words belonging to the common language whose semantic representations are fuzzy sets. First we discuss the reasons why such an extension is to be aimed at. Then in the fuzzy case we carry out a reformalization of the basic concepts of probability and utility theory. Finally we show how these reformalized concepts can be applied to fuzzy decision trees.
Article
In this paper an insider attack is considered to be deliberate misuse by those who are authorized to use computers and networks. Applying this definition in real-life settings to determine whether or not an attack was caused by an insider is often, however, anything but straightforward. We know very little about insider attacks, and misconceptions concerning insider attacks abound. The belief that “most attacks come from inside” is held by many information security professionals, for example, even though empirical statistics and firewall logs indicate otherwise. This paper presents a framework based on previous studies and models of insider behavior as well as first-hand experience in dealing with insider attacks. This framework defines relevant types of insider attack-related behaviors and symptoms—“indicators” that include deliberate markers, meaningful errors, preparatory behaviors, correlated usage patterns, verbal behavior and personality traits. From these sets of indicators, clues can be pieced together to predict and detect an attack. The presence of numerous small clues necessitates the use of quantitative methods; multiple regression equations appear to be a particularly promising approach for quantifying prediction.
Article
Many ranking methods have been proposed so far. However, there is yet no method that can always give a satisfactory solution to every situation; some are counterintuitive, not discriminating; some use only the local information of fuzzy values; some produce different rankings for the same situation. For overcoming the above problems, we propose a new method for ranking fuzzy numbers by distance method. Our method is based on calculating the centroid point, where the distance means from original point to the centroid point (), and the index is the same as Murakami et al.'s . However, the index is integrated from the inverse functions of an LR-type fuzzy number. Thus, we use ranking function (distance index) as the order quantities in a vague environment. Our method can rank more than two fuzzy numbers simultaneously, and the fuzzy numbers need not be normal. Furthermore, we also propose the coefficient of variation (CV index) to improve Lee and Li's method [Comput. Math. Appl.15 (1988) 887–896]. Lee and Li rank fuzzy numbers based on two different criteria, namely, the fuzzy mean and the fuzzy spread of the fuzzy numbers, and they pointed out that human intuition would favor a fuzzy number with the following characteristics: higher mean value and at the same time lower spread. However, when higher mean value and at the same time higher spread/or lower mean value and at the same time lower spread exists, it is not easy to compare its orderings clearly. Our CV index is defined as CV = σ (standard error)/μ (mean), which can overcome Lee and Li's problem efficiently. In this way, our proposed method can also be easily calculated by the “Mathematica” package to solve problems of ranking fuzzy numbers. At last, we present three numerical examples to illustrate our proposed method, and compare with other ranking methods.
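The two indices described in the abstract above, as an added Python example that is not code from the cited paper: the centroid of an LR-type fuzzy number, the distance from the origin to that centroid, and the CV index σ/μ computed from the membership function treated as an unnormalised density. Trapezoidal numbers (a, b, c, d) with height w cover the triangular (b = c) and non-normal (w < 1) cases. The centroid is computed from the geometry of the membership function rather than from the paper's own formulas, which are not reproduced on this page, and the sample fuzzy numbers are constructed: they include a pair with the same mean and different spreads, where the distance index ties and the CV index decides, and a non-normal number.

```python
"""Ranking fuzzy numbers by centroid distance and by coefficient of variation.

Added example. A trapezoidal fuzzy number (a, b, c, d) with height w has
membership w*(x-a)/(b-a) on [a, b], w on [b, c], w*(d-x)/(d-c) on [c, d].
Moments of x^k * mu(x) are integrated exactly, segment by segment.
"""
from dataclasses import dataclass
import math
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Trapezoid:
    a: float
    b: float
    c: float
    d: float
    w: float = 1.0  # height; w < 1 gives a non-normal fuzzy number

    @classmethod
    def triangular(cls, a: float, b: float, c: float, w: float = 1.0) -> "Trapezoid":
        return cls(a, b, b, c, w)

    def _left(self, k: int) -> float:
        a, b, w = self.a, self.b, self.w
        if b == a:
            return 0.0
        return w / (b - a) * ((b ** (k + 2) - a ** (k + 2)) / (k + 2)
                              - a * (b ** (k + 1) - a ** (k + 1)) / (k + 1))

    def _core(self, k: int) -> float:
        return self.w * (self.c ** (k + 1) - self.b ** (k + 1)) / (k + 1)

    def _right(self, k: int) -> float:
        c, d, w = self.c, self.d, self.w
        if d == c:
            return 0.0
        return w / (d - c) * (d * (d ** (k + 1) - c ** (k + 1)) / (k + 1)
                              - (d ** (k + 2) - c ** (k + 2)) / (k + 2))

    def moment(self, k: int) -> float:
        """Integral of x^k * mu(x) dx over the support."""
        return self._left(k) + self._core(k) + self._right(k)

    def centroid(self) -> Tuple[float, float]:
        area = self.moment(0)
        x_bar = self.moment(1) / area
        # y_bar = (1/2) * integral of mu(x)^2 dx / area  (centroid of the region under mu)
        sq = self.w ** 2 * ((self.b - self.a) / 3 + (self.c - self.b) + (self.d - self.c) / 3)
        return x_bar, 0.5 * sq / area

    def distance_index(self) -> float:
        """Distance from the origin to the centroid; larger ranks higher."""
        return math.hypot(*self.centroid())

    def mean_spread(self) -> Tuple[float, float]:
        m0, m1, m2 = self.moment(0), self.moment(1), self.moment(2)
        mu = m1 / m0
        return mu, math.sqrt(max(m2 / m0 - mu * mu, 0.0))

    def cv_index(self) -> float:
        """sigma / mu; smaller is better (high mean together with low spread)."""
        mu, sigma = self.mean_spread()
        return sigma / mu


def rank_by_distance(numbers: Sequence[Trapezoid]) -> List[Trapezoid]:
    return sorted(numbers, key=lambda f: f.distance_index(), reverse=True)


def rank_by_cv(numbers: Sequence[Trapezoid]) -> List[Trapezoid]:
    return sorted(numbers, key=lambda f: f.cv_index())


if __name__ == "__main__":
    # Constructed sample: same mode 3, spreads 1 and 2, plus a non-normal one.
    narrow = Trapezoid.triangular(2, 3, 4)
    wide = Trapezoid.triangular(1, 3, 5)
    low = Trapezoid.triangular(2, 3, 4, w=0.5)
    for f in (narrow, wide, low):
        print(f, "centroid=%.3f,%.3f dist=%.4f cv=%.4f"
              % (*f.centroid(), f.distance_index(), f.cv_index()))
    print("by distance:", rank_by_distance([narrow, wide, low]))
    print("by CV:      ", rank_by_cv([narrow, wide, low]))
```

For the symmetric pair with the same mode, both centroids are (3, 1/3), so the distance index cannot separate them; the CV index prefers the narrower number, which is the behaviour the abstract attributes to human intuition. The non-normal number has the same x-coordinate but a lower centroid and therefore ranks below its normal counterpart under the distance index.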
Article
The paper presents a decision model for risk assessment and for risk ranking of sections of natural gas pipelines based on multi-attribute utility theory. Pipeline hazard scenarios are surveyed and the reasons for a risk assessment model based on a multi-attribute approach are presented. Three dimensions of impact and the need to translate decision-makers’ preferences into risk management decisions are highlighted. The model approaches these factors by using a multi-attribute utility function, in order to produce multi-dimensional risk measurements. By using decision analysis concepts, this model quantitatively incorporates the decision-maker's preferences and behavior regarding risk within clear and consistent risk measurements. In order to support the prioritizing of critical sections of pipeline in natural gas companies, this multi-attribute model also allows sections of pipeline to be ranked into a risk hierarchy. A numerical application based on a real case study was undertaken so that the effectiveness of the decision model could be verified.
Article
As a continuation of the first part related to the first and second class of ordering approaches this paper deals with the fulfilment of reasonable properties in the third class of ordering approaches. To do so we briefly introduce fuzzy relations on which the third class of approaches is based. Then we recall some transitivity-related concepts and an ordering procedure based on an acyclic fuzzy relation. Acyclicity is a very weak restriction on a fuzzy relation. We prove that many fuzzy relations used for the comparison of fuzzy quantities satisfy some conditions stronger than acyclicity. So we give a widely applicable formulation to derive a total ranking order from a fuzzy relation. With our formulation we examine all the ordering indices in the third class with respect to the proposed axioms in part I.