Subjectivity Reduction of Qualitative Approach in Information Security Risk Analysis
Subject Areas: Business Strategy
Alireza TamjidYamcholo 1, Abbas Toloie Eshlaghy 2
1 - Department of Management, Science and Research Branch, Islamic Azad University, Tehran, Iran
2 - Department of Management, Science and Research Branch, Islamic Azad University, Tehran, Iran
Keywords: Risk analysis, Risk assessment, Subjectivity, Information security, Qualitative
Abstract:
Qualitative information security risk assessments are inherently subjective, and the high degree of subjectivity associated with the perception of risk means that management is often skeptical of risk analysis results and unwilling to base important decisions on them. In addition, the information security risk assessment process is complex and rife with uncertainty; if that uncertainty is not taken into account, the results can be misleading. This paper therefore proposes a Fuzzy Multi-Criteria Group Decision Making (FMCGDM) model to address both problems. The focus group method is used to identify the risk parameters, and the Delphi method is used to construct a hierarchy of those parameters. The findings should help information security departments analyze InfoSec risks more capably and reduce the consequences of subjective assessment. A case study of an actual information security risk management project illustrates the use of the proposed model, and the computational results demonstrate its efficiency and effectiveness in helping InfoSec risk analysts evaluate InfoSec risk.
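The abstract describes the model only in outline, so the following is an added worked illustration of fuzzy multi-criteria group aggregation of qualitative risk ratings; it is not the paper's own model or code, and the five-term linguistic scale, the fuzzy criterion weights, the disagreement cut-off and the three sample risks with their expert ratings are all assumptions constructed for the example. It shows the two mechanisms the abstract relies on: averaging several experts' triangular fuzzy numbers instead of trusting one analyst's rating, and carrying the residual uncertainty (the width of the aggregated fuzzy score, and the spread of opinion behind it) alongside the crisp score used for ranking.

```python
"""Fuzzy multi-criteria group aggregation of qualitative risk ratings.

Added illustration (not the paper's model): several experts rate each risk on
each criterion with a linguistic term; the terms map to triangular fuzzy
numbers (TFNs), the experts' TFNs are averaged, the criterion TFNs are
combined with fuzzy criterion weights, and the result is defuzzified for
ranking. The spread of the fuzzy score and the per-criterion expert
disagreement are kept as explicit uncertainty indicators.
"""
from typing import Dict, List, Tuple

TFN = Tuple[float, float, float]  # (lower, modal, upper) with l <= m <= u

# Assumed 5-term linguistic scale on [0, 1] (a common choice, not the paper's table).
SCALE: Dict[str, TFN] = {
    "VL": (0.00, 0.00, 0.25),
    "L":  (0.00, 0.25, 0.50),
    "M":  (0.25, 0.50, 0.75),
    "H":  (0.50, 0.75, 1.00),
    "VH": (0.75, 1.00, 1.00),
}

# Assumed fuzzy criterion weights (e.g. the output of a Delphi / pairwise step).
WEIGHTS: Dict[str, TFN] = {
    "likelihood": (0.3, 0.4, 0.5),
    "impact":     (0.5, 0.6, 0.7),
}

# Constructed sample input: three risks, two criteria, three experts each.
RISKS: Dict[str, Dict[str, List[str]]] = {
    "R1": {"likelihood": ["H", "VH", "H"], "impact": ["VH", "VH", "H"]},  # unpatched edge VPN
    "R2": {"likelihood": ["M", "H", "M"],  "impact": ["H", "M", "H"]},    # lost unencrypted laptop
    "R3": {"likelihood": ["L", "M", "VL"], "impact": ["VH", "H", "VH"]},  # admin-rights misuse
}

DISAGREEMENT_THRESHOLD = 0.3  # assumed cut-off for sending a rating back for another round


def tfn_add(a: TFN, b: TFN) -> TFN:
    return (a[0] + b[0], a[1] + b[1], a[2] + b[2])


def tfn_mul(a: TFN, b: TFN) -> TFN:
    """Standard approximation of the product of two non-negative TFNs."""
    return (a[0] * b[0], a[1] * b[1], a[2] * b[2])


def tfn_scale(a: TFN, k: float) -> TFN:
    return (a[0] * k, a[1] * k, a[2] * k)


def defuzzify(t: TFN) -> float:
    """Centroid of a triangular membership function."""
    return (t[0] + t[1] + t[2]) / 3.0


def spread(t: TFN) -> float:
    """Width of the support: how much uncertainty survives aggregation."""
    return t[2] - t[0]


def aggregate_experts(ratings: List[str]) -> TFN:
    """Fuzzy arithmetic mean of the experts' linguistic ratings."""
    total: TFN = (0.0, 0.0, 0.0)
    for term in ratings:
        total = tfn_add(total, SCALE[term])
    return tfn_scale(total, 1.0 / len(ratings))


def disagreement(ratings: List[str]) -> float:
    """Range of the experts' individual crisp ratings; a large value means the
    mean is hiding a real split of opinion rather than a shared judgement."""
    crisp = [defuzzify(SCALE[term]) for term in ratings]
    return max(crisp) - min(crisp)


def assess(risks=RISKS, weights=WEIGHTS, threshold=DISAGREEMENT_THRESHOLD) -> Dict[str, dict]:
    """Weighted fuzzy score per risk plus its uncertainty indicators."""
    results: Dict[str, dict] = {}
    for name, per_criterion in risks.items():
        total: TFN = (0.0, 0.0, 0.0)
        flags: List[str] = []  # criteria whose ratings should be re-elicited
        for criterion, ratings in per_criterion.items():
            group = aggregate_experts(ratings)
            total = tfn_add(total, tfn_mul(weights[criterion], group))
            if disagreement(ratings) > threshold:
                flags.append(criterion)
        results[name] = {"tfn": total, "score": defuzzify(total),
                         "spread": spread(total), "flags": flags}
    return results


def rank(results: Dict[str, dict]) -> List[str]:
    """Risk names ordered by crisp score, highest first."""
    return sorted(results, key=lambda r: results[r]["score"], reverse=True)


if __name__ == "__main__":
    res = assess()
    for name in rank(res):
        r = res[name]
        print(f"{name}: score={r['score']:.3f} spread={r['spread']:.3f} "
              f"tfn=({r['tfn'][0]:.3f}, {r['tfn'][1]:.3f}, {r['tfn'][2]:.3f}) "
              f"re-elicit={r['flags'] or '-'}")
```

With the constructed input, R2 and R3 end up with crisp scores only about 0.01 apart, which is exactly the situation in which a single defuzzified number misleads: the spread and the flagged likelihood disagreement on R3 tell the analyst that the ordering of those two risks rests on an unresolved split among the experts and should go back for another Delphi-style round before it reaches management.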