A Fuzzy Approach to Risk Analysis in Information Systems

Eloy Vicente, Antonio Jiménez, Alfonso Mateos

Abstract

Assets are interrelated in risk analysis methodologies for information systems promoted by international standards. This means that an attack on one asset can be propagated through the network and threaten an organization’s most valuable assets. It is necessary to valuate all assets, the direct and indirect asset dependencies, as well as the probability of threats and the resulting asset degradation. These methodologies do not, however, consider uncertain valuations and use precise values on different scales, usually percentages. Linguistic terms are used by the experts to represent assets values, dependencies and frequency and asset degradation associated with possible threats. Computations are based on the trapezoidal fuzzy numbers associated with these linguistic terms.

References

  1. Alberts, C. and Dorofee, A. (2005). OCTAVE-s Method Implementation Guide Version 2.0. Pittsburgh: Canergie Mellon University.
  2. Chen, S.-J. and Chen, S.-M. (2001). A New Method to Measure the Similarity between Fuzzy Numbers. Proceedings of the 10th IEEE International Conference on Fuzzy Systems, 208-214.
  3. Chen, S.-J. and Chen, S.-M. (2007). Fuzzy Risk Analysis Based on the Ranking of Generalized Trapezoidal Fuzzy Numbers. Applied Intelligence, 26, 1-11.
  4. CCTA Risk Analysis and Management Method (CRAMM), Version 5.0. London: Central Computing and Telecommunications Agency (CCTA), 2003.
  5. ISO/IEC 17799:2005, Information technology - Security techniques - Code of practice for information security management. Geneva: International Organization for Standarization.
  6. ISO/IEC 27005:2011, Information technology - Security techniques - Information security risk management. Geneva: International Organization for Standarization.
  7. Lee, H.S. (1999). An Optimal Aggregation Method for Fuzzy Opinions of Group Decision. Proceedings of the 1999 IEEE International Conference on Systems, Management and Cybernetics, 314-319.
  8. L ópez Crespo, F., Amutio-Gómez, M.A., Candau, J. and Man˜as, J.A. (2006a). Methodology for Information Systems Risk. Analysis and Management (MAGERIT version 2). Book I-The Method. Madrid: Ministerio de Administraciones P úblicas.
  9. L ópez Crespo, F., Amutio-Gómez, M.A., Candau, J. and Man˜as, J.A. (2006b). Methodology for Information Systems Risk Analysis and Management (MAGERIT version 2). Book II-Catalogue of Elements. Madrid: Ministerio de Administraciones P úblicas.
  10. L ópez Crespo, F., Amutio-Gómez, M.A., Candau, J. and Man˜as, J.A. (2006c). Methodology for Information Systems Risk Analysis and Management (MAGERIT version 2). Book III-The Techniques. Madrid: Ministerio de Administraciones P úblicas.
  11. Mehari 2010 - Risk Analysis and Treatment Guide. Paris: Club de la Sécurité de l'Information Francais (CSIF).
  12. Stoneburner, G. and Gougen, A. (2002). NIST 800-30 Risk Management. Guide for Information Technology Systems. Gaithersburg: National Institute of Standard and Technology.
  13. Vicente, E., Mateos, A. and Jiménez, A. (2012). A New Similarity Measure of Trapezoidal Fuzzy Numbers. Expert Systems with Applications, under review.
  14. Xu, Z., Shang, S., Qian, W. and Shu, W. (2010). A Method for Fuzzy Risk Analysis based on the New Similarity of Trapezoidal Fuzzy Numbers. Expert Systems with Applications, 37, 1920-1927.
Download


Paper Citation


in Harvard Style

Vicente E., Jiménez A. and Mateos A. (2013). A Fuzzy Approach to Risk Analysis in Information Systems . In Proceedings of the 2nd International Conference on Operations Research and Enterprise Systems - Volume 1: ICORES, ISBN 978-989-8565-40-2, pages 130-133. DOI: 10.5220/0004212001300133


in Bibtex Style

@conference{icores13,
author={Eloy Vicente and Antonio Jiménez and Alfonso Mateos},
title={A Fuzzy Approach to Risk Analysis in Information Systems},
booktitle={Proceedings of the 2nd International Conference on Operations Research and Enterprise Systems - Volume 1: ICORES,},
year={2013},
pages={130-133},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0004212001300133},
isbn={978-989-8565-40-2},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 2nd International Conference on Operations Research and Enterprise Systems - Volume 1: ICORES,
TI - A Fuzzy Approach to Risk Analysis in Information Systems
SN - 978-989-8565-40-2
AU - Vicente E.
AU - Jiménez A.
AU - Mateos A.
PY - 2013
SP - 130
EP - 133
DO - 10.5220/0004212001300133