A Fuzzy Approach based on Dynamic Programming and Metaheuristics for Selecting Safeguards for Risk Management for Information Systems

E. Vicente, A. Mateos, A. Jiménez-Martín

Abstract

In this paper we focus on the selection of safeguards in a fuzzy risk analysis and management methodology for information systems (IS). Assets are connected by dependency relationships, so a failure of one asset may affect other assets. After computing the impact and risk indicators associated with previously identified threats, we identify and apply safeguards to reduce risk in the IS by minimizing the probabilities with which failures are transmitted through the asset network. However, as safeguards have associated costs, the aim is to select the safeguards that minimize cost while keeping the risk within acceptable levels. To do this, we propose a dynamic programming-based method that incorporates simulated annealing to tackle the resulting optimization problems.
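The selection problem the abstract describes, stripped to its core, is: given an asset dependency network with failure-transmission probabilities, and a catalogue of safeguards that each lower some transmission probability at a cost, find the cheapest safeguard set that keeps the risk of a key asset at or below an accepted level. The following Python is an added illustration of that problem and of a simulated-annealing search over safeguard subsets; it is not the authors' code and does not reproduce the paper's dynamic-programming structure or its fuzzy arithmetic. The asset network, failure probabilities, safeguard effects and costs are all constructed for the example, and the tree-shaped, independent-failure model used to compute propagated risk is an assumption made here so the risk can be evaluated exactly. An exhaustive search is included so the reader can check the heuristic against the true optimum on this small instance.

```python
"""Constructed toy version of the safeguard-selection problem: pick the cheapest
set of safeguards that keeps the failure probability of a top-level asset at or
below an accepted level. All assets, probabilities, safeguards and costs are
invented for illustration; this is not the paper's model or algorithm."""
import itertools
import math
import random

# Intrinsic (threat-induced) failure probability of each asset (constructed).
ASSETS = {
    "switch": 0.10, "storage": 0.05,
    "app_server": 0.08, "db_server": 0.04,
    "web_service": 0.02,
}
# Dependency edges (supporting asset -> dependent asset) with the probability
# that a failure of the supporting asset is transmitted to the dependent one.
# Assumption: the dependency graph is a tree and failures are independent, so
# the propagated failure probability can be computed exactly by recursion.
EDGES = {
    ("switch", "app_server"): 0.9,
    ("storage", "db_server"): 0.8,
    ("app_server", "web_service"): 0.7,
    ("db_server", "web_service"): 0.6,
}
# Safeguards (constructed): name -> (edge acted on, multiplier applied to that
# edge's transmission probability, cost). Safeguards on one edge compound.
SAFEGUARDS = {
    "redundant_switch":  (("switch", "app_server"), 0.3, 5),
    "switch_hardening":  (("switch", "app_server"), 0.5, 2),
    "storage_mirroring": (("storage", "db_server"), 0.25, 6),
    "app_cluster":       (("app_server", "web_service"), 0.4, 9),
    "db_replica":        (("db_server", "web_service"), 0.5, 7),
    "db_failover_test":  (("db_server", "web_service"), 0.9, 1),
}
TOP_ASSET = "web_service"


def effective_edges(selected):
    """Transmission probabilities after applying the selected safeguards."""
    edges = dict(EDGES)
    for name in selected:
        edge, factor, _cost = SAFEGUARDS[name]
        edges[edge] *= factor
    return edges


def failure_probability(asset, edges):
    """P(asset fails) = 1 - P(no intrinsic failure) * prod P(no transmitted failure)."""
    survive = 1.0 - ASSETS[asset]
    for (src, dst), t in edges.items():
        if dst == asset:
            survive *= 1.0 - failure_probability(src, edges) * t
    return 1.0 - survive


def risk_of(selected):
    """Risk indicator used here: failure probability of the top-level asset."""
    return failure_probability(TOP_ASSET, effective_edges(selected))


def cost_of(selected):
    return sum(SAFEGUARDS[name][2] for name in selected)


def brute_force(limit):
    """Exact optimum by enumerating every subset (fine for a handful of safeguards)."""
    best = None
    for k in range(len(SAFEGUARDS) + 1):
        for combo in itertools.combinations(sorted(SAFEGUARDS), k):
            s = frozenset(combo)
            if risk_of(s) <= limit and (best is None or cost_of(s) < cost_of(best)):
                best = s
    return best, cost_of(best), risk_of(best)


def objective(selected, limit, penalty=1000.0):
    """Cost plus a penalty proportional to how far the risk exceeds the limit."""
    return cost_of(selected) + penalty * max(0.0, risk_of(selected) - limit)


def simulated_annealing(limit, iterations=4000, t0=20.0, alpha=0.999, seed=1):
    """Metropolis search over safeguard subsets; one move toggles one safeguard.
    Returns the cheapest feasible subset visited (None if none was found)."""
    rng = random.Random(seed)
    names = sorted(SAFEGUARDS)
    current = frozenset()
    cur_obj = objective(current, limit)
    best = None
    temp = t0
    for _ in range(iterations):
        neighbour = current ^ {rng.choice(names)}
        nb_obj = objective(neighbour, limit)
        delta = nb_obj - cur_obj
        # Always accept improvements; accept a worse move with Boltzmann probability.
        if delta <= 0 or rng.random() < math.exp(-delta / temp):
            current, cur_obj = neighbour, nb_obj
            if risk_of(current) <= limit and (best is None or cost_of(current) < cost_of(best)):
                best = current
        temp *= alpha  # geometric cooling
    if best is None:
        return None, math.inf, math.inf
    return best, cost_of(best), risk_of(best)


if __name__ == "__main__":
    limit = 0.10
    print(f"baseline risk of {TOP_ASSET}: {risk_of(frozenset()):.4f}, limit {limit}")
    for label, (sel, cost, risk) in (("exact", brute_force(limit)),
                                     ("annealing", simulated_annealing(limit))):
        print(f"{label:>9}: {sorted(sel)} cost={cost} risk={risk:.4f}")
```

With these constructed numbers the unprotected service fails with probability about 0.173; the cheapest set that brings it under 0.10 is switch hardening plus the application cluster (cost 11), and the annealer, which only ever evaluates single toggles of the current subset, is expected to reach it well within 4,000 steps. The penalty term turns the risk constraint into a soft objective so infeasible intermediate states can still be traversed; on a real asset inventory with hundreds of safeguards the exhaustive check is no longer available, which is exactly why the paper pairs a metaheuristic with its dynamic-programming decomposition.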



Paper Citation


in Harvard Style

Vicente E., Mateos A. and Jiménez-Martín A. (2014). A Fuzzy Approach based on Dynamic Programming and Metaheuristics for Selecting Safeguards for Risk Management for Information Systems. In Proceedings of the 3rd International Conference on Operations Research and Enterprise Systems - Volume 1: ICORES, ISBN 978-989-758-017-8, pages 35-45. DOI: 10.5220/0004807800350045


in Bibtex Style

@conference{icores14,
author={E. Vicente and A. Mateos and A. Jiménez-Martín},
title={A Fuzzy Approach based on Dynamic Programming and Metaheuristics for Selecting Safeguards for Risk Management for Information Systems},
booktitle={Proceedings of the 3rd International Conference on Operations Research and Enterprise Systems - Volume 1: ICORES},
year={2014},
pages={35-45},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0004807800350045},
isbn={978-989-758-017-8},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Conference on Operations Research and Enterprise Systems - Volume 1: ICORES
TI - A Fuzzy Approach based on Dynamic Programming and Metaheuristics for Selecting Safeguards for Risk Management for Information Systems
SN - 978-989-758-017-8
AU - Vicente E.
AU - Mateos A.
AU - Jiménez-Martín A.
PY - 2014
SP - 35
EP - 45
DO - 10.5220/0004807800350045