A Fuzzy Approach to Risk Analysis in Information Systems
Eloy Vicente, Antonio Jiménez and Alfonso Mateos
Departamento de Inteligencia Artificial, Facultad de Informática, Universidad Politécnica de Madrid,
Campus de Montegancedo S/N, 28660, Boadilla del Monte, Madrid, Spain
Keywords: Risk Analysis, Information Systems, Trapezoidal Fuzzy Numbers.

Abstract: Assets are interrelated in risk analysis methodologies for information systems promoted by international standards. This means that an attack on one asset can be propagated through the network and threaten an organization's most valuable assets. It is necessary to valuate all assets, the direct and indirect asset dependencies, as well as the probability of threats and the resulting asset degradation. These methodologies do not, however, consider uncertain valuations and use precise values on different scales, usually percentages. Linguistic terms are used by the experts to represent asset values, dependencies and the frequency and asset degradation associated with possible threats. Computations are based on the trapezoidal fuzzy numbers associated with these linguistic terms.
1 INTRODUCTION
Information Systems (IS) are composed of a set of data management elements designed to provide services and benefits in areas as far apart as public administration, industrial control, banking or geographical and weather information.

Technological developments and universal internet access have led to an increase in system vulnerabilities. Therefore, ISs have to be analysed with a view to risk minimization by means of well-planned actions to protect information, processes and services from possible threats. Threats range from acts of terrorism or industrial espionage to a simple unintentional human error by an operator.
Standards promoted by the International Organization for Standardization (ISO/IEC, 2005, 2011) on IS security suggest three-stage risk analysis and management methodologies.

The planning stage establishes the necessary points for starting up the project, defines objectives, and identifies participants and competencies. The analysis stage identifies the IS assets, as well as their relations (dependencies), the threats to which they are exposed and their frequency and asset degradation levels. Finally, the risk management stage determines the safeguards and strategies that reduce impact and risk.
In this paper, we focus on the second stage, analysis. Assets are the IS or related resources necessary for an organization's correct operation and for achieving the goals set by its manager. Assets can be data, applications, software, facilities, hardware, services... The asset dependencies are usually represented in terms of percentages, signalling how likely the failure of an asset is to affect another.

Often only a few elements (terminal assets), usually data or services, account for the total value of an organization's assets. The value of these assets is transferred to other assets through the established dependency relations. Thus, non-terminal assets have no intrinsic values; they accumulate their value from terminal assets.
However, the methodologies based on international standards, such as MAGERIT (López Crespo, Amutio-Gómez, Candau and Mañas, 2006a, 2006b, 2006c), MEHARI (CSIF, 2010), CRAMM (CCTA, 2003), OCTAVE-S (Alberts and Dorofee, 2005) or NIST 800-30 (Stoneburner and Goguen, 2002), overlook the difficulty of correctly assigning asset dependencies, as well as terminal asset values or the impact on the entire system caused by the materialization of a threat to an asset. Moreover, these methodologies do not consider uncertainty concerning these assessments.

In this paper we propose a fuzzy risk analysis in IS as a solution to these deficiencies.
Section 2 reviews some operations on trapezoidal fuzzy numbers and introduces a fuzzy evaluation of asset dependencies. Section 3 provides a fuzzy valuation of assets on the basis of five components. Threats and asset risk impact indicators are described in Section 4. In Section 5, we introduce the similarity function used to associate a linguistic term from a set with a trapezoidal fuzzy number. Finally, some conclusions and future research are discussed in Section 6.

Vicente E., Jiménez A. and Mateos A.
A Fuzzy Approach to Risk Analysis in Information Systems.
DOI: 10.5220/0004212001300133
In Proceedings of the 2nd International Conference on Operations Research and Enterprise Systems (ICORES-2013), pages 130-133
ISBN: 978-989-8565-40-2
Copyright © 2013 SCITEPRESS (Science and Technology Publications, Lda.)
2 FUZZY VALUATION OF DEPENDENCIES

We use the following arithmetic for fuzzy numbers proposed in (Xu, Shang, Qian and Shu, 2010): if $\tilde{A}_1 = (a_1, b_1, c_1, d_1)$ and $\tilde{A}_2 = (a_2, b_2, c_2, d_2)$, then

$$\tilde{A}_1 \oplus \tilde{A}_2 = (a_1 + a_2 - a_1 a_2,\; b_1 + b_2 - b_1 b_2,\; c_1 + c_2 - c_1 c_2,\; d_1 + d_2 - d_1 d_2),$$

$$\tilde{A}_1 \otimes \tilde{A}_2 = (a_1 \cdot a_2,\; b_1 \cdot b_2,\; c_1 \cdot c_2,\; d_1 \cdot d_2).$$
As mentioned above, the assets in IS are connected by dependency relationships, and a failure of one asset may affect other assets. Asset $A_j$ depends on the asset $A_i$ (or $A_i$ influences $A_j$), denoted by $(A_i, A_j)$ (graphically $A_i \to A_j$), if a failure in asset $A_i$ causes a failure in the asset $A_j$ with any given probability. This probability is usually referred to as the degree of dependency of $A_j$ with respect to $A_i$ or the influence of $A_i$ over $A_j$, which we denote by $dd(A_i, A_j)$.
Proposed IS risk analysis methodologies (MAGERIT, MEHARI, OCTAVE...) assign just a percentage to indicate the degree of dependency between two assets, and sometimes even propose the use of a Boolean value indicating whether or not this dependency exists, regardless of the degree of dependency. We propose the use of trapezoidal fuzzy numbers to represent these dependencies. Consequently, the experts can build a linguistic term set to intuitively define the dependency between two assets under uncertainty.

Our aim then is to compute the indirect asset dependencies, since asset values are accumulated from terminal assets through these dependencies.
The degree of dependency of asset $A_k$ with respect to $A_i$, $\widehat{DD}(A_i, A_k)$, is computed as follows¹. We denote by $P = \{P_1, \ldots, P_s\}$ the set of paths in the analysis of the influence of $A_i$ over $A_k$. Then,

A) If all assets (excluding $A_i$ and $A_k$) in the paths in $P$ are influenced by only one asset, then

$$\widehat{DD}(A_i, A_k) = \bigoplus_{j=1}^{s} \widehat{DD}(A_i, A_k \mid P_j), \qquad (1)$$

where $\widehat{DD}(A_i, A_k \mid P_j) = \widehat{dd}(A_i, A_{j1}) \otimes \widehat{dd}(A_{j1}, A_{j2}) \otimes \ldots \otimes \widehat{dd}(A_{jn}, A_k)$, and $P_j : (A_i \to A_{j1} \to A_{j2} \to \ldots \to A_{jn} \to A_k)$.

¹ To avoid ambiguity, we will write "DD" to refer to total dependency between two assets separated by other intermediate assets, and "dd" when they are directly connected.
B) Otherwise, we assume that the first $r$ paths in $P$ are formed by assets (excluding $A_i$ and $A_k$) influenced by only one asset, and the remaining $s - r$ paths include at least one asset influenced by two or more assets. Then, for the $r$ first paths, we proceed as in A), and we denote by $S$ the set including the $s - r$ remaining paths. We proceed with $S$ as follows:

(i) Compute the set of non-terminal assets in $S$ influenced by two or more assets, denoted by $I$, and the subset of $I$ including assets uninfluenced by any other asset in $I$, denoted by $NI$.

(ii) We consider an asset $A_r$ in $NI$. Then, we simplify the paths in $S$ that include asset $A_r$, making $A_i \to A_r \to \ldots \to A_k$, with $\widehat{dd}(A_i, A_r) = \widehat{DD}(A_i, A_r)$ (computed as in A)).

(iii) Remove repeated paths from $S$ and keep only one instance.

(iv) Build $I$ and $NI$ again from $S$.

(v) If $NI$ is not empty, go to (ii). Otherwise, the algorithm finishes.

Let us denote the resulting set of paths by $S = \{P_1, \ldots, P_m\}$, with $m \le s - r$. Then, the degree of dependency of $A_k$ regarding $A_i$ is

$$\widehat{DD}(A_i, A_k) = \bigoplus_{j=1}^{r} \widehat{DD}(A_i, A_k \mid P_j) \;\oplus\; \bigoplus_{l=1}^{m} \widehat{DD}(A_i, A_k \mid P_l). \qquad (2)$$
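The path-based procedure above (Eq. (1) when every intermediate asset has a single influencer, and the merging steps (i)-(v) leading to Eq. (2) otherwise) can be run over a small dependency graph. The following Python is an added example, not code from the paper: it assumes trapezoidal fuzzy numbers as 4-tuples in [0, 1] with the ⊕/⊗ arithmetic of this section, a constructed five-asset graph, and that the $r$ untouched paths and the reduced set $S$ can be combined in a single ⊕ over the final path set, which is Eq. (2) written as one sum. It also evaluates Eq. (1) blindly over every path so the difference made by the merging step is visible.

```python
"""Fuzzy degree of dependency DD(A_i, A_k) over an asset dependency graph.
Added example (not the paper's code): (+)/(x) arithmetic of Section 2, Eq. (1)
for paths whose intermediate assets have one influencer, and the merging steps
(i)-(v) behind Eq. (2) otherwise. The five-asset graph at the end is constructed."""
from dataclasses import astuple, dataclass
from functools import reduce
from typing import Dict, List, Set, Tuple

Asset = str
Path = Tuple[Asset, ...]


@dataclass(frozen=True)
class TFN:
    """Trapezoidal fuzzy number (a, b, c, d) with 0 <= a <= b <= c <= d <= 1."""
    a: float
    b: float
    c: float
    d: float

    def oplus(self, other: "TFN") -> "TFN":
        """Component-wise probabilistic sum x + y - xy; stays inside [0, 1]."""
        return TFN(*(x + y - x * y for x, y in zip(astuple(self), astuple(other))))

    def otimes(self, other: "TFN") -> "TFN":
        """Component-wise product."""
        return TFN(*(x * y for x, y in zip(astuple(self), astuple(other))))


ZERO = TFN(0.0, 0.0, 0.0, 0.0)  # identity for oplus
ONE = TFN(1.0, 1.0, 1.0, 1.0)   # identity for otimes
Edges = Dict[Tuple[Asset, Asset], TFN]  # (A_i, A_j) -> dd(A_i, A_j)


def all_paths(edges: Edges, src: Asset, dst: Asset) -> List[Path]:
    """Every simple path src -> ... -> dst along the dependency edges."""
    succ: Dict[Asset, List[Asset]] = {}
    for u, v in edges:
        succ.setdefault(u, []).append(v)
    paths, stack = [], [(src,)]
    while stack:
        path = stack.pop()
        if path[-1] == dst:
            paths.append(path)
            continue
        stack.extend(path + (v,) for v in succ.get(path[-1], []) if v not in path)
    return sorted(paths)


def path_dd(edges: Edges, path: Path) -> TFN:
    """DD(A_i, A_k | P_j): (x)-product of the direct dependencies along one path."""
    return reduce(TFN.otimes, (edges[(u, v)] for u, v in zip(path, path[1:])), ONE)


def naive_dd(edges: Edges, src: Asset, dst: Asset) -> TFN:
    """Eq. (1) over every path, ignoring shared assets (correct only in case A)."""
    return reduce(TFN.oplus, (path_dd(edges, p) for p in all_paths(edges, src, dst)), ZERO)


def total_dd(edges: Edges, src: Asset, dst: Asset) -> TFN:
    """Eq. (2): collapse sub-paths that converge on a shared asset, then (+) the rest."""
    work = dict(edges)                  # working copy; gains edges src -> A_r
    paths = all_paths(work, src, dst)
    while True:
        preds: Dict[Asset, Set[Asset]] = {}
        for p in paths:
            for u, v in zip(p, p[1:]):
                preds.setdefault(v, set()).add(u)
        # I: intermediate assets influenced by two or more assets within the paths.
        merge = {v for v, ps in preds.items() if v != dst and len(ps) >= 2}
        if not merge:
            break                       # only single-influencer assets remain: case A
        # NI: members of I with no other member of I before them on any path.
        ni = {v for v in merge if not any(
            u in merge and u != v for p in paths if v in p for u in p[:p.index(v)])}
        a_r = sorted(ni)[0]
        # Prefixes src -> ... -> A_r contain no merge asset, so Eq. (1) yields
        # DD(src, A_r), which becomes the direct dependency dd(src, A_r).
        prefixes = {p[:p.index(a_r) + 1] for p in paths if a_r in p}
        work[(src, a_r)] = reduce(TFN.oplus, (path_dd(work, pre) for pre in prefixes), ZERO)
        # Rewrite every path through A_r as src -> A_r -> ... -> dst and drop repeats.
        paths = list(dict.fromkeys(
            (src,) + p[p.index(a_r):] if a_r in p else p for p in paths))
    return reduce(TFN.oplus, (path_dd(work, p) for p in paths), ZERO)


# Constructed graph: A1 influences A2 and A3, both influence A4, which influences A5.
EXAMPLE_EDGES: Edges = {
    ("A1", "A2"): TFN(0.5, 0.6, 0.7, 0.8),
    ("A1", "A3"): TFN(0.3, 0.4, 0.5, 0.6),
    ("A2", "A4"): TFN(0.8, 0.9, 1.0, 1.0),
    ("A3", "A4"): TFN(0.6, 0.7, 0.8, 0.9),
    ("A4", "A5"): TFN(0.5, 0.6, 0.7, 0.8),
}

if __name__ == "__main__":
    print("Eq. (1) over all paths:", astuple(naive_dd(EXAMPLE_EDGES, "A1", "A5")))
    print("Eq. (2) with merging  :", astuple(total_dd(EXAMPLE_EDGES, "A1", "A5")))
```

In the constructed graph the two paths from A1 to A5 share the edge A4 → A5, so applying Eq. (1) to both paths counts that edge twice and overstates the dependency; merging the two prefixes into DD(A1, A4) first, as step (ii) prescribes, removes the double count.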
Note that operations between trapezoidal fuzzy numbers representing linguistic terms from a set in [0, 1] will remain in [0, 1], and the results of these operations can be translated into one of the linguistic terms of the set by means of a similarity function. Furthermore, the operation is consistent with the methodologies established for risk analysis and management in IS, allowing computations in probabilistic terms.
3 FUZZY VALUATION OF ASSETS

MAGERIT defines the value of an asset as the losses that would be sustained if the respective asset is no longer available. These can be losses of money, user confidence, organizational prestige... Assets are usually evaluated taking into account the following five components (López Crespo et al., 2006a, 2006b, 2006c):
Confidentiality. How much damage would it cause if the asset is disclosed to someone it should not be? This is a typical data inspection.

Integrity. How much damage would it cause if the asset is damaged or corrupt? This is a typical data inspection. Data can be manipulated, be wholly or partially false, or even missing.

Authenticity. How much damage would it cause if we do not know exactly who has done what? This is a typical services (user authentication) and data (authenticity of the person accessing data to write or read) inspection.

Traceability. How much damage would it cause if it is not known for whom the service is being provided, i.e. who does what and when? How much damage would it cause if it is not known who accessed what data and what they did with them?

Availability. How much damage would it cause if the asset is not available or cannot be used? This is a typical services inspection.
Only the terminal assets have an associated value for the above components. The other assets accumulate value from terminal assets on the basis of dependency relationships. We again use the set of linguistic terms that represent trapezoidal fuzzy numbers to represent uncertainty when valuating the terminal assets.

Let us denote the value of asset $A_j$ by $\tilde{v}_j = (\tilde{v}_j^{(1)}, \tilde{v}_j^{(2)}, \tilde{v}_j^{(3)}, \tilde{v}_j^{(4)}, \tilde{v}_j^{(5)})$, where $\tilde{v}_j^{(i)}$ is a linguistic term assigned by an expert for the $i$th value component in asset $A_j$. If we denote by $TAS$ the terminal asset set, then the value of asset $A_j$ with respect to terminal assets is:

$$\tilde{v}_j^{(l)} = \bigoplus_{A_k \in TAS} \left( \widehat{DD}(A_j, A_k) \otimes \tilde{v}_k^{(l)} \right).$$
4 THREATS

Next, we assess threats and estimate indicators of the impact on and risk to assets. A threat is an event that can trigger an incident in our organization, causing material or intangible damage or loss to the assets, and an attack is any deliberate action aimed at violating the IS security mechanisms. MAGERIT suggests two threat assessment measures: degradation, the damage that the threat can cause to the asset, and frequency, how often the threat materializes.

We will again use fuzzy linguistic terms rather than percentages and probabilities to represent degradation and frequency. A threat is a vector $\tilde{u} = (\tilde{D}, \tilde{f})$ whose components are degradation and frequency. Note that the degradation has to be established for each of the five asset components described in the previous section, $\tilde{D} = (\tilde{d}_1, \tilde{d}_2, \tilde{d}_3, \tilde{d}_4, \tilde{d}_5)$, i.e., the threat causes a degradation $\tilde{d}_i$ in the $i$th component of the asset.
Let us consider a threat on the asset $A_j$. When the threat is realized, each component is affected by the expression

$$\tilde{I}_j^{(i)} = \tilde{d}_i \otimes \tilde{v}_j^{(i)}, \qquad (3)$$

where $\tilde{I}_j^{(i)}$ is the impact on the $i$th component of the attacked asset ($A_j$).

We use Eq. (4) below to compute the risk to the attacked asset

$$\tilde{R}_j^{(i)} = \tilde{I}_j^{(i)} \otimes \tilde{f}. \qquad (4)$$
After computing the impact caused by a materialized threat on an asset, we can compute the impact transmitted from the attacked asset to its dependent assets. If $A_j$ is the asset on which the threat has materialized and the degree of dependency of $A_j$ with respect to $A_k$ is $\widehat{DD}(A_k, A_j)$, then the attack on asset $A_j$ has an impact on $A_k$ of

$$\tilde{I}_k^{(i)} = \widehat{DD}(A_k, A_j) \otimes \tilde{d}_i \otimes \tilde{v}_j^{(i)}.$$

Thus, the risk to asset $A_k$ is

$$\tilde{R}_k^{(i)} = \tilde{I}_k^{(i)} \otimes \tilde{f} = \widehat{DD}(A_k, A_j) \otimes \tilde{d}_i \otimes \tilde{v}_j^{(i)} \otimes \tilde{f}. \qquad (5)$$
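The valuation of Section 3 and the impact and risk indicators of Eqs. (3)-(5) reduce to component-wise ⊗ and ⊕ operations. The following Python is an added example, not the paper's code: it accumulates five-component values for a supporting asset from two terminal assets, then computes the impact and risk of a threat on that asset and the impact transmitted to a related asset, taking the total dependency degree as a given input exactly as Eq. (5) writes it. The asset names, linguistic terms, dependency degrees and threat parameters are constructed, and the DD values are assumed to have been computed beforehand with the Section 2 procedure.

```python
"""Fuzzy asset valuation (Section 3) and threat impact/risk (Section 4).
Added example, not the paper's code; all asset names, linguistic terms,
dependency degrees and threat parameters below are constructed."""
from typing import Dict, Tuple

TFN = Tuple[float, float, float, float]
FiveVec = Tuple[TFN, TFN, TFN, TFN, TFN]   # one TFN per value component

COMPONENTS = ("confidentiality", "integrity", "authenticity",
              "traceability", "availability")


def oplus(x: TFN, y: TFN) -> TFN:
    """Probabilistic sum, component-wise (Section 2)."""
    return tuple(p + q - p * q for p, q in zip(x, y))


def otimes(x: TFN, y: TFN) -> TFN:
    """Product, component-wise (Section 2)."""
    return tuple(p * q for p, q in zip(x, y))


ZERO: TFN = (0.0, 0.0, 0.0, 0.0)

# Constructed linguistic terms, reused for values, dependencies, degradation and frequency.
LOW: TFN = (0.1, 0.2, 0.3, 0.4)
MEDIUM: TFN = (0.4, 0.5, 0.5, 0.6)
HIGH: TFN = (0.6, 0.7, 0.8, 0.9)
VERY_HIGH: TFN = (0.8, 0.9, 1.0, 1.0)

# Terminal assets (TAS) with expert-assigned values for the five components.
TERMINAL_VALUES: Dict[str, FiveVec] = {
    "customer_db": (VERY_HIGH, HIGH, HIGH, MEDIUM, HIGH),
    "web_service": (LOW, MEDIUM, HIGH, HIGH, VERY_HIGH),
}

# Total dependencies DD(A_j, A_k) of each terminal A_k on a supporting asset A_j,
# assumed already computed with the Section 2 procedure (constructed values).
DD: Dict[Tuple[str, str], TFN] = {
    ("db_server", "customer_db"): HIGH,
    ("db_server", "web_service"): MEDIUM,
    ("network_switch", "customer_db"): MEDIUM,
    ("network_switch", "web_service"): HIGH,
}


def accumulated_value(asset: str, dd: Dict[Tuple[str, str], TFN],
                      terminal_values: Dict[str, FiveVec]) -> FiveVec:
    """Section 3: v_j^(l) = (+)_{A_k in TAS} DD(A_j, A_k) (x) v_k^(l), for l = 1..5."""
    value = []
    for l in range(5):
        acc = ZERO
        for (a_j, a_k), dep in dd.items():
            if a_j == asset and a_k in terminal_values:
                acc = oplus(acc, otimes(dep, terminal_values[a_k][l]))
        value.append(acc)
    return tuple(value)


def impact(degradation: FiveVec, value: FiveVec) -> FiveVec:
    """Eq. (3): I_j^(i) = d_i (x) v_j^(i)."""
    return tuple(otimes(d, v) for d, v in zip(degradation, value))


def risk(impact_vec: FiveVec, frequency: TFN) -> FiveVec:
    """Eq. (4): R_j^(i) = I_j^(i) (x) f."""
    return tuple(otimes(i, frequency) for i in impact_vec)


def transmitted_impact(dd_k_j: TFN, degradation: FiveVec, value_j: FiveVec) -> FiveVec:
    """Impact on a related asset A_k: DD(A_k, A_j) (x) d_i (x) v_j^(i), with the
    dependency degree supplied by the caller as in Eq. (5)."""
    return tuple(otimes(dd_k_j, otimes(d, v)) for d, v in zip(degradation, value_j))


if __name__ == "__main__":
    # Constructed threat on the database server: strong degradation of
    # confidentiality and availability, materializing with medium frequency.
    degradation: FiveVec = (HIGH, MEDIUM, LOW, LOW, VERY_HIGH)
    frequency: TFN = MEDIUM
    v_server = accumulated_value("db_server", DD, TERMINAL_VALUES)
    i_server = impact(degradation, v_server)
    r_server = risk(i_server, frequency)
    for name, v, i, r in zip(COMPONENTS, v_server, i_server, r_server):
        print(f"{name:16s} value={tuple(round(c, 3) for c in v)} "
              f"impact={tuple(round(c, 3) for c in i)} risk={tuple(round(c, 3) for c in r)}")
    print("transmitted:", [tuple(round(c, 3) for c in t)
                           for t in transmitted_impact(MEDIUM, degradation, v_server)])
```

Because both ⊗ and ⊕ keep every component inside [0, 1], the resulting value, impact and risk vectors can be mapped back to the linguistic term set with the similarity function of Section 5.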
5 SIMILARITY FUNCTION

A similarity function is required to associate the resulting trapezoidal fuzzy number with an element in the linguistic term set. This function can also be used at any step of the methodology to derive the linguistic terms associated with the respective trapezoidal fuzzy numbers output to represent dependencies, accumulated values...

Several authors have proposed different similarity functions, which are based on the centroid of a fuzzy number and the distance between the components of the fuzzy numbers, see (Lee, 1999; Chen and Chen, 2001, 2007). Finally, a more recent similarity function was proposed in (Xu et al., 2010) and compared with the proposal reported in (Chen and Chen, 2007).

We use the function proposed in Vicente, Mateos and Jiménez (2012), which considers another parameter consisting of the ratio between the common area and the joint area under the membership functions of the trapezoidal fuzzy numbers. Moreover, we use the distance $l_\infty$ between centroids, since the use of distances with non-rectangular spheres is inconsistent with the intuitive perception of similarity.
ICORES2013-InternationalConferenceonOperationsResearchandEnterpriseSystems
330
Given $\tilde{A}$ and $\tilde{B}$, the similarity function can be defined as

$$S(\tilde{A}, \tilde{B}) = 1 - w_1 \left[ 1 - \frac{\int_0^1 \mu_{\tilde{A} \cap \tilde{B}}(x)\,dx}{\int_0^1 \mu_{\tilde{A} \cup \tilde{B}}(x)\,dx} \right] - w_2 \frac{\sum_{i=1}^{4} |a_i - b_i|}{4} - w_3\, l_\infty\big[(X_{\tilde{A}}, Y_{\tilde{A}}), (X_{\tilde{B}}, Y_{\tilde{B}})\big],$$

where $w_1 + w_2 + w_3 = 1$, $(X_{\tilde{A}}, Y_{\tilde{A}})$ and $(X_{\tilde{B}}, Y_{\tilde{B}})$ are the centroids of $\tilde{A}$ and $\tilde{B}$, respectively, i.e.

$$X_{\tilde{A}} = Y_{\tilde{A}}(a_3 + a_2) + (1 - Y_{\tilde{A}})(a_4 + a_1) \quad \text{and} \quad Y_{\tilde{A}} = \begin{cases} \dfrac{\frac{a_3 - a_2}{a_4 - a_1} + 2}{6}, & \text{if } a_4 - a_1 \neq 0, \\[6pt] \dfrac{1}{2}, & \text{if } a_4 - a_1 = 0, \end{cases}$$

$\mu_\chi$ is the membership function of $\chi$,

$$\mu_{\tilde{A} \cap \tilde{B}}(x) = \min\{\mu_{\tilde{A}}(x), \mu_{\tilde{B}}(x)\}, \qquad \mu_{\tilde{A} \cup \tilde{B}}(x) = \max\{\mu_{\tilde{A}}(x), \mu_{\tilde{B}}(x)\}, \qquad 0 \le x \le 1,$$

and

$$l_\infty((x_1, y_1), (x_2, y_2)) = \max\{|x_1 - x_2|, |y_1 - y_2|\}.$$
Note that $w_1$, $w_2$ and $w_3$ represent the relative importance of the three elements considered in the similarity function. Analysts will assign the values that best fit their own model.
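As an added example (not code from the paper or from Vicente, Mateos and Jiménez (2012)), the following Python evaluates $S(\tilde{A}, \tilde{B})$ as defined above and uses it to map a computed trapezoidal fuzzy number back to a linguistic term. The common and joint areas are integrated exactly: both membership functions are piecewise linear, so their min and max are integrated on a partition refined at the crossing points. The centroid ordinate $Y$ follows the formula above; for the abscissa the example uses the Chen and Chen (2007) form with a factor $1/2$, $X = [Y(a_3 + a_2) + (1 - Y)(a_4 + a_1)]/2$, so that $X$ lies inside the support of the number. The linguistic term set, the equal weights, and the convention that two zero-area (crisp) numbers have area ratio 1 only when they coincide are assumptions of the example.

```python
"""Similarity between trapezoidal fuzzy numbers and mapping back to a linguistic
term set. Added example; the term set, weights and test numbers are constructed."""
from typing import Dict, Tuple

TFN = Tuple[float, float, float, float]  # (a1, a2, a3, a4), all in [0, 1]

# Constructed linguistic term set; an analyst would supply their own.
TERMS: Dict[str, TFN] = {
    "Very Low": (0.0, 0.0, 0.1, 0.2),
    "Low": (0.1, 0.2, 0.3, 0.4),
    "Medium": (0.4, 0.5, 0.5, 0.6),
    "High": (0.6, 0.7, 0.8, 0.9),
    "Very High": (0.8, 0.9, 1.0, 1.0),
}


def membership(t: TFN, x: float) -> float:
    """Trapezoidal membership function mu_t(x)."""
    a1, a2, a3, a4 = t
    if x < a1 or x > a4:
        return 0.0
    if a2 <= x <= a3:
        return 1.0
    if x < a2:                      # rising edge, a1 < x < a2
        return (x - a1) / (a2 - a1)
    return (a4 - x) / (a4 - a3)     # falling edge, a3 < x <= a4


def _line_on(t: TFN, x0: float, x1: float) -> Tuple[float, float]:
    """Slope and intercept of mu_t on the open interval (x0, x1), where it is linear."""
    p, q = x0 + (x1 - x0) / 4, x0 + 3 * (x1 - x0) / 4
    fp, fq = membership(t, p), membership(t, q)
    slope = (fq - fp) / (q - p)
    return slope, fp - slope * p


def overlap_areas(t1: TFN, t2: TFN) -> Tuple[float, float]:
    """Exact integrals over [0, 1] of min (common area) and max (joint area)."""
    points = sorted(set(t1) | set(t2) | {0.0, 1.0})   # kinks of both memberships
    common = joint = 0.0
    for x0, x1 in zip(points, points[1:]):
        (m1, k1), (m2, k2) = _line_on(t1, x0, x1), _line_on(t2, x0, x1)
        cuts = [x0, x1]
        if m1 != m2:                 # the two lines may cross inside the interval
            xc = (k2 - k1) / (m1 - m2)
            if x0 < xc < x1:
                cuts.insert(1, xc)
        for u, v in zip(cuts, cuts[1:]):
            # min/max are linear on each piece: area = width * value at the midpoint
            mid = (u + v) / 2
            y1, y2 = m1 * mid + k1, m2 * mid + k2
            common += min(y1, y2) * (v - u)
            joint += max(y1, y2) * (v - u)
    return common, joint


def centroid(t: TFN) -> Tuple[float, float]:
    """Centroid (X, Y); Y as in the paper, X with the 1/2 factor of Chen and Chen (2007)."""
    a1, a2, a3, a4 = t
    y = 0.5 if a4 - a1 == 0 else ((a3 - a2) / (a4 - a1) + 2) / 6
    x = (y * (a3 + a2) + (1 - y) * (a4 + a1)) / 2
    return x, y


def similarity(t1: TFN, t2: TFN, w: Tuple[float, float, float] = (1/3, 1/3, 1/3)) -> float:
    """S = 1 - w1 (1 - common/joint) - w2 sum|a_i - b_i| / 4 - w3 l_inf(centroids)."""
    w1, w2, w3 = w
    common, joint = overlap_areas(t1, t2)
    # Example's convention: crisp numbers (zero area) fully overlap only if equal.
    ratio = common / joint if joint > 0 else (1.0 if t1 == t2 else 0.0)
    spread = sum(abs(p - q) for p, q in zip(t1, t2)) / 4
    (x1, y1), (x2, y2) = centroid(t1), centroid(t2)
    dist = max(abs(x1 - x2), abs(y1 - y2))
    return 1 - w1 * (1 - ratio) - w2 * spread - w3 * dist


def nearest_term(t: TFN, terms: Dict[str, TFN] = TERMS) -> str:
    """Linguistic term whose fuzzy number is most similar to t."""
    return max(terms, key=lambda name: similarity(t, terms[name]))


if __name__ == "__main__":
    computed = (0.62, 0.72, 0.78, 0.88)   # constructed, e.g. an accumulated dependency
    for name, term in TERMS.items():
        print(f"{name:9s} S = {similarity(computed, term):.3f}")
    print("nearest term:", nearest_term(computed))
```

With equal weights, two disjoint terms such as Low and High still score 1/3 rather than 0, because the spread and centroid terms each contribute a bounded penalty; analysts who want disjoint numbers to score near zero would raise $w_1$.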
6 CONCLUSIONS
We have developed a fuzzy risk analysis model for information systems that conforms to international standards, particularly the MAGERIT methodology. The model is an improvement on this and other existing methodologies since it includes uncertainty about the assessments by means of linguistic terms, which have associated trapezoidal fuzzy numbers. The proposed methodology makes computations on the basis of trapezoidal fuzzy numbers to accumulate dependencies between assets and asset valuations and to determine impacts and risk from the threat degradation and frequency, respectively. Moreover, similarity functions can be used at any step in the methodology to derive a linguistic term for the trapezoidal fuzzy number output.
ACKNOWLEDGEMENTS
The paper was supported by Madrid Regional Government project S-2009/ESP-1685 and the Spanish Ministry of Science and Innovation project MTM2011-28983-C03-03.
REFERENCES
Alberts, C. and Dorofee, A. (2005). OCTAVE-S Method Implementation Guide Version 2.0. Pittsburgh: Carnegie Mellon University.
Chen, S.-J. and Chen, S.-M. (2001). A New Method to Measure the Similarity between Fuzzy Numbers. Proceedings of the 10th IEEE International Conference on Fuzzy Systems, 208-214.
Chen, S.-J. and Chen, S.-M. (2007). Fuzzy Risk Analysis Based on the Ranking of Generalized Trapezoidal Fuzzy Numbers. Applied Intelligence, 26, 1-11.
CCTA (2003). CCTA Risk Analysis and Management Method (CRAMM), Version 5.0. London: Central Computing and Telecommunications Agency.
ISO/IEC (2005). ISO/IEC 17799:2005, Information technology - Security techniques - Code of practice for information security management. Geneva: International Organization for Standardization.
ISO/IEC (2011). ISO/IEC 27005:2011, Information technology - Security techniques - Information security risk management. Geneva: International Organization for Standardization.
Lee, H.S. (1999). An Optimal Aggregation Method for Fuzzy Opinions of Group Decision. Proceedings of the 1999 IEEE International Conference on Systems, Man and Cybernetics, 314-319.
López Crespo, F., Amutio-Gómez, M.A., Candau, J. and Mañas, J.A. (2006a). Methodology for Information Systems Risk Analysis and Management (MAGERIT version 2). Book I - The Method. Madrid: Ministerio de Administraciones Públicas.
López Crespo, F., Amutio-Gómez, M.A., Candau, J. and Mañas, J.A. (2006b). Methodology for Information Systems Risk Analysis and Management (MAGERIT version 2). Book II - Catalogue of Elements. Madrid: Ministerio de Administraciones Públicas.
López Crespo, F., Amutio-Gómez, M.A., Candau, J. and Mañas, J.A. (2006c). Methodology for Information Systems Risk Analysis and Management (MAGERIT version 2). Book III - The Techniques. Madrid: Ministerio de Administraciones Públicas.
CSIF (2010). Mehari 2010 - Risk Analysis and Treatment Guide. Paris: Club de la Sécurité de l'Information Français.
Stoneburner, G. and Goguen, A. (2002). NIST 800-30 Risk Management Guide for Information Technology Systems. Gaithersburg: National Institute of Standards and Technology.
Vicente, E., Mateos, A. and Jiménez, A. (2012). A New Similarity Measure of Trapezoidal Fuzzy Numbers. Expert Systems with Applications, under review.
Xu, Z., Shang, S., Qian, W. and Shu, W. (2010). A Method for Fuzzy Risk Analysis based on the New Similarity of Trapezoidal Fuzzy Numbers. Expert Systems with Applications, 37, 1920-1927.
AFuzzyApproachtoRiskAnalysisinInformationSystems
331