A hybrid information security risk assessment procedure considering interdependences between controls

► Risk assessment and prevention is essential for information systems to ensure information security and system functions; however, it is hard to identify and apply corrective measures to complex and interrelated critical risk factors that information systems are exposed to. ► In this paper, a hybri...

Full description

Saved in:
Bibliographic Details
Published in:Expert systems with applications 2012, Vol.39 (1), p.247-257
Main Authors: Lo, Chi-Chun, Chen, Wan-Jia
Format: Article
Language:English
Subjects:
Analytic Network Process (ANP)
Computer information security
Control equipment
Decision Making Trial and Evaluation Laboratory (DEMATEL)
Fuzzy
Fuzzy linguistic quantifiers
Information security
Information systems
Maximum entropy method
Order Weighted Averaging (OWA) operator
Organizations
Risk
Risk assessment
Risk levels
Citations: Items that this one cites
Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:► Risk assessment and prevention is essential for information systems to ensure information security and system functions; however, it is hard to identify and apply corrective measures to complex and interrelated critical risk factors that information systems are exposed to. ► In this paper, a hybrid procedure for evaluating risk levels is proposed where Decision Making Trial and Evaluation Laboratory (DEMATEL), Analytic Network Process (ANP) and Fuzzy Linguistic Quantifiers-guided Maximum Entropy Order-Weighted averaging (FLQ-MEOWA) methods are used to detect and rank interrelated influential factors amongst security control areas. ► A real world case was examined to verify the proposed procedure and results were successful where it certainly detected influential factors among security control areas and evaluated risk levels accurately by coping with interdependencies to determine required safeguards against threats for organizations. Risk assessment is the core process of information security risk management. Organizations use risk assessment to determine the risks within an information system and provide sufficient means to reduce these risks. In this paper, a hybrid procedure for evaluating risk levels of information security under various security controls is proposed. First, this procedure applies the Decision Making Trial and Evaluation Laboratory (DEMATEL) approach to construct interrelations among security control areas. Secondly, likelihood ratings are obtained through the Analytic Network Process (ANP) method; as a result, the proposed procedure can detect the interdependences and feedback between security control families and function in real world situations. Lastly, the Fuzzy Linguistic Quantifiers-guided Maximum Entropy Order-Weighted averaging (FLQ-MEOWA) operator is used to aggregate impact values assessed by experts, applied to diminish the influence of extreme evaluations such as personal views and drastic perspectives. A real world application in a branch office of the health insurance institute in Taiwan was examined to verify the proposed procedure. By analyzing the acquired data, we confirm the proposed procedure certainly detects the influential factors among security control areas. This procedure also evaluates risk levels more accurately by coping with the interdependencies among security control families and determines the information systems safeguards required for better security, therefore enabling organizations to accomplish
ISSN:0957-4174
1873-6793
DOI:10.1016/j.eswa.2011.07.015