=Paper=
{{Paper
|id=Vol-2081/paper05
|storemode=property
|title=Comprehensive Approach to Information Security Risk Management
|pdfUrl=https://ceur-ws.org/Vol-2081/paper05.pdf
|volume=Vol-2081
|authors=Tatyana I. Buldakova,Dmitrii A. Mikov
}}
==Comprehensive Approach to Information Security Risk Management==
https://ceur-ws.org/Vol-2081/paper05.pdf
Comprehensive Approach to Information Security
Risk Management
Tatyana I. Buldakova, Dmitrii A. Mikov
Information Security Department
Bauman Moscow State Technical University
Moscow, Russian Federation
buldakova@bmstu.ru; mikovda@yandex.ru
Abstract—Information security risk management as Each stage of information security risk management must
important process of data protection in automated systems has be realized by different methods and tools, which are the most
been presented. Such criteria as estimates consistency and effective for this particular stage. So, the main research
adequacy, adaptability to qualitative data, assessment direction in the field of information security risk management
subjectivity and uncertainty, risk sensitivity, which influence risk should be focused on the selection of such methods, which
management effectiveness, have been identified. A task of maximally satisfy the needs of different stages of the process
integrated methodology development has been formalized in [4].
accordance with presented criteria. A structural model of
comprehensive methodology, which displays its components and Investigation of qualitative, quantitative and semi-
relationships between them, has been designed as a flowchart. A qualitative information security risk management methods,
method for drawing up the risk factors list, including such as hazard and operability study (HAZOP) [5], layer of
information security threats, potentially possible damage, protection analysis (LOPA), preliminary hazard analysis
automated system vulnerabilities, based on IDEF0 modeling, has (PHA), allows to find main disadvantages and formulate a set
been proposed. An original expert survey method, which of effectiveness criteria for a comprehensive approach:
provides compliance with the requirements of consistency and
adequacy maximization for risk factors assessment, has been a(yk) = [0; 1] – consistency of risk factors estimates by
suggested. A neuro-fuzzy network based on Takagi-Sugeno-Kang method yk;
model for information security risk calculation from risk factors
assessment has been developed in MATLAB. A countermeasures b(yk) = [0; 1] – adequacy of risk factors estimates by
choice method based on game theory criteria has been illustrated. method yk;
Keywords—information security risk management; estimates
c(yk) = [0; 1] – adaptability of method yk to qualitative
consistency; estimates adequacy; adaptability to qualitative data; data;
risk assessment subjectivity; risk assessment uncertainty; risk d(yk) = [0; 1] – subjectivity of risk assessment by
sensitivity; model IDEF0; expert survey; neuro-fuzzy network; method yk;
game theory criteria
e(yk) = [0; 1] – uncertainty of risk assessment by
I. INTRODUCTION method yk (lack of accurate knowledge about the
status of all risk factors in the system and fuzzy risk
Reliability of functioning of automated systems mostly classification in the conditions of the particular system
depends on ensuring their information security. Therefore, functioning);
based on the specifics of automated systems, companies
develop and implement a corresponding set of activities to f – risk sensitivity (uneven influence of various risk
manage information security. An important component of this factors on the level of risk in certain conditions);
process is information security risk management (e.g. [1-3]).
The set of requirements to effectiveness criteria for a
Information security risk management consists of: comprehensive information security risk management
methodology is as in (1) and (2)
drawing up the risk factors list (information security
threats, potentially possible damage, automated
system vulnerabilities); a(yk) × b(yk) × c(yk) → max
expert survey for risk factors assessment;
risk level calculation, based on risk factors estimates; d(yk) × e(yk) → min
choice of the countermeasures for reducing the risk to
acceptable level.
21
� Practical investigation allows to develop a comprehensive feedbacks.
information security risk management methodology based on
presented set of effectiveness criteria (Fig. 1). Based on the characteristics of information security risk
management, it is necessary to have risk factors in the IDEF0-
model according to a set of principles (Fig. 2).
Fig. 2. The principle of risk factors location in the IDEF0 model
When countermeasures are choosing and adding to the
IDEF0 model, it is necessary understand that their list is
preliminary, as the identified risk factors have not been
evaluated yet by the expert group. Therefore, it is impossible to
make an unambiguous conclusion about the degree of their
impact on found threats and vulnerabilities. After risk factors
assessment and subsequently calculating the level of risk, when
all quantities acquire numerical values, the list of
countermeasures can be adjusted [10]. Therefore,
Fig. 1. Comprehensive methodology for information security risk management corresponding changes in the IDEF0-model are inevitable after
the implementation of further stages of management [11].
II. DRAWING UP THE RISK FACTORS LIST USING IDEF0
III. EXPERT SURVEY FOR RISK FACTORS ASSESSMENT
The initial stage of information security risk management is
the identification of risk factors (threats, possible damage, To ensure the consistency and adequacy of expert opinions
vulnerabilities) [4, 6, 7]. The solution of this problem is in assessment of risk factors from the list compiled with the
connected with the automated system modeling and the IDEF0 model, a special method of expert interview has been
investigation of the circulating information flows [8, 9]. developed. Assessment of threats, potentially possible damage
Comparative analysis of the ARIS, IDEF0, IDEF3, UML and vulnerabilities must be performed by the expert group in
methodologies showed that IDEF0 takes into account and accordance with (3), (4) and (5):
displays all necessary elements:
input documents and data; xij1 = kij1 × pij1 × fij1
output documents and data;
persons, who implements processes; xij2 = kij2 × pij2 × fij2
used tools;
control actions over the processes implementation; xij3 = kij3 × pij3 × fij3
22
� where: The linear constraint system of inequalities reduces to the
optimization problem of linear programming and can be solved
xij1 – threat estimate; using the simplex method [12].
kij1 ϵ [0; 10] – threat power;
pij1 ϵ [0; 1] – probability of threat realization; IV. NEURO-FUZZY NETWORK FOR RISK LEVEL ASSESSMENT
It is necessary to use a method that is adaptive to qualitative
fij1 ϵ [0; 1] – risk sensitivity to threat assessment;
data (c(yk)), minimizes subjectivity (d(yk)) and uncertainty
xij2 – potentially possible damage estimate; (e(yk)) of estimates and takes into account risk sensitivity to
various factors (f).
kij2 ϵ [0; 10] – asset value;
A comparative analysis of the approaches, based on
pij2 ϵ [0; 1] – probability of the highest damage; machine learning [13-15], soft calculations [16-18] and hybrid
fij2 ϵ [0; 1] – risk sensitivity to damage assessment; models [19, 20], showed the following results (Table I).
xij3 – vulnerability estimate;
TABLE I. COMPARATIVE ANALYSIS OF RISK ASSESSMENT APPROACHES
kij3 ϵ [0; 10] – vulnerability degree;
Effectiveness criteria values
pij3 ϵ [0; 1] – probability of vulnerability exploit; Methods c(yk) d(yk) e(yk) f
fij3 ϵ [0; 1] – risk sensitivity to vulnerability assessment; (max) (min) (min) (max)
i = {1, 2, ..., m} – experts; Bayesian networks 0,7 0,4 0,3 0,75
j = {1, 2, ..., n} – risk factors from the list. Genetic algorithms 0,3 0,5 0,85 0,35
Artificial neural networks 0,5 0,3 0,2 0,8
Cognitive maps
The consistency (a(yk)) of estimates is provided by 0,4 0,5 0,25 0,45
calculating the concordance coefficient W using (6), (7), (8), Support vector machine 0,2 0,3 0,65 0,45
(9): Analytic hierarchy process 0,8 0,5 0,2 0,55
Fuzzy systems 0,7 0,5 0,2 0,8
xj = ∑xij
Rough sets 0,35 0,5 0,55 0,3
Grey sets 0,35 0,5 0,55 0,3
x = 1/n × ∑xij Fuzzy measure theory 0,4 0,5 0,55 0,6
Neuro-fuzzy networks 0,7 0,3 0,2 0,8
S = ∑(xj - x) 2
Neural networks based on genetic
0,5 0,3 0,2 0,8
algorithms
Fuzzy Bayesian networks 0,7 0,4 0,2 0,8
2 3
W = 12S/(m (n - n)) Fuzzy hierarchy models 0,8 0,5 0,2 0,8
Then it is necessary to screen out extreme scores using an
algorithm based on the verbal-numeric Margolin and
Harrington scales (Fig. 1). The adequacy (b(yk)) of overall
threat (x1), potentially possible damage (x2) and vulnerability The results of the comparative analysis show that neuro-
(x3) estimates is provided by maximization of the objective fuzzy networks have the best effectiveness criteria values.
function (10): Therefore, a neuro-fuzzy network is chosen as a risk
assessment tool, which calculates risk level using three input
F(x) = x1 + x2 + x3 → max risk factors values received in the previous stage.
The realized neuro-fuzzy network is transformed from
It is necessary to construct a linear constraint system of Takagi-Sugeno-Kang fuzzy model and contains five layers:
inequalities (11) containing the number of remaining estimates fuzzification, aggregation, activation, accumulation,
of threats (ai1), potentially possible damage (ai2) and defuzzification (Fig. 3).
vulnerabilities (ai3) for each expert, and the sum of each expert
estimates (bi):
ai1 × x1 + ai2 × x2 + ai3 × x3 ≤ bi
23
� TABLE II. RISK ASSESSMENT SCALE
Risk level Description
Negligibly low (0) Risk can be neglected
If the information is regarded as a very low risk, it
is necessary to determine whether there is a need
Very low (0,125)
for corrective actions, or there is a possibility to
take this risk
The risk level allows to work, but there are
Low (0,25)
prerequisites for a malfunction
Below average It is necessary to develop and apply a corrective
(0,375) action plan within an acceptable period of time
The risk level does not allow to work stably, there
Average (0,5) is an urgent need for corrective actions that change
the mode of work towards reducing the risk
The system can continue to work, but the
Above average
corrective action plan must be applied as quickly as
(0,625)
possible
The risk level is such that business processes are in
High (0,75)
an unstable state
Fig. 3. Neuro-fuzzy network structure It is necessary to take measures to reduce the risk
Very high (0,875)
immediately
The risk level is very high and unacceptable for the
Characteristics of the neuro-fuzzy network: organization, which requires discontinuing the
Critical (1)
system operation and taking radical measures to
structure – five-layered neuro-fuzzy network: reduce the risk
fuzzy model type – Takagi-Sugeno-Kang;
three input variables – threat, damage, vulnerability;
five fuzzy sets for input variables – very low, low,
medium, high, very high;
trapezoidal membership function for input variables
(Fig. 4);
one output variable – information security risk level;
nine values for output variable – negligibly low (0),
very low (0,125), low (0,25), below average (0,375);
average (0,5), above average (0,625), high (0,75),
very high (0,875), critical (1);
conjunction – algebraic product method; Fig. 4. Input membership function in MATLAB
disjunction – algebraic sum method;
V. CHOICE OF THE COUNTERMEASURES
defuzzification – weighted average method. The developed method of the countermeasures choice is
A verbal-numerical risk assessment scale, based on nine based on the above expert survey method, but uses the game
initially specified values of the output variable, has been theory criteria for searching the optimal economic strategy.
developed. The scale allows to interpret the risk level obtained There are three possible criteria – Wald’s maximin model,
at the output in the form of a numerical index (Table II). Hurwicz criteria and Minimax regret [21].
If the neuro-fuzzy network shows that the risk level is Wald’s maximin model is aimed at minimizing the loss or
unacceptable, it is necessary to select the appropriate guaranteed minimal result. The minimal impact of each
countermeasures to reduce it. countermeasure on any risk factor is determined, after that the
countermeasure with the maximal smallest influence is chosen.
It is the lower price of the game.
24
� Hurwicz criteria is based on the choice of the pessimism vd – cost of potentially possible damage (budget for the
indicator in the range from 0 to 1. If the pessimism indicator is countermeasures implementation).
maximal (equal to 1), Hurwicz criteria corresponds to Wald’s
maximin model, realizing a pessimistic strategy. The minimal Each expert needs to subtract his estimates of the
pessimism indicator (equal to 0) should not be chosen, because countermeasures impact (cija, cijp) on risk factors from his
the optimistic strategy is focused on maximizing the project's earlier estimates (xij1, xij2, xij3) as (13), (14) and (15):
result, so the risk associated with unfavorable development of
the external environment is not taken into account. Hurwicz x*ij1 = xij1 - cija
criteria is the most flexible of all methods of the game theory,
because it allows to compare several optimistic and pessimistic
scenarios. The disadvantage is the subjectivity of the x*ij2 = xij2 - cija - cijp
pessimism indicator choice by the researcher or the person
making the decision.
Minimax regret is based on a matrix of regrets, made up of x*ij3 = xij3 - cijp
a matrix of strategies. Regrets are a lost result with a
suboptimal strategy for each current state of the automated Finally, the neuro-fuzzy network calculates the residual risk
system. At first the maximal impact on each risk factor among level after the countermeasures implementation.
all countermeasures is determined. Further, lost results of all
countermeasures are calculated, then the regression matrix is
VI. CONCLUSION
compiled, where the maximal ineffective result of each
countermeasure is determined. The countermeasure with the The developed comprehensive information security risk
smallest maximal lost result is selected. management methodology meets the required effectiveness
criteria, has a complex and branched structure and represents a
Each expert should complete two copies of the matrix of set of methods and models used to implement various stages of
strategies (Table III) – for active countermeasures impact (cija) management. The methodology is based on the joint use and
that reduces threats and damage, and for passive interaction of IDEF0 model, expert survey, neuro-fuzzy
countermeasures impact (cijp) that reduces vulnerabilities and network, methods of game theory and allows the most effective
damage. implementation of drawing up risk factors list, risk factors
assessment, risk level calculation and countermeasures choice.
TABLE III. THE MATRIX OF STRATEGIES
Cost of REFERENCES
b1 b2 ... bn
countermeasures [1] Kostogryzov A., Krylov V., Nistratov A., Nistratov G., Popov V.,
a1 = v1 c11 c12 ... c1n Stepanov P. Mathematical models and applicable technologies to
forecast, analyze, and optimize quality and risks for complex systems. In
a2 = v2 c21 c22 ... c2n Proceedings of the First International Conference on Transportation
Information and Safety (ICTIS), ASCE, 2011, pp. 845 – 854. DOI:
... ... ... ... ... 10.1061/9780784411773.
a m = vm cm1 cm2 ... cmn [2] Brooks D.J. Mapping the consensual knowledge of security risk
management experts. In Proceedings of the 7th Australian Information
There are: Warfare and Security Conference (Edith Cowan University, Perth,
Western Australia, 4-5 December 2006), 2006, 10 p. DOI:
ai – countermeasures; 10.4225/75/57a823cbaa0d8.
[3] Ruighaver T., Warren M., Ahmad A. Ascent of Asymmetric Risk in
bj – risk factors; Information Security: An Initial Evaluation. In Proceedings of the 10th
cij – impact of countermeasure on risk factor; Australian Information Warfare and Security Conference (Edith Cowan
University, Perth, Western Australia, 1-3 December 2009), 2009, 8 p.
vi – cost of countermeasure; DOI: 10.4225/75/57a7f620aa0c6.
[4] Barabanov A.V., Markov A.S., Tsirlov V.L. Methodological Framework
for Analysis and Synthesis of a Set of Secure Software Development
Controls, Journal of Theoretical and Applied Information Technology,
After choosing a countermeasure in accordance with any of 2016, vol. 88, No 1, pp. 77-88.
three criteria, depending on the economic strategy, the [5] Marques P.H., Jacinto C. Human-HAZOP studies in the risk
corresponding line is removed from the strategy matrix, after management of major accidents. In Proceedings of the International
that it is necessary to conduct a new cycle. Countermeasures Symposium on Occupational Safety and Hygiene (SHO’2015,
among the remaining are selected until their total value does Guimarães, Portugal, 12-13 February 2015), 2016, pp. 146-148. DOI:
10.13140/RG.2.1.4446.1684.
not exceed the amount of potential damage (12):
[6] Jakub B., Schindler F. Assets Dependencies Model in Information
Security Risk Management. In Proceedings of the Second IFIP
International Conference (ICT EurAsia, Bali, Indonesia), 2014, pp. 1-10.
∑v ≤ vd DOI: 10.13140/RG.2.1.3376.6480.
where: ∑v – total cost of selected countermeasures;
25
�[7] Alan A.R., Arshad Y., Ibrahim J., et al. IT Risk, Information Security & [14] Grigoras R., Mustata A.-M., Teodorescu C. Predicting the state of
Governance Practices in Malaysia IHLs. In Proceedings of the security using neural networks. In Proceedings of the 9th International
International Research Invention, Innovation, and Exhibition 2014 Scientific Conference on eLearning and Software for Education
(IRIIE 2014, IIUM, Kuala Lumpur, Malaysia), 2014, pp. 459-459. DOI: (Bucharest, Romania, 25-26 April 2013), 2013, pp. 362-367. DOI:
10.13140/2.1.2868.5440. 10.12753/2066-026X-17-167.
[8] Pandey P, Shekkens E.A. An Assessment of Market Methods for [15] Starodubtsev Yu.I., Grechishnikov E.V., Komolov D.V. Use of neural
Information Security Risk Management. In Proceedings of the 16th networks to ensure stability of communication networks in conditions of
IEEE International Conference on High Performance and external impacts. Telecommunications and Radio Engineering. 2011. V.
Communications 2014 (WiP Track, Paris, France), 2014, 8 p. DOI: 70. N 14. P. 1263-1275.
10.13140/2.1.4348.5445. [16] Beheshti H., Alborzi M. Using Fuzzy Logic to Increase the Accuracy of
[9] Yilmaz R., Yalman Y. A Comparative Analysis of University E-Commerce Risk Assessment Based on an Expert System.
Information Systems within the Scope of the Information Security Risks. Engineering, Technology & Applied Science Research. 2017. V. 7. N 6.
TEM Journal. 2016. V. 5. N 2. P. 180–191. DOI: 10.18421/TEM52-10. P 2205-2209. DOI: 10.5281/zenodo.1118299.
[10] Moore T.W., Probst C.W., Ranneberg K., van Eeten M. Assessing ICT [17] Sasidevi J., Sugumar R., Priya P.S. A Cost-Effective Privacy Preserving
Security Risks in Socio-Technical Systems. Dagstuhl Reports. 2017. V. Using Anonymization Based Hybrid Bat Algorithm With Simulated
6. N 11. P. 63–89. DOI: 10.4230/DagRep.6.11.63. Annealing Approach For Intermediate Data Sets Over Cloud
[11] Aleksandrov A.A., Neusipin K.A., Proletarsky A.V., Fang K. Innovation Computing. International Journal of Computational Research and
development trends of modern management systems of educational Development. 2017. V. 2. N 2. P. 173-181. DOI:
organizations. In: 2012 International Conference on Information 10.5281/zenodo.1069736.
Management, Innovation Management and Industrial Engineering. [18] Vorobiev E.G., Petrenko S.A., Kovaleva I.V., Abrosimov I.K. Analysis
IEEE, Sanya, China, 2012, pp. 187 - 189. DOI: of computer security incidents using fuzzy logic. In Proceedings of the
10.1109/ICIII.2012.6339951. 20th IEEE International Conference on Soft Computing and
[12] Buldakova T.I., Mikov D.A. Ensuring the Concordance and the Measurements (24-26 May 2017, St. Petersburg, Russia). SCM 2017,
Adequacy of Information Security Risk Factors Assessment. Voprosy 2017, pp. 369 - 371. DOI: 10.1109/SCM.2017.7970587.
kiberbezopasnosti [Cybersecurity issues]. 2017. N 3 (21), pp. 8-15. [19] Singh R., Prasad T.V. Exploration of Hybrid Neuro Fuzzy Systems. In
DOI: 10.21581/2311-3456-2017-2-8-15. Proceedings of the National Conference on Advances in Knowledge
[13] McNaught K., Sutovsky P. Representing Variable Source Credibility in Management (NCAKM 2010, At Lingaya’s University, Faridabad,
Intelligence Analysis with Bayesian Networks. In Proceedings of the 5th Haryana, India), 2010, 6 p. DOI: 10.13140/RG.2.1.3570.0327.
Australian Security and Intelligence Conference (Novotel Langley [20] Derugo P. Application of competitive and transition Petri layers in
Hotel, Perth, Western Australia, 3-5 December 2012), 2013, pp. 44-51. adaptive neuro-fuzzy controller. Power Electronics and Drives Berlin.
DOI: 10.4225/75/57a03050ac5cb. 2016. V. 1(36). N 1. P. 103-115. DOI: 10.5277/PED160108.
[21] Schauer S., Stamer M., Bosse C., et al. An adaptive supply chain cyber
risk management methodology. In Proceedings of the Hamburg
International Conference of Logistics (HICL, Hamburg, Germany),
2017, pp. 405-425. DOI: 10.15480/882.149.
26
�