=Paper=
{{Paper
|id=Vol-2081/paper05
|storemode=property
|title=Comprehensive Approach to Information Security Risk Management
|pdfUrl=https://ceur-ws.org/Vol-2081/paper05.pdf
|volume=Vol-2081
|authors=Tatyana I. Buldakova,Dmitrii A. Mikov
}}
==Comprehensive Approach to Information Security Risk Management==
Tatyana I. Buldakova, Dmitrii A. Mikov
Information Security Department, Bauman Moscow State Technical University, Moscow, Russian Federation
buldakova@bmstu.ru; mikovda@yandex.ru

'''Abstract'''—Information security risk management is presented as an important process of data protection in automated systems. The criteria that influence the effectiveness of risk management have been identified: consistency and adequacy of estimates, adaptability to qualitative data, subjectivity and uncertainty of assessment, and risk sensitivity. The task of developing an integrated methodology has been formalized in accordance with these criteria. A structural model of the comprehensive methodology, which shows its components and the relationships between them, has been designed as a flowchart. A method for drawing up the list of risk factors (information security threats, potentially possible damage, automated system vulnerabilities) based on IDEF0 modeling has been proposed. An original expert survey method, which meets the requirements of maximizing the consistency and adequacy of the risk factor estimates, has been suggested. A neuro-fuzzy network model based on the Takagi-Sugeno-Kang method for calculating the information security risk from the risk factor estimates has been developed in MATLAB. A method of choosing countermeasures based on game theory criteria has been illustrated.

'''Keywords'''—information security risk management; estimates consistency; estimates adequacy; adaptability to qualitative data; risk assessment subjectivity; risk assessment uncertainty; risk sensitivity; model IDEF0; expert survey; neuro-fuzzy network; game theory criteria

===I. INTRODUCTION===
The reliability of automated systems depends largely on ensuring their information security. Therefore, based on the specifics of their automated systems, companies develop and implement a corresponding set of activities to manage information security. An important component of this process is information security risk management (e.g. [1-3]).

Information security risk management consists of:
* drawing up the risk factors list (information security threats, potentially possible damage, automated system vulnerabilities);
* expert survey for risk factors assessment;
* risk level calculation, based on risk factors estimates;
* choice of the countermeasures for reducing the risk to an acceptable level.

Each stage of information security risk management must be realized by the methods and tools that are most effective for that particular stage. So the main research direction in the field of information security risk management should be the selection of methods that best satisfy the needs of the different stages of the process [4].

Investigation of qualitative, quantitative and semi-qualitative information security risk management methods, such as hazard and operability study (HAZOP) [5], layer of protection analysis (LOPA) and preliminary hazard analysis (PHA), allows the main disadvantages to be found and a set of effectiveness criteria for a comprehensive approach to be formulated:
* a(y_k) ∈ [0; 1] – consistency of risk factors estimates by method y_k;
* b(y_k) ∈ [0; 1] – adequacy of risk factors estimates by method y_k;
* c(y_k) ∈ [0; 1] – adaptability of method y_k to qualitative data;
* d(y_k) ∈ [0; 1] – subjectivity of risk assessment by method y_k;
* e(y_k) ∈ [0; 1] – uncertainty of risk assessment by method y_k (lack of accurate knowledge about the status of all risk factors in the system and fuzzy risk classification in the conditions of the particular system functioning);
* f – risk sensitivity (uneven influence of various risk factors on the level of risk in certain conditions).

The set of requirements on the effectiveness criteria for a comprehensive information security risk management methodology is given by (1) and (2):

<math>a(y_k) \times b(y_k) \times c(y_k) \to \max</math> (1)

<math>d(y_k) \times e(y_k) \to \min</math> (2)
Practical investigation allows a comprehensive information security risk management methodology to be developed on the basis of the presented set of effectiveness criteria (Fig. 1).

Fig. 1. Comprehensive methodology for information security risk management

===II. DRAWING UP THE RISK FACTORS LIST USING IDEF0===
The initial stage of information security risk management is the identification of risk factors (threats, possible damage, vulnerabilities) [4, 6, 7]. The solution of this problem is connected with modeling of the automated system and investigation of the circulating information flows [8, 9].

Comparative analysis of the ARIS, IDEF0, IDEF3 and UML methodologies showed that IDEF0 takes into account and displays all the necessary elements:
* input documents and data;
* output documents and data;
* persons who implement the processes;
* used tools;
* control actions over the implementation of the processes;
* feedbacks.

Based on the characteristics of information security risk management, the risk factors must be located in the IDEF0 model according to a set of principles (Fig. 2).

Fig. 2. The principle of risk factors location in the IDEF0 model

When countermeasures are chosen and added to the IDEF0 model, it is necessary to understand that their list is preliminary, as the identified risk factors have not yet been evaluated by the expert group. Therefore, it is impossible to draw an unambiguous conclusion about the degree of their impact on the found threats and vulnerabilities. After the risk factors have been assessed and the level of risk subsequently calculated, when all quantities acquire numerical values, the list of countermeasures can be adjusted [10]. Therefore, corresponding changes in the IDEF0 model are inevitable after the implementation of the further stages of management [11].

===III. EXPERT SURVEY FOR RISK FACTORS ASSESSMENT===
To ensure the consistency and adequacy of expert opinions in the assessment of the risk factors from the list compiled with the IDEF0 model, a special method of expert interview has been developed.

Assessment of threats, potentially possible damage and vulnerabilities must be performed by the expert group in accordance with (3), (4) and (5):

<math>x_{ij1} = k_{ij1} \times p_{ij1} \times f_{ij1}</math> (3)

<math>x_{ij2} = k_{ij2} \times p_{ij2} \times f_{ij2}</math> (4)

<math>x_{ij3} = k_{ij3} \times p_{ij3} \times f_{ij3}</math> (5)

where:
* x_ij1 – threat estimate;
* k_ij1 ∈ [0; 10] – threat power;
* p_ij1 ∈ [0; 1] – probability of threat realization;
* f_ij1 ∈ [0; 1] – risk sensitivity to threat assessment;
* x_ij2 – potentially possible damage estimate;
* k_ij2 ∈ [0; 10] – asset value;
* p_ij2 ∈ [0; 1] – probability of the highest damage;
* f_ij2 ∈ [0; 1] – risk sensitivity to damage assessment;
* x_ij3 – vulnerability estimate;
* k_ij3 ∈ [0; 10] – vulnerability degree;
* p_ij3 ∈ [0; 1] – probability of vulnerability exploitation;
* f_ij3 ∈ [0; 1] – risk sensitivity to vulnerability assessment;
* i = {1, 2, ..., m} – experts;
* j = {1, 2, ..., n} – risk factors from the list.

The consistency (a(y_k)) of the estimates is provided by calculating the concordance coefficient W using (6), (7), (8) and (9):

<math>x_j = \sum_{i=1}^{m} x_{ij}</math> (6)

<math>\bar{x} = \frac{1}{n} \sum_{i=1}^{m} \sum_{j=1}^{n} x_{ij}</math> (7)

<math>S = \sum_{j=1}^{n} (x_j - \bar{x})^2</math> (8)

<math>W = \frac{12 S}{m^2 (n^3 - n)}</math> (9)

Then it is necessary to screen out extreme scores using an algorithm based on the verbal-numeric Margolin and Harrington scales (Fig. 1). The adequacy (b(y_k)) of the overall threat (x_1), potentially possible damage (x_2) and vulnerability (x_3) estimates is provided by maximization of the objective function (10):

<math>F(x) = x_1 + x_2 + x_3 \to \max</math> (10)

It is necessary to construct a linear constraint system of inequalities (11) containing the number of remaining estimates of threats (a_i1), potentially possible damage (a_i2) and vulnerabilities (a_i3) for each expert, and the sum of each expert's estimates (b_i):

<math>a_{i1} \times x_1 + a_{i2} \times x_2 + a_{i3} \times x_3 \le b_i</math> (11)

The linear constraint system of inequalities reduces to a linear programming optimization problem and can be solved using the simplex method [12].

===IV. NEURO-FUZZY NETWORK FOR RISK LEVEL ASSESSMENT===
It is necessary to use a method that is adaptive to qualitative data (c(y_k)), minimizes the subjectivity (d(y_k)) and uncertainty (e(y_k)) of the estimates and takes into account the sensitivity of the risk to various factors (f).

A comparative analysis of the approaches based on machine learning [13-15], soft computing [16-18] and hybrid models [19, 20] showed the following results (Table I).

TABLE I. COMPARATIVE ANALYSIS OF RISK ASSESSMENT APPROACHES
{| class="wikitable"
! Methods !! c(y_k) (max) !! d(y_k) (min) !! e(y_k) (min) !! f (max)
|-
| Bayesian networks || 0,7 || 0,4 || 0,3 || 0,75
|-
| Genetic algorithms || 0,3 || 0,5 || 0,85 || 0,35
|-
| Artificial neural networks || 0,5 || 0,3 || 0,2 || 0,8
|-
| Cognitive maps || 0,4 || 0,5 || 0,25 || 0,45
|-
| Support vector machine || 0,2 || 0,3 || 0,65 || 0,45
|-
| Analytic hierarchy process || 0,8 || 0,5 || 0,2 || 0,55
|-
| Fuzzy systems || 0,7 || 0,5 || 0,2 || 0,8
|-
| Rough sets || 0,35 || 0,5 || 0,55 || 0,3
|-
| Grey sets || 0,35 || 0,5 || 0,55 || 0,3
|-
| Fuzzy measure theory || 0,4 || 0,5 || 0,55 || 0,6
|-
| Neuro-fuzzy networks || 0,7 || 0,3 || 0,2 || 0,8
|-
| Neural networks based on genetic algorithms || 0,5 || 0,3 || 0,2 || 0,8
|-
| Fuzzy Bayesian networks || 0,7 || 0,4 || 0,2 || 0,8
|-
| Fuzzy hierarchy models || 0,8 || 0,5 || 0,2 || 0,8
|}

The results of the comparative analysis show that neuro-fuzzy networks have the best values of the effectiveness criteria. Therefore, a neuro-fuzzy network is chosen as the risk assessment tool; it calculates the risk level from the three input risk factor values received in the previous stage.

The realized neuro-fuzzy network is transformed from the Takagi-Sugeno-Kang fuzzy model and contains five layers: fuzzification, aggregation, activation, accumulation and defuzzification (Fig. 3).
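The expert-survey stage of Section III, which produces the estimates that the network described here consumes, worked through in code. This is an added example and not the authors' implementation: the survey scores are constructed, and it assumes that the concordance coefficient is computed on each expert's ranking of the factors (the standard definition of Kendall's W; the paper writes the sums over x_ij without spelling this step out). The screening of extreme scores and the simplex step of (10)-(11) are not included.

```python
"""Expert-survey stage: per-expert risk-factor estimates (3)-(5) and the
concordance coefficient W (6)-(9).

Added example, not the authors' code.  The expert scores below are constructed.
Assumption: W is computed on each expert's ranking of the factors, which is how
Kendall's concordance coefficient is defined.
"""
from typing import Dict, List, Sequence, Tuple

# Constructed survey: each expert scores each risk factor with
# (k, p, f) = (power/value/degree in [0, 10], probability in [0, 1], sensitivity in [0, 1]).
FACTORS = ["phishing", "ransomware", "misconfiguration", "insider"]
SURVEY: Dict[str, List[Tuple[float, float, float]]] = {
    "expert_1": [(10, 0.75, 1.0), (8, 0.75, 1.0), (6, 0.5, 1.0), (2, 0.5, 1.0)],
    "expert_2": [(10, 0.75, 1.0), (4, 0.5, 1.0), (10, 0.5, 1.0), (2, 0.5, 1.0)],
    "expert_3": [(8, 0.5, 1.0), (8, 1.0, 0.75), (6, 0.5, 1.0), (4, 0.25, 1.0)],
}


def estimate(k: float, p: float, f: float) -> float:
    """x_ij = k_ij * p_ij * f_ij (equations 3-5), with the paper's ranges enforced."""
    if not 0 <= k <= 10:
        raise ValueError(f"k={k} outside [0, 10]")
    if not 0 <= p <= 1 or not 0 <= f <= 1:
        raise ValueError(f"p={p}, f={f} must lie in [0, 1]")
    return k * p * f


def estimates_matrix(survey: Dict[str, List[Tuple[float, float, float]]]) -> List[List[float]]:
    """Rows = experts i, columns = risk factors j: the x_ij matrix."""
    return [[estimate(*triple) for triple in scores] for scores in survey.values()]


def ranks(row: Sequence[float]) -> List[int]:
    """Rank 1 = highest estimate.  Ties are broken by position (no tie correction)."""
    order = sorted(range(len(row)), key=lambda j: -row[j])
    r = [0] * len(row)
    for rank, j in enumerate(order, start=1):
        r[j] = rank
    return r


def concordance(x: List[List[float]]) -> Tuple[float, List[int]]:
    """Equations (6)-(9) on the rank matrix: x_j = sum_i x_ij, x_bar = mean,
    S = sum_j (x_j - x_bar)^2, W = 12 S / (m^2 (n^3 - n)).
    Returns (W, rank sums per factor).  W close to 1 means the experts agree."""
    m, n = len(x), len(x[0])
    ranked = [ranks(row) for row in x]
    x_j = [sum(ranked[i][j] for i in range(m)) for j in range(n)]   # (6)
    x_bar = sum(x_j) / n                                              # (7)
    s = sum((xj - x_bar) ** 2 for xj in x_j)                          # (8)
    w = 12 * s / (m ** 2 * (n ** 3 - n))                              # (9)
    return w, x_j


if __name__ == "__main__":
    x = estimates_matrix(SURVEY)
    w, sums = concordance(x)
    print("rank sums per factor:", dict(zip(FACTORS, sums)))
    print(f"Kendall's W = {w:.3f}")
```

With the constructed scores the three experts order the factors almost identically (W ≈ 0.78). A low W is the signal the paper's method uses to trigger the screening of extreme scores before the estimates are passed on to the adequacy optimization.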
Fig. 3. Neuro-fuzzy network structure

Characteristics of the neuro-fuzzy network:
* structure – five-layered neuro-fuzzy network;
* fuzzy model type – Takagi-Sugeno-Kang;
* three input variables – threat, damage, vulnerability;
* five fuzzy sets for the input variables – very low, low, medium, high, very high;
* trapezoidal membership function for the input variables (Fig. 4);
* one output variable – information security risk level;
* nine values for the output variable – negligibly low (0), very low (0,125), low (0,25), below average (0,375), average (0,5), above average (0,625), high (0,75), very high (0,875), critical (1);
* conjunction – algebraic product method;
* disjunction – algebraic sum method;
* defuzzification – weighted average method.

Fig. 4. Input membership function in MATLAB

TABLE II. RISK ASSESSMENT SCALE
{| class="wikitable"
! Risk level !! Description
|-
| Negligibly low (0) || Risk can be neglected
|-
| Very low (0,125) || If the information is regarded as a very low risk, it is necessary to determine whether there is a need for corrective actions, or whether it is possible to accept this risk
|-
| Low (0,25) || The risk level allows work to continue, but there are prerequisites for a malfunction
|-
| Below average (0,375) || It is necessary to develop and apply a corrective action plan within an acceptable period of time
|-
| Average (0,5) || The risk level does not allow stable work; there is an urgent need for corrective actions that change the mode of work towards reducing the risk
|-
| Above average (0,625) || The system can continue to work, but the corrective action plan must be applied as quickly as possible
|-
| High (0,75) || The risk level is such that business processes are in an unstable state
|-
| Very high (0,875) || It is necessary to take measures to reduce the risk immediately
|-
| Critical (1) || The risk level is very high and unacceptable for the organization, which requires discontinuing the system operation and taking radical measures to reduce the risk
|}
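The inference mechanics listed in the characteristics above, as an added example in code rather than the authors' MATLAB model: trapezoidal fuzzification of three inputs into five sets, algebraic-product conjunction over the rule base, weighted-average defuzzification, and snapping of the crisp output onto the nine-value scale of Table II. The trapezoid breakpoints, the normalisation of the inputs to [0, 1] and the rule consequents are assumptions made here because the paper does not publish its trained parameters; the block shows how such a network evaluates, not the published numbers.

```python
"""Zero-order Takagi-Sugeno-Kang inference with the structure described in the
paper.  Added example, not the authors' MATLAB network.  Assumptions: inputs are
normalised to [0, 1]; trapezoid breakpoints and rule consequents are constructed.
"""
from itertools import product
from typing import Dict, List, Tuple

# Five trapezoidal sets per input as (a, b, c, d): membership rises on [a, b],
# is 1 on [b, c], falls on [c, d].  Constructed so that the sets sum to 1 everywhere.
SETS: Dict[str, Tuple[float, float, float, float]] = {
    "very low":  (0.0, 0.0, 0.1, 0.3),
    "low":       (0.1, 0.3, 0.3, 0.5),
    "medium":    (0.3, 0.5, 0.5, 0.7),
    "high":      (0.5, 0.7, 0.7, 0.9),
    "very high": (0.7, 0.9, 1.0, 1.0),
}
# Constructed consequent level per linguistic set; a rule's constant output is
# the mean level of its three antecedent sets.
LEVEL = {"very low": 0.0, "low": 0.25, "medium": 0.5, "high": 0.75, "very high": 1.0}

# Table II of the paper: the nine output values and their labels.
SCALE: List[Tuple[float, str]] = [
    (0.0, "negligibly low"), (0.125, "very low"), (0.25, "low"),
    (0.375, "below average"), (0.5, "average"), (0.625, "above average"),
    (0.75, "high"), (0.875, "very high"), (1.0, "critical"),
]


def trapezoid(x: float, a: float, b: float, c: float, d: float) -> float:
    """Trapezoidal membership; vertical edges (a == b or c == d) are allowed."""
    if x < a or x > d:
        return 0.0
    if x < b:                    # rising edge; x < b and x >= a imply b > a
        return (x - a) / (b - a)
    if x <= c:                   # plateau
        return 1.0
    return (d - x) / (d - c)     # falling edge; x > c and x <= d imply d > c


def fuzzify(x: float) -> Dict[str, float]:
    """Layer 1: membership of one input in each of the five sets."""
    if not 0.0 <= x <= 1.0:
        raise ValueError(f"input {x} must be normalised to [0, 1]")
    return {name: trapezoid(x, *abcd) for name, abcd in SETS.items()}


def infer(threat: float, damage: float, vulnerability: float) -> Tuple[float, int]:
    """Layers 2-5: algebraic-product aggregation over all 125 rules and
    weighted-average defuzzification.  Returns (crisp level, rules fired)."""
    mu = [fuzzify(threat), fuzzify(damage), fuzzify(vulnerability)]
    num = den = 0.0
    fired = 0
    for s1, s2, s3 in product(SETS, repeat=3):
        w = mu[0][s1] * mu[1][s2] * mu[2][s3]           # conjunction: algebraic product
        if w == 0.0:
            continue
        fired += 1
        z = (LEVEL[s1] + LEVEL[s2] + LEVEL[s3]) / 3.0    # zero-order TSK consequent
        num += w * z
        den += w
    return (num / den if den else 0.0), fired


def to_scale(level: float) -> Tuple[float, str]:
    """Snap the crisp output to the nearest of the nine Table II values."""
    return min(SCALE, key=lambda item: abs(item[0] - level))


def assess(threat: float, damage: float, vulnerability: float) -> Tuple[float, str]:
    """Full pipeline: three normalised estimates in, (scale value, label) out."""
    level, _ = infer(threat, damage, vulnerability)
    return to_scale(level)


if __name__ == "__main__":
    for inputs in [(0.2, 0.2, 0.2), (0.5, 0.9, 0.4), (1.0, 1.0, 1.0)]:
        level, fired = infer(*inputs)
        print(inputs, f"-> {level:.3f} ({fired} rules fired) ->", to_scale(level))
```

Because the constructed sets partition the unit interval, at most two sets per input have non-zero membership, so at most eight of the 125 rules fire for any input triple; the weighted average then interpolates between their consequents. Snapping to the nearest Table II value is what turns the continuous output into the index the scale is meant to provide.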
A verbal-numerical risk assessment scale based on the nine initially specified values of the output variable has been developed. The scale allows the risk level obtained at the output to be interpreted in the form of a numerical index (Table II).

If the neuro-fuzzy network shows that the risk level is unacceptable, it is necessary to select appropriate countermeasures to reduce it.

===V. CHOICE OF THE COUNTERMEASURES===
The developed method of choosing countermeasures is based on the expert survey method above, but uses game theory criteria to search for the optimal economic strategy. There are three possible criteria – Wald's maximin model, the Hurwicz criterion and minimax regret [21].

Wald's maximin model is aimed at minimizing the loss, i.e. at a guaranteed minimal result. The minimal impact of each countermeasure on any risk factor is determined, after which the countermeasure with the greatest smallest influence is chosen. This is the lower value of the game.

The Hurwicz criterion is based on the choice of a pessimism indicator in the range from 0 to 1. If the pessimism indicator is maximal (equal to 1), the Hurwicz criterion corresponds to Wald's maximin model, realizing a pessimistic strategy. The minimal pessimism indicator (equal to 0) should not be chosen, because the optimistic strategy is focused on maximizing the project's result, so the risk associated with an unfavorable development of the external environment is not taken into account. The Hurwicz criterion is the most flexible of all the game theory methods, because it allows several optimistic and pessimistic scenarios to be compared. Its disadvantage is the subjectivity of the choice of the pessimism indicator by the researcher or the decision maker.

Minimax regret is based on a matrix of regrets, made up from the matrix of strategies. Regrets are the result lost with a suboptimal strategy for each current state of the automated system. At first the maximal impact on each risk factor among all countermeasures is determined. Then the lost results of all countermeasures are calculated and the regret matrix is compiled, in which the maximal lost result of each countermeasure is determined. The countermeasure with the smallest maximal lost result is selected.

Each expert should complete two copies of the matrix of strategies (Table III) – one for the impact of active countermeasures (c_ija), which reduce threats and damage, and one for the impact of passive countermeasures (c_ijp), which reduce vulnerabilities and damage.

TABLE III. THE MATRIX OF STRATEGIES
{| class="wikitable"
! Cost of countermeasures !! b_1 !! b_2 !! ... !! b_n
|-
| a_1 = v_1 || c_11 || c_12 || ... || c_1n
|-
| a_2 = v_2 || c_21 || c_22 || ... || c_2n
|-
| ... || ... || ... || ... || ...
|-
| a_m = v_m || c_m1 || c_m2 || ... || c_mn
|}

where:
* a_i – countermeasures;
* b_j – risk factors;
* c_ij – impact of countermeasure on risk factor;
* v_i – cost of countermeasure.

After a countermeasure has been chosen in accordance with any of the three criteria, depending on the economic strategy, the corresponding row is removed from the matrix of strategies, after which a new cycle is conducted. Countermeasures are selected from among the remaining ones as long as their total cost does not exceed the amount of the potential damage (12):

<math>\sum v \le v_d</math> (12)

where:
* ∑v – total cost of the selected countermeasures;
* v_d – cost of the potentially possible damage (budget for the countermeasures implementation).

Each expert needs to subtract his estimates of the countermeasures' impact (c_ija, c_ijp) on the risk factors from his earlier estimates (x_ij1, x_ij2, x_ij3) as in (13), (14) and (15):

<math>x^*_{ij1} = x_{ij1} - c_{ija}</math> (13)

<math>x^*_{ij2} = x_{ij2} - c_{ija} - c_{ijp}</math> (14)

<math>x^*_{ij3} = x_{ij3} - c_{ijp}</math> (15)

Finally, the neuro-fuzzy network calculates the residual risk level after the implementation of the countermeasures.

===VI. CONCLUSION===
The developed comprehensive information security risk management methodology meets the required effectiveness criteria, has a complex and branched structure and represents a set of methods and models used to implement the various stages of management. The methodology is based on the joint use and interaction of the IDEF0 model, expert survey, neuro-fuzzy network and methods of game theory, and allows the most effective implementation of drawing up the risk factors list, risk factors assessment, risk level calculation and countermeasures choice.
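The countermeasure-selection procedure of Section V, as an added example in code and not the authors' implementation: the three criteria (Wald's maximin, Hurwicz with the pessimism indicator, minimax regret) applied to a matrix of strategies, the row-removal cycle under the budget constraint (12), and the residual estimates (13)-(15). The matrix, the countermeasure names, the costs and the budget are constructed here; the paper gives the method, not a worked matrix.

```python
"""Game-theory choice of countermeasures (Section V).  Added example, not the
authors' code.  The strategy matrix, costs and budget are constructed.
"""
from typing import Callable, List, Tuple

# Constructed matrix of strategies (Table III): rows = countermeasures a_i,
# columns = risk factors b_j (threat, damage, vulnerability); entries c_ij = impact.
COUNTERMEASURES = ["mfa", "backups", "awareness training", "network segmentation"]
IMPACT: List[List[float]] = [
    [3, 2, 1],
    [1, 4, 5],
    [2, 2, 2],
    [5, 1, 0],
]
COST = [10.0, 15.0, 5.0, 20.0]   # v_i, cost of each countermeasure
BUDGET = 20.0                    # v_d, cost of the potentially possible damage

Criterion = Callable[[List[List[float]]], int]   # returns the chosen row index


def wald(c: List[List[float]]) -> int:
    """Maximin: the best guaranteed (smallest) impact; the lower value of the game.
    Ties go to the first row, as Python's max() does."""
    return max(range(len(c)), key=lambda i: min(c[i]))


def hurwicz(pessimism: float) -> Criterion:
    """Pessimism indicator in [0, 1]: 1 reproduces Wald, 0 is the pure optimistic
    strategy the paper advises against."""
    if not 0.0 <= pessimism <= 1.0:
        raise ValueError("pessimism indicator must lie in [0, 1]")

    def criterion(c: List[List[float]]) -> int:
        def score(i: int) -> float:
            return pessimism * min(c[i]) + (1.0 - pessimism) * max(c[i])
        return max(range(len(c)), key=score)
    return criterion


def minimax_regret(c: List[List[float]]) -> int:
    """Regret r_ij = (best impact on factor j among all rows) - c_ij;
    choose the row whose worst regret is smallest."""
    best = [max(col) for col in zip(*c)]

    def worst_regret(i: int) -> float:
        return max(best[j] - c[i][j] for j in range(len(best)))
    return min(range(len(c)), key=worst_regret)


def select(c: List[List[float]], costs: List[float], budget: float,
           criterion: Criterion) -> Tuple[List[int], float]:
    """Apply the criterion, remove the chosen row, repeat; stop as soon as the next
    choice would push the total cost over the budget (constraint 12)."""
    remaining = list(range(len(c)))
    chosen: List[int] = []
    total = 0.0
    while remaining:
        sub = [c[i] for i in remaining]
        pick = remaining[criterion(sub)]
        if total + costs[pick] > budget:
            break
        chosen.append(pick)
        total += costs[pick]
        remaining.remove(pick)
    return chosen, total


def residual(x1: float, x2: float, x3: float, c_a: float, c_p: float) -> Tuple[float, float, float]:
    """Equations (13)-(15): active impact c_a is subtracted from threat and damage,
    passive impact c_p from vulnerability and damage."""
    return x1 - c_a, x2 - c_a - c_p, x3 - c_p


if __name__ == "__main__":
    for name, crit in [("Wald", wald), ("Hurwicz 0.5", hurwicz(0.5)),
                       ("minimax regret", minimax_regret)]:
        chosen, total = select(IMPACT, COST, BUDGET, crit)
        print(f"{name:15s}", [COUNTERMEASURES[i] for i in chosen], f"total cost {total}")
    print("residual estimates:", residual(7.5, 6.0, 3.0, 2.0, 1.0))
```

The selection loop stops, rather than skipping to a cheaper row, when the next choice breaks the budget, which is the reading of (12) taken here. The three criteria can disagree on the first pick (on the constructed matrix, Hurwicz at 0.5 prefers the backups row while Wald and minimax regret prefer awareness training), which is exactly the dependence on economic strategy the paper describes.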
===REFERENCES===
[1] Kostogryzov A., Krylov V., Nistratov A., Nistratov G., Popov V., Stepanov P. Mathematical models and applicable technologies to forecast, analyze, and optimize quality and risks for complex systems. In Proceedings of the First International Conference on Transportation Information and Safety (ICTIS), ASCE, 2011, pp. 845-854. DOI: 10.1061/9780784411773.

[2] Brooks D.J. Mapping the consensual knowledge of security risk management experts. In Proceedings of the 7th Australian Information Warfare and Security Conference (Edith Cowan University, Perth, Western Australia, 4-5 December 2006), 2006, 10 p. DOI: 10.4225/75/57a823cbaa0d8.

[3] Ruighaver T., Warren M., Ahmad A. Ascent of Asymmetric Risk in Information Security: An Initial Evaluation. In Proceedings of the 10th Australian Information Warfare and Security Conference (Edith Cowan University, Perth, Western Australia, 1-3 December 2009), 2009, 8 p. DOI: 10.4225/75/57a7f620aa0c6.

[4] Barabanov A.V., Markov A.S., Tsirlov V.L. Methodological Framework for Analysis and Synthesis of a Set of Secure Software Development Controls. Journal of Theoretical and Applied Information Technology, 2016, vol. 88, No 1, pp. 77-88.

[5] Marques P.H., Jacinto C. Human-HAZOP studies in the risk management of major accidents. In Proceedings of the International Symposium on Occupational Safety and Hygiene (SHO'2015, Guimarães, Portugal, 12-13 February 2015), 2016, pp. 146-148. DOI: 10.13140/RG.2.1.4446.1684.

[6] Jakub B., Schindler F. Assets Dependencies Model in Information Security Risk Management. In Proceedings of the Second IFIP International Conference (ICT EurAsia, Bali, Indonesia), 2014, pp. 1-10. DOI: 10.13140/RG.2.1.3376.6480.

[7] Alan A.R., Arshad Y., Ibrahim J., et al. IT Risk, Information Security & Governance Practices in Malaysia IHLs. In Proceedings of the International Research Invention, Innovation, and Exhibition 2014 (IRIIE 2014, IIUM, Kuala Lumpur, Malaysia), 2014, pp. 459-459. DOI: 10.13140/2.1.2868.5440.

[8] Pandey P., Shekkens E.A. An Assessment of Market Methods for Information Security Risk Management. In Proceedings of the 16th IEEE International Conference on High Performance and Communications 2014 (WiP Track, Paris, France), 2014, 8 p. DOI: 10.13140/2.1.4348.5445.

[9] Yilmaz R., Yalman Y. A Comparative Analysis of University Information Systems within the Scope of the Information Security Risks. TEM Journal. 2016. V. 5. N 2. P. 180-191. DOI: 10.18421/TEM52-10.

[10] Moore T.W., Probst C.W., Ranneberg K., van Eeten M. Assessing ICT Security Risks in Socio-Technical Systems. Dagstuhl Reports. 2017. V. 6. N 11. P. 63-89. DOI: 10.4230/DagRep.6.11.63.

[11] Aleksandrov A.A., Neusipin K.A., Proletarsky A.V., Fang K. Innovation development trends of modern management systems of educational organizations. In: 2012 International Conference on Information Management, Innovation Management and Industrial Engineering. IEEE, Sanya, China, 2012, pp. 187-189. DOI: 10.1109/ICIII.2012.6339951.

[12] Buldakova T.I., Mikov D.A. Ensuring the Concordance and the Adequacy of Information Security Risk Factors Assessment. Voprosy kiberbezopasnosti [Cybersecurity issues]. 2017. N 3 (21), pp. 8-15. DOI: 10.21581/2311-3456-2017-2-8-15.

[13] McNaught K., Sutovsky P. Representing Variable Source Credibility in Intelligence Analysis with Bayesian Networks. In Proceedings of the 5th Australian Security and Intelligence Conference (Novotel Langley Hotel, Perth, Western Australia, 3-5 December 2012), 2013, pp. 44-51. DOI: 10.4225/75/57a03050ac5cb.

[14] Grigoras R., Mustata A.-M., Teodorescu C. Predicting the state of security using neural networks. In Proceedings of the 9th International Scientific Conference on eLearning and Software for Education (Bucharest, Romania, 25-26 April 2013), 2013, pp. 362-367. DOI: 10.12753/2066-026X-17-167.

[15] Starodubtsev Yu.I., Grechishnikov E.V., Komolov D.V. Use of neural networks to ensure stability of communication networks in conditions of external impacts. Telecommunications and Radio Engineering. 2011. V. 70. N 14. P. 1263-1275.

[16] Beheshti H., Alborzi M. Using Fuzzy Logic to Increase the Accuracy of E-Commerce Risk Assessment Based on an Expert System. Engineering, Technology & Applied Science Research. 2017. V. 7. N 6. P. 2205-2209. DOI: 10.5281/zenodo.1118299.

[17] Sasidevi J., Sugumar R., Priya P.S. A Cost-Effective Privacy Preserving Using Anonymization Based Hybrid Bat Algorithm With Simulated Annealing Approach For Intermediate Data Sets Over Cloud Computing. International Journal of Computational Research and Development. 2017. V. 2. N 2. P. 173-181. DOI: 10.5281/zenodo.1069736.

[18] Vorobiev E.G., Petrenko S.A., Kovaleva I.V., Abrosimov I.K. Analysis of computer security incidents using fuzzy logic. In Proceedings of the 20th IEEE International Conference on Soft Computing and Measurements (24-26 May 2017, St. Petersburg, Russia). SCM 2017, 2017, pp. 369-371. DOI: 10.1109/SCM.2017.7970587.

[19] Singh R., Prasad T.V. Exploration of Hybrid Neuro Fuzzy Systems. In Proceedings of the National Conference on Advances in Knowledge Management (NCAKM 2010, Lingaya's University, Faridabad, Haryana, India), 2010, 6 p. DOI: 10.13140/RG.2.1.3570.0327.

[20] Derugo P. Application of competitive and transition Petri layers in adaptive neuro-fuzzy controller. Power Electronics and Drives Berlin. 2016. V. 1(36). N 1. P. 103-115. DOI: 10.5277/PED160108.

[21] Schauer S., Stamer M., Bosse C., et al. An adaptive supply chain cyber risk management methodology. In Proceedings of the Hamburg International Conference of Logistics (HICL, Hamburg, Germany), 2017, pp. 405-425. DOI: 10.15480/882.149.