=Paper= {{Paper |id=Vol-2081/paper05 |storemode=property |title=Comprehensive Approach to Information Security Risk Management |pdfUrl=https://ceur-ws.org/Vol-2081/paper05.pdf |volume=Vol-2081 |authors=Tatyana I. Buldakova,Dmitrii A. Mikov }} ==Comprehensive Approach to Information Security Risk Management== https://ceur-ws.org/Vol-2081/paper05.pdf
Comprehensive Approach to Information Security Risk Management

Tatyana I. Buldakova, Dmitrii A. Mikov
Information Security Department
Bauman Moscow State Technical University
Moscow, Russian Federation
buldakova@bmstu.ru; mikovda@yandex.ru


Abstract—Information security risk management is presented as an important process of data protection in automated systems. Criteria that influence the effectiveness of risk management have been identified: consistency and adequacy of estimates, adaptability to qualitative data, subjectivity and uncertainty of assessment, and risk sensitivity. The task of developing an integrated methodology has been formalized in accordance with these criteria. A structural model of the comprehensive methodology, showing its components and the relationships between them, has been designed as a flowchart. A method for drawing up the risk factors list (information security threats, potentially possible damage, automated system vulnerabilities) based on IDEF0 modeling has been proposed. An original expert survey method, which meets the requirements of consistency and adequacy maximization for risk factors assessment, has been suggested. A neuro-fuzzy network based on the Takagi-Sugeno-Kang model for calculating the information security risk from the risk factors assessment has been developed in MATLAB. A countermeasures choice method based on game theory criteria has been illustrated.

Keywords—information security risk management; estimates consistency; estimates adequacy; adaptability to qualitative data; risk assessment subjectivity; risk assessment uncertainty; risk sensitivity; model IDEF0; expert survey; neuro-fuzzy network; game theory criteria

I. INTRODUCTION

The reliable functioning of automated systems depends mostly on ensuring their information security. Therefore, based on the specifics of their automated systems, companies develop and implement a corresponding set of activities to manage information security. An important component of this process is information security risk management (e.g. [1-3]).

Information security risk management consists of:
- drawing up the risk factors list (information security threats, potentially possible damage, automated system vulnerabilities);
- expert survey for risk factors assessment;
- risk level calculation based on the risk factors estimates;
- choice of countermeasures for reducing the risk to an acceptable level.

Each stage of information security risk management must be realized by different methods and tools, namely those most effective for that particular stage. So the main research direction in the field of information security risk management should be the selection of methods that best satisfy the needs of the different stages of the process [4].

Investigation of qualitative, quantitative and semi-qualitative information security risk management methods, such as hazard and operability study (HAZOP) [5], layer of protection analysis (LOPA) and preliminary hazard analysis (PHA), reveals their main disadvantages and allows a set of effectiveness criteria for a comprehensive approach to be formulated:

a(yk) ∈ [0; 1] – consistency of risk factors estimates by method yk;
b(yk) ∈ [0; 1] – adequacy of risk factors estimates by method yk;
c(yk) ∈ [0; 1] – adaptability of method yk to qualitative data;
d(yk) ∈ [0; 1] – subjectivity of risk assessment by method yk;
e(yk) ∈ [0; 1] – uncertainty of risk assessment by method yk (lack of accurate knowledge about the status of all risk factors in the system and fuzzy risk classification in the conditions of the particular system's functioning);
f – risk sensitivity (uneven influence of various risk factors on the level of risk in certain conditions).

The set of requirements on the effectiveness criteria for a comprehensive information security risk management methodology is given by (1) and (2):

    a(yk) × b(yk) × c(yk) → max        (1)

    d(yk) × e(yk) → min                (2)
Practical investigation allows a comprehensive information security risk management methodology to be developed on the basis of the presented set of effectiveness criteria (Fig. 1).

Fig. 1. Comprehensive methodology for information security risk management

II. DRAWING UP THE RISK FACTORS LIST USING IDEF0

The initial stage of information security risk management is the identification of risk factors (threats, possible damage, vulnerabilities) [4, 6, 7]. Solving this problem is connected with modeling the automated system and investigating the information flows circulating in it [8, 9]. Comparative analysis of the ARIS, IDEF0, IDEF3 and UML methodologies showed that IDEF0 takes into account and displays all the necessary elements:
- input documents and data;
- output documents and data;
- persons who implement the processes;
- tools used;
- control actions over the implementation of the processes;
- feedbacks.

Based on the characteristics of information security risk management, the risk factors have to be placed in the IDEF0 model according to a set of principles (Fig. 2).

Fig. 2. The principle of risk factors location in the IDEF0 model

When countermeasures are chosen and added to the IDEF0 model, it is necessary to understand that their list is preliminary, as the identified risk factors have not yet been evaluated by the expert group. Therefore, it is impossible to make an unambiguous conclusion about the degree of their impact on the threats and vulnerabilities found. After the risk factors have been assessed and the level of risk subsequently calculated, when all quantities acquire numerical values, the list of countermeasures can be adjusted [10]. Therefore, corresponding changes in the IDEF0 model are inevitable after the implementation of the further stages of management [11].

III. EXPERT SURVEY FOR RISK FACTORS ASSESSMENT

To ensure the consistency and adequacy of expert opinions in the assessment of the risk factors from the list compiled with the IDEF0 model, a special method of expert interview has been developed. Assessment of threats, potentially possible damage and vulnerabilities must be performed by the expert group in accordance with (3), (4) and (5):

    xij1 = kij1 × pij1 × fij1        (3)

    xij2 = kij2 × pij2 × fij2        (4)

    xij3 = kij3 × pij3 × fij3        (5)
where:
xij1 – threat estimate;
kij1 ∈ [0; 10] – threat power;
pij1 ∈ [0; 1] – probability of threat realization;
fij1 ∈ [0; 1] – risk sensitivity to threat assessment;
xij2 – potentially possible damage estimate;
kij2 ∈ [0; 10] – asset value;
pij2 ∈ [0; 1] – probability of the highest damage;
fij2 ∈ [0; 1] – risk sensitivity to damage assessment;
xij3 – vulnerability estimate;
kij3 ∈ [0; 10] – vulnerability degree;
pij3 ∈ [0; 1] – probability of vulnerability exploitation;
fij3 ∈ [0; 1] – risk sensitivity to vulnerability assessment;
i = {1, 2, ..., m} – experts;
j = {1, 2, ..., n} – risk factors from the list.

The consistency (a(yk)) of the estimates is ensured by calculating the concordance coefficient W using (6), (7), (8) and (9):

    xj = ∑ xij        (6)

    x̄ = 1/n × ∑ xij        (7)

    S = ∑ (xj − x̄)²        (8)

    W = 12S / (m²(n³ − n))        (9)

Then extreme scores have to be screened out using an algorithm based on the verbal-numeric Margolin and Harrington scales (Fig. 1). The adequacy (b(yk)) of the overall threat (x1), potentially possible damage (x2) and vulnerability (x3) estimates is ensured by maximizing the objective function (10):

    F(x) = x1 + x2 + x3 → max        (10)

A linear system of constraint inequalities (11) has to be constructed, containing for each expert the number of remaining estimates of threats (ai1), potentially possible damage (ai2) and vulnerabilities (ai3), and the sum of that expert's estimates (bi):

    ai1 × x1 + ai2 × x2 + ai3 × x3 ≤ bi        (11)

The linear system of constraint inequalities reduces to a linear programming optimization problem and can be solved using the simplex method [12].

IV. NEURO-FUZZY NETWORK FOR RISK LEVEL ASSESSMENT

It is necessary to use a method that is adaptive to qualitative data (c(yk)), minimizes the subjectivity (d(yk)) and uncertainty (e(yk)) of the estimates, and takes into account the risk sensitivity to various factors (f).

A comparative analysis of approaches based on machine learning [13-15], soft computing [16-18] and hybrid models [19, 20] gave the following results (Table I).

TABLE I. COMPARATIVE ANALYSIS OF RISK ASSESSMENT APPROACHES

                                               Effectiveness criteria values
  Methods                                      c(yk)   d(yk)   e(yk)    f
                                               (max)   (min)   (min)   (max)
  Bayesian networks                             0,7     0,4     0,3    0,75
  Genetic algorithms                            0,3     0,5     0,85   0,35
  Artificial neural networks                    0,5     0,3     0,2    0,8
  Cognitive maps                                0,4     0,5     0,25   0,45
  Support vector machine                        0,2     0,3     0,65   0,45
  Analytic hierarchy process                    0,8     0,5     0,2    0,55
  Fuzzy systems                                 0,7     0,5     0,2    0,8
  Rough sets                                    0,35    0,5     0,55   0,3
  Grey sets                                     0,35    0,5     0,55   0,3
  Fuzzy measure theory                          0,4     0,5     0,55   0,6
  Neuro-fuzzy networks                          0,7     0,3     0,2    0,8
  Neural networks based on genetic algorithms   0,5     0,3     0,2    0,8
  Fuzzy Bayesian networks                       0,7     0,4     0,2    0,8
  Fuzzy hierarchy models                        0,8     0,5     0,2    0,8

The results of the comparative analysis show that neuro-fuzzy networks have the best effectiveness criteria values. Therefore, a neuro-fuzzy network is chosen as the risk assessment tool; it calculates the risk level from the values of the three input risk factors received at the previous stage.

The realized neuro-fuzzy network is derived from the Takagi-Sugeno-Kang fuzzy model and contains five layers: fuzzification, aggregation, activation, accumulation and defuzzification (Fig. 3).

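Returning to the expert survey of Section III, the following is an added example (not code from the paper) that computes the estimates (3)-(5) for a constructed threat survey, the concordance coefficient W via (6)-(9), and solves the adequacy problem (10)-(11). It assumes that (9) is applied to each expert's ranks of the factors, which is what keeps W within [0; 1]; since the paper does not spell out the screening algorithm, the post-screening counts and sums that enter (11) are supplied directly as constructed input, and with only three unknowns the linear programme is solved by vertex enumeration instead of the simplex method.

```python
"""Expert survey stage: estimates (3)-(5), concordance W (6)-(9) and the adequacy
LP (10)-(11).  Added example; every survey value below is constructed."""
from itertools import combinations

# Constructed threat survey: m = 3 experts, n = 4 risk factors, each cell (k, p, f)
# with k in [0; 10] (threat power) and p, f in [0; 1] (probability, sensitivity).
SURVEY_THREATS = [
    [(8, 0.7, 0.9), (5, 0.4, 0.6), (3, 0.2, 0.5), (6, 0.5, 0.8)],  # expert 1
    [(9, 0.6, 0.8), (4, 0.5, 0.7), (2, 0.3, 0.4), (7, 0.4, 0.9)],  # expert 2
    [(7, 0.8, 0.9), (6, 0.5, 0.8), (3, 0.1, 0.6), (5, 0.6, 0.7)],  # expert 3
]

def estimates(survey):
    """x_ij = k_ij * p_ij * f_ij: (3) for threats; (4) and (5) have the same form."""
    return [[k * p * f for (k, p, f) in expert] for expert in survey]

def ranks(values):
    """1-based ascending ranks of one expert's estimates, ties averaged."""
    order = sorted(range(len(values)), key=lambda j: values[j])
    r, pos = [0.0] * len(values), 0
    while pos < len(order):
        end = pos
        while end + 1 < len(order) and values[order[end + 1]] == values[order[pos]]:
            end += 1
        for q in range(pos, end + 1):
            r[order[q]] = (pos + end) / 2 + 1
        pos = end + 1
    return r

def concordance(x):
    """Kendall's W via (6)-(9).  Assumption: (9) is applied to each expert's ranks
    rather than to the raw x_ij, which is what keeps W inside [0; 1]."""
    m, n = len(x), len(x[0])
    r = [ranks(row) for row in x]
    xj = [sum(r[i][j] for i in range(m)) for j in range(n)]   # (6): column sums
    xbar = sum(xj) / n                                          # (7): their mean
    s = sum((v - xbar) ** 2 for v in xj)                        # (8)
    return 12 * s / (m * m * (n ** 3 - n))                      # (9)

def solve_3x3(a, b):
    """Cramer's rule for a 3x3 system; None when the planes do not meet in a point."""
    def det(m):
        return (m[0][0] * (m[1][1] * m[2][2] - m[1][2] * m[2][1])
                - m[0][1] * (m[1][0] * m[2][2] - m[1][2] * m[2][0])
                + m[0][2] * (m[1][0] * m[2][1] - m[1][1] * m[2][0]))
    d = det(a)
    if abs(d) < 1e-12:
        return None
    out = []
    for col in range(3):
        mc = [row[:] for row in a]
        for row_i in range(3):
            mc[row_i][col] = b[row_i]
        out.append(det(mc) / d)
    return out

def adequacy_lp(counts, sums):
    """Maximize F = x1 + x2 + x3 (10) subject to (11): for every expert i,
    a_i1*x1 + a_i2*x2 + a_i3*x3 <= b_i, and x >= 0.  With three variables the
    optimum is found by enumerating vertices (every triple of tight planes)
    instead of running the simplex method the paper refers to."""
    planes = [list(c) for c in counts] + [[1, 0, 0], [0, 1, 0], [0, 0, 1]]
    rhs = list(sums) + [0, 0, 0]
    best, best_x = None, None
    for trio in combinations(range(len(planes)), 3):
        x = solve_3x3([planes[t] for t in trio], [rhs[t] for t in trio])
        if x is None or min(x) < -1e-9:
            continue
        if any(sum(a * v for a, v in zip(row, x)) > b + 1e-9
               for row, b in zip(counts, sums)):
            continue
        if best is None or sum(x) > best:
            best, best_x = sum(x), x
    return best, best_x

# Constructed post-screening data for (11): (a_i1, a_i2, a_i3) = number of threat,
# damage and vulnerability estimates expert i kept; b_i = the sum of those estimates.
REMAINING_COUNTS = [(4, 3, 4), (3, 4, 4), (4, 4, 2)]
EXPERT_SUMS = [30, 28, 24]

if __name__ == "__main__":
    x = estimates(SURVEY_THREATS)
    print("W =", round(concordance(x), 4))      # 0.9111: the experts largely agree
    f_max, x_opt = adequacy_lp(REMAINING_COUNTS, EXPERT_SUMS)
    print("F max =", round(f_max, 4), "at", [round(v, 3) for v in x_opt])
```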
Fig. 3. Neuro-fuzzy network structure

Characteristics of the neuro-fuzzy network:
- structure – five-layered neuro-fuzzy network;
- fuzzy model type – Takagi-Sugeno-Kang;
- three input variables – threat, damage, vulnerability;
- five fuzzy sets for the input variables – very low, low, medium, high, very high;
- trapezoidal membership function for the input variables (Fig. 4);
- one output variable – information security risk level;
- nine values for the output variable – negligibly low (0), very low (0,125), low (0,25), below average (0,375), average (0,5), above average (0,625), high (0,75), very high (0,875), critical (1);
- conjunction – algebraic product method;
- disjunction – algebraic sum method;
- defuzzification – weighted average method.

Fig. 4. Input membership function in MATLAB

A verbal-numerical risk assessment scale based on the nine initially specified values of the output variable has been developed. The scale allows the risk level obtained at the output to be interpreted in the form of a numerical index (Table II).

TABLE II. RISK ASSESSMENT SCALE

  Risk level               Description
  Negligibly low (0)       Risk can be neglected
  Very low (0,125)         If the information is regarded as a very low risk, it is necessary to
                           determine whether there is a need for corrective actions, or there is
                           a possibility to take this risk
  Low (0,25)               The risk level allows work to continue, but there are prerequisites
                           for a malfunction
  Below average (0,375)    It is necessary to develop and apply a corrective action plan within
                           an acceptable period of time
  Average (0,5)            The risk level does not allow stable work; there is an urgent need for
                           corrective actions that change the mode of work towards reducing the
                           risk
  Above average (0,625)    The system can continue to work, but the corrective action plan must
                           be applied as quickly as possible
  High (0,75)              The risk level is such that business processes are in an unstable
                           state
  Very high (0,875)        It is necessary to take measures to reduce the risk immediately
  Critical (1)             The risk level is very high and unacceptable for the organization,
                           which requires discontinuing the system operation and taking radical
                           measures to reduce the risk

If the neuro-fuzzy network shows that the risk level is unacceptable, appropriate countermeasures have to be selected to reduce it.

V. CHOICE OF THE COUNTERMEASURES

The developed method of countermeasures choice is based on the expert survey method above, but uses game theory criteria to search for the optimal economic strategy. There are three possible criteria – Wald's maximin model, the Hurwicz criterion and minimax regret [21].

Wald's maximin model is aimed at minimizing the loss, i.e. at the guaranteed minimal result. The minimal impact of each countermeasure on any risk factor is determined, after which the countermeasure with the largest such minimal influence is chosen. This is the lower value of the game.

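Returning to the neuro-fuzzy network of Section IV, here is an added zero-order Takagi-Sugeno-Kang inference (example code, not the authors' MATLAB model) with the characteristics listed above: three inputs over [0; 10], five trapezoidal sets each, algebraic product conjunction, nine singleton outputs, weighted-average defuzzification, and the crisp result mapped onto the Table II scale. The trapezoid parameters and the rule base (a rule's consequent is the output level nearest to the mean of its antecedent set indices) are assumptions, since the paper does not list them.

```python
"""Zero-order Takagi-Sugeno-Kang inference with the characteristics the paper lists
for its neuro-fuzzy network.  Added example, not the authors' MATLAB model; the
membership parameters and the rule base are assumptions."""
from itertools import product

INPUT_SETS = ["very low", "low", "medium", "high", "very high"]
# Assumed trapezoids (a, b, c, d) on the input range [0; 10] (x = k*p*f with k <= 10).
TRAPEZOIDS = [(-1, 0, 1.5, 3), (1.5, 3, 3.5, 5), (3.5, 4.5, 5.5, 6.5),
              (5, 6.5, 7, 8.5), (7, 8.5, 10, 11)]
# The nine output values of the paper: index 0..8 -> 0, 0.125, ..., 1.
OUTPUT_LEVELS = [i / 8 for i in range(9)]
OUTPUT_NAMES = ["negligibly low", "very low", "low", "below average", "average",
                "above average", "high", "very high", "critical"]

def trapezoid(x, a, b, c, d):
    """Trapezoidal membership: rises on [a, b], flat on [b, c], falls on [c, d]."""
    return max(0.0, min((x - a) / (b - a), 1.0, (d - x) / (d - c)))

def fuzzify(x):
    """Layer 1 (fuzzification): degree of x in each of the five input sets."""
    return [trapezoid(x, *params) for params in TRAPEZOIDS]

def consequent_index(i, j, k):
    """Assumed rule base: rule (threat set i, damage set j, vulnerability set k)
    concludes the output level nearest to the mean set index, rescaled from the
    range 0..12 to 0..8.  Replace with expert-authored rules in practice."""
    return round(8 * (i + j + k) / 12)

def risk_level(threat, damage, vulnerability):
    """Layers 2-5: aggregation (product of antecedent degrees = firing strength),
    activation (strength x singleton consequent), accumulation (sum over rules)
    and weighted-average defuzzification.  Returns a crisp value in [0; 1]."""
    degrees = [fuzzify(threat), fuzzify(damage), fuzzify(vulnerability)]
    num = den = 0.0
    for i, j, k in product(range(5), repeat=3):            # all 125 rules
        w = degrees[0][i] * degrees[1][j] * degrees[2][k]  # algebraic product (AND)
        if w == 0.0:
            continue
        num += w * OUTPUT_LEVELS[consequent_index(i, j, k)]
        den += w
    return num / den if den else 0.0

def verbal(level):
    """Map the crisp output onto the nine-point verbal scale of Table II."""
    idx = min(range(9), key=lambda n: abs(OUTPUT_LEVELS[n] - level))
    return OUTPUT_NAMES[idx]

if __name__ == "__main__":
    for t, d, v in [(0.5, 5.0, 9.0), (2.0, 5.0, 9.0), (8.0, 8.0, 8.0)]:
        y = risk_level(t, d, v)
        print(f"threat={t} damage={d} vulnerability={v} -> {y:.3f} ({verbal(y)})")
```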
The Hurwicz criterion is based on the choice of a pessimism indicator in the range from 0 to 1. If the pessimism indicator is maximal (equal to 1), the Hurwicz criterion coincides with Wald's maximin model, realizing a pessimistic strategy. The minimal pessimism indicator (equal to 0) should not be chosen, because the optimistic strategy is focused on maximizing the project's result, so the risk associated with unfavorable development of the external environment is not taken into account. The Hurwicz criterion is the most flexible of all the game theory methods, because it allows several optimistic and pessimistic scenarios to be compared. Its disadvantage is the subjectivity of the choice of the pessimism indicator by the researcher or the decision maker.

Minimax regret is based on a matrix of regrets built from the matrix of strategies. Regrets are the result lost by a suboptimal strategy in each current state of the automated system. At first the maximal impact on each risk factor among all countermeasures is determined. Then the lost results of all countermeasures are calculated and the regret matrix is compiled, in which the maximal lost result of each countermeasure is determined. The countermeasure with the smallest maximal lost result is selected.

Each expert should complete two copies of the matrix of strategies (Table III) – one for the impact of active countermeasures (cija), which reduce threats and damage, and one for the impact of passive countermeasures (cijp), which reduce vulnerabilities and damage.

TABLE III. THE MATRIX OF STRATEGIES

  Cost of countermeasures    b1     b2     ...    bn
  a1 = v1                    c11    c12    ...    c1n
  a2 = v2                    c21    c22    ...    c2n
  ...                        ...    ...    ...    ...
  am = vm                    cm1    cm2    ...    cmn

where:
ai – countermeasures;
bj – risk factors;
cij – impact of a countermeasure on a risk factor;
vi – cost of a countermeasure.

After a countermeasure has been chosen in accordance with any of the three criteria, depending on the economic strategy, the corresponding row is removed from the matrix of strategies, after which a new cycle is carried out. Countermeasures are selected from the remaining ones as long as their total cost does not exceed the amount of potential damage (12):

    ∑v ≤ vd        (12)

where:
∑v – total cost of the selected countermeasures;
vd – cost of the potentially possible damage (budget for the countermeasures implementation).

Each expert has to subtract his estimates of the countermeasures' impact (cija, cijp) on the risk factors from his earlier estimates (xij1, xij2, xij3) as in (13), (14) and (15):

    x*ij1 = xij1 − cija        (13)

    x*ij2 = xij2 − cija − cijp        (14)

    x*ij3 = xij3 − cijp        (15)

Finally, the neuro-fuzzy network calculates the residual risk level after the countermeasures implementation.

VI. CONCLUSION

The developed comprehensive information security risk management methodology meets the required effectiveness criteria, has a complex and branched structure, and represents a set of methods and models used to implement the various stages of management. The methodology is based on the joint use and interaction of the IDEF0 model, expert survey, neuro-fuzzy network and game theory methods, and allows the most effective implementation of drawing up the risk factors list, risk factors assessment, risk level calculation and countermeasures choice.

REFERENCES

[1] Kostogryzov A., Krylov V., Nistratov A., Nistratov G., Popov V., Stepanov P. Mathematical models and applicable technologies to forecast, analyze, and optimize quality and risks for complex systems. In Proceedings of the First International Conference on Transportation Information and Safety (ICTIS), ASCE, 2011, pp. 845-854. DOI: 10.1061/9780784411773.
[2] Brooks D.J. Mapping the consensual knowledge of security risk management experts. In Proceedings of the 7th Australian Information Warfare and Security Conference (Edith Cowan University, Perth, Western Australia, 4-5 December 2006), 2006, 10 p. DOI: 10.4225/75/57a823cbaa0d8.
[3] Ruighaver T., Warren M., Ahmad A. Ascent of Asymmetric Risk in Information Security: An Initial Evaluation. In Proceedings of the 10th Australian Information Warfare and Security Conference (Edith Cowan University, Perth, Western Australia, 1-3 December 2009), 2009, 8 p. DOI: 10.4225/75/57a7f620aa0c6.
[4] Barabanov A.V., Markov A.S., Tsirlov V.L. Methodological Framework for Analysis and Synthesis of a Set of Secure Software Development Controls. Journal of Theoretical and Applied Information Technology, 2016, vol. 88, No 1, pp. 77-88.
[5] Marques P.H., Jacinto C. Human-HAZOP studies in the risk management of major accidents. In Proceedings of the International Symposium on Occupational Safety and Hygiene (SHO'2015, Guimarães, Portugal, 12-13 February 2015), 2016, pp. 146-148. DOI: 10.13140/RG.2.1.4446.1684.
[6] Jakub B., Schindler F. Assets Dependencies Model in Information Security Risk Management. In Proceedings of the Second IFIP International Conference (ICT EurAsia, Bali, Indonesia), 2014, pp. 1-10. DOI: 10.13140/RG.2.1.3376.6480.
[7] Alan A.R., Arshad Y., Ibrahim J., et al. IT Risk, Information Security & Governance Practices in Malaysia IHLs. In Proceedings of the International Research Invention, Innovation, and Exhibition 2014 (IRIIE 2014, IIUM, Kuala Lumpur, Malaysia), 2014, pp. 459-459. DOI: 10.13140/2.1.2868.5440.
[8] Pandey P., Shekkens E.A. An Assessment of Market Methods for Information Security Risk Management. In Proceedings of the 16th IEEE International Conference on High Performance and Communications 2014 (WiP Track, Paris, France), 2014, 8 p. DOI: 10.13140/2.1.4348.5445.
[9] Yilmaz R., Yalman Y. A Comparative Analysis of University Information Systems within the Scope of the Information Security Risks. TEM Journal. 2016. V. 5. N 2. P. 180-191. DOI: 10.18421/TEM52-10.
[10] Moore T.W., Probst C.W., Ranneberg K., van Eeten M. Assessing ICT Security Risks in Socio-Technical Systems. Dagstuhl Reports. 2017. V. 6. N 11. P. 63-89. DOI: 10.4230/DagRep.6.11.63.
[11] Aleksandrov A.A., Neusipin K.A., Proletarsky A.V., Fang K. Innovation development trends of modern management systems of educational organizations. In: 2012 International Conference on Information Management, Innovation Management and Industrial Engineering. IEEE, Sanya, China, 2012, pp. 187-189. DOI: 10.1109/ICIII.2012.6339951.
[12] Buldakova T.I., Mikov D.A. Ensuring the Concordance and the Adequacy of Information Security Risk Factors Assessment. Voprosy kiberbezopasnosti [Cybersecurity issues]. 2017. N 3 (21), pp. 8-15. DOI: 10.21581/2311-3456-2017-2-8-15.
[13] McNaught K., Sutovsky P. Representing Variable Source Credibility in Intelligence Analysis with Bayesian Networks. In Proceedings of the 5th Australian Security and Intelligence Conference (Novotel Langley Hotel, Perth, Western Australia, 3-5 December 2012), 2013, pp. 44-51. DOI: 10.4225/75/57a03050ac5cb.
[14] Grigoras R., Mustata A.-M., Teodorescu C. Predicting the state of security using neural networks. In Proceedings of the 9th International Scientific Conference on eLearning and Software for Education (Bucharest, Romania, 25-26 April 2013), 2013, pp. 362-367. DOI: 10.12753/2066-026X-17-167.
[15] Starodubtsev Yu.I., Grechishnikov E.V., Komolov D.V. Use of neural networks to ensure stability of communication networks in conditions of external impacts. Telecommunications and Radio Engineering. 2011. V. 70. N 14. P. 1263-1275.
[16] Beheshti H., Alborzi M. Using Fuzzy Logic to Increase the Accuracy of E-Commerce Risk Assessment Based on an Expert System. Engineering, Technology & Applied Science Research. 2017. V. 7. N 6. P. 2205-2209. DOI: 10.5281/zenodo.1118299.
[17] Sasidevi J., Sugumar R., Priya P.S. A Cost-Effective Privacy Preserving Using Anonymization Based Hybrid Bat Algorithm With Simulated Annealing Approach For Intermediate Data Sets Over Cloud Computing. International Journal of Computational Research and Development. 2017. V. 2. N 2. P. 173-181. DOI: 10.5281/zenodo.1069736.
[18] Vorobiev E.G., Petrenko S.A., Kovaleva I.V., Abrosimov I.K. Analysis of computer security incidents using fuzzy logic. In Proceedings of the 20th IEEE International Conference on Soft Computing and Measurements (24-26 May 2017, St. Petersburg, Russia). SCM 2017, 2017, p. 369-371. DOI: 10.1109/SCM.2017.7970587.
[19] Singh R., Prasad T.V. Exploration of Hybrid Neuro Fuzzy Systems. In Proceedings of the National Conference on Advances in Knowledge Management (NCAKM 2010, At Lingaya's University, Faridabad, Haryana, India), 2010, 6 p. DOI: 10.13140/RG.2.1.3570.0327.
[20] Derugo P. Application of competitive and transition Petri layers in adaptive neuro-fuzzy controller. Power Electronics and Drives Berlin. 2016. V. 1(36). N 1. P. 103-115. DOI: 10.5277/PED160108.
[21] Schauer S., Stamer M., Bosse C., et al. An adaptive supply chain cyber risk management methodology. In Proceedings of the Hamburg International Conference of Logistics (HICL, Hamburg, Germany), 2017, pp. 405-425. DOI: 10.15480/882.149.

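The countermeasure choice of Section V, as an added example (not the authors' code) over one expert's constructed copy of the matrix of strategies (Table III): Wald's maximin model, the Hurwicz criterion and minimax regret, the selection cycle that removes the chosen row and repeats while the total cost stays within vd (12), and the residual estimates (13)-(15). Reading (12) as "a chosen row that would exceed the budget is dropped and the cycle continues with the remaining rows" is an assumption, as are all costs and impacts.

```python
"""Countermeasure choice of Section V: the three game-theory criteria over the matrix
of strategies (Table III), the selection cycle under the budget constraint (12) and
the residual estimates (13)-(15).  Added example; every value below is constructed."""

# One expert's constructed copy of Table III: rows are countermeasures a_i with
# cost v_i, columns are the impact c_ij on risk factors b_1..b_4 (units of x_ij).
COUNTERMEASURES = ["patching", "network segmentation", "backups", "awareness training"]
COSTS = [30.0, 50.0, 20.0, 15.0]                      # v_i
IMPACT = [[3.0, 3.0, 3.0, 3.5],                        # c_ij for a_1
          [6.0, 6.0, 2.5, 5.5],                        # a_2
          [1.0, 1.0, 5.0, 1.0],                        # a_3
          [2.0, 2.0, 2.0, 2.0]]                        # a_4

def wald(matrix):
    """Maximin: the row whose smallest impact (guaranteed result) is largest."""
    return max(range(len(matrix)), key=lambda i: min(matrix[i]))

def hurwicz(matrix, pessimism):
    """pessimism * min(row) + (1 - pessimism) * max(row); pessimism = 1 is Wald's
    model, pessimism = 0 the optimistic strategy the paper advises against."""
    score = [pessimism * min(r) + (1 - pessimism) * max(r) for r in matrix]
    return max(range(len(matrix)), key=lambda i: score[i])

def regret_matrix(matrix):
    """Regret of a_i on b_j = best impact on b_j among all rows minus c_ij."""
    best = [max(col) for col in zip(*matrix)]
    return [[b - c for b, c in zip(best, row)] for row in matrix]

def minimax_regret(matrix):
    """The row whose largest regret is smallest."""
    regrets = regret_matrix(matrix)
    return min(range(len(matrix)), key=lambda i: max(regrets[i]))

def select_countermeasures(matrix, costs, budget, criterion):
    """Selection cycle: apply the criterion to the rows still in the matrix, remove
    the chosen row, repeat.  Assumed reading of (12): a chosen row that would push
    the total cost above v_d is dropped and the cycle continues with the rest.
    Returns the chosen row indices in selection order and their total cost."""
    remaining = list(range(len(matrix)))
    chosen, total = [], 0.0
    while remaining:
        pick = remaining[criterion([matrix[i] for i in remaining])]
        remaining.remove(pick)
        if total + costs[pick] <= budget:
            chosen.append(pick)
            total += costs[pick]
    return chosen, total

def residual_estimates(x, c_active, c_passive):
    """(13)-(15) for one expert and one risk factor: x = (x_ij1, x_ij2, x_ij3),
    c_active = c_ija (reduces threat and damage), c_passive = c_ijp (reduces
    vulnerability and damage).  The result is fed to the neuro-fuzzy network again."""
    x1, x2, x3 = x
    return (x1 - c_active, x2 - c_active - c_passive, x3 - c_passive)

if __name__ == "__main__":
    budget = 70.0                                         # v_d, constructed
    for name, crit in [("Wald", wald), ("Hurwicz 0.5", lambda m: hurwicz(m, 0.5)),
                       ("minimax regret", minimax_regret)]:
        rows, cost = select_countermeasures(IMPACT, COSTS, budget, crit)
        print(f"{name:15s}: {[COUNTERMEASURES[i] for i in rows]} (cost {cost})")
    print("residual (x*1, x*2, x*3):", residual_estimates((5.04, 6.0, 3.2), 3.0, 2.0))
```

The criteria disagree on this matrix on purpose: Wald prefers the evenly effective first row, minimax regret the second, whose only weakness is a single risk factor.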