Printed from https://ideas.repec.org/a/eee/ininma/v36y2016i1p25-34.html

Information security risk analysis model using fuzzy decision theory

Authors
  • de Gusmão, Ana Paula Henriques
  • e Silva, Lúcio Camara
  • Silva, Maisa Mendonça
  • Poleto, Thiago
  • Costa, Ana Paula Cabral Seixas

Abstract

This paper proposes a risk analysis model for information security assessment, which identifies and evaluates the sequence of events – referred to as alternatives – in a potential accident scenario following the occurrence of an initiating event corresponding to abuses of Information Technology systems. In order to perform this evaluation, this work suggests the use of Event Tree Analysis combined with fuzzy decision theory. The contributions of the present proposal are: the development of a taxonomy of events and scenarios, the ranking of alternatives based on the criticality of the risk, considering financial losses, and finally, the provision of information regarding the causes of information system attacks of highest managerial relevance for organizations. We included an illustrative example regarding a data center to illustrate the applicability of the proposed model. To assess its robustness, we analyzed twelve alternatives considering two different methods of setting probabilities of the occurrence of events. Results showed that a deliberate external database services attack represents the most risky alternative.

Suggested Citation

  • de Gusmão, Ana Paula Henriques & e Silva, Lúcio Camara & Silva, Maisa Mendonça & Poleto, Thiago & Costa, Ana Paula Cabral Seixas, 2016. "Information security risk analysis model using fuzzy decision theory," International Journal of Information Management, Elsevier, vol. 36(1), pages 25-34.
  • Handle: RePEc:eee:ininma:v:36:y:2016:i:1:p:25-34
  • DOI: 10.1016/j.ijinfomgt.2015.09.003
  • Publisher URL: http://www.sciencedirect.com/science/article/pii/S0268401215000900 (full text for ScienceDirect subscribers only)
