Information Security Risk Assessment Model Based on Computing with Words
Abstract
Information security risk assessment of IT services is the basis for securing a company's IT infrastructure. The increasing complexity, connectivity and rate of change of IT services make traditional quantitative and qualitative risk assessment models impractical to apply: existing quantitative models are time-consuming, while qualitative models do not account for the subjectivity of expert judgements or the uncertainty of the risk factors. This paper presents a new information security risk assessment model for IT services based on computing with words. The model's methodology is based on the OWASP risk rating methodology for web applications. To evaluate risk factors, it proposes a dictionary of 16/32 granular terms (words). Uncertainty in the experts' perceptual assessments of risk factors is handled using methods from the theory of discrete interval type-2 fuzzy sets and systems.
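The OWASP risk rating methodology that the abstract names as its baseline is a plain procedure: eight likelihood factors and eight impact factors are each scored 0..9, each group is averaged, the two averages are banded (LOW below 3, MEDIUM below 6, HIGH otherwise), and a 3x3 matrix turns the pair of bands into an overall severity. The example below, added here as an illustration and not the paper's model or code, runs that procedure with factors rated by words instead of numbers, where each word is carried as an interval on the 0..9 scale so that the expert's uncertainty propagates to the result. It shows the practical problem the paper addresses: the crisp midpoint score lands on a single severity, while the interval the words actually admit straddles several. The vocabulary, its interval encoding and the sample ratings are constructed assumptions; the paper's discrete interval type-2 fuzzy-set machinery is not reproduced.

```python
"""OWASP Risk Rating with word-valued (interval) factor ratings.

Added illustration, not the paper's model: the vocabulary below and its
interval encoding are constructed assumptions; the paper's discrete
interval type-2 fuzzy-set methods are not reproduced here.
"""
from typing import Dict, List, Tuple

# Constructed vocabulary: each word is an interval on the OWASP 0..9 scale
# (an assumption for this example, not the paper's 16/32-term dictionary).
WORDS: Dict[str, Tuple[float, float]] = {
    "none": (0.0, 1.0), "very low": (0.5, 2.0), "low": (1.5, 3.5),
    "medium low": (3.0, 5.0), "medium": (4.0, 6.0), "medium high": (5.0, 7.0),
    "high": (6.0, 8.5), "very high": (8.0, 9.0),
}

# Factor names from the OWASP Risk Rating Methodology (8 likelihood, 8 impact).
LIKELIHOOD_FACTORS: List[str] = [
    "skill_level", "motive", "opportunity", "size",                              # threat agent
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",  # vulnerability
]
IMPACT_FACTORS: List[str] = [
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",                            # technical
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",  # business
]

BANDS = ["LOW", "MEDIUM", "HIGH"]
# OWASP overall severity matrix, indexed [impact band][likelihood band].
SEVERITY = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}
SEVERITY_ORDER = ["Note", "Low", "Medium", "High", "Critical"]


def band(score: float) -> str:
    """OWASP banding of a 0..9 score: <3 LOW, <6 MEDIUM, otherwise HIGH."""
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"


def interval_average(ratings: Dict[str, str], factors: List[str]) -> Tuple[float, float]:
    """Average the word intervals bound by bound. Every factor must be rated
    and every word must be in the vocabulary; a partial or misspelled
    assessment fails loudly instead of silently scoring as zero."""
    missing = [f for f in factors if f not in ratings]
    if missing:
        raise ValueError(f"unrated factors: {missing}")
    unknown = [ratings[f] for f in factors if ratings[f] not in WORDS]
    if unknown:
        raise ValueError(f"words not in vocabulary: {unknown}")
    lows = [WORDS[ratings[f]][0] for f in factors]
    highs = [WORDS[ratings[f]][1] for f in factors]
    return (sum(lows) / len(factors), sum(highs) / len(factors))


def bands_covered(interval: Tuple[float, float]) -> List[str]:
    """All OWASP bands an interval touches; bands are contiguous, so this is
    the run from band(lo) to band(hi) inclusive."""
    lo, hi = interval
    return BANDS[BANDS.index(band(lo)): BANDS.index(band(hi)) + 1]


def assess(likelihood_words: Dict[str, str], impact_words: Dict[str, str]) -> dict:
    """Interval OWASP rating: the set of severities the experts' uncertainty
    admits, beside the single answer a midpoint (point-estimate) scoring gives."""
    like = interval_average(likelihood_words, LIKELIHOOD_FACTORS)
    imp = interval_average(impact_words, IMPACT_FACTORS)
    admitted = {SEVERITY[i][l] for i in bands_covered(imp) for l in bands_covered(like)}
    mid_like, mid_imp = sum(like) / 2, sum(imp) / 2
    return {
        "likelihood": like,
        "impact": imp,
        "severity_range": sorted(admitted, key=SEVERITY_ORDER.index),
        "decisive": len(admitted) == 1,
        "crisp_severity": SEVERITY[band(mid_imp)][band(mid_like)],
    }


# Constructed sample assessment (a hypothetical injection flaw in an internal
# admin application); the ratings are illustrative, not taken from the paper.
SAMPLE_LIKELIHOOD = {
    "skill_level": "medium", "motive": "high", "opportunity": "medium high",
    "size": "low", "ease_of_discovery": "high", "ease_of_exploit": "medium high",
    "awareness": "very high", "intrusion_detection": "medium",
}
SAMPLE_IMPACT = {
    "loss_of_confidentiality": "high", "loss_of_integrity": "medium high",
    "loss_of_availability": "low", "loss_of_accountability": "medium",
    "financial_damage": "medium", "reputation_damage": "medium high",
    "non_compliance": "high", "privacy_violation": "high",
}

if __name__ == "__main__":
    r = assess(SAMPLE_LIKELIHOOD, SAMPLE_IMPACT)
    print(f"likelihood {r['likelihood']}  impact {r['impact']}")
    print(f"crisp midpoint rating: {r['crisp_severity']}")
    print(f"severities admitted by the intervals: {r['severity_range']}"
          f" (decisive={r['decisive']})")
```

On the sample ratings the midpoint scoring reports a single "Medium", while the intervals behind the same words admit anything from Medium to Critical; a reviewer who only sees the crisp number never learns that the assessment is this undecided. Interval averaging is the simplest uncertainty model available and is used here only to make the effect visible; the paper's type-2 fuzzy treatment of the same words is a different, richer calculation.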
References
Wangen, G.: An initial insight into Information Security Risk Assessment practices. In: 2016 Federated Conference on Computer Science and Information Systems (FedCSIS), vol. 8, pp. 999–1008. IEEE, Gdansk, Poland (2016).
Lee, M.-C.: Information Security Risk Analysis Methods and Research Trends: AHP and Fuzzy Comprehensive Method. International Journal of Computer Science & Information Technology (IJCSIT), 6 (1), 29-45 (2014).
OWASP Risk Rating Methodology. https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology (2017). [Online; accessed 05-May-2017]
Common Vulnerability Scoring System. https://www.first.org/cvss (2017). [Online; accessed 05-May-2017]
Caralli, R.A., Stevens, J.F., Young, L.R. and Wilson, W.R.: Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process. Tech. report CMU. Software Engineering Institute (2007).
ISO/IEC 27005:2011: Information Technology, Security Techniques, Information Security Risk Management. 2nd edn. (2011).
Song, Y., Shen, Y., Zhang, G. and Hu, Y.: The information security risk assessment model based on GA-BP. In: 2016 7th IEEE International Conference on Software Engineering and Service Science (ICSESS), pp. 119-122. IEEE, Beijing, China (2016).
Wang, J., Fan, K., Mo, W., Xu, D.: A Method for Information Security Risk Assessment Based on the Dynamic Bayesian Network. In: 2016 International Conference on Networking and Network Applications, pp. 279-283. IEEE, Hakodate, Japan (2016).
IEC 31010:2009: Risk management, Risk assessment techniques. 1st edn. (2009).
Mendel, J.M., John, R.I.B.: Type-2 Fuzzy Sets Made Simple. IEEE Transactions on Fuzzy Systems, 10 (2), 117-127 (2002).
Mendel, J.M., Wu, D.: Perceptual Computing: Aiding People in Making Subjective Judgments. 1st edn. Wiley-IEEE Press (2010).
Petrenko, T., Tymchuk, O.: Package library and toolbox for discrete interval type-2 fuzzy logic systems. Proceedings of the 18th International Conference on Soft Computing (MENDEL), pp. 233-238. Brno, Czech Republic (2012).
MENDEL open access articles are normally published under a Creative Commons Attribution-NonCommercial-ShareAlike licence (CC BY-NC-SA 4.0, https://creativecommons.org/licenses/by-nc-sa/4.0/). Under CC BY-NC-SA 4.0, third-party reuse is permitted only for non-commercial purposes. Users may share, copy and redistribute the material in any medium or format, and adapt, remix, transform and build upon it, for any non-commercial purpose. Reuse requires appropriate attribution to the source, a link to the licence, and an indication of any changes made to the original material.