Sevilay Beken, Mete Eminağaoğlu
2019 Ege Stratejik Araştırmalar Dergisi  
Abstract
This study proposes a novel information security risk assessment approach based on a Bayesian network and a fuzzy inference system in order to evaluate and calculate both qualitative and/or quantitative risks. The proposed model is developed to analyse the test processes of a software services company in order to evaluate its information security risks. Threats, vulnerabilities, risks and their relations are constructed as a Bayesian network, and marginal probabilities are calculated for each risk factor. Several fuzzy membership functions and fuzzy decision rules are designed and constructed for asset values, risk probabilities and relative risk values. Finally, the impacts of the risk values are calculated after the aggregation and defuzzification process. It is shown that this new model enables business decision makers and managers to obtain more objective, reliable and flexible information security risk assessment results.

Öz (abstract in Turkish, translated to English)
In this study, a new information security risk assessment approach based on a Bayesian network and a fuzzy inference system is proposed in order to evaluate and calculate qualitative and/or quantitative risks. The proposed model was developed to analyse the test processes of a software company. A Bayesian network in which threats, vulnerabilities, risks and the links between them are defined was designed, and component (marginal) probabilities were calculated for each risk factor. Fuzzy membership functions and fuzzy decision rules were designed and built for the values of information assets, their risks, probabilities and relative risk values. In the final stage, the impacts of the risk values were calculated and ranked by means of fuzzy aggregation and defuzzification operations. This new model enables managers in organizations to obtain and use information security risk assessment results in a more objective, reliable and flexible way.

size and complexity (Vercellis, 2009; TBD 4. Çalışma Grubu, 2006). Information security can be defined as the protection of data or information against loss, unauthorized access or misuse. Companies should ensure that their systems and applications operate effectively while keeping the risk of theft, loss, misuse, unauthorized access or modification of their information assets at an acceptable level (Pfleeger, 2007). The fundamental objectives of information security are confidentiality, integrity and availability (Pfleeger, 2007).
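The two-stage pipeline the abstract describes (Bayesian-network marginal probabilities for each risk factor, then fuzzy membership functions, decision rules, aggregation and defuzzification to an impact value, and finally ranking) can be illustrated with a toy implementation. This is an added example and not the authors' model: the network structure (Threat and Vulnerability as parents of a Risk node), the priors and conditional probability table, the triangular membership functions, the rule base and the scenario values are all constructed here for illustration and do not come from the paper. It also goes slightly beyond the abstract by accepting evidence on a node, so that a confirmed finding (for example a vulnerability verified during testing) updates the risk probability before it is fuzzified.

```python
"""Toy Bayesian-network + fuzzy-inference risk scoring (constructed example, not the paper's model)."""
from itertools import product

# --- Bayesian network (assumed structure): Threat T -> Risk R <- Vulnerability V ---
# Binary nodes with constructed priors and a constructed CPT; none of these numbers are from the paper.
P_THREAT = 0.30        # P(T=1): e.g. the test environment is targeted (assumed)
P_VULN = 0.50          # P(V=1): e.g. shared test credentials are in use (assumed)
CPT_RISK = {           # P(R=1 | T=t, V=v)
    (0, 0): 0.01, (0, 1): 0.05,
    (1, 0): 0.10, (1, 1): 0.80,
}


def p_risk(evidence=None):
    """Marginal (or posterior, given evidence on T/V) probability of the risk event.

    Exact inference by enumeration: P(R=1 | e) = sum over (t,v) consistent with e of
    P(R=1|t,v) P(t) P(v), divided by P(e). evidence is a dict like {"V": 1}; absent nodes are summed out.
    """
    evidence = evidence or {}
    numerator = denominator = 0.0
    for t, v in product((0, 1), repeat=2):
        if evidence.get("T", t) != t or evidence.get("V", v) != v:
            continue  # assignment inconsistent with the observed evidence
        weight = (P_THREAT if t else 1 - P_THREAT) * (P_VULN if v else 1 - P_VULN)
        numerator += CPT_RISK[(t, v)] * weight
        denominator += weight
    return numerator / denominator


# --- Fuzzy inference system (Mamdani style; constructed membership functions and rules) ---
def tri(x, a, b, c):
    """Triangular membership function: 0 at a, peak 1 at b, back to 0 at c."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)


ASSET_MF = {"low": (-5, 0, 5), "medium": (0, 5, 10), "high": (5, 10, 15)}        # asset value on 0..10
PROB_MF = {"low": (-0.5, 0, 0.5), "medium": (0, 0.5, 1), "high": (0.5, 1, 1.5)}  # risk probability 0..1
IMPACT_MF = {"low": (-5, 0, 5), "medium": (0, 5, 10), "high": (5, 10, 15)}       # risk impact on 0..10

# Constructed decision rules: (asset value label, risk probability label) -> impact label.
# The rule base covers every label pair so that no input leaves the output set empty.
RULES = {
    ("low", "low"): "low",     ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",  ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium", ("high", "medium"): "high",     ("high", "high"): "high",
}


def fuzzify(x, mfs):
    """Membership degree of crisp value x in each linguistic label."""
    return {label: tri(x, *abc) for label, abc in mfs.items()}


def infer_impact(asset_value, risk_prob, steps=1000):
    """Fuzzify inputs, fire rules (min), aggregate per output label (max), defuzzify (centroid)."""
    asset = fuzzify(asset_value, ASSET_MF)
    prob = fuzzify(risk_prob, PROB_MF)
    strength = {label: 0.0 for label in IMPACT_MF}
    for (a_label, p_label), out_label in RULES.items():
        strength[out_label] = max(strength[out_label], min(asset[a_label], prob[p_label]))
    # Centroid of the aggregated output set (max of the clipped label sets), sampled on 0..10
    num = den = 0.0
    for i in range(steps + 1):
        y = 10.0 * i / steps
        mu = max(min(strength[label], tri(y, *IMPACT_MF[label])) for label in IMPACT_MF)
        num += y * mu
        den += mu
    return num / den if den else 0.0


def assess(asset_value, evidence=None):
    """Chain the two stages: BN probability of the risk event -> fuzzy impact score on 0..10."""
    prob = p_risk(evidence)
    return prob, infer_impact(asset_value, prob)


def rank(scenarios):
    """scenarios: list of (name, asset_value, evidence). Returns (name, prob, impact), highest impact first."""
    scored = [(name, *assess(value, evidence)) for name, value, evidence in scenarios]
    return sorted(scored, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    # Constructed scenarios for a test process; "weak creds confirmed" sets evidence V=1.
    for name, prob, impact in rank([
        ("test data leak, no evidence", 8, None),
        ("test data leak, weak creds confirmed", 8, {"V": 1}),
        ("build log exposure", 3, None),
    ]):
        print(f"{name:40s} P(risk)={prob:.3f}  impact={impact:.2f}")
```

Two points a practitioner would check in a model like this: the rule base must cover every combination of input labels (otherwise some inputs aggregate to an empty set and the centroid is undefined, which the guard in infer_impact only masks), and evidence should be fed into the network rather than into the fuzzy stage, so that a finding confirmed during testing moves the probability through the conditional probability table instead of being hand-adjusted.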
Each objective addresses a different aspect of protecting information. The National Information Assurance (IA) Glossary defines confidentiality as "the property that information is not disclosed to users, processes or devices unless they have been authorized to access the information" (Committee on National Security Systems, 2010). In other words, confidentiality is the property that data or information is not made available or disclosed to unauthorized people or processes; it aims at protecting information against unauthorized access, use and disclosure. Integrity can be described simply as the property that information is not altered or destroyed by unauthorized processes, people or events. "Integrity indicates that information must be protected against improper destruction or alteration, and that appropriate backups must be provided in the event of a threat, hazard or natural disaster" (Committee on National Security Systems, 2010). According to the IA Glossary, availability is "the property that data or information is accessible and usable upon demand by an authorized entity". This means that authorized personnel must be able to access the information when they need it. In addition, disaster recovery and business continuity plans for business, governmental, educational and other operations should be identified and planned in order to keep the organization operational. To sustain the confidentiality, integrity and availability objectives of information security, risk assessment methodologies should be applied to the organization's operations. Information security risk assessment can be defined as the process of determining the security risks, resolving security problems and reducing these risk factors to an acceptable level (Layton, 2007).
According to the ISO 27005 standard, information assets, vulnerabilities, threats and risk factors should be identified, analysed and controlled within the scope of the security risk assessment process (ISO/IEC 27005, 2011). Assets are the main objects that organizations need to protect under their information security policies (Dhillon, 2007); they can be valuable information or resources such as computers, employees, internet connections and so on. A threat is defined as "the potential cause of accidents that may cause harm to systems or organizations", and a vulnerability as "the weak link of an asset that may be exposed by a threat" (ISO/IEC 27001, 2013). Determining assets, threats, vulnerabilities, risk values and likelihoods is critical for an information security strategy (Layton, 2007). Information security risk assessment provides managers with the strategic information they need to decide how to mitigate or control information risks (Tipton and Krause, 2007). This study focuses on constructing an accurate and effective information security risk assessment model. Hence, in order to evaluate and calculate both qualitative and quantitative risks, an information security risk assessment approach based on a Bayesian network and a fuzzy inference system is proposed. Information security risk factors can be
doi:10.18354/esam.507794