Risk analysis in information systems: A fuzzification of the MAGERIT methodology

作者:

Highlights:

摘要

Several methodologies based on ISO/IEC 27000 international standard have been developed to deal with risk analysis in information systems (IS). These methodologies do not, however, consider imprecise valuations, but use precise values on different, usually percentage, scales.We propose an extension of the MAGERIT methodology based on classical fuzzy computational models. A linguistic term scale is used to represent asset values, their dependencies and frequency and asset degradation associated with threats. Computations are based on trapezoidal fuzzy numbers associated with linguistic terms. A similarity function is used to associate a linguistic term on the previously defined scale to the trapezoidal fuzzy numbers resulting from computations. Finally, regarding the selection of preventive safeguards to reduce risks in IS, we propose a dynamic programming-based method that incorporates simulated annealing to tackle optimizations problems with the aim of minimizing costs while keeping the risk at acceptable levels.An example of an administrative unit using in-house and third-party information systems internally and to provide public information services is used to illustrate the methodology.

论文关键词:Risk analysis,Information systems,Trapezoidal fuzzy numbers,MAGERIT methodology,Selection of safeguards

论文评审过程:Received 27 July 2013, Revised 21 February 2014, Accepted 25 February 2014, Available online 15 March 2014.

论文官网地址:https://doi.org/10.1016/j.knosys.2014.02.018