A hybrid information security risk assessment procedure considering interdependences between controls

摘要

Risk assessment is the core process of information security risk management. Organizations use risk assessment to determine the risks within an information system and provide sufficient means to reduce these risks. In this paper, a hybrid procedure for evaluating risk levels of information security under various security controls is proposed. First, this procedure applies the Decision Making Trial and Evaluation Laboratory (DEMATEL) approach to construct interrelations among security control areas. Secondly, likelihood ratings are obtained through the Analytic Network Process (ANP) method; as a result, the proposed procedure can detect the interdependences and feedback between security control families and function in real world situations. Lastly, the Fuzzy Linguistic Quantifiers-guided Maximum Entropy Order-Weighted averaging (FLQ-MEOWA) operator is used to aggregate impact values assessed by experts, applied to diminish the influence of extreme evaluations such as personal views and drastic perspectives. A real world application in a branch office of the health insurance institute in Taiwan was examined to verify the proposed procedure. By analyzing the acquired data, we confirm the proposed procedure certainly detects the influential factors among security control areas. This procedure also evaluates risk levels more accurately by coping with the interdependencies among security control families and determines the information systems safeguards required for better security, therefore enabling organizations to accomplish their missions.