A new information security risk analysis method based on membership degree

Kybernetes ◽  
2014 ◽  
Vol 43 (5) ◽  
pp. 686-698 ◽  
Author(s):  
Jiqiang Chen ◽  
Witold Pedrycz ◽  
Litao Ma ◽  
Chao Wang

Purpose – In a risk analysis system, different underlying indices often play different roles in identifying the risk scale of the total target in a system, so a concept of discriminatory weight is introduced first. With the help of discriminatory weight and membership functions, a new method for information security risk analysis is proposed. The purpose of this paper is to discuss the above issues. Design/methodology/approach – First, a concept of discriminatory weight is introduced. Second, with the help of fuzzy sets, risk scales are captured in terms of fuzzy sets (namely their membership functions). Third, a new risk analysis method involving discriminatory weights is proposed to realize a transformation from the membership degrees of the underlying indices to the membership degrees of the total target. At last, an example of information security risk analysis shows the effectiveness and feasibleness of the new method. Findings – The new method generalizes the weighted-average method. The comparative analysis done with respect to other two methods show that the proposed method exhibits higher classification accuracy. Therefore, the proposed method can be applied to other risk analysis system with a hierarchial. Originality/value – This paper proposes a new method for information security risk analysis with the help of membership functions and the concept of discriminatory weight. The new method generalizes the weighted-average method. Comparative analysis done with respect to other two methods show that the proposed method exhibits higher classification accuracy in E-government information security system. What is more, the proposed method can be applied to other risk analysis system with a hierarchial.

2005 ◽  
Vol 24 (2) ◽  
pp. 147-159 ◽  
Author(s):  
Bilge Karabacak ◽  
Ibrahim Sogukpinar

2021 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Hao Chen ◽  
Ofir Turel ◽  
Yufei Yuan

PurposeElectronic waste (e-waste) such as discarded computers and smartphones may contain large amounts of confidential data. Improper handling of remaining information in e-waste can, therefore, drive information security risk. This risk, however, is not always properly assessed and managed. The authors take the protection motivation theory (PMT) lens of analysis to understand intentions to protect one's discarded electronic assets.Design/methodology/approachBy applying structural equation modeling, the authors empirically tested the proposed model with survey data from 348 e-waste handling users.FindingsResults highlight that (1) protection intention is influenced by the perceived threat of discarding untreated e-waste (a threat appraisal) and self-efficacy to treat the discarded e-waste (a coping appraisal) and (2) optimism bias plays a dual-role in a direct and moderating way to reduce the perceived threat of untreated e-waste and its effect on protection intentions.Originality/valueResults support the assertions and portray a unique theoretical account of the processes that underline people's motivation to protect their data when discarding e-waste. As such, this study explains a relatively understudied information security risk behavior in the e-waste context, points to the role of optimism bias in such decisions and highlights potential interventions that can help to alleviate this information security risk behavior.


Author(s):  
Hamed H. Dadmarz

Risk analysis is required in all companies to help the business owners or top managers make decisions about risk management strategy, which itself provides an organization with a roadmap for information and information infrastructure protection aligned to business goals and the organization's risk profile. This chapter identifies information assets including network, electricity, hardware, service, software, and human resources in the ICT department of a health insurance company and their relevant risks. To determine the risks, the level of confidentiality, level of integrity, level of availability, the likelihood of threat occurrence, and intensity of vulnerability have been assessed and rated. Assessment is done based on the opinions of 30 experts in the field of information security. According to the results, the highest information security risk is on the network.


2015 ◽  
Vol 17 (2) ◽  
pp. 193-219 ◽  
Author(s):  
Palaniappan Shamala ◽  
Rabiah Ahmad ◽  
Ali Hussein Zolait ◽  
Shahrin bin Sahib

Purpose – Information security has become an essential entity for organizations across the globe to eliminate the possible risks in their organizations by conducting information security risk assessment (ISRA). However, the existence of numerous different types of risk assessment methods, standards, guidelines and specifications readily available causes the organizations to face the daunting tasks in determining the most suitable method that would augur well in meeting their needs. Therefore, to overcome this tedious process, this paper suggests collective information structure model for ISRA. Design/methodology/approach – The proposed ISRA model was developed by deploying a questionnaire using close-ended questions administrated to a group of information security practitioners in Malaysia (N = 80). The purpose of the survey was to strengthen and add more relevant additional features to the existing framework, as it was developed based on secondary data. Findings – Previous comparative and analyzed studies reveals that all the six types of ISRA methodologies have features of the same kind of information with a slight difference in form. Therefore, questionnaires were designed to insert additional features to the research framework. All the additional features chosen were based on high frequency of more than half percentage agreed responses from respondents. The analyses results inspire in generating a collective information structure model which more practical in the real environment of the workplace. Practical implications – Generally, organizations need to make comparisons between methodologies and decide on the best due to the inexistence of agreed reference benchmark in ISRA methodologies. This tedious process leads to unwarranted time, money and energy consumption. Originality/value – The collective information structure model for ISRA aims to assist organizations in getting a general view of ISRA flow and gathering information on the requirements to be met before risk assessment can be conducted successfully. This model can be conveniently used by organizations to complete all the required planning as well as to select the suitable methods to complete the ISRA.


2019 ◽  
Vol 27 (3) ◽  
pp. 358-372 ◽  
Author(s):  
Erik Bergström ◽  
Martin Lundgren ◽  
Åsa Ericson

Purpose The study aims to revisit six previously defined challenges in information security risk management to provide insights into new challenges based on current practices. Design/methodology/approach The study is based on an empirical study consisting of in-depth interviews with representatives from public sector organisations. The data were analysed by applying a practice-based view, i.e. the lens of knowing (or knowings). The results were validated by an expert panel. Findings Managerial and organisational concerns that go beyond a technical perspective have been found, which affect the ongoing social build-up of knowledge in everyday information security work.. Research limitations/implications The study has delimitation as it consists of data from four public sector organisations, i.e. statistical analyses have not been in focus, while implying a better understanding of what and why certain actions are practised in their security work. Practical implications The new challenges that have been identified offer a refined set of actionable advice to practitioners, which, for example, can support cost-efficient decisions and avoid unnecessary security trade-offs. Originality/value Information security is increasingly relevant for organisations, yet little is still known about how related risks are handled in practice. Recent studies have indicated a gap between the espoused and the actual actions. Insights from actual, situated enactment of practice can advise on process adaption and suggest more fit approaches.


Sign in / Sign up

Export Citation Format

Share Document