Ana Paula Henriques de Gusmão
Federal University of Pernambuco
Publication
Featured research published by Ana Paula Henriques de Gusmão.
International Journal of Information Management | 2014
Maisa Mendonça Silva; Ana Paula Henriques de Gusmão; Thiago Poleto; Lúcio Camara e Silva; Ana Paula Cabral Seixas Costa
We proposed an approach to information security risk management, encompassing Failure Mode and Effects Analysis (FMEA) and fuzzy theory. This approach analyses five dimensions of information security. A numerical application was undertaken. Because of the evolution and widespread use of the Internet, organisations are becoming more susceptible to attacks on Information Technology Systems. These attacks result in data losses and alterations, and impact services and business operations. Therefore, to minimise these potential failures, this paper presents an approach to information security risk management, encompassing Failure Mode and Effects Analysis (FMEA) and fuzzy theory. This approach analyses five dimensions of information security: access to information and systems, communication security, infrastructure, security management and secure information systems development. To illustrate the proposed model, it was applied to a University Research Group project. The results show that the most important aspects of information security risk are communication security, followed by infrastructure.
International Journal of Information Management | 2016
Ana Paula Henriques de Gusmão; Lúcio Camara e Silva; Maisa Mendonça Silva; Thiago Poleto; Ana Paula Cabral Seixas Costa
A risk analysis model for information security was proposed. The model is based on fuzzy decision theory. A taxonomy of events and scenarios using ETA methodology was developed. Alternatives can be ranked based on the criticality of the risk. The model provides information regarding the criticality causes of attacks. Results show that deliberate external database attack is the most risky alternative. This paper proposes a risk analysis model for information security assessment, which identifies and evaluates the sequence of events - referred to as alternatives - in a potential accident scenario following the occurrence of an initiating event corresponding to abuses of Information Technology systems. In order to perform this evaluation, this work suggests the use of Event Tree Analysis combined with fuzzy decision theory. The contributions of the present proposal are: the development of a taxonomy of events and scenarios, the ranking of alternatives based on the criticality of the risk, considering financial losses, and finally, the provision of information regarding the causes of information system attacks of highest managerial relevance for organizations. We included an illustrative example regarding a data center aiming to illustrate the applicability of the proposed model. To assess its robustness, we analyzed twelve alternatives considering two different methods of setting probabilities of the occurrence of events. Results showed that deliberate external database services attack represents the most risky alternative.
Systems, Man and Cybernetics | 2015
Lúcio Camara e Silva; Ana Paula Henriques de Gusmão; Maisa Mendonça Silva; Thiago Poleto; Ana Paula Cabral Seixas Costa
Outsourcing services have been one of the strategic measures adopted with regard to directing the focus of a company to its core business. However, companies which try to adopt Information Technology outsourcing have been faced with several threats. Therefore, the purpose of this paper is to show the applicability of an existing risk management model to deal with uncertainties in outsourcing services. The main idea is to combine Failure Modes and Effect Analysis (FMEA) with Fuzzy Logic to detect which of the different dimensions considered is more likely to fail. To show the applicability of the model, a hypothetical example was conducted with the knowledge of an expert. The result of the model is important as this will assist managers in preventing potential failures.
International Journal of Information Management | 2018
Ana Paula Henriques de Gusmão; Maisa Mendonça Silva; Thiago Poleto; Lúcio Camara e Silva; Ana Paula Cabral Seixas Costa
Cybersecurity is defined as information security aimed at averting cyberattacks, which are among the main issues caused by the extensive use of networks in industrial control systems. This paper proposes a model that integrates fault tree analysis, decision theory and fuzzy theory to (i) ascertain the current causes of cyberattack prevention failures and (ii) determine the vulnerability of a given cybersecurity system. The model was applied to evaluate the cybersecurity risks involved in attacking a website, e-commerce and enterprise resource planning (ERP), and to assess the possible consequences of such attacks; we evaluate these consequences, which include data dissemination, data modification, data loss or destruction and service interruption, in terms of criteria related to financial losses and time for restoration. The results of the model application demonstrate its usefulness and illustrate the increased vulnerability of e-commerce to cybersecurity attacks, relative to websites or ERP, due partly to frequent operator access, credit transactions and users’ authentication problems characteristic of e-commerce.
Mathematical Problems in Engineering | 2016
Maisa Mendonça Silva; Thiago Poleto; Lúcio Camara e Silva; Ana Paula Henriques de Gusmão; Ana Paula Cabral Seixas Costa
Big data is the term used to denote enormous sets of data that differ from other classic databases in four main ways: (huge) volume, (high) velocity, (much greater) variety, and (big) value. In general, data are stored in a distributed fashion and on computing nodes as a result of which big data may be more susceptible to attacks by hackers. This paper presents a risk model for big data, which comprises Failure Mode and Effects Analysis (FMEA) and Grey Theory, more precisely grey relational analysis. This approach has several advantages: it provides a structured approach in order to incorporate the impact of big data risk factors; it facilitates the assessment of risk by breaking down the overall risk to big data; and finally its efficient evaluation criteria can help enterprises reduce the risks associated with big data. In order to illustrate the applicability of our proposal in practice, a numerical example, with realistic data based on expert knowledge, was developed. The numerical example analyzes four dimensions, that is, managing identification and access, registering the device and application, managing the infrastructure, and data governance, and 20 failure modes concerning the vulnerabilities of big data. The results show that the most important aspect of risk to big data relates to data governance.
Systems, Man and Cybernetics | 2014
Ana Paula Henriques de Gusmão; Maisa Silva Mendonça; Ana Paula Cabral Seixas Costa
Knowledge of the strategic role of technology and information systems in organizations is of critical importance for future investments in this area. Therefore, several authors have proposed models that enable the role of information systems in organizational processes to be analyzed strategically. Given the lack of a formal model for sorting organizations with respect to the strategic positioning of information systems, this paper puts forward a multicriteria model for categorizing organizations from the categories defined by the proposed IS Strategic Impact Grid.
Pesquisa Operacional | 2012
Ana Paula Henriques de Gusmão; Ana Paula Cabral Seixas Costa
Despite being widely applied in real problems that tackle evaluating efficiency, Data Envelopment Analysis (DEA) models are frequently criticized on account of the weights of evaluation criteria often being defined loosely. Thus, approaches to incorporating value judgments in DEA models have been used in order to obtain more consistent results with managerial reality. It is against this background that this paper proposes a DEA model for evaluating efficiency, where the value judgments of those responsible for evaluation, regarding the criteria, are defined based on the philosophy of the SMARTS method and incorporated into the model by the Assurance Region (AR) method. The model proposed is applied using information about the investments made in the area of Information Technology and Information Systems by Brazilian banks. The aim is to exemplify the application of the model and raise points for discussion with regard to its merits.
International Journal of Production Economics | 2014
Maisa Mendonça Silva; Ana Paula Cabral Seixas Costa; Ana Paula Henriques de Gusmão
Archive | 2011
Ana Paula Henriques de Gusmão; Ana Paula Cabral Seixas Costa
International Journal of Decision Support System Technology | 2014
Adiel Teixeira de Almeida Filho; Ana Paula Henriques de Gusmão; Thárcylla Rebecca Negreiros Clemente; Jadielson Alves de Moura; Ana Paula Cabral Seixas Costa; Adiel Teixeira de Almeida