Research Article

Risk Analysis in Information Security Using the Fuzzy FMEA Method in the Banking Sector

Year 2024, Volume 18, Issue 2, 170-185, 12.12.2024
https://doi.org/10.46520/bddkdergisi.1600281

Abstract

The rapid development of the internet and information technologies increases organizations' dependence on information systems in their business processes and so makes them more vulnerable to information technology threats. This requires organizations to manage their information security risks effectively and to ensure business continuity while preserving a trustworthy corporate image. In order to identify and prevent information security risks, this article presents the Failure Mode and Effects Analysis (FMEA) method combined with a fuzzy approach. Fuzzy FMEA was preferred as a more practical and flexible risk assessment method than classic FMEA. The aim of the study is to identify the risks that may arise in the confidentiality, integrity and availability of information held on portable media and devices in an organization, and to propose solutions that prevent these risks or reduce their impact. The study was carried out with a team of 7 information security experts. Failure modes were identified from the control items under the heading 'Taşınabilir Cihaz ve Ortam Güvenliği' (Portable Device and Media Security) of the Bilgi ve İletişim Güvenliği Rehberi (Information and Communication Security Guide) prepared by the Türkiye Cumhuriyeti Cumhurbaşkanlığı Dijital Dönüşüm Ofisi (Digital Transformation Office of the Presidency of the Republic of Türkiye), and 21 failure modes were determined. The occurrence, severity and detectability parameters of the failure modes were rated by the experts on a 10-level linguistic scale. The calculations were performed on the median of the ratings in order to eliminate outliers. A comparison of classic and fuzzy FMEA showed strong agreement between the two methods, with the conclusion that fuzzy FMEA is the more flexible and practical of the two.
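The procedure the abstract describes (seven expert ratings per parameter, median aggregation to discard outliers, the classic RPN next to a fuzzy risk score, and a check of how well the two rankings agree) as an added worked example in Python; it is not code from the paper, and the three failure modes, the ratings, the triangular membership functions and the rule base are constructed assumptions for illustration only.

```python
from statistics import median

# Constructed ratings (not the paper's data): seven experts score occurrence (O),
# severity (S) and detectability (D) of each failure mode on a 1..10 scale.
EXPERT_RATINGS = {
    "FM01 unencrypted USB media": {"O": [7, 8, 7, 6, 8, 7, 2],
                                  "S": [9, 8, 9, 9, 10, 8, 9], "D": [6, 5, 6, 7, 6, 5, 6]},
    "FM02 lost laptop, no remote wipe": {"O": [4, 3, 4, 4, 5, 3, 4],
                                        "S": [8, 9, 8, 8, 7, 9, 8], "D": [8, 8, 9, 7, 8, 8, 9]},
    "FM03 autorun from removable media": {"O": [5, 5, 6, 5, 4, 6, 5],
                                         "S": [6, 5, 6, 6, 7, 5, 6], "D": [3, 4, 3, 3, 4, 3, 3]},
}
# Assumed triangular membership functions (a, b, c), shared by O, S, D and the output risk.
LEVELS = {"low": (0, 1, 5), "medium": (1, 5, 10), "high": (5, 10, 11)}
NAMES = list(LEVELS)

def tri(x, a, b, c):
    """Triangular membership: 0 outside (a, c), 1 at b."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)

def aggregate(ratings):
    """Median per parameter, so one outlying expert (the 2 in FM01's O column) is ignored."""
    return {p: median(v) for p, v in ratings.items()}

def fuzzy_rpn(o, s, d):
    """Mamdani inference over the 27 (O, S, D) level combinations, centroid-defuzzified.
    Assumed rule base: high severity forces high risk; otherwise risk is the rounded mean
    of the three input levels."""
    fired = {n: 0.0 for n in NAMES}
    for i, lo in enumerate(NAMES):
        for j, ls in enumerate(NAMES):
            for k, ld in enumerate(NAMES):
                w = min(tri(o, *LEVELS[lo]), tri(s, *LEVELS[ls]), tri(d, *LEVELS[ld]))
                if w > 0:
                    cons = "high" if j == 2 else NAMES[round((i + j + k) / 3)]
                    fired[cons] = max(fired[cons], w)
    xs = [x / 10 for x in range(101)]  # output domain 0..10 in steps of 0.1
    agg = [max(min(fired[n], tri(x, *LEVELS[n])) for n in NAMES) for x in xs]
    return sum(x * m for x, m in zip(xs, agg)) / sum(agg)

def spearman(a, b):
    """Spearman rank correlation between two score lists (no ties assumed)."""
    ra, rb, n = [sorted(a).index(x) for x in a], [sorted(b).index(x) for x in b], len(a)
    return 1 - 6 * sum((x - y) ** 2 for x, y in zip(ra, rb)) / (n * (n * n - 1))

def analyse(data=EXPERT_RATINGS):
    """Classic RPN (O*S*D) and fuzzy risk score per failure mode, plus rank agreement."""
    rows = {}
    for fm, r in data.items():
        m = aggregate(r)
        rows[fm] = {"classic": m["O"] * m["S"] * m["D"],
                    "fuzzy": round(fuzzy_rpn(m["O"], m["S"], m["D"]), 2)}
    rho = spearman([v["classic"] for v in rows.values()], [v["fuzzy"] for v in rows.values()])
    return rows, rho
```

With these inputs the two methods rank the three failure modes identically (rank correlation 1.0), while the fuzzy score compresses the 90 to 378 spread of the classic RPN into a bounded 0..10 scale that does not jump when one parameter changes by a single point.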

References

  • 1. Ali, S. M., Hoq, S. N., Bari, A. M., Kabir, G., & Paul, S. K. (2022). Evaluating factors contributing to the failure of information system in the banking industry. PLoS ONE, 17(3), e0265674.
  • 2. Alizadeh, S. S., Solimanzadeh, Y., Mousavi, S., & Safari, G. H. (2022). Risk assessment of physical unit operations of wastewater treatment plant using fuzzy FMEA method: a case study in the northwest of Iran. Environmental Monitoring and Assessment, 194(9), 609.
  • 3. Anderson, J. M. (2003). Why we need a new definition of information security. Computers & Security, 22(4), 308-313.
  • 4. Balaraju, J., Raj, M. G., & Murthy, C. S. (2019). Fuzzy-FMEA risk evaluation approach for LHD machine: A case study. Journal of Sustainable Mining, 18(4), 257-268.
  • 5. Bidgoli, H. (2006). Handbook of Information Security, Vol. 2: Information Warfare, Social, Legal, and International Issues and Security Foundations. John Wiley & Sons.
  • 6. Bojadziev, G., & Bojadziev, M. (1997). Fuzzy Logic for Business, Finance, and Management (Vol. 12). World Scientific.
  • 7. Bowles, J. B., & Peláez, C. E. (1995). Fuzzy logic prioritization of failures in a system failure mode, effects and criticality analysis. Reliability Engineering & System Safety, 50(2), 203-213.
  • 8. Buriboev, A., Kang, H. K., Ko, M. C., Oh, R., Abduvaitov, A., & Jeon, H. S. (2019). Application of fuzzy logic for problems of evaluating states of a computing system. 9(15), 3021.
  • 9. Carlson, C. S. (2012). Effective FMEAs: Achieving Safe, Reliable, and Economical Products and Processes Using Failure Mode and Effects Analysis (Vol. 1). John Wiley & Sons.
  • 10. Chanamool, N., & Naenna, T. (2016). Fuzzy FMEA application to improve decision-making process in an emergency department. 43, 441-453.
  • 11. Chen, G., & Pham, T. T. (2000). Introduction to Fuzzy Sets, Fuzzy Logic, and Fuzzy Control Systems. CRC Press, Boca Raton.
  • 12. Chiozza, M. L., & Ponzetti, C. (2009). FMEA: a model for reducing medical errors. Clinica Chimica Acta, 404(1), 75-78.
  • 13. de Gusmão, A. P. H., e Silva, L. C., Silva, M. M., Poleto, T., & Costa, A. P. C. S. (2016). Information security risk analysis model using fuzzy decision theory. International Journal of Information Management, 36(1), 25-34.
  • 14. de Gusmão, A. P. H., Silva, M. M., Poleto, T., e Silva, L. C., & Costa, A. P. C. S. (2018). Cybersecurity risk analysis model using fault tree analysis and fuzzy decision theory. 43, 248-260.
  • 15. Dhillon, G., & Backhouse, J. (1996). Risks in the use of information technology within organizations. 16(1), 65-74.
  • 16. Edu, A. S., Agoyi, M., & Agozie, D. (2021). Digital security vulnerabilities and threats implications for financial institutions deploying digital technology platforms and application: FMEA and FTOPSIS analysis. PeerJ Computer Science, 7, e658.
  • 17. Ershadi, M. J., & Forouzandeh, M. (2019). Information security risk management of research information systems: A hybrid approach of fuzzy FMEA, AHP, TOPSIS and Shannon entropy. J. Digit. Inf. Manag., 17(6), 321.
  • 18. Franceschini, F., & Galetto, M. (2001). New approach for evaluation of risk priorities of failure modes in FMEA. International Journal of Production Research, 39(13), 2991-3002.
  • 19. Gilchrist, W. (1993). Modelling failure modes and effects analysis. International Journal of Quality & Reliability Management, 10(5).
  • 20. Ghosh, M. (2010). Process failure mode effects analysis (PFMEA). Retrieved January 5, 2017.
  • 21. International Standards Organization (ISO) (2005). ISO/IEC 17799 Information technology security techniques: Code of practice for information security management. Geneva: ISO.
  • 22. ISO. ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection. www.iso.org/standard/27001 (accessed 1 October 2024).
  • 23. Ivančan, J., & Lisjak, D. (2021). New FMEA risks ranking approach utilizing four fuzzy logic systems. Machines, 9(11), 292.
  • 24. Jain, M. K. (2012). An efficient expert system generator for qualitative feed-back loop analysis. BRAIN. Broad Research in Artificial Intelligence and Neuroscience, 3(1), 5-18.
  • 25. Karabacak, B., & Sogukpinar, I. (2005). ISRAM: information security risk analysis method. Computers & Security, 24(2), 147-159.
  • 26. Kim, M. H., Toyib, W., & Park, M. G. (2013). An integrative method of FTA and FMEA for software security analysis of a smart phone. KIPS Transactions on Computer and Communication Systems, 2(12), 541-552.
  • 27. Ledermüller, T., & Clarke, N. L. (2011). Risk assessment for mobile devices. In Trust, Privacy and Security in Digital Business: 8th International Conference, TrustBus 2011, Toulouse, France, August 29-September 2, 2011, Proceedings. Springer Berlin Heidelberg.
  • 28. Li, X., Li, H., Sun, B., & Wang, F. (2018). Assessing information security risk for an evolving smart city based on fuzzy and grey FMEA. Journal of Intelligent & Fuzzy Systems, 34(4), 2491-2501.
  • 29. Lipol, L. S., & Haq, J. (2011). Risk analysis method: FMEA/FMECA in the organizations. International Journal of Basic & Applied Sciences, 11(5), 74-82.
  • 30. Mandal, S., & Maiti, J. (2014). Risk analysis using FMEA: Fuzzy similarity value and possibility theory based approach. Expert Systems with Applications, 41(7), 3527-3537.
  • 31. Maués, L. M. F., Sá, J. A. S. D., Costa, C. T. D., Kern, A. P., & Duarte, A. A. A. M. (2019). Construction duration predictive model based on factorial analysis and fuzzy logic. Ambiente Construído, 19, 115-133.
  • 32. Schmittner, C., Gruber, T., Puschner, P., & Schoitsch, E. (2014). Security application of failure mode and effect analysis (FMEA). In Computer Safety, Reliability, and Security: 33rd International Conference, SAFECOMP 2014, Florence, Italy, September 10-12, 2014, Proceedings (pp. 310-325). Springer International Publishing.
  • 33. Shaikh, F. A., & Siponen, M. (2023). Information security risk assessments following cybersecurity breaches: The mediating role of top management attention to cybersecurity. Computers & Security, 124, 102974.
  • 34. Sharma, R. K., Kumar, D., & Kumar, P. (2005). Systematic failure mode effect analysis (FMEA) using fuzzy linguistic modelling. International Journal of Quality & Reliability Management, 22(9), 986-1004.
  • 35. Silva, M. M., de Gusmão, A. P. H., Poleto, T., e Silva, L. C., & Costa, A. P. C. S. (2014). A multidimensional approach to information security risk management using FMEA and fuzzy theory. International Journal of Information Management, 34(6), 733-740.
  • 36. Stamatis, D. H. (2003). Failure Mode and Effect Analysis. Quality Press.
  • 37. Stamp, M. (2011). Information Security: Principles and Practice. John Wiley & Sons.
  • 38. Şen, Z. (2020). Bulanık mantık ilkeleri ve modelleme. Su Vakfı.
  • 39. T.C. Cumhurbaşkanlığı Dijital Dönüşüm Ofisi (2020). Bilgi ve İletişim Güvenliği Denetim Rehberi. https://cbddo.gov.tr/SharedFolderServer/Projeler/File/BG_Denetim_Rehberi.pdf (accessed 1 October 2024).
  • 40. Türkiye Cumhuriyeti Cumhurbaşkanlığı Dijital Dönüşüm Ofisi (2021). Bilgi ve İletişim Güvenliği Rehberi. https://cbddo.gov.tr/SharedFolderServer/Genel/File/bg_rehber.pdf (accessed 1 October 2024).
  • 41. Xu, K., Tang, L. C., Xie, M., Ho, S. L., & Zhu, M. L. (2002). Fuzzy assessment of FMEA for engine systems. Reliability Engineering & System Safety, 75(1), 17-29.
  • 42. Yang, Z., Bonsall, S., & Wang, J. (2008). Fuzzy rule-based Bayesian reasoning approach for prioritization of failures in FMEA. IEEE Transactions on Reliability, 57(3), 517-528.

There are 41 references in total.

Details

Primary Language: Turkish
Subjects: Financial Institutions, Banking and Insurance (Other)
Section: Research Articles
Authors

Yıldız Merve Yeşilçimen

Özlem Müge Testik

Publication Date: 12 December 2024
Submission Date: 30 October 2024
Acceptance Date: 28 November 2024
Published in Issue: Year 2024, Volume 18, Issue 2

Cite

APA Yeşilçimen, Y. M., & Testik, Ö. M. (2024). Bankacılık Sektöründe Bulanık HTEA Yöntemi Kullanılarak Bilgi Güvenliğinde Risk Analizi. BDDK Bankacılık Ve Finansal Piyasalar Dergisi, 18(2), 170-185. https://doi.org/10.46520/bddkdergisi.1600281