Research Article

AN INFORMATION SECURITY RISK ASSESSMENT MODEL BASED ON BAYESIAN NETWORK AND FUZZY INFERENCE SYSTEM

Year 2019, Volume: 10 Issue: 1, 13 - 33, 25.01.2019
https://doi.org/10.18354/esam.507794

Abstract

This study presents a new information security risk assessment approach, based on a Bayesian network and a fuzzy inference system, for evaluating and calculating qualitative and/or quantitative risks. The proposed model was developed to analyse the test processes of a software company. A Bayesian network defining the threats, vulnerabilities, risks and the links between them was designed, and the marginal probabilities were calculated for each risk factor. Fuzzy membership functions and fuzzy decision rules were designed and constructed for the values of the information assets, their risks, probabilities and relative risk values. In the final stage, the impacts of the risk values were calculated and ranked using fuzzy aggregation and defuzzification. This new model enables managers in organisations to obtain and use information security risk assessment results in a more objective, reliable and flexible way.

AN INFORMATION SECURITY RISK ASSESSMENT MODEL BASED ON BAYESIAN NETWORK AND FUZZY INFERENCE SYSTEM

Abstract

This study proposes a novel information security risk assessment approach based on a Bayesian network and a fuzzy inference system, in order to evaluate and calculate qualitative and/or quantitative risks. The proposed model is developed to analyse the test processes of a software services company in order to evaluate its information security risks. Threats, vulnerabilities, risks, and their relations are modelled with a Bayesian network, and marginal probabilities are calculated for each risk factor. Several fuzzy membership functions and fuzzy decision rules are designed and constructed for assets' values, risks' probabilities, and relative risk values. Finally, the impacts of the risk values are calculated after the aggregation and defuzzification process. It is shown that this new model enables business decision makers and managers to obtain more objective, reliable, and flexible information security risk assessment results.
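The pipeline the abstract outlines (Bayesian marginal probability, then fuzzy rules, aggregation and defuzzification) can be sketched as follows. This is an added example, not the authors' model: the network structure, every probability, the membership functions, the rule base and the asset names are constructed assumptions.

```python
from itertools import product

# Constructed network (assumption, not the paper's): Threat -> Risk <- Vulnerability.
P_THREAT, P_VULN = 0.30, 0.40
P_RISK = {(True, True): 0.90, (True, False): 0.20,    # P(risk | threat, vuln)
          (False, True): 0.10, (False, False): 0.01}

def marginal_risk(p_t=P_THREAT, p_v=P_VULN, cpt=P_RISK):
    """Marginal P(risk): sum the joint distribution over every parent state."""
    return sum((p_t if t else 1 - p_t) * (p_v if v else 1 - p_v) * cpt[(t, v)]
               for t, v in product([True, False], repeat=2))

def tri(x, a, b, c):
    """Triangular membership, peak at b; a == b or b == c gives a flat shoulder."""
    if x <= a:
        return 1.0 if a == b else 0.0
    if x >= c:
        return 1.0 if b == c else 0.0
    return (x - a) / (b - a) if x < b else (c - x) / (c - b)

# Hypothetical fuzzy sets on a shared 0..10 scale (probability is scaled by 10).
SETS = {"low": (0, 0, 5), "medium": (0, 5, 10), "high": (5, 10, 10)}
# Hypothetical rule base: (asset value, risk probability) -> relative risk.
RULES = {("low", "low"): "low", ("low", "medium"): "low",
         ("low", "high"): "medium", ("medium", "low"): "low",
         ("medium", "medium"): "medium", ("medium", "high"): "high",
         ("high", "low"): "medium", ("high", "medium"): "high",
         ("high", "high"): "high"}
# Constructed asset values on a 0..10 scale.
ASSETS = {"test database": 9, "source repository": 7, "demo laptop": 2}

def relative_risk(asset_value, probability, steps=1000):
    """Mamdani inference: min for AND, max aggregation, centroid defuzzification."""
    fire = {}
    for (a, p), out in RULES.items():
        w = min(tri(asset_value, *SETS[a]), tri(probability * 10, *SETS[p]))
        fire[out] = max(fire.get(out, 0.0), w)
    num = den = 0.0
    for i in range(steps + 1):
        y = 10 * i / steps
        mu = max(min(w, tri(y, *SETS[out])) for out, w in fire.items())
        num, den = num + y * mu, den + mu
    return num / den if den else 0.0

def rank_assets(assets=ASSETS, probability=None):
    """Score each asset against the network's marginal risk; highest first."""
    p = marginal_risk() if probability is None else probability
    scored = [(name, relative_risk(value, p)) for name, value in assets.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)
```

Calling `rank_assets()` returns the constructed assets ordered by defuzzified relative risk, which is the ranking step the abstract describes.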

There are 31 citations in total.

Details

Primary Language English
Journal Section Articles
Authors

Sevilay Beken 0000-0003-2456-919X

Mete Eminağaoğlu 0000-0003-2456-919X

Publication Date January 25, 2019
Published in Issue Year 2019 Volume: 10 Issue: 1

Cite

APA Beken, S., & Eminağaoğlu, M. (2019). AN INFORMATION SECURITY RISK ASSESSMENT MODEL BASED ON BAYESIAN NETWORK AND FUZZY INFERENCE SYSTEM. Ege Stratejik Araştırmalar Dergisi, 10(1), 13-33. https://doi.org/10.18354/esam.507794
AMA Beken S, Eminağaoğlu M. AN INFORMATION SECURITY RISK ASSESSMENT MODEL BASED ON BAYESIAN NETWORK AND FUZZY INFERENCE SYSTEM. ESAM. January 2019;10(1):13-33. doi:10.18354/esam.507794
Chicago Beken, Sevilay, and Mete Eminağaoğlu. “AN INFORMATION SECURITY RISK ASSESSMENT MODEL BASED ON BAYESIAN NETWORK AND FUZZY INFERENCE SYSTEM”. Ege Stratejik Araştırmalar Dergisi 10, no. 1 (January 2019): 13-33. https://doi.org/10.18354/esam.507794.
EndNote Beken S, Eminağaoğlu M (January 1, 2019) AN INFORMATION SECURITY RISK ASSESSMENT MODEL BASED ON BAYESIAN NETWORK AND FUZZY INFERENCE SYSTEM. Ege Stratejik Araştırmalar Dergisi 10 1 13–33.
IEEE S. Beken and M. Eminağaoğlu, “AN INFORMATION SECURITY RISK ASSESSMENT MODEL BASED ON BAYESIAN NETWORK AND FUZZY INFERENCE SYSTEM”, ESAM, vol. 10, no. 1, pp. 13–33, 2019, doi: 10.18354/esam.507794.
ISNAD Beken, Sevilay - Eminağaoğlu, Mete. “AN INFORMATION SECURITY RISK ASSESSMENT MODEL BASED ON BAYESIAN NETWORK AND FUZZY INFERENCE SYSTEM”. Ege Stratejik Araştırmalar Dergisi 10/1 (January 2019), 13-33. https://doi.org/10.18354/esam.507794.
JAMA Beken S, Eminağaoğlu M. AN INFORMATION SECURITY RISK ASSESSMENT MODEL BASED ON BAYESIAN NETWORK AND FUZZY INFERENCE SYSTEM. ESAM. 2019;10:13–33.
MLA Beken, Sevilay and Mete Eminağaoğlu. “AN INFORMATION SECURITY RISK ASSESSMENT MODEL BASED ON BAYESIAN NETWORK AND FUZZY INFERENCE SYSTEM”. Ege Stratejik Araştırmalar Dergisi, vol. 10, no. 1, 2019, pp. 13-33, doi:10.18354/esam.507794.
Vancouver Beken S, Eminağaoğlu M. AN INFORMATION SECURITY RISK ASSESSMENT MODEL BASED ON BAYESIAN NETWORK AND FUZZY INFERENCE SYSTEM. ESAM. 2019;10(1):13-3.