Information Security Risk Assessment in Critical Infrastructure: A Hybrid MCDM Approach

Turskis, Zenonas; Goranin, Nikolaj; Nurusheva, Assel; Boranbayev, Seilkhan

doi:10.15388/informatica.2018.203

Cited by 16 publications

(4 citation statements)

References 62 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Furthermore, MCDM aids decision-makers in meeting compliance obligations, incorporating stakeholder considerations, and promoting transparency in the decision-making process (Vassoney et al, 2021) . The effectiveness of MCDM techniques in information security risk management is supported by various studies and research reports (Gardas et al, 2022;Turskis et al, 2019;Ershadi &, Forouzandeh ,2019). These sources offer empirical evidence and case studies that demonstrate the benefits of employing MCDM in guiding decision-making processes related to information security risk management.…”

Section: Research Motivationmentioning

confidence: 95%

Investigating information security risk management in Yemeni banks: An CILOS-TOPSIS approach

Al-Khulaidi,

Nasser,

Al-ashwal

et al. 2024

Multidiscip. Sci. J.

View full text Add to dashboard Cite

In today's digital age, the banking sector faces increasing challenges in ensuring operational resilience, protecting customer assets, and maintaining a competitive edge. Prioritizing information security risk management (ISRM) practices is crucial to effectively address these challenges. This paper aims to demonstrate the effectiveness of the multi-criteria decision-making (MCDM) method in evaluating and improving ISRM practices in Yemeni banks. The study employs an integrated CILOS-TOPSIS model, considering two criteria and five sub-criteria, with criteria weights determined using the CILOS method. The results highlight the significance of specific criteria in ISRM, with the existence of a comprehensive business continuity and disaster recovery plan (C2.1) standing out as a top priority (weight: 0.266). Additionally, the frequency of data backups and the presence of an active backup policy (C2.2) and the adequacy of physical security measures (C1.1) are identified as crucial factors (weights: 0.228 and 0.203, respectively). Furthermore, the TOPSIS method is employed to rank 13 banks based on these criteria, revealing the top-performing banks as B10, B4, B13, B1, and B12. Conversely, the 7th, 5th, and 6th ranked banks require attention for improvement. The paper provides comprehensive details on criteria weighting, bank ranking, and recommendations for enhancements. The findings presented in this paper offer valuable insights to decision-makers in the banking sector, enabling them to effectively guide their efforts and allocate resources to areas, controls, and banks that require greater attention.

show abstract

Section: Research Motivationmentioning

confidence: 95%

Investigating information security risk management in Yemeni banks: An CILOS-TOPSIS approach

Al-Khulaidi,

Nasser,

Al-ashwal

et al. 2024

Multidiscip. Sci. J.

View full text Add to dashboard Cite

show abstract

“…Gestão de risco em TI em universidades pode ser utilizada em práticas e estratégias de gestão, consistindo no gerenciamento e monitoramento dos riscos que a instituição pode estar exposta, por meio de um conjunto de procedimentos formalizados [1], [2], [3]. Todavia, o gerenciamento de risco em TI inserido em contextos que abordam múltiplos critérios, requer uma avaliação assertiva dessas informações, para identificar e propor ações corretivas necessárias [4], [5].…”

Section: Introductionunclassified

“…Os sistemas de apoio à decisão (SAD) são amplamente utilizados para avaliação de risco em TI [4], [6], [7], [8], pois tomadas de decisões nesse contexto são fatores que estão associados as consequências positivas e negativas. Logo, a atenção para construção de um modelo de avaliação de desempenho possibilita um gerenciamento eficaz desses riscos, abordando variáveis do processo, na qual propõe realizar um aperfeiçoamento contínuo, incluindo estratégias para os gestores realizarem suas tomadas de decisão [9], [10], [11] atendendo como um modelo de apoio a decisão.…”

Section: Introductionunclassified

Avaliação De Desempenho Na Gestão De Risco De Ti De Uma Universidade

Maria Corrêa,

César Bortoluzzi,

Romano Brustolin Baldo

2023

Anais Do International Conference on Production Research Americas

View full text Add to dashboard Cite

A gestão de risco de Tecnologia da Informação (TI) em universidades aborda aspectos como, segurança da informação, confiabilidade, disponibilidade, autenticidade e integridade das informações que estão sujeita à riscos, podendo prejudicar a gestão e os indivíduos que estão inseridos no contexto. Na literatura, observa-se que a avaliação de desempenho em gestão de riscos de TI nas universidades é negligenciada como ferramenta de apoio à tomada de decisão. Nesse sentido, a pesquisa teve como objetivo desenvolver um modelo de avaliação de desempenho para a gestão de riscos de TI de uma universidade pública brasileira. Para a construção do modelo, foi utilizada a Metodologia Multicritério de Apoio à Decisão -Construtivista (MCDA-C), que possui a finalidade de auxiliar o decisor a desenvolver um conhecimento amplo sobre o contexto em que está inserido, identificando seus objetivos, valores e preocupações, ordenados em uma estrutura hierárquica, resultando em 80 descritores, capazes de mensuração, possibilitando identificar o Status Quo da gestão de risco de TI da universidade. A pesquisa apresenta contribuições teóricas quanto ao preenchimento de lacunas na literatura, baseado a visão construtivista, um modelo criado a partir da visão e valores do decisor para avaliar o desempenho da gestão de risco de TI de uma universidade pública brasileira.

show abstract

“…This approach allows for the customization of metric weights based on specific organizational requirements and risk factors. Early uses of AHP in security metrics (e.g., Moeti and Kalema [41] and Turskis et al [42]) purely rely on human judgements (not using well-established computed metrics). Sun et al [22] design an automatic security analysis tool that integrates security metrics collection, management, and visualization to understand the security of computer systems.…”

Section: Related Workmentioning

confidence: 99%

Risk Score Aggregation for Security Evaluation in Network Environments

Lei

View full text Add to dashboard Cite

With the increasing complexity of network environments, evaluating security risks can be a challenge. Quantitatively scoring computer systems or networks based on specific threats or concerns can facilitate the comparison of their security levels. Such scoring needs considering multiple security risk factors and multiple systems to enable meaningful comparisons, determining whether one system or network is relatively more secure than another. Our research aims to address this challenge by developing a comprehensive risk score aggregation methodology for evaluating security in modern network environments. In this thesis, we present two approaches to risk score aggregation: multi-factor aggregation for systems and multi-target aggregation for networks.In the first work, we propose an aggregation approach that combines machine measurements with human decision making for aggregating well-established individual risk factors into a risk score for a system. Specifically, we modify the Analytic Hierarchy Process (AHP) to facilitate group decision-making among selected "experts" who can derive the weights of individual risk factors for aggregation. We showcase the feasibility of our approach by selecting several common metrics to measure the target systems in our testbed and conducting an AHP survey with seventeen experts. The resulting overall aggregated scores for the target systems demonstrate how our approach enables the comparison of the overall security between those systems. By considering cloud-oriented settings, we also showcase how this approach i can be applicable to today's virtualized environments.The existing state-of-the-art approaches for aggregating multiple systems only consider one target in a network. The aggregation of risks scores of multiple targets is still yet to be explored. To this end, we propose another aggregation approach that uses the well-established attack paths as inter-system influences, treating each system as a potential target, to calculate cumulative attack probabilities for each system. We further aggregate these probabilities (i.e., the risk scores) into a single risk score for the entire network. To evaluate this approach, we consider several typical network types, including virtually hosted telecom networks such as 5G core and 5G Mobile Access Edge Computing (MEC) along with two additional network types. We employed the dataset collected from a real research data center. The results show that our approach can be generalized and applied to assess the security of various type of network.By considering multiple risk factors and interconnected entities/systems in network environments, we believe that our proposed methodologies for risk score aggregation can provide valuable insights and contribute to the research on risk assessments in modern IT environments. Prior PublicationA publication has arisen as a direct result of the research in this thesis and another manuscript under review. While these works represent joint contributions of all authors, any sections reproduced in this th...

show abstract

Information Security Risk Assessment in Critical Infrastructure: A Hybrid MCDM Approach

Cited by 16 publications

References 62 publications

Investigating information security risk management in Yemeni banks: An CILOS-TOPSIS approach

Investigating information security risk management in Yemeni banks: An CILOS-TOPSIS approach

Avaliação De Desempenho Na Gestão De Risco De Ti De Uma Universidade

Risk Score Aggregation for Security Evaluation in Network Environments

Contact Info

Product

Resources

About