Innovative Risk Assessment in Information Systems: A Fusion of Cloud Model and Graph Theory

Muhammad
MASc. in Computer Engineering, Memorial University of Newfoundland
muhammad@mun.ca

Abdullah Al Mamun
MASc. in Computer Engineering, Memorial University of Newfoundland
amamun@mun.ca

Puja Roy Rini
MASc. in Computer Engineering, Memorial University of Newfoundland
prrini@mun.ca
Abstract— The two papers reviewed here emphasize the importance of timely prevention of information security threats through specialized software and hardware as an effective foundation for businesses, reducing reputational and financial risks. The first paper, "Information system security risk assessment based on multidimensional cloud model and the entropy theory", addresses the challenges of increasing threats and uncertainty in information system security and proposes an information security risk assessment approach based on the multidimensional cloud model and entropy theory to enhance objectivity and accuracy. The second paper, "The information security system synthesis using the graphs theory", argues that protection must cover all possible attack areas and that the FSTEC order No. 31 of March 14, 2014, in Russian legislation can be adopted as a basis for implementing protection measures at different levels. Graph theory is suggested to build an optimal enterprise information protection system, where a ranked descending graph is constructed and critical paths are determined based on expert evaluations.

Index Terms—prevention, graph, security, cloud, protection

I. INTRODUCTION

"Information system security risk assessment based on multidimensional cloud model and the entropy theory" emphasizes the significance of information security risk assessment in the information age, where technology brings both convenience and risks. The paper introduces an innovative approach using a multidimensional cloud model and entropy theory to comprehensively analyze various risk factors in information systems. By integrating qualitative and quantitative data, this method enhances objectivity and accuracy in risk assessment while minimizing the impact of subjective factors. It highlights the importance of understanding security status and implementing targeted risk control measures to maintain information system security.

"The information security system synthesis using the graphs theory" discusses effective business foundations, including timely prevention of information security threats and prompt elimination of realized threat consequences. It emphasizes the need for protection in all possible attack areas. Referring to Russian Federation legislation, FSTEC order №31 of March 14, 2014, serves as the basis for "isolating" protection vectors and outlines 21 levels or subsystems for information security protection. The paper proposes applying graph theory to optimize the construction of an enterprise's information security system (ISS) based on required security levels and available resources. By constructing a ranked descending graph and solving the optimization problem, it enables the selection of the most appropriate information security tools based on expert evaluations of preferences and capabilities.

Both papers underscore the significance of information security in the modern age and highlight the need for comprehensive risk assessment and protection measures. The first paper introduces a novel approach using the multidimensional cloud model and entropy theory to analyze information system risks objectively, emphasizing targeted risk control measures for secure and stable information systems. The second paper discusses the foundations for effective business security, including timely threat prevention and elimination, and outlines 21 levels of protection based on Russian legislation. It proposes using graph theory to optimize an enterprise's information security system, enabling the selection of appropriate tools based on expert evaluations and available resources.

II. CHALLENGES

The challenges of "Information system security risk assessment based on multidimensional cloud model and the entropy theory" include the complexity and resource intensity of implementing the novel approach, which requires specialized expertise and significant effort to integrate qualitative and quantitative data. The method's effectiveness and applicability might vary across different information systems, potentially limiting generalizability. For "The information security system synthesis using the graphs theory," the challenges lie in the practical implementation of the graph theory-based optimization approach, which demands advanced technical knowledge and expertise. Accurately evaluating and comparing information security tools based on expert evaluations may introduce bias and variability, affecting the selection process. Both papers may encounter difficulties in gaining real-world applicability and acceptance, necessitating efforts to convince stakeholders of the benefits and to overcome resistance to change or unfamiliar methodologies in the field of information security.
III. OBJECTIVES

• Develop an Integrated Risk Assessment Framework: The primary objective would be to create a comprehensive and integrated risk assessment framework that combines the multidimensional cloud model, entropy theory, and graph theory. This framework should be capable of analyzing various risk factors in information systems and providing a holistic view of security risks.

• Enhance Objectivity and Accuracy in Risk Assessment: The merged approach should aim to improve the objectivity and accuracy of information security risk assessment by minimizing the influence of subjective factors. By integrating both qualitative and quantitative data, the objective evaluation of security risks can be achieved.

• Optimize Information Security System Construction: The objective is to use the graph theory-based optimization approach to design and construct an effective information security system (ISS) for enterprises. The ranked descending graph will help identify critical paths and prioritize the selection of appropriate security tools based on expert evaluations.

• Address Timely Prevention and Threat Elimination: The merged approach should focus on addressing timely prevention of information security threats and prompt elimination of realized threat consequences. By implementing protection measures at all possible attack areas, the ISS can be more resilient to potential threats.

• Validate and Apply the Model: Conduct empirical validation of the merged risk assessment framework using real-world data and case studies. The objective is to demonstrate the effectiveness and applicability of the model in diverse organizational settings and various industry sectors.

• Promote Adoption and Standardization: The objective is to promote the adoption of the integrated risk assessment framework across different industries and organizations. Standardizing the approach would ensure consistency in risk assessment practices and facilitate better collaboration and knowledge sharing among security professionals.

• Consider Legal and Regulatory Requirements: The merged approach should take into account legal and regulatory requirements, such as the FSTEC order №31 of March 14, 2014, in the Russian Federation, to ensure that the information security system aligns with the applicable laws and guidelines.

• Enhance Resilience and Adaptability: The merged approach should aim to create an information security system that is not only effective in the current context but also adaptable to evolving security threats. The objective is to enhance the resilience of the ISS and enable it to respond proactively to emerging risks.

IV. LITERATURE REVIEW

4.1 Information System Security Risk Assessment:

Information system security risk assessment is a critical process in the context of the information age, where technology presents both opportunities and risks. The assessment aims to identify, analyze, and evaluate potential security threats that could impact the confidentiality, integrity, and availability of information systems. Traditional risk assessment methods often involve subjective judgments, leading to potential biases and inaccuracies. The first paper introduces an innovative approach that leverages the multidimensional cloud model and entropy theory to comprehensively assess risk factors in information systems. By integrating qualitative and quantitative data, this method enhances the objectivity and accuracy of risk assessment while reducing the influence of traditional subjective factors. The objective is to provide a robust foundation for understanding the security status of information systems and implementing targeted risk control measures to maintain their security.

4.2 Multidimensional Cloud Model and Entropy Theory:

The multidimensional cloud model is an extension of the one-dimensional cloud model that allows the representation of multidimensional qualitative concepts. In the context of information system security risk assessment, the multidimensional cloud model enables the incorporation of multiple dimensions of risk factors, considering their interrelationships and uncertainties. This model allows for the representation of fuzziness and randomness in the data, leading to a more comprehensive and realistic analysis. Alongside the cloud model, the paper utilizes the entropy theory, which serves as a measure of uncertainty. By applying entropy theory, the method calculates the degree of membership of risk factors in different states or concepts, enhancing the objectivity of the risk assessment process. The integration of the multidimensional cloud model and entropy theory facilitates a holistic and accurate evaluation of information system security risks.

4.3 Graph Theory for Information Security System Synthesis:

Graph theory is a powerful tool in the optimization and synthesis of complex systems, and it finds application in the construction of an enterprise's information security system (ISS). The second paper emphasizes the need for protection in all possible attack areas and outlines 21 levels or subsystems for information security protection based on Russian Federation legislation. By applying graph theory, a ranked descending graph is constructed, where vertices represent expert information security tools at specific levels (subsystems), and arcs connect these vertices based on their priority. The weights assigned to the arcs reflect the integration priority of each security tool into the information system. Through optimization techniques and critical path analysis, the most appropriate information security tools can be selected based on expert evaluations of preferences and capabilities. The utilization of graph theory allows for an effective synthesis of the ISS, enabling businesses to timely prevent security threats and mitigate potential consequences.
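To make the synthesis step concrete, the following is an added Python example, not the paper's own algorithm or data. It builds a layered graph of candidate tools, one layer per ranked protection level, and selects the maximum-weight path that picks exactly one tool per level within a budget. Assumptions: arc weights are the destination tool's expert score plus a compatibility bonus for specific pairs; tool names, scores, costs, bonuses and budgets are constructed; the three levels used (access control, antivirus protection, incident response) are taken from the protection measures the text lists.

```python
"""Critical (maximum-weight) path through a layered graph of security tools.

Added example, not the reviewed paper's algorithm. Assumptions: protection
levels are ranked and visited in that order; each level offers candidate
tools (vertices) with an acquisition cost; an arc from the tool chosen at
level i to a tool at level i+1 carries an integration-priority weight, here
the destination's expert score plus a constructed compatibility bonus; the
critical path is the heaviest source-to-sink path that picks exactly one
tool per level without exceeding the budget. All names and numbers below
are constructed sample data.
"""

# Constructed data: ranked levels, each a list of (tool, cost).
LEVELS = [
    [("AC-A", 30), ("AC-B", 20)],                # access control
    [("AV-A", 25), ("AV-B", 15), ("AV-C", 10)],  # antivirus protection
    [("IR-A", 40), ("IR-B", 20)],                # incident response
]
# Constructed expert scores (preference / capability) per tool.
EXPERT_SCORE = {"AC-A": 9, "AC-B": 6, "AV-A": 8, "AV-B": 7, "AV-C": 4,
                "IR-A": 9, "IR-B": 5}
# Constructed integration bonuses for pairs of tools that work well together.
COMPATIBILITY = {("AC-A", "AV-A"): 2, ("AV-A", "IR-A"): 1}


def arc_weight(prev_tool, tool, level_index):
    """Weight of the arc entering `tool` from `prev_tool` (None at the source)."""
    return EXPERT_SCORE[tool] + COMPATIBILITY.get((prev_tool, tool), 0)


def critical_path(levels, weight, budget):
    """Dynamic programme over the ranked levels.

    State = (tool chosen at the current level, money spent so far) mapped to
    (best accumulated weight, path). Returns (weight, path), or (None, [])
    when no one-tool-per-level path fits within the budget.
    """
    frontier = {(None, 0): (0, [])}
    for idx, candidates in enumerate(levels):
        nxt = {}
        for (prev, spent), (w, path) in frontier.items():
            for tool, cost in candidates:
                total = spent + cost
                if total > budget:
                    continue  # infeasible: over budget
                cand_w = w + weight(prev, tool, idx)
                key = (tool, total)
                if key not in nxt or cand_w > nxt[key][0]:
                    nxt[key] = (cand_w, path + [tool])
        if not nxt:
            return None, []
        frontier = nxt
    return max(frontier.values(), key=lambda v: v[0])


if __name__ == "__main__":
    for budget in (100, 70, 40):
        print(budget, critical_path(LEVELS, arc_weight, budget))
```

With the constructed data, a budget of 100 yields the fully compatible chain AC-A, AV-A, IR-A; at 70 the search drops to AC-A, AV-B, IR-B; at 40 no complete chain is affordable, which the function reports explicitly instead of returning a partial path.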
V. DATA TABLE OVERVIEW

Data Table for "Information System Security Risk Assessment based on Multidimensional Cloud Model and the Entropy Theory":

Topic/Aspect: Description
Paper Title: Information System Security Risk Assessment based on Multidimensional Cloud Model and the Entropy Theory
Main Objective: To introduce a novel risk assessment approach using a multidimensional cloud model and entropy theory to analyze various risk factors in information systems.
Importance: Discusses the criticality of information security risk assessment in the information age to maintain system security and implement targeted risk control measures.
Methodology: Utilizes multidimensional cloud models and entropy theory to integrate qualitative and quantitative data for enhanced objectivity and accuracy in risk assessment.
Key Findings: The approach reveals objective objects with fuzziness and randomness, reducing the influence of traditional subjective factors in risk assessment.

Data Table for "The Information Security System Synthesis using Graph Theory":

Topic/Aspect: Description
Paper Title: The Information Security System Synthesis Using Graph Theory
Main Objective: To optimize the construction of an enterprise's information security system (ISS) based on required security levels and available resources using graph theory.
Importance: Focuses on timely prevention of information security threats and prompt elimination of realized threat consequences for effective security protection.
Methodology: Applies graph theory to construct a ranked descending graph to identify critical paths and select the most appropriate information security tools based on expert evaluations.
Key Findings: The use of graph theory allows for efficient optimization of the ISS, covering all vulnerable areas and ensuring effective protection against security threats.

IV. PROBLEM STATEMENT

1. "Information system security risk assessment based on multidimensional cloud model and the entropy theory":

Problem Statement: The paper addresses the need for effective information system security risk assessment in the information age, considering the risks introduced by information technology. The problem is to develop a comprehensive risk assessment approach that can understand the security status of information systems, implement targeted risk control measures, and construct secure, stable, and upgradable information systems. The challenge is to overcome traditional subjective factors and enhance objectivity and accuracy in risk assessment.

Objectives: The main objective of the paper is to propose a novel information system security risk assessment model using the multidimensional cloud model and the entropy theory. This model should comprehensively analyze various risk factors, combining qualitative and quantitative data through the cloud model. The aim is to provide an objective approach to risk assessment, minimizing the influence of traditional subjective factors and keeping information security risks within acceptable limits.

2. "The information security system synthesis using the graphs theory":

Problem Statement: The paper aims to address the effective foundations for businesses to deal with information security threats promptly and protect vulnerable areas. The problem is to optimize the construction of an enterprise's information security system (ISS) by applying graph theory. This involves determining critical paths and selecting appropriate security tools based on expert evaluations of preferences and capabilities.

V. SYSTEM MODEL

The model presented here is a comprehensive "Information System Security Risk Assessment Model" that integrates graph theory and regulatory approaches for information security. It involves the development of threat and intruder models, considering different potential levels for intruders based on FSS and FSTEC classifications. The model aids in identifying suitable defense strategies for state and non-state information systems, neutralizing threats based on intruder potential levels. Additionally, the model utilizes the "Multidimensional Cloud Model" and "Entropy Theory" to assess risks by determining the possibilities of security incidents and measuring the relative importance of risk components. It systematically evaluates information system security risks, ensuring objectivity and accuracy through the consideration of multiple factors.
VI. DATA COLLECTION AND ANALYSIS

To conduct data collection and analysis for the two papers, one would typically follow these steps:

Data Collection for "Information System Security Risk Assessment":
• Identify the information systems and organizations to be studied for risk assessment.
• Gather relevant data on the information systems, including their architecture, components, assets, and vulnerabilities.
• Collect data on historical security incidents and their impacts on the systems.
• Obtain expert opinions and knowledge from professionals in the field of information security.

Data Analysis for "Information System Security Risk Assessment":
• Apply the multidimensional cloud model and entropy theory to analyze the collected data.
• Integrate qualitative and quantitative data using the cloud model to reveal objective risk factors with fuzziness and randomness.
• Calculate risk scores based on the identified risk factors and their levels of severity.
• Evaluate the impact and likelihood of potential security incidents on the information systems.

Data Collection for "Information Security System Synthesis Using Graph Theory":
• Identify businesses or organizations that require an information security system synthesis.
• Collect information on the existing information security measures and infrastructure.
• Gather data on different protection measures, such as access control, software restriction, antivirus protection, and incident response.

Data Analysis for "Information Security System Synthesis Using Graph Theory":
• Apply graph theory to optimize the construction of the information security system.
• Construct a ranked descending graph to determine critical paths and interconnections between security measures.
• Evaluate the preferences and capabilities of available security tools and resources.
• Solve the optimization problem to select the most appropriate information security tools based on the identified critical paths and expert evaluations.

For both papers, data analysis may involve using statistical methods, mathematical calculations, and modeling techniques to assess risk levels, vulnerability severity, and the effectiveness of security measures. Additionally, expert judgment and qualitative assessments may be integrated into the analysis to enhance the accuracy of the findings. The goal is to provide practical and effective risk assessment and information security system synthesis solutions.

VII. PROPOSED MODEL

The model presented in the paper "The information security system synthesis using the graphs theory" outlines a preparatory stage for synthesizing an Information Security System (ISS) using graph theory. During this preparatory stage, we focus on distinguishing the development stages of the threat model and the intruder model [1]. The model involves the development of both a threat model and an intruder model. Different regulatory approaches for information security, as approved by Russia's Federal Security Service (FSS) and the Federal Service for Technical and Export Control (FSTEC) [3], are considered. These approaches are integrated based on intruder potential levels, and the type of intruder is chosen depending on the information system class [2]. For state information systems, threats are neutralized based on the potential level of the intruder. For non-state systems, threats are neutralized based on the type of undeclared capabilities in the system software presence possessed by the intruder, categorized as high, medium, or low potential intruders. The model aids in identifying appropriate defense strategies for different system classifications and potential intruder levels.

VIII. PROPOSED SOLUTION

Proposed solutions of the "Information system security risk assessment based on multidimensional cloud model and the entropy theory" paper:

1. Novel Risk Assessment Approach: The paper proposes a novel approach to information system security risk assessment by using a multidimensional cloud model and the entropy theory. This approach allows for a more comprehensive analysis of various risk factors in information systems, enhancing the objectivity and accuracy of risk assessment.

2. Integration of Qualitative and Quantitative Data: By integrating qualitative and quantitative data through the cloud model, the proposed method reveals objective objects with fuzziness and randomness. This reduces the influence of traditional subjective factors, making the risk assessment more reliable and credible.
3. Targeted Risk Control Measures: Effectively evaluating information system risks enables a better understanding of the security status, facilitating the implementation of targeted risk control measures. This helps in keeping information security risks within acceptable limits and contributes to the construction of secure, stable, and upgradable information systems.

Proposed solutions of "The information security system synthesis using the graphs theory" paper:

1. Comprehensive Protection: The paper emphasizes the importance of protecting all possible areas vulnerable to attacks. By utilizing graph theory to optimize the construction of an enterprise's information security system (ISS), the proposed solution ensures a comprehensive approach to protection, covering various aspects such as access control, software restriction, antivirus protection, and incident response.

2. Customized Security System: The application of graph theory enables the identification of critical paths and the selection of the most appropriate information security tools based on expert evaluations. This customization ensures that the information security system is tailored to the specific security requirements and available resources of the organization, enhancing its efficiency and effectiveness.

3. Compliance with Legislation: Referring to the FSTEC order №31 [4], the proposed solution provides a basis for "isolating" protection vectors and outlines 21 levels or subsystems for information security protection. This ensures that the constructed information security system aligns with relevant Russian Federation legislation, promoting legal compliance and adherence to regulatory requirements.

IX. RESULTS AND FINDINGS

The model presented in the paper "The information security system synthesis using the graphs theory" involves the development of both a threat model and an intruder model as a preparatory stage for synthesizing an Information Security System (ISS) using graph theory. The intruder model considers different regulatory approaches for information security, specifically those approved by the Russian Federal Security Service (FSS) and the Federal Service for Technical and Export Control (FSTEC). These approaches are integrated based on intruder potential levels, and the type of intruder is chosen depending on the information system class. For state information systems, threats are neutralized based on the potential level of the intruder, and for non-state systems, threats are neutralized based on the type of undeclared capabilities in the system software presence possessed by the intruder, categorized as high, medium, or low potential intruders. The model also involves determining the initial security level of the enterprise information system and assessing the threat realization probability and the threat danger. The paper outlines the necessary steps to compile an actual information security threats list and identifies the factors for selecting optimal software, hardware, and firmware from the market based on the protection requirements.

The integration of the FSS and FSTEC approaches involves categorizing potential intruders based on the FSS classification. Low potential intruders under FSTEC align with intruders classified as H1-H3 by FSS, average potential intruders align with H4-H5, and high potential intruders align with H6. Depending on the information system's classification, a specific intruder type is chosen for defense. For state information systems, FSTEC Order No. 17 is referenced [4], and threats are neutralized based on the intruder's potential level: high potential intruders for first-class systems, average potential for second-class, and low potential for third- and fourth-class systems. For non-state systems, Government Decision No. 1119 is used [5], with threats neutralized according to the intruder's undeclared capabilities in system software presence: high potential for the first type, medium potential for the second type, and low potential for the third type. The enterprise information system's initial security level (prior to the ISS implementation) is also determined, which is necessary to compile an actual information security threats list (Table I).

Table I. Initial security level determination

The protection initial degree is a method of assessing the security level of an information system based on specific characteristics. An information system is considered to have a high initial security level if at least 70% of its characteristics correspond to the "high" security level, with the remaining characteristics at an "average" security level. If the conditions for high initial security are not met, and at least 70% of the characteristics are at a level not lower than "average," the system is categorized as having an average initial security level; otherwise, it is classified as having a low initial security level. Each level of initial security is assigned a numerical coefficient ($Y_1$): 0 for high, 5 for average, and 10 for low. The threat realization probability is then assessed based on expert judgment, with four verbal gradations: unlikely ($Y_2 = 0$), low probability ($Y_2 = 2$), average probability ($Y_2 = 5$), and high probability ($Y_2 = 10$). The threat realizability factor (Y) combines the security level evaluation ($Y_1$) and the threat probability ($Y_2$) as $Y = (Y_1 + Y_2)/20$ [11]. The final information security threat danger assessment is determined verbally as low danger, medium danger, or high danger, based on the calculated threat realization possibility.

Based on the assigning rules for security threats outlined in Table II, the enterprise's information system can categorize and identify which threats are actual and relevant to its security. By comparing the characteristics of the identified threats with the rules specified in the table, the system can determine whether a particular threat poses a real risk and requires appropriate measures to address it, or whether it is irrelevant and can be disregarded in the security assessment. This process helps in prioritizing and focusing on the actual threats that need immediate attention and mitigation efforts, ensuring a more effective and targeted approach to information system security.
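As an added illustration of the scoring rules above (not code from the reviewed paper), the following Python implements the initial-security-level test and the threat realizability factor $Y = (Y_1 + Y_2)/20$. The characteristic names, the three sample profiles and the sample threat list are constructed; the verbal danger gradations of Table II are not reproduced on this page, so the example stops at Y and ranks threats by it.

```python
"""Initial security level and threat realizability factor Y.

Added example, not code from the reviewed paper. It implements the rules
quoted in the text: a system has a high initial security level when at least
70% of its characteristics are rated "high" and the remaining ones are
"average"; an average level when at least 70% are not lower than "average";
otherwise low. Y1 = 0 / 5 / 10 for high / average / low; the expert
probability gradation gives Y2 = 0 / 2 / 5 / 10; Y = (Y1 + Y2) / 20.
Characteristic names, sample profiles and the threat list are constructed.
"""

LEVEL_RANK = {"low": 0, "average": 1, "high": 2}
Y1_COEFFICIENT = {"high": 0, "average": 5, "low": 10}
Y2_COEFFICIENT = {"unlikely": 0, "low": 2, "average": 5, "high": 10}

# Constructed sample profiles (characteristic names are illustrative only).
PROFILE_A = {  # 7 of 10 high, rest average -> high
    "segmentation": "high", "patching": "high", "authentication": "high",
    "logging": "high", "backup": "high", "hardening": "high",
    "encryption": "high", "physical": "average", "training": "average",
    "vendor_access": "average",
}
PROFILE_B = dict(PROFILE_A, vendor_access="low")       # one low -> average
PROFILE_C = dict(PROFILE_A, encryption="low", hardening="low",
                 logging="low", backup="low")           # 6 of 10 >= average -> low

# Constructed expert probability gradations for sample threats.
THREATS = {"ransomware": "high", "insider_leak": "average",
           "dos": "low", "supply_chain": "unlikely"}


def initial_security_level(characteristics):
    """characteristics: {name: 'high' | 'average' | 'low'} -> level string."""
    if not characteristics:
        raise ValueError("no characteristics supplied")
    ratings = list(characteristics.values())
    unknown = [r for r in ratings if r not in LEVEL_RANK]
    if unknown:
        raise ValueError(f"unknown rating(s): {unknown}")
    n = len(ratings)
    n_high = sum(r == "high" for r in ratings)
    n_avg_or_better = sum(LEVEL_RANK[r] >= LEVEL_RANK["average"] for r in ratings)
    # integer arithmetic for the 70% thresholds avoids float rounding issues
    if 10 * n_high >= 7 * n and n_avg_or_better == n:
        return "high"
    if 10 * n_avg_or_better >= 7 * n:
        return "average"
    return "low"


def threat_realizability(level, probability):
    """Y = (Y1 + Y2) / 20 from the initial level and the expert gradation."""
    return (Y1_COEFFICIENT[level] + Y2_COEFFICIENT[probability]) / 20


def assess_threats(characteristics, threat_probabilities):
    """Map each threat to its Y for the system's initial security level."""
    level = initial_security_level(characteristics)
    return {t: threat_realizability(level, p)
            for t, p in threat_probabilities.items()}


if __name__ == "__main__":
    for name, profile in (("A", PROFILE_A), ("B", PROFILE_B), ("C", PROFILE_C)):
        print(name, initial_security_level(profile))
    ranked = sorted(assess_threats(PROFILE_B, THREATS).items(),
                    key=lambda kv: kv[1], reverse=True)
    print(ranked)
```

Note that a single "low" characteristic is enough to deny the "high" level even when 70% of the characteristics are high, because the rule requires every remaining characteristic to be at least average; PROFILE_B shows that case.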
Table II. Rules for determining the threat urgency

Once the information system category and class have been determined, along with the threat and intruder models, and the levels (subsystems) that require protection from potential attackers have been identified, the next step is to conduct a comprehensive market analysis of software, hardware, and firmware options. The goal is to select the most suitable solutions that align with the specific needs and requirements of the system in terms of price, quality, and functionality. This step involves evaluating a wide range of available options to find the optimal combination that best meets the organization's information security needs.

The other paper's model, by contrast, utilizes the Multidimensional Cloud Model and Entropy Theory for risk assessment [13]. It considers security incidents arising from threats exploiting vulnerabilities, incorporates cloud models to reflect qualitative concepts, and assigns weights based on relative importance to calculate "Value at Risk," providing a systematic approach for accurate information system security risk assessment. Information system security risk assessment involves evaluating the potential security incidents resulting from threats exploiting vulnerabilities through appropriate methods and tools. It includes assessing the losses caused by these incidents based on the asset values and vulnerability severity. The influence on the information system is then calculated considering the probabilities of security incidents and their associated losses. The value at risk (Y) is computed as $Y = R(A, T, V) = R\big(L(T, V),\, F(I_a, V_a)\big)$, where R is the information security risk calculation function [11], A represents the assets of the information system, T denotes the threats to the system, and V represents the vulnerabilities of the system. $I_a$ stands for the value of the asset involved in the security incident, and $V_a$ represents the severity of the vulnerability. L is the possibility of a threat exploiting the vulnerability, and F is the loss caused by the security incident. The theory of risk analysis is illustrated in Figure 1.

Figure 1. The theory of risk analysis

The model introduces the Multidimensional Cloud Model (MDCM) and Entropy Theory for risk assessment. MDCM extends the one-dimensional cloud model to qualitative concepts over an m-dimensional universe U, where X is an element of the universe with membership degree μ in the qualitative concept T [13]. The m-dimensional normal cloud model is characterized by 3m numerical features: expectations $(Ex_1, Ex_2, \dots, Ex_m)$, entropies $(En_1, En_2, \dots, En_m)$, and hyper entropies $(He_1, He_2, \dots, He_m)$. The Mathematical Expected Hyper Surface (MEHS) of the m-dimensional cloud model is

$\mathrm{MEHS}(x_1, x_2, \dots, x_m) = \exp\left[-\frac{1}{2}\sum_{i=1}^{m}\frac{(x_i - Ex_i)^2}{En_i^2}\right].$

The Multidimensional Cloud Generator Algorithm includes a forward cloud generator and a backward cloud generator. For each of K droplets, the forward cloud generator first draws an m-dimensional normal random vector $y_i = (y_{1i}, \dots, y_{mi})$ with expectations $(En_1, \dots, En_m)$ and variances $(He_1^2, \dots, He_m^2)$, and then an m-dimensional normal random vector $x_i = (x_{1i}, \dots, x_{mi})$ with expectations $(Ex_1, \dots, Ex_m)$ and variances $(y_{1i}^2, \dots, y_{mi}^2)$. The degree of membership of the droplet is

$\mu_i = \exp\left[-\frac{1}{2}\sum_{j=1}^{m}\frac{(x_{ji} - Ex_j)^2}{y_{ji}^2}\right],$

and $(x_i, \mu_i)$ is one cloud droplet; repeating this K times generates the cloud [12].

Figure 2. Forward cloud generator

The application of Entropy Weight Theory and the Multiplicative Method. Entropy is a measure of uncertainty in information theory [9], given by $H(p_1, p_2, \dots, p_n) = -\sum_{i=1}^{n} p_i \ln p_i$, where $p_i$ is the probability of the system being in state $S_i$. The Multiplicative Method determines an element θ from two or more elements (α and β) as $\theta = \alpha \otimes \beta$, where ⊗ denotes taking the square root of the product, i.e. $\theta = \sqrt{\alpha\beta}$ [6]. These mathematical techniques are employed to assess and calculate the uncertainty and relationships between various elements in the context of information security risk assessment.
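As an added example (not code from the paper), the following Python implements the forward generator described above for an m-dimensional normal cloud, plus a backward generator that recovers (Ex, En, He) from the droplets, and evaluates the MEHS for a point. The page names the backward generator but gives no formula; the estimator used here (mean, $\sqrt{\pi/2}$ times the mean absolute deviation, and the variance residual) is the common moment-based form and is an assumption, as are the concept parameters, droplet count and seed.

```python
"""Forward and backward m-dimensional normal cloud generators.

Added example, not code from the reviewed paper. The forward generator
follows the algorithm described in the text: for each of K droplets draw
y_ji ~ N(En_j, He_j^2), then x_ji ~ N(Ex_j, y_ji^2), and set
mu_i = exp(-1/2 * sum_j (x_ji - Ex_j)^2 / y_ji^2).
The backward generator is the usual moment estimator (assumption):
Ex = mean(x), En = sqrt(pi/2) * mean|x - Ex|, He = sqrt(var(x) - En^2).
The 2-D concept parameters in run_demo() are constructed.
"""
import math
import random
import statistics


def mehs(x, ex, en):
    """Mathematical expected hyper surface: membership of point x in the
    m-dimensional concept with expectations ex and entropies en."""
    return math.exp(-0.5 * sum((xi - e) ** 2 / s ** 2
                               for xi, e, s in zip(x, ex, en)))


def forward_cloud(ex, en, he, k, rng):
    """Return k droplets as (coordinates, membership) pairs."""
    drops = []
    for _ in range(k):
        # perturbed entropy per dimension; it is a standard deviation, so keep
        # it strictly positive (a negative draw is only possible when He ~ En)
        y = [max(abs(rng.gauss(e, h)), 1e-12) for e, h in zip(en, he)]
        x = [rng.gauss(e, s) for e, s in zip(ex, y)]
        mu = math.exp(-0.5 * sum((xi - e) ** 2 / s ** 2
                                 for xi, e, s in zip(x, ex, y)))
        drops.append((x, mu))
    return drops


def backward_cloud(points):
    """Estimate (Ex, En, He) per dimension from droplet coordinates."""
    m = len(points[0])
    ex, en, he = [], [], []
    for j in range(m):
        col = [p[j] for p in points]
        mean = statistics.fmean(col)
        var = statistics.pvariance(col)
        # E|x - Ex| = sqrt(2/pi) * En for a normal cloud with small He
        en_j = math.sqrt(math.pi / 2.0) * statistics.fmean([abs(v - mean) for v in col])
        ex.append(mean)
        en.append(en_j)
        he.append(math.sqrt(max(var - en_j ** 2, 0.0)))  # clamp sampling noise
    return ex, en, he


def run_demo(seed=7, k=2000):
    """Generate droplets for a constructed 2-D concept and recover its
    numerical features; returns the values a caller can check."""
    ex, en, he = [3.0, 2.5], [0.5, 0.4], [0.05, 0.05]  # constructed concept
    drops = forward_cloud(ex, en, he, k, random.Random(seed))
    est_ex, est_en, est_he = backward_cloud([x for x, _ in drops])
    mus = [mu for _, mu in drops]
    return {"ex": est_ex, "en": est_en, "he": est_he,
            "mu_min": min(mus), "mu_max": max(mus),
            "mu_at_centre": mehs(ex, ex, en),
            "mu_one_en_away": mehs([3.5, 2.5], ex, en)}


if __name__ == "__main__":
    print(run_demo())
```

The backward pass is the practical half of this machinery: given historical droplets (observed risk-factor values with their memberships), it produces the (Ex, En, He) triples that the paper's Tables III to V tabulate per risk level. With 2000 droplets the recovered Ex and En are within a few hundredths of the inputs, while He is the noisiest estimate, since it is a small residual between two sampled moments.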
The model involves three main steps:
1.
Determining the Evaluation Index Set: This step
includes structuring risk sets for assets, threats, and
vulnerabilities. Each factor is assigned a level of risk
based on appropriate evaluation sets, represented by
numerical characteristics (Ex, En, He).
2.
Determining the Degree of Membership of Risk: This information system security. Table of risk grade is shown as
follows.
step involves generating cloud models for the
possibility of security incidents based on threats and
vulnerabilities, and cloud models for the loss of
security incidents based on assets and vulnerabilities.
The membership matrix of security incidents and the
membership matrix of the loss of security incidents are
Table I. Risk grade table
calculated using these cloud models [6].
These mathematical techniques are used to assess and quantify
the risks associated with different factors in information
security, enhancing the objectivity and accuracy of the risk
assessment process [7]. As well as calculating the membership
matrix of the loss of security incidents based on the cloud model
of the losses of security incidents. They are described as
follows.
The underlying premise is that security incidents can lead to five
types of losses, each associated with five specific threats and
corresponding vulnerabilities. The risk level assignment table of
factors is shown as follows.
Table II. Risk level assignment table
Step 3: Calculate the membership matrix of security incidents
and the membership matrix of the loss of security incidents
based on the generated cloud models [8].
The risk grades for asset factors, threat factors, and vulnerability
factors in the system are provided as follows:
Asset factors (A'): 4.5, 3.69, 2.6, 2.99, 3.8
Threat factors (T'): 4.3, 2.8, 2.5, 1.8, 1.7
Vulnerability factors (V'): 4.0, 2.3, 2.8, 3.0, 2.9
Next, the process involves calculating the expectations,
entropies, and hyper entropies of assets, threats, and
vulnerabilities for different risk levels based on historical data.
After this, two-dimensional cloud models of the possibilities of
security incidents and two-dimensional cloud models of losses of
security incidents are generated [9].
These mathematical techniques allow for a systematic and
objective assessment of information security risks, considering
various factors and enhancing the accuracy of risk evaluation.
The process of determining weights in the Information System
Security Risk Assessment Model using Entropy Weight Theory
can be summarized as follows:
Determining the Weights:
Table III. Expectation value
Measure the relative importance of security risk component Zi
using the entropy value ei, calculated with the formula: ei = 1/ln(r) ∑(zij*ln(zij)), where zij (j=1,2,...,r) represents the risk
components [9].
Normalize the entropy values to obtain the weight of each
security risk component Zij. The normalized weight φi is given
by: φi = 1/(q - E)(1 - ei), where E = ∑(ei), and q is the number
of risk components.
Establish the weights k1, k2, ..., kr for evaluating factors b1, b2,
..., br based on the risk classification, where ∑(ki) = 1.
Table IV. Entropy value
The Calculation of Value at Risk:
Using the membership matrix of risk component values, the
weights of risk component values (φ1, φ2, ..., φq), and the
weights of the risk level in the evaluation set (k1, k2, ..., kr),
compute the risk value R' with the formula: R' = (φ1, φ2, ..., φq)
∙ Z ∙ (k1, k2, ..., kr).
These steps allow for the quantification and assessment of risk
factors, providing valuable insights for decision-making in
Table V. Hyper entropy value
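As an added worked example (not code from either paper), the two cloud-model steps above can be carried through in Python on the grade lists A', T' and V' given on the page: a forward normal cloud generator gives the certainty degree of a grade against each risk-level cloud, the two-dimensional clouds over (threat, vulnerability) and (asset, vulnerability) pairs yield the two membership matrices of Step 2, and their row-normalised elementwise product stands in for the "multiplicative method" named later in Step 3. The (Ex, En, He) triples of the five risk-level clouds, the use of the same triple on both axes, and that reading of the multiplicative method are assumptions replacing Tables III-V, which are images not reproduced on this page; membership_1d, possibility_matrix, loss_matrix and risk_component_matrix are names introduced here.

```python
"""Membership matrices from two-dimensional normal cloud models.

Added example, not code from either paper. The factor grades A', T', V'
are the ones listed on the page; the (Ex, En, He) triples of the five
risk-level clouds are constructed stand-ins for the paper's Tables III-V,
and the row normalisation in risk_component_matrix is one reading of the
"multiplicative method" named in Step 3.
"""
import math
import random

LEVELS = ["very low", "low", "middle", "high", "very high"]

# Risk grades of the five assets, threats and vulnerabilities (from the page).
ASSETS = [4.5, 3.69, 2.6, 2.99, 3.8]
THREATS = [4.3, 2.8, 2.5, 1.8, 1.7]
VULNS = [4.0, 2.3, 2.8, 3.0, 2.9]

# Constructed (Ex, En, He) of each risk level on the 1..5 grade scale.
# Ex is the level's centre, En its width, He the hyper entropy (the
# uncertainty of En itself). The same triple is used on both axes.
LEVEL_CLOUDS = {
    "very low": (1.0, 0.45, 0.05),
    "low": (2.0, 0.45, 0.05),
    "middle": (3.0, 0.45, 0.05),
    "high": (4.0, 0.45, 0.05),
    "very high": (5.0, 0.45, 0.05),
}


def membership_1d(x, ex, en, he, drops=500, seed=0):
    """Certainty degree mu(x) of a 1-D normal cloud (Ex, En, He).

    The forward normal cloud generator draws En' ~ N(En, He^2) for each drop
    and evaluates exp(-(x - Ex)^2 / (2 En'^2)); averaging the drops gives a
    stable value that still reflects He. With He = 0 (or drops = 0) this is
    the expectation curve exp(-(x - Ex)^2 / (2 En^2)).
    """
    if he <= 0 or drops <= 0:
        return math.exp(-((x - ex) ** 2) / (2 * en ** 2))
    rng = random.Random(seed)  # fixed seed: repeatable matrices
    total = 0.0
    for _ in range(drops):
        en_prime = max(abs(rng.gauss(en, he)), 1e-9)
        total += math.exp(-((x - ex) ** 2) / (2 * en_prime ** 2))
    return total / drops


def membership_2d(x, y, cloud, **kw):
    """2-D cloud certainty: product of the 1-D certainties on each axis."""
    ex, en, he = cloud
    return membership_1d(x, ex, en, he, **kw) * membership_1d(y, ex, en, he, **kw)


def membership_matrix(pairs, clouds=LEVEL_CLOUDS, **kw):
    """Rows: factor pairs (x, y); columns: risk levels in LEVELS order."""
    return [[membership_2d(x, y, clouds[lvl], **kw) for lvl in LEVELS] for x, y in pairs]


def possibility_matrix(**kw):
    """L for the possibility of incidents: clouds over (threat, vulnerability)."""
    return membership_matrix(list(zip(THREATS, VULNS)), **kw)


def loss_matrix(**kw):
    """L for the loss of incidents: clouds over (asset, vulnerability)."""
    return membership_matrix(list(zip(ASSETS, VULNS)), **kw)


def risk_component_matrix(l_poss, l_loss):
    """Z by the multiplicative method: elementwise product of the two
    membership matrices, each row rescaled to sum to 1 (assumption)."""
    z = []
    for row_p, row_l in zip(l_poss, l_loss):
        prod = [p * l for p, l in zip(row_p, row_l)]
        s = sum(prod)
        z.append([v / s if s else 0.0 for v in prod])
    return z


def dominant_level(row):
    """Risk level with the largest membership (maximum-membership principle)."""
    return LEVELS[max(range(len(row)), key=row.__getitem__)]


if __name__ == "__main__":
    lp, ll = possibility_matrix(), loss_matrix()
    for name, row in zip(["T1", "T2", "T3", "T4", "T5"], lp):
        print(name, [round(v, 3) for v in row], "->", dominant_level(row))
    z = risk_component_matrix(lp, ll)
    print("Z row 1:", [round(v, 3) for v in z[0]], "->", dominant_level(z[0]))
```

Running the block prints one row of the possibility matrix per threat/vulnerability pair and the first row of Z; the highest-graded pair (T' = 4.3, V' = 4.0) lands in the "high" cloud, the lowest (1.7, 2.9) in "low", which is the sanity check a practitioner should make before trusting the chosen (Ex, En, He) values.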
Two-dimensional cloud models of possibilities of security incidents are shown as follows.
Figure 3. The cloud model of security incidents
Figure 4. The cloud model of security incidents
Figure 5. The cloud model of security incidents
Figure 6. The cloud model of security incidents
Figure 7. The cloud model of security incidents
The clouds of possibilities of security incidents from very high risk to very low risk are figure 3, figure 4, figure 5, figure 6 and figure 7.
Two-dimensional cloud models of losses of security incidents are shown as follows.
Figure 8. The cloud model of security incident losses
Figure 9. The cloud model of security incident losses
Figure 10. The cloud model of security incident losses
Figure 11. The cloud model of security incident losses
Figure 12. The cloud model of security incident losses
The clouds of losses of security incidents from very high risk to very low risk are figure 8, figure 9, figure 10, figure 11 and figure 12.
The given data involves several steps in risk assessment:
Step 1: A matrix P represents the risk grades of asset factors, threat factors, and vulnerability factors in the system.
Step 2: Calculate the membership matrix L of possibilities of security incidents and the membership matrix L of losses of security incidents [10].
Step 3: Calculate the membership matrix Z of risk components using the multiplicative method.
Step 4: The risk level of the system is determined to be middle according to the risk grade table, and appropriate measures can be taken to make the system safer.
Step 5: Calculate the weights φ of risk components and the weights K of risk grades.
Step 6: Calculate the value at risk R'.
Overall, the steps involve analyzing risk grades, possibilities of security incidents, losses of security incidents, and risk components to assess the risk level of the system and determine appropriate risk control measures.
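The weighting and value-at-risk steps (Steps 5 and 6, with the formulas for ei, φi and R' given earlier) as an added worked example in Python, not code from either paper. The membership matrix Z and the level weights k are constructed inputs; because Table I is an image not reproduced here, the grade is read off φ·Z by the maximum-membership principle, an assumption in place of the paper's risk grade table. The entropy is implemented in its standard entropy-weight form, with row normalisation and the leading minus sign; that sign, which the page's abbreviated formula omits, is what keeps each ei in [0, 1] so that the weights φi = (1 - ei)/(q - E) are non-negative and sum to 1.

```python
"""Entropy weights of the risk components and the value at risk R'.

Added example, not code from either paper. The membership matrix Z
(rows: asset, threat, vulnerability components; columns: the five risk
levels) and the level weights k are constructed. The page's Table I is an
image, so the grade is read off phi . Z by the maximum-membership
principle rather than from the paper's own risk grade table.
"""
import math

LEVELS = ["very low", "low", "middle", "high", "very high"]

# Constructed membership matrix Z: q = 3 risk components x r = 5 levels.
Z = [
    [0.05, 0.10, 0.40, 0.35, 0.10],  # asset component
    [0.10, 0.30, 0.40, 0.15, 0.05],  # threat component
    [0.05, 0.15, 0.50, 0.25, 0.05],  # vulnerability component
]

# Constructed weights k_1..k_r of the risk levels, sum(k) = 1, rising with severity.
K = [0.05, 0.15, 0.20, 0.25, 0.35]


def entropy(row):
    """e_i = -(1 / ln r) * sum_j p_ij ln p_ij, with p_ij the row rescaled to
    sum to 1 and 0 ln 0 taken as 0. The leading minus sign is the standard
    entropy-weight form and keeps e_i in [0, 1]; a uniform row gives 1,
    a one-hot row gives 0."""
    r = len(row)
    total = sum(row)
    if r < 2 or total <= 0 or any(v < 0 for v in row):
        raise ValueError("row needs at least two non-negative entries with a positive sum")
    p = [v / total for v in row]
    return -sum(v * math.log(v) for v in p if v > 0) / math.log(r)


def entropy_weights(z):
    """phi_i = (1 - e_i) / (q - E), E = sum(e_i): a component whose membership
    is spread evenly over the levels carries little information and gets a
    small weight; a sharply concentrated one gets a large weight."""
    e = [entropy(row) for row in z]
    q, big_e = len(z), sum(e)
    if q - big_e <= 0:
        raise ValueError("all rows are uniform; entropy weights are undefined")
    return [(1 - ei) / (q - big_e) for ei in e]


def level_membership(z, phi):
    """The row vector phi . Z: overall membership of the system in each level."""
    return [sum(phi[i] * z[i][j] for i in range(len(z))) for j in range(len(z[0]))]


def value_at_risk(z, phi, k):
    """R' = phi . Z . k."""
    return sum(mj * kj for mj, kj in zip(level_membership(z, phi), k))


def risk_grade(z, phi):
    """Grade by maximum membership of phi . Z (assumed in place of Table I)."""
    m = level_membership(z, phi)
    return LEVELS[max(range(len(m)), key=m.__getitem__)]


if __name__ == "__main__":
    phi = entropy_weights(Z)
    print("phi =", [round(p, 4) for p in phi])
    print("R'  =", round(value_at_risk(Z, phi, K), 4), "grade:", risk_grade(Z, phi))
```

With the constructed Z the vulnerability row has the lowest entropy and therefore the largest weight, the system falls in the "middle" grade, and R' comes out near 0.205; since the rows of Z and the vector k each sum to 1, R' is always bounded by the smallest and largest level weight, which is worth remembering when choosing the grade thresholds.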
On the other hand, the process of software and hardware selection for each ISS subsystem involves implementing information protection at 21 levels, prioritized according to the order in which an attacker is expected to violate them. Each level requires specific security tools, and experts choose these tools based on their functions and the enterprise's capabilities. The selection process results in a ranked descending graph, where vertices represent security tools and arcs represent transitions between subsystems, with assigned weights indicating priority levels. The weights can vary based on integration priority and service functions. The paper constructs a ranked top-down graph in which the vertices are the expert-selected information security tools located at a specific level (subsystem); the levels are in turn ordered by the attacker's alleged sequence of protection violations, and the vertices are connected by arcs, the weight of each being determined by the priority of the transition to that vertex (Fig. 13).
Figure 13. The ranked descending graph level corresponding to the security events registration subsystem
X. PROS AND CONS
Pros of "Information system security risk assessment based on multidimensional cloud model and the entropy theory" paper:
1. Comprehensive Risk Assessment: The paper introduces a novel approach that uses the multidimensional cloud model and entropy theory to comprehensively analyze various risk factors in information systems. This enables a more thorough and holistic assessment of information security risks.
2. Objective and Accurate Assessment: By integrating qualitative and quantitative data through the cloud model, the method reveals objective objects with fuzziness and randomness, reducing the influence of traditional subjective factors. This enhances the objectivity and accuracy of information security risk assessment.
3. Improved Risk Control: Effectively evaluating information system risks allows for a better understanding of the security status and targeted implementation of risk control measures. This helps in keeping information security risks within acceptable limits and ensuring the construction of secure, stable, and upgradable information systems.
Pros of "The information security system synthesis using the graphs theory" paper:
1. Tailored Protection Measures: The paper emphasizes the need for protection measures covering all possible areas vulnerable to attacks. By utilizing graph theory to optimize the construction of an enterprise's information security system (ISS), the approach allows for tailored and customized protection strategies based on required security levels and available resources.
2. Optimal Tool Selection: The application of graph theory to construct a ranked descending graph and solve the optimization problem facilitates the identification of critical paths. This enables the selection of the most appropriate information security tools based on expert evaluations of their preferences and capabilities, ensuring an efficient and effective security system.
3. Compliance with Legislation: Referring to the FSTEC order №31, the paper provides a basis for "isolating" protection vectors and outlines 21 levels or subsystems for information security protection. This ensures that the constructed information security system aligns with relevant Russian Federation legislation, enhancing legal compliance.
Cons common to both papers:
1. Complexity: Both papers propose sophisticated methodologies that might be challenging to implement and require specialized expertise, potentially limiting their practical adoption by organizations without the necessary resources or technical knowledge.
2. Context-Specificity: The effectiveness and applicability of the proposed approaches in real-world scenarios may vary depending on the specific information systems, industry sectors, or regulatory environments, limiting their generalizability.
3. Practical Adoption: Convincing stakeholders and organizations to adopt these novel approaches might be challenging, as they may require significant changes in existing risk assessment or security practices, leading to potential resistance or reluctance to embrace unfamiliar methodologies.
XI. MATHEMATICAL TERMS
The mathematical terms used in these two papers are not explicitly provided in the given summaries. However, based on the context, we can identify some potential mathematical terms and concepts that might be discussed in the papers:
"Information system security risk assessment based on multidimensional cloud model and the entropy theory":
• Multidimensional Cloud Model: A mathematical model that extends the one-dimensional cloud model to represent multidimensional qualitative concepts and uncertainty.
• Entropy Theory: A concept from information theory used to measure uncertainty and randomness in a system.
• Risk Assessment: The process of quantifying and evaluating the potential risks to an information system using mathematical methods.
• Fuzziness and Randomness: Terms related to uncertainty and vagueness in data, often represented using fuzzy logic or probability theory.
"The information security system synthesis using the graphs theory":
• Graph Theory: A mathematical theory that deals with the study of graphs, which are structures consisting of nodes (vertices) and edges (arcs) that represent relationships between them [5].
• Optimization Problem: A mathematical problem that involves finding the best solution (maximum or minimum) among a set of possible solutions based on specified criteria.
• Critical Paths: In the context of graph theory, critical paths refer to the longest or shortest paths between nodes in a graph, which are important for optimizing the information security system construction.
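The critical-path search on a ranked descending graph, described in the paragraph on software and hardware selection and in the Critical Paths term above, as an added example in Python (not the paper's code). The four subsystem levels, the tool names IA-1, AC-1 and so on, and the arc weights are constructed, hypothetical stand-ins for the paper's 21 levels and expert-assigned priorities; critical_path takes the critical path to be the maximum-priority path, the longest-path reading of the term, and check_ranked enforces the property that gives the graph its name, that every arc descends exactly one level.

```python
"""Critical path through a ranked descending graph of security tools.

Added example, not the paper's code. The subsystem levels, tool names and
arc weights below are constructed, hypothetical stand-ins; the paper's
21 FSTEC-derived levels and its expert-assigned weights are not reproduced.
"""

# Levels (subsystems) in the order an attacker is assumed to violate them.
LEVELS = [
    "identification and authentication",
    "access control",
    "security events registration",
    "integrity control",
]

# Vertices: candidate tools at each level (hypothetical names).
TOOLS = {
    "identification and authentication": ["IA-1", "IA-2"],
    "access control": ["AC-1", "AC-2"],
    "security events registration": ["ER-1", "ER-2"],
    "integrity control": ["IN-1"],
}

# Arcs between adjacent levels with expert priority weights (constructed).
ARCS = {
    ("IA-1", "AC-1"): 3, ("IA-1", "AC-2"): 1, ("IA-2", "AC-1"): 2, ("IA-2", "AC-2"): 4,
    ("AC-1", "ER-1"): 2, ("AC-1", "ER-2"): 5, ("AC-2", "ER-1"): 3, ("AC-2", "ER-2"): 1,
    ("ER-1", "IN-1"): 2, ("ER-2", "IN-1"): 3,
}


def rank_of(levels, tools):
    """Map each vertex to its rank, i.e. the index of its level."""
    return {tool: i for i, level in enumerate(levels) for tool in tools[level]}


def check_ranked(levels, tools, arcs):
    """A ranked descending graph only has arcs from rank i to rank i + 1."""
    rank = rank_of(levels, tools)
    for (u, v) in arcs:
        if u not in rank or v not in rank:
            raise ValueError(f"arc ({u}, {v}) references an unknown tool")
        if rank[v] != rank[u] + 1:
            raise ValueError(f"arc ({u}, {v}) does not descend exactly one level")


def is_ranked(levels, tools, arcs):
    """True if check_ranked accepts the graph, False otherwise."""
    try:
        check_ranked(levels, tools, arcs)
    except ValueError:
        return False
    return True


def critical_path(levels, tools, arcs):
    """Longest (maximum total priority) path from level 0 to the last level.

    Because the graph is layered and acyclic, one pass over the levels in
    rank order is a complete dynamic programme: best[v] is the best score of
    any path ending at v and pred[v] records how v was reached.
    """
    check_ranked(levels, tools, arcs)
    best = {t: 0 for t in tools[levels[0]]}
    pred = {}
    for i in range(1, len(levels)):
        for v in tools[levels[i]]:
            candidates = [(best[u] + w, u) for (u, vv), w in arcs.items() if vv == v and u in best]
            if candidates:
                best[v], pred[v] = max(candidates)
    finals = [t for t in tools[levels[-1]] if t in best]
    if not finals:
        raise ValueError("no path reaches the last level")
    end = max(finals, key=best.__getitem__)
    path = [end]
    while path[-1] in pred:
        path.append(pred[path[-1]])
    return best[end], path[::-1]


if __name__ == "__main__":
    total, path = critical_path(LEVELS, TOOLS, ARCS)
    print("critical path:", " -> ".join(path), "with total priority", total)
```

On the constructed graph the critical path is IA-1 -> AC-1 -> ER-2 -> IN-1 with total priority 11; note that it is not the path of locally best arcs (IA-2 -> AC-2 starts with the heaviest arc but leads to a worse total), which is exactly why the paper treats tool selection as a path optimisation rather than a level-by-level choice.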
XII. FUTURE WORKS
The future work, after merging these two papers, could involve the following:
Integration of Risk Assessment Models: Explore the possibility of integrating the multidimensional cloud model and entropy theory from the first paper with the graph theory approach from the second paper. This integration could lead to a more comprehensive and robust risk assessment model that considers both qualitative and quantitative factors while optimizing the construction of an enterprise's information security system.
Empirical Validation: Conduct empirical studies and real-world case studies to validate the effectiveness of the merged risk assessment model. Gather data from various organizations and assess the accuracy and objectivity of the model in predicting and mitigating information security risks.
Automation and Machine Learning: Investigate the potential of automating the risk assessment process using machine learning algorithms. Develop automated tools that can efficiently analyze large datasets and identify potential security threats, thus reducing the manual effort required for risk assessment.
Continuous Monitoring and Adaptation: Implement a system for continuous monitoring of the information security landscape and adapt the risk assessment model accordingly. Information security threats are constantly evolving, and the model should be dynamic enough to accommodate new risks and vulnerabilities.
Standardization and Adoption: Work towards standardizing the merged risk assessment model and promoting its adoption across different industries and organizations. This would facilitate a consistent and systematic approach to information security risk assessment.
Collaboration with Industry Experts: Collaborate with information security experts from different domains to gather insights and feedback on the merged model. Engage in discussions and workshops to refine the model and make it more practical and applicable in real-world scenarios.
By pursuing these future works, the merged paper can contribute significantly to the field of information security risk assessment, providing a valuable tool for organizations to proactively safeguard their information systems from potential threats and vulnerabilities.
XIII. CONCLUSION
The papers propose two different approaches to address information security challenges. The first approach focuses on the labor-intensive and expert-driven synthesis of an enterprise's information security system, aiming to minimize material waste and financial losses in the face of potential threats. The second approach introduces a model for information security risk assessment, utilizing the multidimensional normal cloud model and entropy weight theory to enhance the objectivity and accuracy of risk assessment. Both methods aim to improve information security measures and mitigate potential risks for businesses.
15.1 Summary of Findings:
We have explored two essential aspects of information security: risk assessment and system synthesis using innovative methodologies. The first part of the paper focuses on information system security risk assessment, where we introduced a novel approach based on the multidimensional cloud model and entropy theory. Through the integration of qualitative and quantitative data, this approach enhances the objectivity and accuracy of risk assessment, effectively addressing the challenges posed by the information age. The findings reveal the significance of understanding security status and implementing targeted risk control measures to ensure the maintenance of information system security.
The second part of the paper delves into the information security system synthesis using graph theory. We emphasized the need for effective business foundations, highlighting the timely prevention of security threats and prompt elimination of realized threat consequences. The application of graph theory allows us to optimize the construction of an enterprise's information security system based on required security levels and available resources. The findings showcase the power of constructing ranked descending graphs and solving optimization problems to facilitate the selection of the most appropriate information security tools based on expert evaluations of preferences and capabilities.
15.2 Contributions and Practical Implications:
The papers offer significant contributions to the field of information security. Firstly, the introduction of the multidimensional cloud model and entropy theory for risk assessment provides a comprehensive and objective analysis of various risk factors in information systems. By considering both qualitative and quantitative data, this approach enhances the accuracy of risk assessment and reduces the influence of subjective factors. This contributes to more informed decision-making in risk management, allowing organizations to implement targeted risk control measures effectively.
Secondly, the application of graph theory in information security system synthesis offers practical implications for businesses and enterprises. By utilizing a ranked descending graph and optimization techniques, organizations can construct robust and tailored information security systems based on their specific security needs and available resources. This ensures a cost-effective and efficient allocation of security measures, reducing the likelihood of security breaches and mitigating potential risks effectively.
In practical terms, the findings from these papers can serve as valuable guidelines for information security professionals and decision-makers. Organizations can adopt the multidimensional cloud model and entropy theory to assess their information system security risks comprehensively and objectively. Additionally, the use of graph theory can aid in the optimal design and implementation of information security systems, aligning security measures with business goals and regulatory requirements.
Overall, these papers reinforce the importance of risk assessment and system synthesis in information security, providing innovative methodologies that can be applied to enhance the resilience and protection of information systems in the ever-evolving information age. By embracing these approaches, organizations can proactively safeguard their valuable assets and sensitive information, thus fostering a secure and trustworthy digital environment.
XIV. REFERENCES
[1] The threats basic model to the personal data security when processing them in personal data information systems (extract): officer.text, Moscow: FSTEC of Russia, pp. 69, 2008.
[2] "Methodological recommendations for the regulatory legal acts development that determine threats to the personal data relevant security to the personal data processing in personal data information systems operated in the relevant activities conduct" in Center Russia FSS management, Moscow, no. 149/7/2/6-432, pp. 22, March 2015.
[3] Identifying threats methodology to information security in information systems (Project), Moscow: Russia FSTEC, pp. 43, 2015.
[4] The Russia FSTEC order dated February 11, 2013, № 17 "On the requirements approval for the information security that is not a state secret contained in government information systems", 04 2017, [online] Available: http://fstec.ru.
[5] On approving the requirements for the personal data protection when processing them in personal data information systems, 04 2017, [online].
[6] Wang Zhenxue, Zhou Anmin and Fang Yong, "Information System Security Risk Estimation and Control Theory[M]", Science Press, vol. 20, no. 11, pp. 13-90.
[7] Wang Guoying, Li Deyi, Yao Yiyu, Liang Jiye, Miao Duoqian, Zhang Yanping, et al., "Cloud model and granular computing[M]", Science Press, vol. 20, no. 12, pp. 2-22.
[8] Gang Zhao and Huan Liu, "Practical risk assessment based on multiple fuzzy comprehensive evaluations and entropy weighting[J]", J Tsinghua Uni(Sci&Tech), vol. 52, no. 10, pp. 1382-1387, 2012.
[9] Yu Fu, Xiao-ping Wu, Qing Ye and Xi Peng, "An Approach for Information System Security Risk Assessment on Fuzzy Set and Entropy Weight[J]", ACTA ELECTRONICA SINICA, vol. 38, no. 7, pp. 1490-1493, 2010.
[10] Guo-ying Zhang, Yun Sha, Xu-hong Liu and Yu-shu Liu, "High Dimensional Cloud Model and Its Application in Multiple Attribute Evaluation[J]", Transactions of Beijing Institute of Technology, vol. 24, no. 12, pp. 1064-1069, 2004.
[11] Hong-hui Niu and Ling-xia Liu, "Research on Risk Assessment of Information Security Based on Improved Neural Network", Computer Simulation[J], vol. 28, no. 6, pp. 117-118, 2011.
[12] Zhao-Hui Yang and De-Yi Li, "Planar Model and Its Application in Prediction[J]", Chinese Journal
[13] Rong-xiao Guo, Jing-bo Xia, Shu-fu Dong and Men. LONG, "Multiple Attribute Evaluation Method Based on Multidimensional Cloud Model[J]", Computer Science, vol. 37, no. 11, pp. 75-77, 2010.