A Multiple Attribute Decision Making for Improving Information Security Control Assessment


International Journal of Computer Applications (0975 – 8887), Volume 89 – No. 3, March 2014

A Multiple Attribute Decision Making for Improving Information Security Control Assessment

Nadher Al-Safwani, Suhaidi Hassan, Norliza Katuk
InterNetWorks Research Laboratory, Universiti Utara Malaysia

ABSTRACT

Information security control assessment provides a comprehensive control analysis approach to assist an organization in measuring the effectiveness of its current and planned security controls. ISO/IEC 27005 is a risk management framework that can manage and treat risks in organizations. However, ISO/IEC 27005 does not define a clear guideline on how to select and prioritize information security controls, despite the need for an efficient security analysis method. The ISO 27005 framework mostly depends on subjective judgment and qualitative approaches for security control analysis. This paper aims to improve the information security control (ISC) analysis method by proposing the concept of multiple attribute decision making to provide clear guidelines for solving these issues. The Technique for Order Performance by Similarity to Ideal Solution (TOPSIS) method was utilized to determine the critical vulnerable controls on the basis of different evaluation criteria. We argue that evaluating ISCs by using TOPSIS leads to a cost-effective analysis and an efficient assessment in terms of testing and selecting ISCs in organizations.

Keywords

Information security controls assessment, multiple attribute decision making, security controls analysis.

1. INTRODUCTION

Information security is becoming increasingly important as the basis and premise for information system security [4, 11]. The principal goal of all business decision makers is to protect the organization and the ability to protect their IT assets, as well as to ensure the confidentiality, integrity, availability, and accountability features of the resources of the organization [16].

According to Singh [15], a risk assessment exercise involves several steps: identification of controls to be tested, testing of controls for their efficacy, analysis of test results, and recommendations for security enhancements on the basis of the analysis. The implementation of control risk management over the past few years has been ambiguous [9]. Numerous risk analysis methods and models have been developed to solve the issues and the challenges of these methods. Most security researchers attempt to enhance the framework to improve security decisions by applying quantitative or qualitative modeling techniques [10]. Quantitative techniques and methods that consider decision-making criteria and cost-effective analysis remain lacking. Good references from standards organizations, such as ISO/IEC 27005, are available on the process aspects of risk management [7]. However, this framework typically and extensively focuses on the issue of defining a process around risk management. The framework may be excellent from a process perspective, but it does not define a clear guideline on how to accomplish control security assessment and mostly depends on a qualitative analysis approach [15].

The remainder of the paper is organized as follows. Section 2 provides a summary of ISO/IEC 27005 and related work on information security control assessment. Section 3 describes the multiple attribute decision making (MADM) concept and the TOPSIS method. Section 4 presents the experimental results of a case study. Section 5 discusses the results. Finally, Section 6 provides the summarized conclusions and the highlights of our future work.

2. RELATED WORK

This section reviews the details of the ISO/IEC 27005 risk management framework and identifies the gaps in risk assessment standards and methods.

2.1 ISO/IEC 27005

ISO 27005 [7] provides the guidelines for information security risk management in an organization and the requirements of an Information Security Management System (ISMS), as shown in Figure 1. The common concepts in ISO/IEC 27001 are supported by the international standard and are designed to assist in the satisfactory implementation of information security according to the risk management approach. The process establishes the background and assesses the risks, which are mitigated by using a risk treatment plan to implement the recommended controls and decisions. The standards attempt to determine the actual causes of the risks before deciding on what should be done, and when, to reduce the risk to an acceptable level.

Before risk assessment is conducted in the ISO/IEC 27005 framework, the organization provides a general description of the entire goal of the risk assessment and its processes. In this assessment, the risk should be identified, quantified, qualitatively described, and prioritized against the risk evaluation criteria and objectives relevant to the organization. The input of this assessment becomes the basic criteria, the scope and boundaries, and the roles and responsibilities of the organization. The output of this assessment is a list of assessed risks prioritized based on the risk evaluation criteria. Figure 2 illustrates the steps for risk assessment in ISO/IEC 27005.

Fig 1. ISO 27005 Risk Management Framework [7].

Fig 2. ISO/IEC 27005 Risk Analysis Steps [7].

Step 3 is the identification of the existing controls, which should be made to avoid unnecessary work or cost. An existing or planned control might be identified as ineffective, insufficient, or unjustified. However, Singh [15] and Kiesling et al. [9] showed that ISO 27005 does not clearly define a proper analysis for the current controls, despite having a generic guideline that describes the managed approach to risk. ISO 27005 fails to provide granular guidance on the key steps of critical control identification and tends to focus on qualitative data, thus reducing the value of the approach for decision makers [5]. The process of selecting an ISC from common practices is difficult, and choosing the best controls depends on the organization [13].

The standard provides a process framework and leaves the act of defining the risk management process and approach to the process guidelines of the organization, such as the Information Security Management System (ISMS) or the context of risk management. According to some researchers [3], [1], the ISO standards family does not describe the practical aspects and shortens certain parts when evaluating the sufficiency of security mechanisms in a formal approach. The situation of the knowledge base has recently improved, but the standardization of the entire risk assessment process remains necessary.

3. MULTI-ATTRIBUTE DECISION MAKING

MADM problems are encountered under various situations when the decision maker has several alternatives and actions, or when the candidates must be chosen on the basis of a set of attributes [18]. MADM methods are classified into three groups according to the type of information that the decision maker provides: no information, information on attributes, and information on alternatives [6], [17], [8]. Hence, this research focuses on the type where the decision maker provides information on the attributes, so we need to select a method from the information-on-attribute group. The optimal MADM method, i.e., Simple Adaptive Weighting (SAW), Hierarchical Adaptive Weighting (HAW), or TOPSIS, must be selected and applied in each study case. Several studies have compared these techniques with others to find the optimal technique. TOPSIS is considered theoretically more robust than SAW because TOPSIS evaluates each alternative on the basis of the most desirable result, by considering the distance of each result from the most and the least desirable alternative. TOPSIS further increases the accuracy of the final result. Therefore, TOPSIS can be considered a stronger weighting model than MEW and SAW [14]. TOPSIS is also considered one of the major decision-making techniques. Opricovic and Tzeng [12] stated that the highest ranked alternative by TOPSIS is the best in terms of the ranking index, which does not mean that the alternative is always the closest to the ideal solution. However, they did not consider the trade-offs involved by normalization when obtaining the aggregating function. Nevertheless, TOPSIS is considered one of the major MADM techniques, with an advantage over other MADM techniques and group decision-making methods [2].

In any MADM ranking, fundamental terms must be defined, such as the decision matrix (DM), the evaluation matrix (EM), the alternatives, and the criteria. The EM has $m$ alternatives and $n$ criteria. The intersection of each alternative and criterion is given as $x_{ij}$. Therefore, we have a matrix $(x_{ij})_{m \times n}$:

$$
D = \begin{array}{c|cccc}
 & C_1 & C_2 & \cdots & C_n \\ \hline
A_1 & x_{11} & x_{12} & \cdots & x_{1n} \\
A_2 & x_{21} & x_{22} & \cdots & x_{2n} \\
\vdots & \vdots & \vdots & \ddots & \vdots \\
A_m & x_{m1} & x_{m2} & \cdots & x_{mn}
\end{array} \qquad (1)
$$

where $A_1, A_2, \ldots, A_m$ are the possible alternatives among which the decision makers have to choose (i.e., technical security controls), $C_1, C_2, \ldots, C_n$ are the criteria with which the alternative performances are measured (i.e., vulnerabilities, threats, valid vulnerabilities, severity, and cost remediation effort), $x_{ij}$ is the rating of alternative $A_i$ with respect to criterion $C_j$, and $w_j$ is the weight of criterion $C_j$ (i.e., threats weight, severity weight, and cost remediation weight). Certain processes must be performed to rank the alternatives, such as normalization, maximization indicator, adding the weights, and other processes depending on the method.

3.1 Technique for Order Performance by Similarity to Ideal Solution Method

3.1.1 Construct the normalized decision matrix

This process transforms the various attribute dimensions into non-dimensional attributes, which allows a comparison across the attributes. The matrix $(x_{ij})_{m \times n}$ is normalized to the matrix $R = (r_{ij})_{m \times n}$ by using the normalization method:

$$
r_{ij} = \frac{x_{ij}}{\sqrt{\sum_{i=1}^{m} x_{ij}^2}}, \qquad i = 1, 2, \ldots, m,\; j = 1, 2, \ldots, n. \qquad (2)
$$

This process results in a new matrix $R$, where $R$ is as follows:

$$
R = \begin{pmatrix}
r_{11} & r_{12} & \cdots & r_{1n} \\
r_{21} & r_{22} & \cdots & r_{2n} \\
\vdots & \vdots & \ddots & \vdots \\
r_{m1} & r_{m2} & \cdots & r_{mn}
\end{pmatrix}
$$

3.1.2 Construct the weighted normalized decision matrix

In this process, a set of weights $w = (w_1, w_2, w_3, \ldots, w_j, \ldots, w_n)$ from the decision maker is applied to the normalized DM. The resulting matrix is calculated by multiplying each column of the normalized decision matrix $R$ by its associated weight $w_j$, i.e., $v_{ij} = w_j r_{ij}$. The weights sum to 1:

$$
\sum_{j=1}^{n} w_j = 1.
$$

This process results in a new matrix $V$, where $V$ is as follows:

$$
V = \begin{pmatrix}
v_{11} & v_{12} & \cdots & v_{1n} \\
v_{21} & v_{22} & \cdots & v_{2n} \\
\vdots & \vdots & \ddots & \vdots \\
v_{m1} & v_{m2} & \cdots & v_{mn}
\end{pmatrix}
= \begin{pmatrix}
w_1 r_{11} & w_2 r_{12} & \cdots & w_n r_{1n} \\
w_1 r_{21} & w_2 r_{22} & \cdots & w_n r_{2n} \\
\vdots & \vdots & \ddots & \vdots \\
w_1 r_{m1} & w_2 r_{m2} & \cdots & w_n r_{mn}
\end{pmatrix}
$$

3.1.3 Determining the ideal and negative ideal solutions

In this process, two artificial alternatives, $A^+$ (the ideal alternative) and $A^-$ (the negative ideal alternative), are defined as

$$
A^+ = \left\{ \left( \max_i v_{ij} \mid j \in J \right), \left( \min_i v_{ij} \mid j \in J' \right) \;\middle|\; i = 1, 2, \ldots, m \right\} = \{ v_1^+, v_2^+, \ldots, v_j^+, \ldots, v_n^+ \}, \qquad (3)
$$

$$
A^- = \left\{ \left( \min_i v_{ij} \mid j \in J \right), \left( \max_i v_{ij} \mid j \in J' \right) \;\middle|\; i = 1, 2, \ldots, m \right\} = \{ v_1^-, v_2^-, \ldots, v_j^-, \ldots, v_n^- \}. \qquad (4)
$$

$J$ is the subset of $\{1, 2, \ldots, n\}$ that contains the benefit attributes (e.g., size, robustness, and complexity). By contrast, $J'$ is the complement of $J$, which can be denoted $J^c$, the set of cost attributes.

3.1.4 Separation measurement calculation on the basis of the Euclidean distance

Separation measurement is conducted by calculating the distance between each alternative in $V$ and the ideal vector $A^+$ by using the Euclidean distance, which is given by

$$
S_i^+ = \sqrt{\sum_{j=1}^{n} \left( v_{ij} - v_j^+ \right)^2}, \qquad i = 1, 2, \ldots, m. \qquad (5)
$$

The separation measurement for each alternative in $V$ from the negative ideal $A^-$ is similarly given by

$$
S_i^- = \sqrt{\sum_{j=1}^{n} \left( v_{ij} - v_j^- \right)^2}, \qquad i = 1, 2, \ldots, m. \qquad (6)
$$

At the end of step 4, two values, namely $S_i^+$ and $S_i^-$, are computed for each alternative. These two values represent the distance between each alternative and both artificial alternatives (the ideal and the negative ideal).

3.1.5 Closeness to the ideal solution calculation

The closeness of $A_i$ to the ideal solution $A^+$ is defined as

$$
C_i = \frac{S_i^-}{S_i^+ + S_i^-}, \qquad 0 \le C_i \le 1, \qquad i = 1, 2, \ldots, m. \qquad (7)
$$

$C_i = 1$ if and only if $A_i = A^+$. Similarly, $C_i = 0$ if and only if $A_i = A^-$.

3.1.6 Step 6: Ranking the alternatives according to the closeness to the ideal solution

The set of alternatives $A_i$ can now be ranked in descending order of $C_i$. The highest value has the best performance.

3.2 Experimental Study

This section describes the experimental setup and the implementation of the TOPSIS steps within the ISO 27005 standard. The experiments were conducted in a small- and medium-size enterprise (SME) based in Kuala Lumpur, Malaysia, that specializes in cyber security consulting. The scope of the study is to examine the information security controls of the IT department. The organization assigned four people, who are experts in vulnerability assessment and penetration testing, for the implementation.

3.3 Procedure and Materials

The study determined the scope and infrastructure boundaries of the security controls. Security controls are classified into two types: technical and nontechnical. In this paper, we evaluated the technical ISCs. Technical controls are defined as the safeguards built into the hardware and the computer software, such as firewalls, routers, databases, and servers.

All tests were conducted in a real-time network. First, we identified a total of 18 technical security controls (see Table 4). We conducted more than 50 experiments to identify the vulnerabilities among these controls by using different vulnerability assessment tools, such as Nessus, Nmap, Dumpsec, Kismet, and Acunetix Web Vulnerability Scanner. We then ran over 100 experiments by using different penetration testing tools, such as Metasploit, AirSnort, Nstealth, Paros Proxy, ISS Database Scanner, and Spike. The aim of this step is to validate the analyzed data obtained from the vulnerability assessment.

Finally, the severity of the attack classes and the cost remediation effort level were evaluated based on the severity and cost remediation level scores described in Table 4, respectively. We had to validate the data and obtain an accurate result estimation prior to data analysis. Therefore, we conducted a group analysis panel with different experts to estimate the severity and the cost of the remediation effort. Finally, we analyzed the obtained results by using the TOPSIS method to prioritize the feedback and data of the experts. The results of the TOPSIS experiment are illustrated in detail in Section 4.

4. RESULTS

This section depicts the results obtained from the prior experiments conducted in a small-medium enterprise wherein different technical security controls are implemented. We ran the TOPSIS method using the Java programming language. The developed program converts all the mathematical equations into programming code. The data of the five evaluation criteria, namely known vulnerabilities, valid vulnerabilities, attack classes, severity of attacks, and remediation effort level, were prioritized using the TOPSIS method. There are 18 security controls under evaluation, ranked based on the evaluation criteria. The weights of the evaluation criteria were defined by an external cybersecurity team. The sum of the weights over the evaluation criteria must be equal to 1. The first and second steps of TOPSIS were conducted to extract the normalized data based on the weight rating, as depicted in Table 1. In addition, the ideal and negative ideal solutions were identified to calculate the separation and closeness, as described in Table 1. Table 2 describes the separations, closeness, and ranking of the security controls. The separation measures for these criteria were computed through all the mathematical equations. These results are discussed in detail in Section 5.

Table 1. Weight of Normalized Decision (weighted normalized values $v_{ij}$ for alternatives A1 to A18 with the $A^+$ and $A^-$ rows; the numeric cells are not recoverable from the extracted text)

5. DISCUSSION

Inaccurate ISC selection and evaluation can create an unclear view of the risk of an organization during the risk assessment exercise. The ISC prioritization method allows decision makers to make accurate decisions on the critical and important controls and threats to consider. We used the TOPSIS method to improve the ISO/IEC 27005 control assessment and the security decision-making of the organization by providing clear prioritization steps to select the most vulnerable and critical controls. Security controls were rated on a scale of 1 (critical risk) to 18 (low risk). We selected the top eight critical risks of the ISCs to the organization. The list of critical security controls in Table 4 shows that the web application is the most important critical control to address, followed by the router, web server, Passive Mail server, VMware ESX server, CCTV server, database, and Active Directory. These controls are evaluated based not only on the number of known vulnerabilities but also on the different evaluation criteria, such as severity and cost remediation effort level.

The controls for each criterion were ranked by using the TOPSIS method on the basis of the risk of the control (1 as most critical and 18 as least critical). The ranks for each criterion were then ranked by using the TOPSIS method to determine an overall rank. Table 1 also shows that the most significant controls of the organization are the Windows update server and the development server.
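The Java program mentioned in Section 4 is not reproduced in the paper. The following Python implementation is an added example (not the authors' code) that carries the Section 3.1 steps through on a constructed decision matrix of six controls scored against the five criteria of Section 4; the criterion names, weights and scores are assumptions, and treating remediation effort as a cost attribute (set $J^c$) is likewise an assumption of this example.

```python
"""TOPSIS ranking of technical security controls (added example, not the
paper's Java program). Follows Section 3.1: normalisation (Eq. 2), weighting,
ideal solutions (Eqs. 3-4), separations (Eqs. 5-6), closeness (Eq. 7), ranking."""
from math import sqrt

# The five evaluation criteria of Section 4. True = benefit attribute (set J,
# higher value moves a control closer to the "most critical" ideal A+);
# False = cost attribute (set J^c). Treating remediation effort as a cost
# attribute is an assumption of this example.
CRITERIA = [
    ("known_vulnerabilities", True),
    ("valid_vulnerabilities", True),
    ("attack_classes", True),
    ("severity", True),
    ("remediation_effort", False),
]
# Constructed criterion weights w_j; they must sum to 1.
WEIGHTS = [0.15, 0.25, 0.15, 0.30, 0.15]
# Constructed decision matrix x_ij: one row per control A_i, columns in
# CRITERIA order. These are not the case-study values from the paper.
CONTROLS = {
    "Web Application":    [24, 15, 6, 9, 4],
    "Router":             [12,  9, 4, 8, 3],
    "Web server":         [18, 10, 5, 7, 3],
    "Database":           [ 9,  5, 3, 8, 5],
    "DNS":                [ 4,  2, 2, 4, 2],
    "Development Server": [ 6,  1, 1, 3, 2],
}

def normalize(matrix):
    """Step 1 (Eq. 2): r_ij = x_ij / sqrt(sum over i of x_ij^2)."""
    n = len(matrix[0])
    norms = [sqrt(sum(row[j] ** 2 for row in matrix)) for j in range(n)]
    return [[row[j] / norms[j] if norms[j] else 0.0 for j in range(n)]
            for row in matrix]

def weight(normalized, weights):
    """Step 2: v_ij = w_j * r_ij; rejects weights that do not sum to 1."""
    if abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("criterion weights must sum to 1")
    return [[w * r for w, r in zip(weights, row)] for row in normalized]

def ideal_solutions(v, benefit):
    """Step 3 (Eqs. 3-4): A+ = column max on benefit / min on cost
    attributes; A- is the reverse."""
    cols = list(zip(*v))
    a_pos = [max(c) if b else min(c) for c, b in zip(cols, benefit)]
    a_neg = [min(c) if b else max(c) for c, b in zip(cols, benefit)]
    return a_pos, a_neg

def separation(row, ref):
    """Step 4 (Eqs. 5-6): Euclidean distance of one alternative from A+ or A-."""
    return sqrt(sum((vij - vj) ** 2 for vij, vj in zip(row, ref)))

def topsis(controls, weights=WEIGHTS, criteria=CRITERIA):
    """Steps 1-5: return {control: (S+, S-, C_i)} with C_i from Eq. 7."""
    names = list(controls)
    v = weight(normalize([controls[n] for n in names]), weights)
    a_pos, a_neg = ideal_solutions(v, [b for _, b in criteria])
    scores = {}
    for name, row in zip(names, v):
        s_pos, s_neg = separation(row, a_pos), separation(row, a_neg)
        c = s_neg / (s_pos + s_neg) if s_pos + s_neg else 0.0
        scores[name] = (s_pos, s_neg, c)
    return scores

def rank(controls, weights=WEIGHTS, criteria=CRITERIA):
    """Step 6: names in descending C_i; position 1 is the most critical."""
    scores = topsis(controls, weights, criteria)
    return sorted(scores, key=lambda name: scores[name][2], reverse=True)

if __name__ == "__main__":
    scores = topsis(CONTROLS)
    for pos, name in enumerate(rank(CONTROLS), start=1):
        s_pos, s_neg, c = scores[name]
        print(f"{pos:2d} {name:<20} S+={s_pos:.4f} S-={s_neg:.4f} C={c:.4f}")
```

With the constructed matrix the web application ranks first ($C_i \approx 0.86$) although it is not equal to $A^+$, because its remediation effort is above the column minimum; a control that matched $A^+$ in every column would score exactly 1.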

Table 2. Summary Results of the TOPSIS Application (columns $S_i^+$, $S_i^-$ and $C_i$ for each of the 18 controls, including the web server, DHCP server, Active Directory, CCTV server, file server, antivirus server, database, active mail server, Windows update server, VMware ESX server, passive mail server, wireless AP and email gateway; the numeric cells are not recoverable from the extracted text)

6. CONCLUSION

Control assessment is a critical step in information security risk management. Control assessment and analysis methods have become increasingly important to organizations that maintain a continued defense against threats. The current ISO/IEC 27005 framework does not provide enough practical details on ISC selection and evaluation. The assessment process is niche and requires more resources when conducted in organizations, particularly if the organization has a constant budget and limited resources to provide an entire risk picture. Few studies focus on improving the issues and challenges of information security systems. This paper proposes TOPSIS to enhance ISC selection and prioritization. Our solution improves the risk assessment process by providing dynamic analysis methods to assist organizations in accurately evaluating the ISCs by considering the weight of each attribute or evaluation criterion. This solution assists the organization in determining and selecting the effectiveness performance of security

Table 3: Ranking Summary of the Results (columns: Technical Security Controls, Vulnerabilities, Attack Class, Severity, Remediation Effort level; rows: Router, Firewall, Web Application, Web server, DHCP Server, Active Directory, CCTV Server, File server, Antivirus Server, Database, Active Mail Server, Windows Update Server, VMware ESX Server, Passive Mail Server, Wireless AP, Email Gateway, DNS, Development Server; the per-criterion rank values from 1 to 18 are not recoverable from the extracted text)

Figure 3. Technical Security Controls Ranking Using TOPSIS (bar chart over the 18 controls from Router to Development Server; vertical axis from 0 to 20)

In the future, these data may be used for different MADM methods. The results from this study can be examined to determine the most effective MADM method. Future research can also concentrate on evaluating this study by interviewing experts from organizations within similar industries.

7. REFERENCES

[1] A. Asosheh, B. Dehmoubed, and A. Khani. A new quantitative approach for information security risk assessment. In Computer Science and Information Technology, 2009. ICCSIT 2009. 2nd IEEE International Conference on, pages 222–227, 2009.

[2] Shuo-Yan Chou, Yao-Hui Chang, and Chun-Ying Shen. A fuzzy simple additive weighting system under group decision-making for facility location selection with objective/subjective attributes. European Journal of Operational Research, 189(1):132–145, 2008.

[3] A. Ekelhart, S. Fenz, and T. Neubauer. AURUM: A framework for information security risk management. In System Sciences, 2009. HICSS '09. 42nd Hawaii International Conference on, pages 1–10, January 2009.

[4] Nan Feng and Minqiang Li. An information systems security risk assessment model under uncertain environment. Applied Soft Computing, 11(7):4332–4340, 2011.

[5] Douglas W. Hubbard. The Failure of Risk Management: Why It is Broken and How to Fix It. Wiley, New Jersey, USA, 2009.

[6] C. L. Hwang and K. P. Yoon. Multiple Attribute Decision Making Methods and Applications: A State-of-the-Art Survey. Lecture Notes in Economics and Mathematical Systems Series. Springer London, Limited, 1981.

[7] ISO/IEC. ISO 27005 Information technology – Security techniques – Information security risk management, 2008.

[8] Cengiz Kahraman and Selçuk Çebi. A new multi-attribute decision making method: Hierarchical fuzzy axiomatic design. Expert Systems with Applications, 36(3):4848–4861, 2009.

[9] E. Kiesling, C. Strauss, and C. Stummer. A multi-objective decision support framework for simulation-based security control selection. In Availability, Reliability and Security (ARES), 2012 Seventh International Conference on, pages 454–462, 2012.

[10] S. Lauesen and H. Younessi. Six styles for usability requirements. In Proceedings of the Fourth International Workshop on Requirements Engineering: Foundation for Software Quality: REFSQ'98, pages 155–166, Pisa, Italy, 1998. Presses Universitaires de Namur.

[11] Jun-Jie Lv, Yong-Sheng Zhou, and Yuan-Zhuo Wang. A multi-criteria evaluation method of information security controls. In Computational Sciences and Optimization (CSO), 2011 Fourth International Joint Conference on, pages 190–194, 2011.

[12] Serafim Opricovic and Gwo-Hshiung Tzeng. Compromise solution by MCDM methods: A comparative analysis of VIKOR and TOPSIS. European Journal of Operational Research, 156(2):445–455, 2004.

[13] Angel R. Otero, Carlos E. Otero, and Abrar Qureshi. A multi-criteria evaluation of information security controls using Boolean features. International Journal of Network Security and Its Applications (IJNSA), 2(4):1–11, October 2010.

[14] Hsu-Shih Shih, Huan-Jyh Shyur, and E. Stanley Lee. An extension of TOPSIS for group decision making. Mathematical and Computer Modelling, 45:801–813, 2007.

[15] Anand Singh and David Lilja. Improving risk assessment methodology: a statistical design of experiments approach. In 4th International Conference on Security of Information and Networks (SIN 2011), pages 21–29, Sydney, Australia, October 2009. ACM.

[16] Evan Wheeler. Building an Information Security Risk Management Program from the Ground Up. Waltham, 2011.

[17] K. Paul Yoon and Ching-Lai Hwang. Multiple Attribute Decision Making: An Introduction. Quantitative Applications in the Social Sciences, volume 104, page 83. SAGE Publications, Inc., USA, 1995.

[18] Edmundas Kazimieras Zavadskas, Arturas Kaklauskas, Zenonas Turskis, and Jolanta Tamošaitienė. Multi-attribute decision-making model by applying grey numbers. Informatica, 20(2):305–320, April 2009.

