Free download of the English paper "Performance evaluation of the recommendation mechanism of information security risk identification" - Elsevier 2018

Persian title
Performance evaluation of the recommendation mechanism of information security risk identification
English title
Performance evaluation of the recommendation mechanism of information security risk identification
Persian article pages
0
English article pages
21
Year of publication
2018
Publisher
Elsevier
English article format
PDF
Article type
ISI
Type of writing
Research articles
References
Yes
Database
Scopus
Product code
E10212
Fields related to this article
Computer engineering
Specializations related to this article
Information security
Journal
Neurocomputing
University
Telecommunication Laboratories - Chunghwa Telecom Co. - Ltd - Taiwan - ROC
Keywords
Threat, vulnerability, risk recommendation, security
DOI or digital identifier
https://doi.org/10.1016/j.neucom.2017.05.106

Abstract


In recent decades, information security has become crucial for protecting the benefits of a business operation. Many organizations perform information security risk management in order to analyze their weaknesses and enforce the security of their business processes. However, identifying the threat-vulnerability pairs for each information asset during the process of risk assessment is difficult and time-consuming for the risk assessor. Furthermore, if the identified risk diverges from the real situation, the organization may put emphasis on unnecessary controls to prevent a non-existent risk. In order to resolve the problem mentioned above, we utilize a data mining approach to discover the relationship between assets and threat-vulnerability pairs. In this paper, we propose a risk recommendation mechanism for assisting users in identifying threats and vulnerabilities. In addition, we also implement a risk assessment system to collect the historical selection records and measure the elapsed time. The result shows that with the assistance of risk recommendations, the mean elapsed time is shorter than with the traditional method by more than 21%. The experimental results show that the risk recommendation system can improve both the efficiency and the accuracy of risk identification.

Conclusion and Future work


In this paper, we propose a recommendation mechanism to assist the risk assessor in selecting the most suitable threat-vulnerability pairs while performing risk identification. The recommendation list is created through the use of Predictive Apriori with the historical selection data of the ISO/IEC 27001:2013 certified business unit. The results of a prior experiment performed by security experts confirmed that the recommendation list can help risk assessors in selecting the appropriate risk item. In addition, in order to evaluate the elapsed time of the risk identification, we implemented a risk assessment system for helping risk assessors in the whole risk management cycle. Meanwhile, the system collects the historical selection records from risk assessors. More than a hundred critical information systems were selected for performing the experiment. According to the experimental results, with the assistance of the recommendation list, risk assessors can shorten the elapsed time of decision-making. Finally, this not only improves the efficiency, but also enhances the accuracy of selecting the appropriate threat-vulnerability pair in the process of risk identification. In the future, we intend to expand the scope of the experiment, which will ensure that more data can be collected and analyzed. The more data we collect, the more complete the model will be. In addition, the algorithm of the association rule adopted in this paper can be refined and extended so as to improve the performance and accuracy. Finally, much more research in general needs to be done to assist organizations in protecting their assets from harm within an acceptable price range.

