Information System Risk Assessment Model Based on Self-Adaptive Expert Weight

Abstract

Abstract: Aiming to the problems that it is difficult to set the expert weight reasonably and the assessment result is greatly affected by the subjectivity of experts in the process of risk assessment, an information system risk assessment model SAEW-ISRA based on self-adaptive expert weight is proposed， and an adaptive adjustment method of fine-grained expert weight is presented. Firstly, triangular fuzzy number is introduced to score the attribute of risk indicators in the process of assessment. Secondly, the level of expert’s knowledge is described according to the fuzziness of expert score, and the posterior weight is constructed according to the distance from the average score of expert group, making the expert’s weight be adjusted adaptively; At the same time, the fuzzy analytic hierarchy process is used to construct the weight of risk indicators. Then, a risk quantification method of information system risk indicators is proposed, which can calculate the risk value. Finally, through an example of risk assessment of an information system, it is verified that the proposed method can achieve higher evaluation accuracy, and solve the problem of unreasonable weight in the evaluation process to a certain extent.

Key words: information system, risk assessment, expert weight, triangular fuzzy number, fuzzy analytic hierarchy process

LU Sai, ZHUANG Yi. Information System Risk Assessment Model Based on Self-Adaptive Expert Weight[J]. Computer and Modernization, 2021, 0(08): 85-93.

References ［32］

［1］	EHRENFELD J M. Wannacry, cybersecurity and health information technology: A time to act［J］. Journal of Medical Systems, 2017,41(7):104.
［2］	Kaspersky Website. Kaspersky Security Bulletin 2019. Statistics［EB/OL］. （2019-12-12)［2020-11-01］. https://securelist. com/kaspersky-security-bulletin-2019-statistics/95475/.
［3］	WANGEN G B. Information security risk assessment: A method comparison［J］. Computer, 2017,50(4):52-61.
［4］	冯登国,张阳,张玉清. 信息安全风险评估综述［J］. 通信学报, 2004,25(7):10-18.
［5］	HE M X, AN X. Information security risk assessment based on analytic hierarchy process［J］. Indonesian Journal of Electrical Engineering and Computer Science, 2016,1(3):656-664.
［6］	WANG H, CHEN Z F, FENG X, et al. Research on network security situation assessment and quantification method based on analytic hierarchy process［J］. Wireless Personal Communications, 2018,102(2):1401-1420.
［7］	TAO L L, LIN H, SHEN Y J, et al. Optimal combination between subjective weighting and objective weighting based on maximum square sum of distance for information security risk assessment［C］// 2016 7th IEEE International Conference on Software Engineering and Service Science (ICSESS). 2016:471-474.
［8］	KOKANGUL A, POLAT U, DAGSUYU C. A new approximation for risk assessment using the AHP and Fine Kinney methodologies［J］. Safety Science, 2017,91:24-32.
［9］	彭道刚,卫涛,赵慧荣,等. 基于D-AHP和TOPSIS的火电厂控制系统信息安全风险评估［J］. 控制与决策, 2019,34(11):2445-2451.
［10］	LI W M, LIANG Y, WANG W Y, et al. Research on security risk assessment based on the improved FAHP［J］. IOP Conference Series: Materials Science and Engineering, 2020,719(1):012008.
［11］	HUANG X P, XU W. Method of information security risk assessment based on improved fuzzy theory of evidence［J］. International Journal of Online and Biomedical Engineering (iJOE), 2018,14(3):188-196.
［12］	WU X Q, SHEN Y J, ZHANG G D, et al. Information security risk assessment based on DS evidence theory and improved TOPSIS［C］// 2016 7th IEEE International Conference on Software Engineering and Service Science. 2016:153-156.
［13］	WANG D Q, LU Y M, GAN J F. An information security evaluation method based on entropy theory and improved TOPSIS［C］// 2017 IEEE 2nd International Conference on Data Science in Cyberspace. 2017:595-600.
［14］	弭乾坤,吴斌,杜宁,等. 基于不完全信息博弈模型的信息系统安全风险评估方法［J］. 计算机与现代化, 2019(4):118-126.
［15］	LUO H S, SHEN Y J, ZHANG G D, et al. Information security risk assessment based on two stages decision model with grey synthetic measure［C］// 2015 6th IEEE International Conference on Software Engineering and Service Science. 2015:795-798.
［16］	高志方,盛冠帅,彭定洪. 妥协率法在信息安全风险评估中的应用［J］. 计算机工程与应用, 2017,53(23):82-87.
［17］	DUAN Y C, CAI Y H, WANG Z K, et al. A novel network security risk assessment approach by combining subjective and objective weights under uncertainty［J］. Applied Sciences, 2018,8(3):428.
［18］	YU J J, HU M, WANG P. Evaluation and reliability analysis of network security risk factors based on DS evidence theory［J］. Journal of Intelligent & Fuzzy Systems, 2018,34(2):861-869.
［19］	HAMID T, AL-JUMEILY D, HUSSAIN A, et al. Cyber security risk evaluation research based on entropy weight method［C］// 2016 9th International Conference on Developments in eSystems Engineering. 2016:98-104.
［20］	XIE H Y, WANG Y, ZHANG X H, et al. The study of information security risk assessment based on support vector machine［J］. MATEC Web of Conferences, 2018,232:01043.
［21］	GAO Y Y, SHEN Y J, ZHANG G D, et al. Information security risk assessment model based on optimized support vector machine with artificial fish swarm algorithm［C］// 2015 6th IEEE International Conference on Software Engineering and Service Science. 2015:599-602.
［22］	WANG J, FAN K F, MO W, et al. A method for information security risk assessment based on the dynamic Bayesian network［C］// International Conference on Networking & Network Applications. 2016:279-283.
［23］	SU C M, LI Y G, MAO W, et al. Information network risk assessment based on AHP and neural network［C］// 2018 10th International Conference on Communication Software and Networks. 2018:227-231.
［24］	SONG Y Q, SHEN Y J, ZHANG G D, et al. The information security risk assessment model based on GA-BP［C］// 2016 7th IEEE International Conference on Software Engineering and Service Science. 2016.
［25］	李森宇,毕方明,刘晋,等. ICS-BPNN在信息安全风险评估中的应用［J］. 中国科技论文, 2018,13(2):171-175.
［26］	DONG G S, LI W C, WANG S W, et al. The assessment method of network security situation based on improved BP neural network［C］// International Conference on Computer Engineering and Networks. 2018:67-76.
［27］	HU J J, GUO S S, KUANG X H, et al. I-HMM-based multidimensional network security risk assessment［J］. IEEE Access, 2019,8:1431-1442.
［28］	VAN LAARHOVEN P J M, PEDRYCZ W. A fuzzy extension of Saaty’s priority theory［J］. Fuzzy Sets and Systems 1983,11(1):199-227.
［29］	LIOU T S, WANG M J J. Ranking fuzzy numbers with integral value［J］. Fuzzy Sets and Systems, 1992,50(3):247-255.
［30］	张吉军. 模糊层次分析法(FAHP)［J］. 模糊系统与数学, 2000,14(2):80-88.
［31］	阮民荣,王玉燕. 基于模糊一致判断矩阵排序方法的比较［J］. 统计与决策, 2006(23):16-17.
［32］	ZHI H, ZHANG G D, LIU Y Q, et al. A novel risk assessment model on software system combining modified fuzzy entropy-weight and AHP［C］// 2017 8th IEEE International Conference on Software Engineering and Service Science. 2017:451-545.

[1]	WANG Xiao-yu, SUN Ka. Visualization of 3D Virtual Campus Based on osgEarth [J]. Computer and Modernization, 2020, 0(11): 89-93.
[2]	CUI Wen-di, DUAN Peng-fei, ZHU Hong-qiang, LIU Na. Security Risk Assessmenton of Attack Graph and HMM Industrial Control Network [J]. Computer and Modernization, 2020, 0(07): 32-37.
[3]	YE Qian1,WANG Yu-fei2,FU Yi3,TANG Yu-lan1. GQM-based Risk Assessment Method for Industrial Control Systems [J]. Computer and Modernization, 2019, 0(08): 92-.
[4]	DAI Yong-qiang， WANG Lian-guo. Evaluation of Surface Soil Heavy Metal Pollution in City [J]. Computer and Modernization, 2019, 0(08): 105-.
[5]	MI Qian-kun1, WU Bin2, DU Ning1,QIN Xi1. Information System Security Risk Assessment Based on Incomplete Information Game Model [J]. Computer and Modernization, 2019, 0(04): 118-.
[6]	YUAN Jie， ZHANG Min-lei. Research on Fault Recovery Mechanism of Power Information System Based on SDN [J]. Computer and Modernization, 2018, 0(11): 7-.
[7]	WANG Yin， GUO Hong-yu. CART-based Risk Assessment of Community Correction Staff [J]. Computer and Modernization, 2018, 0(08): 73-.
[8]	HUANG Yujie, TANG Zuoqi. Information Security Risk Assessment Based on Improved Bayesian Network Model [J]. Computer and Modernization, 2018, 0(04): 95-.
[9]	XU Rui1,2, YOU Jia1,2, LIU Kun1,2, MA Feng1,2, DUAN Ke2, ZHONG Yan-tao3. Identification System for Enterprise Users Based on [J]. Computer and Modernization, 2018, 0(03): 102-.
[10]	LI Yan-ling1, WU Jian-wei1, ZHU Ye-hang2. A Method for Determining Expert’s Weight Based on Consistency of Judgment Matrix [J]. Computer and Modernization, 2017, 0(6): 20-24+29.
[11]	JIANG Hua， XU Guo-cun， YANG Jing. Design and Implementation of Housing Levy and Compensation #br# Information System on State-owned Land [J]. Computer and Modernization, 2017, 0(5): 109-112.
[12]	MA Jia-yan, WANG Ping, SHEN Hong-wei. Design of Competitive Data Distribution System Based on Middleware [J]. Computer and Modernization, 2017, 0(12): 94-97.
[13]	SUN Xiao-jun. Matrix Algorithm for Minimum Spanning Tree Problem on Fuzzy Weighted Network [J]. Computer and Modernization, 2016, 0(9): 21-24.
[14]	YU Yue-yang, MIAO Hong, GE Shi-lun, WANG Nian-xin. Optimization of Enterprise Information System Menu Using Association [J]. Computer and Modernization, 2016, 0(11): 99-103.
[15]	QU Zhong, JIANG Shao-hua, ZHOU Biao. Female Village Officers Information Support Network System [J]. Computer and Modernization, 2016, 0(1): 12-15.