Informatica


Information Security Risk Assessment in Critical Infrastructure: A Hybrid MCDM Approach
Volume 30, Issue 1 (2019), pp. 187–211
Zenonas Turskis   Nikolaj Goranin   Assel Nurusheva   Seilkhan Boranbayev  

https://doi.org/10.15388/Informatica.2019.203
Pub. online: 1 January 2019      Type: Research Article      Open access

Received: 1 September 2018
Accepted: 1 January 2019
Published: 1 January 2019

Abstract

Risk analysis has always been one of the essential procedures in any area. The majority of security incidents occur because risks are ignored or assessed inaccurately. This is especially dangerous for critical infrastructures. Thus, the article describes a model developed for risk assessment of essential infrastructures. The goal of the model is to provide a reliable method for multifaceted risk assessment of information infrastructure. The purpose of the article is to present the developed model, which is based on integrated MCDM approaches that allow the risks of critical information infrastructures to be assessed correctly.

Biographies

Turskis Zenonas
zenonas.turskis@vgtu.lt

Z. Turskis is prof. dr. of technical sciences, professor at the Department of Construction Management and Real Estate, chief research fellow at the Laboratory of Operational Research, Research Institute of Sustainable Construction, Vilnius Gediminas Technical University, Lithuania. Research interests: building technology and management, decision-making theory, computer-aided automation in design, expert systems. He is the author of more than 120 research papers, which are referenced in the Web of Science database.

Goranin Nikolaj
nikolaj.goranin@vgtu.lt

N. Goranin, PhD, is an associate professor at the Department of Information Systems and vice-dean for research and international relations at the Faculty of Fundamental Sciences at Vilnius Gediminas Technical University. He has job experience as a system administrator and as an FP6 and EU structural funds project coordinator. Member of ISACA Lithuania Board. He holds the position of Chief Information Security Officer at a Level 1 (VISA classification) service provider (responsible for PCI DSS compliance and certification). He holds the CISM and CISA certificates. He has published over 30 papers. Research interests: information security technologies, information security management, artificial intelligence in information security, information security process modelling.

Nurusheva Assel

A. Nurusheva is a PhD student at the Department of Information Systems, Gumilyov Eurasian National University, Astana, Kazakhstan. Research interests: information technologies, risk management, reliability, decision-making theory, computer-aided automation in design, expert systems.

Boranbayev Seilkhan
sboranba@yandex.kz

S. Boranbayev is prof. dr. of technical sciences, professor at the Department of Information Systems, Gumilyov Eurasian National University, Astana, Kazakhstan. Member of American Mathematical Society (2006), academician of the International Academy of Informatization (2009). The author and co-author of more than 100 papers and monographs. Scientific interests: information and computer technologies, reliability and security of information and computer systems, mathematical cybernetics, mathematical and computer modelling, system analysis, artificial intelligence.



Copyright
© 2019 Vilnius University
Open access article under the CC BY license.

Keywords
information security fuzzy risk assessment infrastructure AHP Delphi method Eckenrode method MCDM

INFORMATICA

  • Online ISSN: 1822-8844
  • Print ISSN: 0868-4952