
Multi-Attribute Threat Index for Information Security: Simulation and AHP Approach

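Lee, Kang-Soo (Dreamwise Co., Ltd.)
Kim, Ki-Yoon (Department of Business Administration, Kwangwoon University)
Na, Kwan-Sik (Department of Management Information Systems, Seowon University)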
Publication Information
Journal of Information Technology Services / v.7, no.1, 2008, pp. 117-130
Abstract
Multi-attribute risk assessments provide a useful framework for systematic quantitative risk assessment that the security manager can use to prioritize security requirements and threats. In the first step, the security manager identifies the four significant outcome attributes (lost revenue, lost productivity, lost customer, and recovery cost). Next, the security manager estimates the frequency and severity (three-point estimates for outcome attribute values) of each threat and ranks the outcome attributes according to AHP (Analytic Hierarchy Process). Finally, we generate the threat index by using a multi-attribute function and perform sensitivity analysis with a simulation package (Crystal Ball). In this paper, we show how multi-attribute risk analysis techniques from the field of security risk management can be used by security managers to prioritize their organization's threats and security requirements and eventually derive a threat index. This threat index can help security managers decide whether their security investment is consistent with the expected risks. In addition, sensitivity analysis allows the security manager to explore the estimates to understand how they affect the selection.
Keywords
Information Security; Multi-Attribute Threat Index; Simulation;
Citations & Related Records
Times Cited By KSCI: 1