An Information Systems Security Risk Assessment Model Under the Dempster-Shafer Theory of Belief Functions

  • Authors: Lili Sun; Rajendra P. Srivastava; Theodore J. Mock
  • Affiliations: Rutgers Business School; University of Kansas; University of Southern California (USC) and Maastricht University, the Netherlands
  • Venue: Journal of Management Information Systems
  • Year: 2006


Abstract

This study develops an alternative methodology for the risk analysis of information systems security (ISS): an evidential reasoning approach under the Dempster-Shafer theory of belief functions. The approach has the following important dimensions. First, the evidential reasoning approach provides a rigorous, structured manner to incorporate relevant ISS risk factors, related countermeasures, and their interrelationships when estimating ISS risk. Second, the methodology employs the belief function definition of risk, that is, ISS risk is the plausibility of ISS failures. The proposed approach has other appealing features, such as facilitating cost-benefit analyses to help promote efficient ISS risk management. The paper elaborates the theoretical concepts and provides operational guidance for implementing the method. The method is illustrated using a hypothetical example from the perspective of management and a real-world example from the perspective of external assurance providers. Sensitivity analyses are performed to evaluate the impact of important parameters on the model's results.