Journal of Networks 2012
A Hybrid Approach of Evidence Theory and Rough Sets for ISS Risk Assessment

Keywords: information systems security (ISS), evidence theory, rough sets

Abstract: In an electronic business environment, it is critical for an enterprise to assess information systems security (ISS) risks. In this paper we propose an approach based on evidence theory and rough sets to objectively represent the uncertainty inherent in ISS risk assessment. Uncertainty in security risk management stems from the incompleteness and vagueness of the conditioning attributes that characterize a risk. In the hybrid approach, evidence theory provides a consistent way to model experts' beliefs and to develop an evidential diagram for assessing ISS risk, one that contains variables such as the IS assets, the related threats, and the corresponding countermeasures. Rough set theory, in turn, is ideally suited to dealing with vague and incomplete information. Integrating the two approaches provides a way to handle both the uncertain evidence found in ISS risk assessment and the uncertainty that arises from conflicts between pieces of evidence. In a case study, the effectiveness of the proposed approach is evaluated by comparing it with other methods.
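As an added illustration of the evidence-theory component the abstract describes (not code from the paper), the following combines two constructed expert mass functions about one asset's risk level with Dempster's rule and reports the conflict mass K that the abstract's "conflicts of evidence" refers to; the frame of discernment, the two expert roles and all mass values are assumptions.

```python
from itertools import product

# Frame of discernment for one IS asset's risk level (constructed example).
FRAME = frozenset({"high", "medium", "low"})


def dempster_combine(m1, m2):
    """Combine two basic probability assignments with Dempster's rule.

    Each mass function maps a frozenset of risk levels to a mass in [0, 1],
    with masses summing to 1. Returns (combined_mass, conflict), where the
    conflict K is the mass that fell on empty intersections before
    normalisation; a K close to 1 signals that the experts largely disagree.
    """
    combined = {}
    conflict = 0.0
    for (a, ma), (b, mb) in product(m1.items(), m2.items()):
        inter = a & b
        if inter:
            combined[inter] = combined.get(inter, 0.0) + ma * mb
        else:
            conflict += ma * mb
    if conflict >= 1.0:
        raise ValueError("total conflict: Dempster's rule is undefined")
    norm = 1.0 - conflict
    return {k: v / norm for k, v in combined.items()}, conflict


def belief(m, hypothesis):
    """Bel(A): total mass of focal elements contained in A."""
    return sum(v for k, v in m.items() if k <= hypothesis)


def plausibility(m, hypothesis):
    """Pl(A): total mass of focal elements that intersect A."""
    return sum(v for k, v in m.items() if k & hypothesis)


# Constructed opinions about the risk to a customer database.
# Expert 1 (threat analyst) leans towards high risk but keeps some ignorance.
EXPERT_THREAT = {frozenset({"high"}): 0.6, frozenset({"high", "medium"}): 0.2, FRAME: 0.2}
# Expert 2 (countermeasure owner) argues that existing controls keep risk low.
EXPERT_CONTROLS = {frozenset({"low"}): 0.5, frozenset({"medium", "low"}): 0.3, FRAME: 0.2}


def assess_asset_risk():
    """Fuse both opinions and report the belief interval for 'high' risk."""
    m, k = dempster_combine(EXPERT_THREAT, EXPERT_CONTROLS)
    high = frozenset({"high"})
    return {"conflict": round(k, 4),
            "bel_high": round(belief(m, high), 4),
            "pl_high": round(plausibility(m, high), 4)}
```

The belief interval [Bel, Pl] for "high" is what an evidential diagram would carry forward per asset, while K shows how much the two experts' evidence had to be discarded to reach it.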