2019

AN INFORMATION SECURITY RISK ASSESSMENT MODEL BASED ON BAYESIAN NETWORK AND FUZZY INFERENCE SYSTEM

Keywords: Information Security Management, Risk Assessment, Fuzzy Inference System, Bayesian Networks

Abstract: This study proposes a novel information security risk assessment approach based on a Bayesian network and a Fuzzy Inference System in order to evaluate and calculate both qualitative and/or quantitative risks. The proposed model is developed to analyse the test processes of a software services company in order to evaluate its information security risks. Threats, vulnerabilities, risks, and their relations are modelled with a Bayesian network, and marginal probabilities are calculated for each risk factor. Several fuzzy membership functions and fuzzy decision rules are designed and constructed for asset values, risk probabilities, and relative risk values. Finally, the impacts of the risk values are calculated after the aggregation and defuzzification process. It is shown that this new model enables business decision makers and managers to obtain more objective, reliable, and flexible information security risk assessment results.