Multi-Attribute Threat Index for Information Security : Simulation and AHP Approach

정보보호를 위한 다속성 위협지수 : 시뮬레이션과 AHP 접근방법

  • Published : 2008.03.31

Abstract

Multi-attribute risk assessments provide a useful framework for systematic quantitative risk assessment that the security manager can use to prioritize security requirements and threats. In the first step, the security managers identify the four significant outcome attributes (lost revenue, lost productivity, lost customer, and recovery cost). Next, the security manager estimates the frequency and severity (three-point estimates for outcome attribute values) for each threat and ranks the outcome attributes using AHP (Analytic Hierarchy Process). Finally, we generate the threat index by using a multi-attribute function and perform sensitivity analysis with a simulation package (Crystal Ball). In this paper, we show how multi-attribute risk analysis techniques from the field of security risk management can be used by security managers to prioritize their organization's threats and their security requirements and, eventually, to derive a threat index. This threat index can help security managers decide whether their security investment is consistent with the expected risks. In addition, sensitivity analysis allows the security manager to explore the estimates to understand how they affect the selection.
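The three steps of the abstract can be followed end to end in the sketch below, which is an added example and not code or data from the paper. It assumes an additive multi-attribute function, triangular distributions for the three-point estimates, row geometric-mean AHP weights, and a seeded Python simulation standing in for Crystal Ball; the threat names, pairwise judgments and all numbers are constructed.

```python
import math
import random

# Outcome attributes named in the abstract; every number below is constructed.
ATTRS = ["lost_revenue", "lost_productivity", "lost_customer", "recovery_cost"]
# AHP pairwise matrix (Saaty 1-9 scale): PAIRWISE[i][j] = importance of i over j.
PAIRWISE = [[1, 3, 2, 5], [1/3, 1, 1/2, 2], [1/2, 2, 1, 3], [1/5, 1/2, 1/3, 1]]
# Threats: (incidents per year, [(low, likely, high) per attribute, in ATTRS order]).
THREATS = {
    "virus": (20, [(1, 5, 20), (2, 8, 30), (0, 1, 5), (1, 3, 10)]),
    "dos": (3, [(10, 40, 100), (5, 20, 60), (1, 10, 40), (2, 5, 20)]),
    "insider_theft": (0.5, [(20, 80, 200), (2, 10, 40), (5, 30, 100), (5, 20, 60)]),
}

def ahp_weights(m):
    """Row geometric-mean approximation of the AHP priority vector."""
    gm = [math.prod(row) ** (1 / len(row)) for row in m]
    return [g / sum(gm) for g in gm]

def consistency_ratio(m, w):
    """Saaty consistency ratio for a 4x4 matrix; below 0.10 is the usual cutoff."""
    n = len(m)
    lam = sum(sum(m[i][j] * w[j] for j in range(n)) / w[i] for i in range(n)) / n
    return ((lam - n) / (n - 1)) / 0.90  # 0.90 = Saaty random index for n = 4

def simulate(threats, weights, trials=5000, seed=1):
    """Threat index per trial: freq * sum_j w_j * (sampled x_j / worst case of j)."""
    rng = random.Random(seed)
    worst = [max(t[1][j][2] for t in threats.values()) for j in range(len(weights))]
    out = {}
    for name, (freq, est) in threats.items():
        runs = sorted(
            freq * sum(w * rng.triangular(lo, hi, mode) / s
                       for w, (lo, mode, hi), s in zip(weights, est, worst))
            for _ in range(trials))
        out[name] = {"mean": sum(runs) / trials,
                     "p05": runs[int(0.05 * trials)], "p95": runs[int(0.95 * trials)]}
    return out

def rank(result):
    """Threat names ordered from highest to lowest mean threat index."""
    return sorted(result, key=lambda k: result[k]["mean"], reverse=True)

if __name__ == "__main__":
    w = ahp_weights(PAIRWISE)
    print(dict(zip(ATTRS, (round(x, 3) for x in w))))
    print("CR:", round(consistency_ratio(PAIRWISE, w), 4))
    res = simulate(THREATS, w)
    for name in rank(res):
        print(name, {k: round(v, 3) for k, v in res[name].items()})
```

The p05 to p95 spread per threat is the sensitivity view: overlapping intervals mean the ranking depends on the estimates and those inputs deserve a closer look.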
