Abstract: In allusion to accuracy of security risk assessment for information systems in campus, put forth a method to evaluate security risks of the information system combining fuzzy set with the entropy theory. By analyzing risk factors involved in the information system with fuzzy set, this method constituted the matrix on dependence degrees of evaluation sets corresponding to various factors and then determined weights of risk factors with the entropy coefficient method to reduce subjective bias. During the evaluating process, security risk values of different factors have been integrated with the system integration method, so that levels on security risks of information system in campus can be determined. Case analysis proved that this method can be effectively applied in security risk assessment for information system in campus.
INTRODUCTION
In today’s information age when cyber attacks are increasingly expanding the scale, security risks confronted to information system in campus are getting serious day by day, whose security concerns fundamental interests of the country and information systems users. As a result of its special nature, campus has a lot of important and confidential information resources. Unfortunately, defense capability of the campus on information security is relatively weak compared to other industries. In order to protect their operation in safe and normal states, we must find out the serious flaws that could lead to standstill and one of the effective ways to solve this problem is to conduct security risk assessment for information systems of the campus. In view of literatures at home and abroad, a number of scholars have established evaluation models for security risks of the information system by applying fuzzy mathematics theory (Fu et al., 2010) grey system theory (Zhang et al., 2012), rough set theory, neural network, Bayesian network (Fu et al., 2006) and others, who have made some achievements in evaluating process and method (Dzazali and Zolait, 2012). Gehani (2003) proposed a set of host-based models for risk management and decision-making in his doctoral thesis. Basic idea on decision-making methods relating to information security risks proposed by Bilar (2003) in his doctoral thesis goes as: A variety of harmful consequences are owing to vulnerability of software in the network host, if overall risk of those software exceeds the threshold value set by the system administrator, security decision-making shall be made, i.e., replace software to reduce its overall risk. Zhao et al. (2007) proposed the model of fuzzy risk assessment for information system and got the final comprehensive evaluation with the weight sum. Although, the method is simple, there are still relatively great subjective preferences on systematic characteristics and accuracy. Zhang et al. (2010) have evaluated the overall risk by constructing risk matrix, but this method is not applicable for analysis on models in multi-level structure with many risk factors.
Evaluation on security risk is an important part of safety engineering for information system, acting as the basis and prerequisite for building up the security system. Security risk of information system refers to the combination of potential possibility of impact and potential impact onto asset or asset group in the system produced by threats which make use of existing vulnerability (Liu et al., 2010). Under evaluation method proposed by this study for security risks of the information system, it was analyzed from the perspective of system engineering, constituted matrix about dependence degrees of evaluation sets with fuzzy sets on the basis of overall analysis for various risk factors involved in information system, determined weight vectors of those factors with the entropy coefficient method (Ahmed et al., 2012) and thus obtained the security risk value for the system. This method is simple and practical with strong sense of pertinence, providing comprehensive evaluation on security risks of information system with a new thought in scientific and feasible manners, which serves as the directional guidance for designing the supportive system to evaluate security risks of the information system.
PRELIMINARIES
Security risk assessment for information system: According to BS 7799 standard (BS 7799-2, 1999), risk is defined as the possibility of loss or damage caused by main threat taking advantage of vulnerability of the assets. Security risk of the information system-R is seen as a function among asset, threat and vulnerability, namely:
R = g (a, t, v)
where, A stands for the impact onto assets; t refers to frequency of the threat towards system, v is the severity of vulnerability (Zhang et al., 2008). By analyzing the concept and physical logic about security of the information system, the relational graph relating to basic elements of risk assessment was obtained as shown in Fig. 1. GB/T 20984-2007 standard defined asset impact, threat frequency and severity of vulnerability all in five grades, specifically stated as: Very high, high, medium, low, very low.
Fuzzy mathematics and fuzzy set: In practice, fuzzy mathematics is extensively and successfully applied in different areas of the national economy, especially in science and technology, economic management and social sciences.
| Fig. 1: | Relation among basic elements of risk assessment |
Fuzzy mathematics has been founded by L.A. Zadeh in 1921 an American cyberneticist. In 1965, he published the paper entitled as "Fuzzy Sets", which declared the birth of fuzzy mathematics.
Definition: Set U as the discourse domain, called as mapping:
μA: U→{0, 1}, x|→XA (x)∈[0, 1]
Which determines the fuzzy subset A on U. Mapping μA is called as A’s membership function, μA(x) is called as x’s degree of membership corresponding to A. The above definition showed that fuzzy subset A is solely determined by the membership function μA. Afterwards, fuzzy subset A is always considered as equal to membership function μA. The collection of fuzzy subsets on U is called as U’s fuzzy power set and recorded as P(A). For simplicity, μA(x) can be replaced by A(x). Fuzzy subset is simply called as fuzzy set and degree of membership is called as membership degree. Membership degree and membership function are basic ideas of fuzzy mathematics.
Information entropy theory: The concept of entropy was first proposed in 1865 by the German physicist Rudolf Clausius. In 1948, father of the information theory-Claude Elwood Shannon introduced the concept of entropy into the field of information, which used "Information entropy" as a measure to estimate disorder degree of the information (Liang and Qian, 2008). Shannon systematically presented the measuring method:
for information going as used entropy to measure uncertainty or information quantity of a random event with probability statistics, which laid the scientific theoretical basis for modern information theory and extended the quantified application of entropy into studies on uncertainty and random quantification of the system (Ding et al., 2010).
In different systems, entropy can be used to measure state confusion or disorder, uncertainty or lack of information, inhomogeneities or richness and etc. Therefore, appraising order degree of the system architecture with extensive application of the theory on information entropy became a new approach for today’s system architecture evaluation.
METHOD ON SECURITY RISK ASSESSMENT FOR INFORMATION SYSTEM BASED ON FUZZY SET AND ENTROPY THEORY
To determine entropy coefficients of risk factors: Assume that the system may be in n different states: {S1, S2,…, Sn}, Pi presents the probability of the system in the state of Si, where:
then entropy of the system X is:
| (1) |
Extreme values of the entropy showed that entropy value will get larger as Pi closer to equal, where uncertainty of the security risk factors for evaluation on system risks will be greater. Thus, weight of indicators with information entropy according to supportive degree Pij of various security risk factors for indicators in the judgment set can be calculated. Relative importance of the risk factor Ai can be measured by entropy:
| (2) |
Entropy has the extreme value. When the system state is in equal probability, i.e., Pi = 1/n, entropy reaches to the maximum value: Hmax = lnm. Conducting normalization for Eq. 2 with Hmax, we can get the entropy value of relative importance for measuring the security risk factor Ai:
| (3) |
When pij (j = 1, 2,…, m) are at equal values, entropy ei reaches to the maximum 1. Namely, as 0≤ei≤1 when entropy reaches to the maximum, we can use (1-ei) to measure weight of the security risk factor Ai. After the normalization, we can obtain weight φi of the risk factor Ai as:
| (4) |
Where:
φi met with:
Fuzzy set and membership matrix: Among factors involved in security risk assessment for information system, those with more obvious fuzzy features include asset impact, threat frequency and severity of vulnerability. An analysis can be conducted by applying fuzzy set, where steps for constructing security risk factor set and judgment set are as follows: (1) Constitute the security risk factor set, set U = {u1, u2, …, un}, where n is the number of factors. (2) Constitute the judgment set. Relatively with different criteria on the previous level, experts make comments on risk degree to each risk factor and divide them into m levels to measure performance on each indicator and relevant risk degrees therefrom. Different judgment sets can be established for different criteria. For example, set judgment sets of V = {v1, v2, …, vm} for asset, threat and vulnerability, where m is the number of elements in the judgment set. (3) Invite experts to evaluate factors in the risk factor set U by referring to judgment set V and constitute fuzzy mapping f: U→F(V), where F(V) refers to all those in the fuzzy set on V, ui|→f(ui) = (pi1, pi2,..., pim)∈F(V), fuzzy mapping f indicates supportive degree of risk factor ui for comments in the judgment set. f can induce a fuzzy relation Rf∈F(U×V), namely, Rf(ui, vj) = f(ui) (vj) = pij, which can obtain the membership matrix P [10] as follows:
Different membership matrix will be made for asset impact, threat frequency and severity of vulnerability according to impacts onto assets imposed by factors relating to security risks of the information system, respectively as Pa, Pt and Pv, where corresponding weight vectors is φ = (φ1, φ2,..., φn). As calculating the asset impact, endow indicators in the judgment set with appropriate weight to obtain the indicator weight vector U = (u1, u2, …, un1), where n1 is the number of elements in the judgment set of asset impact going as:
Ra = φ•Pa•U’
Similarly, we obtain the indicator weight vector of judgment set for threat frequency going as V = (v1, v2, …, vn2), where n2 is the number of elements in the judgment set of threat frequency and the threat frequency is Ri = φ•Pa•U’; Then, we obtain the indicator weight vector of judgment set for severity of vulnerability going as W = (w1, w2, …, wn3), where n3 is the number of elements in the judgment set of vulnerability severity and vulnerability severity is Rv = φ•Pv•U’.
Security risk rating: We can obtain values of asset impact, threat frequency and severity degree (Ra, Rt, Rv) in the way of calculating described above. By integrating security risk value of each element with system integration method, we can obtain system risk values as follows:
where, k1, k2 and k3 represent the relative importance of the three elements and k1+k2+k3 = 1. Determining risk rating with Table 1, resolving action priority in accordance with risk rating and developing appropriate measures, we can ultimately make a reasonable and feasible plan for risk disposal.
RESULTS AND DISCUSSION
Taking database server of the information system in a university at the central region as an example, calculates security risks in comprehensive manners with the evaluation model we have built.
| Table 1: | Risk level description and quantitative expression |
| Fig. 2: | Factors on security risk of database server |
Risk factors S influencing security of the database server include S = {S1, S2, S3, S4, S5} = {database management system, database server operating system, database server applications, hardware, communication device}, as shown in Fig. 2.
These five groups of risk factors are composed by the following risk factors (Gong et al., 2011):
| • | S1 = {S11, S12, S13, S14} = {data file destroyed, errors occur during query or restoration, errors occur during data modification, deletion error} |
| • | S2 = {S21, S22, S23, S24, S25} = {buffer overflow, register destruction, file and directory structure damaged, rewriting of user account and priority, conflict among different applications} |
| • | S3 = {S31, S32, S33, S34} = {function error, can not access the required resources, illegal data input, the conflict with the operating system version} |
| • | S4 = {S41, S42, S43, S44, S45} = {memory failure, CPU failure, hard drive failure, power failure, bus malfunction} |
| • | S5 = {S51, S52, S53} = {network hardware or interface failure, communication protocol failure, router failure} |
According to the expertise and experience of experts and aiming at five groups of risk factors mentioned above, respectively determine weight coefficient for indicators relating to security risks confronted with database server and calculate the value on comprehensive security risk.
Step 1: Constitute factor set and judgment set on security risk: Taking "hardware (S4)" as an example for analysis, the security risk factor set U = {u1, u2, u3, u4, u5}, where ui (i = 1, 2, 3, 4, 5), respectively representing judgment sets U for risk factor sets of ""memory failure", "CPU failure," "hard drive failure," "power failure" and "bus malfunction" including Va = {va1, va2, va3, va4, va5}, Vt = {vt1, vt2, vt3, vt4, vt5}, Vv = {vv1, vv2, vv3, vv4, vv5}.
Invite a number of experts to rate the risk factor set U. Calculate the probability of risk factors as member of various indicators and then we can obtain the membership matrix Pa, Pt and Pv as shown in Table 2, 3 and 4.
Step 2: Calculate entropy coefficient for risk factors: Referring to Table 2, use Eq. 3 to calculate the ei vector for "asset" membership matrix.
| Table 2: | "Asset" membership matrix Pa |
| Table 3: | "Threat" membership matrix Pt |
| Table 4: | "Vulnerability" membership matrix Pv |
Similarly, to obtain e2, e3, …, e5. Thus, ei vector goes as (0.7952, 0.7416, 0.7952, 0.6398, 0.8445). And then, calculate weight vector φi of each risk factor according to Eq. 4:
Similarly, to obtain φ2, φ3, …, φ5, then the weight vector φi goes as (0.1730, 0.2183, 0.1730, 0.3043, 0.1313).
Table 3, use Eq. 3 to calculate the ei vector for "threat" membership matrix going as (0.8814, 0.8445, 0.7952, 0.9350, 0.7584). Calculate weight vector φi of each risk factor with Eq. 4 going as (0.1510, 0.1979, 0.2607, 0.0828, 0.3076).
Table 4, use Eq. 3 to calculate the ei vector for "vulnerability" membership matrix going as (0.7416, 0.6398, 0.9675, 0.9350, 0.7584). Calculate weight vector φi of each risk factor with Eq. 4 going as (0.2698, 0.3761, 0.0339, 0.0679, 0.2522).
To sum up:
Step 3: Determine weight of indicators in the evaluation set: On the "asset" membership matrix, determine weight of standard w1, w2, …, w5, respectively as 1/15, 2/15, 3/15, 4/15, 5/15. Thus, weight of indicators in this evaluation set goes as:
Similarly, we can get:
Step 4: Calculate security risk values for "hardware (S4)" and other groups: To obtain security risk values for elements of "hardware (S4)" by calculating:
Similarly, we can get:
As k1 = k2 = k3 = 1/3, then:
Similarly, we can get security risk values of "database management system (S1)", "database server operating system (S2)", "database server application (S3)" and "communication device (S5)", respectively going as R1 = 0.2317, R2 = 0.1618, R3 = 0.3154, R5 = 0.1967.
Step 5: Calculate values of the database server on comprehensive security risk: Under the thought of comprehensive evaluation for the system, giving full consideration to relative importance of each module in the database server, calculate security risk values of the database server with weighed average method. Assume each module has same extent of significance to the entire database server, that is:
g1 = g2 = g3 = g4 = g5 = 1/5
Then, the comprehensive security risk value goes as:
Table 1 showed that security risk of this database server was at a low risk level and the system was relatively safe and reliable, it consistent with their security situation in actual operation. The case verified the proposed method can better make up the lack of certainty in indicators, it will help further improve the scientific of decision-making. Compared with the risk assessment values obtained in the references, the proposed method can better meet the needs of practical applications and have good maneuverability.
CONCLUSION
Aiming at security risk assessment for information system in campus and combining risk factors under fuzzy set involved in database server, this study conducted analysis from asset impact, threat frequency and severity of vulnerability and made corresponding descriptions on rating, constituted membership matrix of each factor matched along with judgment set and determined weight of factors with entropy coefficient to reduce subjective bias resulted from traditional method for weight determination. By calculating risks of a database server in a campus information system, we know that method proposed by this study has strong sense of pertinence, feasibility and effectiveness, which provides an effective approach to realize intellectual evaluation for security risks of the information system in campus.
ACKNOWLEDGMENTS
This study was supported by the Scientific Research Fund of Hunan Provincial Education Department (No. 14C0184) and also supported by the Hunan Province Philosophy and Social Science Foundation (No. 14YBA065). Supported by the construct program of the key discipline in Hunan province.