Article code | Journal code | Year of publication | English article | Full-text version
1025543 | 1483197 | 2016 | 10-page PDF | Free download
English title of the ISI article
Information security risk analysis model using fuzzy decision theory
Persian translation of the title
Information security risk analysis model using fuzzy decision theory
Keywords
Information security; Risk analysis; Fuzzy decision theory
Related topics
Social Sciences and Humanities > Business, Management and Accounting > Management Information Systems (MIS)
English abstract


• A risk analysis model for information security was proposed.
• The model is based on fuzzy decision theory.
• A taxonomy of events and scenarios using ETA methodology was developed.
• Alternatives can be ranked based on the criticality of the risk.
• The model provides information regarding the criticality causes of attacks.
• Results show that deliberate external database attack is the most risky alternative.

This paper proposes a risk analysis model for information security assessment, which identifies and evaluates the sequence of events – referred to as alternatives – in a potential accident scenario following the occurrence of an initiating event corresponding to abuses of Information Technology systems. In order to perform this evaluation, this work suggests the use of Event Tree Analysis combined with fuzzy decision theory. The contributions of the present proposal are: the development of a taxonomy of events and scenarios, the ranking of alternatives based on the criticality of the risk, considering financial losses, and finally, the provision of information regarding the causes of information system attacks of highest managerial relevance for organizations. We included an illustrative example regarding a data center aiming to illustrate the applicability of the proposed model. To assess its robustness, we analyzed twelve alternatives considering two different methods of setting probabilities of the occurrence of events. Results showed that deliberate external database services attack represents the most risky alternative.

Publisher
Database: Elsevier - ScienceDirect
Journal: International Journal of Information Management - Volume 36, Issue 1, February 2016, Pages 25–34
Authors
, , , , ,