Article code: 402323
Journal code: 676906
Publication year: 2014
English article: 12-page PDF
Full-text version: Free download
English title of the ISI article
Risk analysis in information systems: A fuzzification of the MAGERIT methodology
Related topics
Engineering and Basic Sciences, Computer Engineering, Artificial Intelligence
English abstract

Several methodologies based on ISO/IEC 27000 international standard have been developed to deal with risk analysis in information systems (IS). These methodologies do not, however, consider imprecise valuations, but use precise values on different, usually percentage, scales. We propose an extension of the MAGERIT methodology based on classical fuzzy computational models. A linguistic term scale is used to represent asset values, their dependencies and frequency and asset degradation associated with threats. Computations are based on trapezoidal fuzzy numbers associated with linguistic terms. A similarity function is used to associate a linguistic term on the previously defined scale to the trapezoidal fuzzy numbers resulting from computations. Finally, regarding the selection of preventive safeguards to reduce risks in IS, we propose a dynamic programming-based method that incorporates simulated annealing to tackle optimization problems with the aim of minimizing costs while keeping the risk at acceptable levels. An example of an administrative unit using in-house and third-party information systems internally and to provide public information services is used to illustrate the methodology.

Publisher
Database: Elsevier - ScienceDirect
Journal: Knowledge-Based Systems - Volume 66, August 2014, Pages 1–12
Authors
, , ,