Article ID: 6864679
Journal: Neurocomputing
Published Year: 2018
Pages: 21
File Type: PDF
Abstract
In recent decades, information security has become crucial for protecting the benefits of a business operation. Many organizations perform information security risk management in order to analyze their weaknesses and enforce the security of their business processes. However, identifying the threat-vulnerability pairs for each information asset during risk assessment is difficult and time-consuming for the risk assessor. Furthermore, if the identified risk diverges from the real situation, the organization may put emphasis on unnecessary controls to prevent a non-existent risk. To resolve this problem, we utilize a data mining approach to discover the relationship between assets and threat-vulnerability pairs. In this paper, we propose a risk recommendation mechanism for assisting users in identifying threats and vulnerabilities. In addition, we implement a risk assessment system to collect the historical selection records and measure the elapsed time. The result shows that with the assistance of risk recommendations, the mean elapsed time is shorter than with the traditional method by more than 21%. The experimental results show that the risk recommendation system can improve both the efficiency and the accuracy of risk identification.
Related Topics
Physical Sciences and Engineering > Computer Science > Artificial Intelligence