Baden-baden_Vukelic.pdf


8/17/2019 Baden-baden_Vukelic.pdf

Vukelić B., Polytechnic of Rijeka; Božić Pavletić Z., VPS Minerva Dugopolje; Matić Vukelić U., Astrila Translation Services

Using the multicriteria decision making method PROMETHEE & GAIA for information security risk management standards selection

    Introduction

Information technology risk is any risk related to information technology. This is a relatively new term, reflecting an increasing awareness that information security is only one facet of the many risks relevant to IT and the real-world processes it supports. Generally speaking, risk is the product of the likelihood of an event occurring and the impact that event could have on an information technology asset.

Because of this, companies look to standards organizations for guidance on best practices in information security. But the choice of the best standard is a challenge: there are numerous standards available and many factors to evaluate, such as scope, usage and maturity. In recent years several decision aid methods or decision support systems have been proposed to help select the best compromise alternatives.

This paper compares the three leading standards (ISO 27005, NIST SP 800-30 and OCTAVE) using the multicriteria decision method PROMETHEE & GAIA. The purpose of this paper is not to explain the PROMETHEE methodology in detail, but only to present the results provided by the Visual PROMETHEE software on the above example. Visual PROMETHEE is the only PROMETHEE-based software developed and supported by the authors of the PROMETHEE & GAIA methodology.

    PROMETHEE & GAIA Method

PROMETHEE & GAIA is a multi-criteria decision aid methodology developed by Jean-Pierre Brans and Bertrand Mareschal at the ULB and VUB universities since 1982. The GAIA descriptive approach appeared in 1989. [1]

It is a ranking method that is quite simple in conception and application compared to other methods for multi-criteria analysis. It is well adapted to problems where a finite number of alternative actions are to be ranked considering several, sometimes conflicting, criteria. [2]

The PROMETHEE method (preference ranking organization method for enrichment evaluation) is appropriate for treating multi-criteria problems of the following type:

$\max\{f_1(a), \ldots, f_n(a) \mid a \in A\}$, (1)

where $A$ is a finite set of possible alternatives and $f_1, \ldots, f_n$ are the $n$ criteria to be maximized. For each alternative $a$, $f_j(a)$ is the evaluation of that alternative on criterion $j$. When we compare two alternatives $a, b \in A$, we must be able to express the result of the comparison in terms of preference.


One of the advantages of the PROMETHEE methods is the possibility of a geometrical interpretation of the results by the GAIA method (geometrical analysis for interactive aid). In 1989 the introduction of GAIA added a descriptive complement to the PROMETHEE rankings. A graphical representation of the multi-criteria problem enables the decision maker to understand the available choices better, together with the compromises he or she will have to make in order to reach the best decision. GAIA can also be used to see the impact of the criteria weights on the PROMETHEE rankings.

The PROMETHEE & GAIA methods are based on the Preference Modeling method, which increases the efficiency of any complex decision-making process, and on the Pairwise Comparison method, in which alternatives are compared to each other. It is highly recommended to read more about both methods in order to understand how they impact the final decision. [3]

Rather than pointing out the "right" decision, the PROMETHEE & GAIA method helps decision makers find the alternative that best suits their goal and their understanding of the problem. It provides a comprehensive and rational framework for structuring a decision problem, for identifying and quantifying its conflicts, synergies and clusters of actions, and for highlighting the main alternatives and the structured reasoning behind them. [3]

Decision situations to which PROMETHEE & GAIA can be applied include: [4]

Choice – the selection of one alternative from a given set of alternatives, usually where multiple decision criteria are involved.
Prioritization – determining the relative merit of members of a set of alternatives, as opposed to selecting a single one or merely ranking them.
Resource allocation – allocating resources among a set of alternatives.
Ranking – putting a set of alternatives in order from most to least preferred.
Conflict resolution – settling disputes between parties with apparently incompatible objectives.

    Criteria and alternatives

Many companies have problems with information security. Because of a lack of expertise, they look for consultation and guidance from standards organizations, which will help them find the best possible solution. Risk management encompasses three processes: risk assessment, risk mitigation, and evaluation and assessment. Risk management is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations' missions. This process is not unique to the IT environment; indeed it pervades decision-making in all areas of our daily lives. [6]


    Figure 1. Risk management process [4] 

After the problem has been defined, the first step in the PROMETHEE & GAIA method is defining the objective, which here is the choice of an optimal security standard. Next, it is necessary to define the criteria and the alternatives, ISO 27005, NIST SP 800-30 and OCTAVE, which are briefly described below.

ISO/IEC 27005:2008

ISO/IEC 27005:2008 is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization's information security. ISO 27005 is a widely accepted methodology and it covers technology, people and process in risk assessment. Risk assessment is defined through identification, estimation and evaluation. The framework of ISO 27005 consists of two elements: risk analysis and risk evaluation. ISO/IEC 27002:2005, Code of practice for information security management, recommends examining the following during a risk assessment: security policy, organization of information security, asset management, human resources security, physical and environmental security, communications and operations management, access control, information systems acquisition, development and maintenance, information security incident management, business continuity management and regulatory compliance. [5]

NIST SP 800-30

The purpose of NIST SP 800-30 is to provide guidance for conducting risk assessments of federal information systems and organizations. Risk assessments, carried out at all three tiers in the risk management hierarchy, are part of an overall risk management process, providing senior leaders/executives with the information needed to determine appropriate courses of action in response to identified risks. It provides guidance for carrying out each of the steps in the risk assessment process (i.e., preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment) and for how risk assessments and other organizational risk management processes complement and inform each other. Special Publication 800-30 also provides guidance to organizations on identifying specific risk factors to monitor on an ongoing basis, so that organizations can determine whether risks have increased to unacceptable levels (i.e., exceeding organizational risk tolerance) and whether different courses of action should be taken. [7]

NIST SP 800-30 is most suited for technology related risk assessment aligned with common criteria. The risk assessment methodology encompasses nine primary steps: System Characterization, Threat Identification, Vulnerability Identification, Control Analysis, Likelihood Determination, Impact Analysis, Risk Determination, Control Recommendations and Results Documentation. According to NIST SP 800-30, risk assessment is the analysis of threats in conjunction with vulnerabilities and existing controls.

    OCTAVE

OCTAVE is a set of tools, techniques and methods for risk assessment and strategic planning of information security. OCTAVE is an acronym of the following English words: O = Operationally, C = Critical, T = Threat, A = Asset, VE = Vulnerability Evaluation.

According to the OCTAVE standard, a risk assessment provides the information necessary for making risk management decisions regarding the degree of security remediation. OCTAVE methods are founded on the OCTAVE criteria, a standard approach for a risk-driven and practice-based information security evaluation. The OCTAVE criteria establish the fundamental principles and attributes of risk management that are used by the OCTAVE methods. The OCTAVE methods are self-directed, which means that small teams of organizational personnel across business units and IT work together to address the security needs of the organization. They are also flexible, which means that each method can be tailored to the organization's unique risk environment, security and resiliency objectives, and skill level. Another important feature of OCTAVE methods is that they are evolved, which means that OCTAVE has moved the organization toward an operational risk-based view of security and addresses technology in a business context.

After defining and describing the alternatives, it is necessary to define the criteria. Seven criteria were used; they are explained below. Although the PROMETHEE & GAIA method allows both quantitative and qualitative criteria, cost was intentionally left out as a quantitative value. It is one of the most important criteria, but it depends on the scope of implementation and the size of the organization. Only qualitative criteria were compared.

Information gathering. Refers to the different methods of gathering data from employees (interview, questionnaire etc.).

Simplicity of use. Evaluates whether the method is applicable for the organization and whether it can be adapted to the needs of a specific field. It also describes the amount of human and technical resources necessary for implementation.

Spread of use. This criterion evaluates the importance of the maturity of the standard as a selection criterion. It encompasses the spread of use of the method, such as how long the method has existed, how often it is updated and its geographical spread of use, along with the availability of open-market or licensed consultants.


Software and tools. This criterion evaluates the availability of the software and tools necessary for implementation.

Documentation. Refers to the available documentation, helplines, manuals and instruction guides.

Risk assessment. Evaluates how well the standard handles the identification, analysis and evaluation of risks.

Risk treatment. Involves selecting and implementing measures to modify risk. Risk treatment measures can include avoiding, optimizing, transferring or retaining risk.

Each criterion was evaluated on a verbal scale, that is, through the following values: very bad, bad, average, good and very good.

Table 1. Verbal scale

Verbal scale
Very bad
Bad
Average
Good
Very good

The above criteria and alternatives were processed in the Visual PROMETHEE software. Figure 2 shows the main window. The spreadsheet contains three collapsible sections: Preferences, Statistics and Evaluations.

Figure 2. The Visual PROMETHEE main spreadsheet


Figure 3 shows the PROMETHEE I Partial Ranking, which is based on the comparison of the leaving flow (Phi+) and the entering flow (Phi-). The left column corresponds to the Phi+ scores and the right column to the Phi- scores. They are oriented such that the best scores are at the top. The middle column corresponds to the net flow (Phi scores, the difference between Phi+ and Phi-). On the left side the actions are ranked according to Phi+, on the right side according to Phi-. For each action a line is drawn from its Phi+ score to its Phi- score.

When a line lies completely above another one, the corresponding action is better on both Phi+ and Phi-. This action is thus preferred to the other in the PROMETHEE I Partial Ranking.
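The flows and the PROMETHEE I rule described above, together with the problem formulation of equation (1), worked through in Python as an added example that is not part of the paper and not Visual PROMETHEE's code. The evaluation matrix, the equal weights and the 'usual' preference function are constructed assumptions, chosen so that one pair of standards comes out incomparable.

```python
"""PROMETHEE I/II flows for the standards-selection problem. Added example; the
evaluations and equal weights below are constructed, not the paper's data."""
from itertools import permutations

SCALE = {"very bad": 1, "bad": 2, "average": 3, "good": 4, "very good": 5}

# Constructed scores on the paper's seven criteria: information gathering, simplicity
# of use, spread of use, software and tools, documentation, risk assessment, risk treatment.
EVALUATIONS = {
    "ISO 27005":      ["good", "good", "very good", "average", "good", "very good", "good"],
    "NIST SP 800-30": ["average", "average", "very good", "very good", "very good", "average", "average"],
    "OCTAVE":         ["good", "good", "average", "average", "good", "good", "average"],
}
WEIGHTS = [1.0] * 7  # equal weights; a decision maker would normally tune these


def usual_preference(diff):
    """'Usual' criterion: any positive difference on a criterion is full preference."""
    return 1.0 if diff > 0 else 0.0


def flows(evals, weights, preference=usual_preference):
    """Return {alternative: (phi_plus, phi_minus, phi_net)}: leaving flow (how much
    a outranks the others), entering flow (how much it is outranked), net flow."""
    alts, total_w = list(evals), sum(weights)
    pi = {a: {} for a in alts}  # aggregated preference index pi(a, b)
    for a, b in permutations(alts, 2):
        pi[a][b] = sum(w * preference(SCALE[x] - SCALE[y])
                       for w, x, y in zip(weights, evals[a], evals[b])) / total_w
    result = {}
    for a in alts:
        others = [b for b in alts if b != a]
        phi_plus = sum(pi[a][b] for b in others) / len(others)
        phi_minus = sum(pi[b][a] for b in others) / len(others)
        result[a] = (phi_plus, phi_minus, phi_plus - phi_minus)
    return result


def promethee_i(fl, a, b):
    """PROMETHEE I relation of a to b: 'P' a preferred, 'P-' b preferred, 'I'
    indifferent, 'R' incomparable (better on one flow, worse on the other)."""
    (pa, ma, _), (pb, mb, _) = fl[a], fl[b]
    if pa == pb and ma == mb:
        return "I"
    if pa >= pb and ma <= mb:
        return "P"
    return "P-" if pa <= pb and ma >= mb else "R"


def promethee_ii(fl):
    """PROMETHEE II complete ranking by net flow, best first."""
    return sorted(fl, key=lambda a: fl[a][2], reverse=True)
```

With these constructed scores NIST SP 800-30 and OCTAVE are incomparable in PROMETHEE I (NIST has the higher Phi+ but also the higher Phi-, so their lines would cross in a Figure 3 style diagram), while the PROMETHEE II net flow still orders all three.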

Figure 4 shows the percentage of information retained in the GAIA display. A color code is used to differentiate results: green indicates a satisfying quality level, while red corresponds to a level that is too low.

    Figure 3. PROMETHEE I Partial ranking

    Figure 4. GAIA Visual analysis 


    Conclusion

The above standards differ from each other in various organizational and technical aspects, such as methodology, human resources and software tools. The PROMETHEE-GAIA methodology used in this paper has several advantages over some other multiple-criteria methods, because it provides a complete ranking of alternatives (from best to worst) together with an analysis of criteria and alternatives. The paper has shown that this method can help choose an optimal security standard. In this case, it turned out to be ISO 27005.

    Literature

[1] PROMETHEE & GAIA method, http://homepages.ulb.ac.be/~bmaresc/PROMETHEE.htm
[2] Prvulovic S. et al.: Application of Promethee-Gaia Methodology in the Choice of Systems for Drying Paltry-Seeds and Powder Materials, Strojniški vestnik - Journal of Mechanical Engineering 57(2011)10, p. 778-784
[3] D-Sight PROMETHEE & GAIA Methodology, http://www.d-sight.com/learning-center/promethee-gaia-software
[4] Preference ranking organization method for enrichment evaluation, http://en.wikipedia.org/wiki/Preference_ranking_organization_method_for_enrichment_evaluation
[5] Comparison between ISO 27005, OCTAVE & NIST SP 800-30, http://sisainfosec.com/blog/comparison-between-iso-27005-octave-nist-sp-800-30-2/
[6] Gary Stoneburner, Alice Goguen, and Alexis Feringa: Risk Management Guide for Information Technology Systems, NIST Special Publication 800-30
[7] Guide for Conducting Risk Assessments, NIST, September 2012, http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf