TY - JOUR
T1 - An Information Systems Security Risk Assessment Model under the Dempster-Shafer Theory of Belief Functions
AU - Mock, T.J.
AU - Sun, L.
AU - Srivastava, R.
PY - 2006/1/1
Y1 - 2006/1/1
N2 - This study develops an alternative methodology for the risk analysis of information systems security (ISS), an evidential reasoning approach under the Dempster-Shafer theory of belief functions. The approach has the following important dimensions. First, the evidential reasoning approach provides a rigorous, structured manner to incorporate relevant ISS risk factors, related countermeasures, and their interrelationships when estimating ISS risk. Second, the methodology employs the belief function definition of risk--that is, ISS risk is the plausibility of ISS failures. The proposed approach has other appealing features, such as facilitating cost-benefit analyses to help promote efficient ISS risk management. The paper elaborates the theoretical concepts and provides operational guidance for implementing the method. The method is illustrated using a hypothetical example from the perspective of management and a real-world example from the perspective of external assurance providers. Sensitivity analyses are performed to evaluate the impact of important parameters on the model's results.
AB - This study develops an alternative methodology for the risk analysis of information systems security (ISS), an evidential reasoning approach under the Dempster-Shafer theory of belief functions. The approach has the following important dimensions. First, the evidential reasoning approach provides a rigorous, structured manner to incorporate relevant ISS risk factors, related countermeasures, and their interrelationships when estimating ISS risk. Second, the methodology employs the belief function definition of risk--that is, ISS risk is the plausibility of ISS failures. The proposed approach has other appealing features, such as facilitating cost-benefit analyses to help promote efficient ISS risk management. The paper elaborates the theoretical concepts and provides operational guidance for implementing the method. The method is illustrated using a hypothetical example from the perspective of management and a real-world example from the perspective of external assurance providers. Sensitivity analyses are performed to evaluate the impact of important parameters on the model's results.
U2 - 10.2753/MIS0742-1222220405
DO - 10.2753/MIS0742-1222220405
M3 - Article
SN - 0742-1222
VL - 22
SP - 109
EP - 142
JO - Journal of Management Information Systems
JF - Journal of Management Information Systems
IS - 4
ER -