An information systems security risk assessment model under uncertain environment

Given there is a great deal of uncertainty in the process of information systems security (ISS) risk assessment, the handling of uncertainty is of great significance for the effectiveness of risk assessment. In this paper, we propose an ISS risk assessment model based on the improved evidence theory. Firstly, we establish the ISS index system and quantify index weights, based on which the evidential diagram is constructed. To deal with the uncertain evidence found in the ISS risk assessment, this model provides a new way to define the basic belief assignment in fuzzy measure. Moreover, the model also provides a method of testing the evidential consistency, which can reduce the uncertainty derived from the conflicts of evidence. Finally, the model is further demonstrated and validated via a case study, in which sensitivity analysis is employed to validate the reliability of the proposed model. (C) 2010 Elsevier B. V. All rights reserved.