Research Article
A Cooperative Model for IS Security Risk Management in Distributed Environment
Nan Feng and Chundong Zheng
College of Management and Economics, Tianjin University, 92 Weijin Road, Nankai District, Tianjin 300072, China
Correspondence should be addressed to Nan Feng; fengnan@tju.edu.cn
Received 24 August 2013; Accepted 21 November 2013; Published 19 January 2014
Academic Editors: J. Shu and F. Yu
Copyright © 2014 N. Feng and C. Zheng. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
Given the increasing cooperation between organizations, the flexible exchange of security information across the allied organizations is critical to effectively manage information systems (IS) security in a distributed environment. In this paper, we develop a cooperative model for IS security risk management in a distributed environment. In the proposed model, the exchange of security information among the interconnected IS under distributed environment is supported by Bayesian networks (BNs). In addition, for an organization’s IS, a BN is utilized to represent its security environment and dynamically predict its security risk level, by which the security manager can select an optimal action to safeguard the firm’s information resources. The actual case studied illustrates the cooperative model presented in this paper and how it can be exploited to manage the distributed IS security risk effectively.
1 Introduction
With the increasing collaboration between organizations, the management of information systems (IS) security risk is distributed across the allied organizations, and the cooperative activities between organizations are imperative [1–4]. Therefore, to assess the security risk level of the IS in a distributed environment more effectively, it is critical to develop a system for the exchange of security information among the interconnected IS. However, how to achieve the flexible exchange of security information under distributed environment is a significant challenge in the process of modelling [5]. Unfortunately, few previous studies on IS security take the above issue into account.
In this paper, a cooperative model for IS security risk management is proposed to estimate the risk level of each associated organization’s IS and support the decision making of security risk treatment in a distributed environment. In the model, the exchange of security information among the interconnected IS is achieved through Bayesian networks (BNs). Moreover, a BN is also exploited to model the security environment of an organization’s IS and predict its security risk level. However, it is a difficult and critical task for a security manager to establish an appropriate BN which is suitable for the environment of the organization’s information systems [6–8]. To address this issue, in this paper we develop an algorithm to support the BN initiation. Finally, based on the security risk level for an organization’s IS, the security manager selects an optimal action to protect its information resources.
The remaining sections of this paper are organized as follows. We first review the relevant literature in Section 2. Then we discuss the development of the cooperative model in detail in Sections 3 and 4. The proposed model is further demonstrated and validated in Section 5 via a case study. Finally, we summarize our contributions and point out further research directions.
2 Literature Review
There has been increased academic interest in IS security risk management. In the technical literature, security protocols [9], firewall and intrusion detection techniques [10, 11], and authentication technologies [12, 13] have been examined. From an economics perspective, some researchers have investigated the investment in information systems security [14, 15], the economics of vulnerability disclosure [16, 17], and the characteristics of internet security breaches that impact the market value of breached firms [18].

Hindawi Publishing Corporation, The Scientific World Journal, Volume 2014, Article ID 167497, 6 pages, http://dx.doi.org/10.1155/2014/167497

Table 1: Information exchange in the interactive process.

| Exchange information | Description |
| --- | --- |
| Search request | It consists of the requester’s id, IP address, and the required input variables. The estimation component has a set of sharing variables. To find components capable of providing required input data, the estimation component sends a search request to the registration component. |
| Search reply | It consists of the requested variable name, the IP address, and status of the component publishing the variable. On receiving a search request, the registration component searches its database to determine which components can provide the requested variables. |
| Registration message | It consists of component id, IP address, list of published variables, and their possible states. Each estimation component registers with the registration component, which issues an acknowledgment message for entering the new component in its database. |
| Communication between estimation components | It consists of the request id, the sender’s id, and the probability distribution of the requested variable. Upon receiving the list of components capable of providing the required input from the registration component, the request component sends requests directly to these components. Then the sender sends the probability distribution of the requested variable. |
In recent years, a new managerial perspective on IS security has emerged from the literature. This perspective focuses on the managerial processes that control the effective deployment of technical approaches and security resources to create a secure IS environment in an organization. From this perspective, Feng and Li [19] proposed an IS security risk evaluation model based on the improved evidence theory. For the handling of uncertain evidence found in IS security risk analysis, their model provided a novel approach to define the basic belief assignment of evidence theory. In addition, the model also presented a method of testing the evidential consistency, which is capable of resolving the conflicts from uncertain evidence. Then, in order to identify the causal relationships among security risk factors and analyze the complexity of vulnerability propagation, they also developed a security risk analysis model (SRAM) [20], in which the vulnerability propagation analysis is performed to determine the propagation paths with the highest IS security risk level. Yan [21] presented a conceptual model for IS security analysis, which can help to identify potential security risks. Chen et al. [22] focus on controlling the risks in the form of the fault of information networks. They developed an approach to estimate the risk level on the vulnerability of information networks.
Bayesian networks (BNs), also known as probabilistic belief networks, are a knowledge representation tool capable of representing dependence and independence relationships among random variables [23]. A BN $N = (X, G, P)$ consists of a directed acyclic graph $G$ and a set of conditional probability distributions (beliefs) $P$ for variables $X$. BN inference means computing the conditional probability for some variables given the evidence, which is defined as a collection of findings. This operation is also called probability updating or belief updating.
In this paper, the developed BN is not only used to facilitate the dynamical prediction of the security risk level of an organization’s IS but also exploited to model the IS security environment.
3 Model Architecture
In a distributed environment, the proposed model consists of many interconnected network information systems. We call these network information systems “associated members.” Each associated member is installed with three kinds of components: monitor component, estimation component, and treatment component. Besides the above three kinds of components, the registration component contains the information about each estimation component. All estimation components in the distributed environment must register with the registration component. The cooperative model architecture is demonstrated in Figure 1.
The interactions among the estimation component and the registration component are shown in Figure 2. In the interactive process, as shown in Table 1, there are four kinds of sharing information: search request, search reply, registration message, and communication between estimation components.
4 Bayesian Network Development
In this section, we present an algorithm based on ant colony optimization (shown in Algorithm 1) to develop the Bayesian network (BN), which is able to model the security environment of an associated member under distributed environment.
[Figure 1: Model architecture. Labels: Internet; registration component; Member 1, ..., Member i, ..., Member n, each with a treatment component, an estimation component, and a monitor component.]

[Figure 2: Interactions among the components. Labels: estimation component i, Bayesian network i, estimation component j, Bayesian network j, registration component, registration, request, reply, communication.]

The equations appearing in the algorithm are as follows.

(1) Heuristic information:

$$\eta_{ij} = f(x_i, Pa(x_i) \cup x_j) - f(x_i, Pa(x_i)). \tag{1}$$

(2) Updating rule:

$$\tau_{ij} \leftarrow (1 - \rho)\,\tau_{ij} + \rho\,\Delta\tau_{ij}, \tag{2}$$

in which

$$\Delta\tau_{ij} = \begin{cases} \dfrac{1}{|f(G^{*}, D)|} & \text{if } x_j \to x_i \in G^{*}, \\ \tau_{ij} & \text{if } x_j \to x_i \notin G^{*}; \end{cases} \tag{3}$$

in the arc $x_j \to x_i$, $\tau_{ij}$ is the pheromone’s degree and $\rho$ ($0 < \rho \le 1$) is a variable which can control the pheromone value. Moreover, $G^{*}$ is the BN structure that suits the organization’s IS best.

(3) Probabilistic transition:

$$r, l = \begin{cases} \arg\max_{i,j \in F_G} [\tau_{ij}]^{\alpha} [\eta_{ij}]^{\beta} & \text{if } q \le q_0, \\ I, J & \text{if } q > q_0, \end{cases} \tag{4}$$

in which $I$ and $J$ are two nodes chosen randomly based on the following equation:

$$p_k(i, j) = \begin{cases} \dfrac{[\tau_{ij}]^{\alpha} [\eta_{ij}]^{\beta}}{\sum_{u,v \in F_G} [\tau_{uv}]^{\alpha} [\eta_{uv}]^{\beta}} & \text{if } i, j \in F_G, \\ 0 & \text{otherwise.} \end{cases} \tag{5}$$
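The following Python sketch is an added example, not the authors' implementation: it runs the ant-colony search of Algorithm 1 with equations (1) to (5) on a small constructed data set. The BIC local score used for $f$, the reading of $F_G$ as the arcs whose heuristic value is still positive, the parameter values, and all function names are assumptions.

```python
import math
import random
from itertools import product

def local_score(data, child, parents, arity):
    """f(x_i, Pa(x_i)): BIC local score (assumed metric; the paper does not fix f)."""
    counts = {}
    for row in data:
        key = tuple(row[p] for p in parents)
        counts.setdefault(key, [0] * arity[child])[row[child]] += 1
    loglik = sum(c * math.log(c / sum(cs)) for cs in counts.values() for c in cs if c)
    n_params = math.prod(arity[p] for p in parents) * (arity[child] - 1)
    return loglik - 0.5 * math.log(len(data)) * n_params

def ancestors(pa, node):
    """Nodes with a directed path into `node`; pa maps child -> tuple of parents."""
    seen, stack = set(), list(pa[node])
    while stack:
        v = stack.pop()
        if v not in seen:
            seen.add(v)
            stack.extend(pa[v])
    return seen

def build_graph(data, arity, tau, rng, rho, q0, alpha, beta, tau0):
    """One ant: keep adding arcs x_j -> x_i while some arc has a positive heuristic."""
    n = len(arity)
    pa = {i: () for i in range(n)}
    f = {i: local_score(data, i, (), arity) for i in range(n)}
    eta = {(i, j): local_score(data, i, (j,), arity) - f[i] for (i, j) in tau}
    while True:
        cand = [e for e in eta if eta[e] > 0]          # F_G (assumed definition)
        if not cand:
            return pa, sum(f.values())                 # graph and its score f(G, D)
        w = [tau[e] ** alpha * eta[e] ** beta for e in cand]
        if rng.random() <= q0:                         # eq. (4): take the best arc
            i, j = cand[w.index(max(w))]
        else:                                          # eq. (5): sample an arc
            i, j = rng.choices(cand, weights=w)[0]
        pa[i] = tuple(sorted(pa[i] + (j,)))
        f[i] = local_score(data, i, pa[i], arity)
        eta[(i, j)] = -math.inf
        # Arcs from x_i or its descendants into x_j or its ancestors would close a cycle.
        desc = {v for v in pa if i in ancestors(pa, v)} | {i}
        for a in ancestors(pa, j) | {j}:
            for b in desc:
                eta[(a, b)] = -math.inf
        for k in range(n):                             # eq. (1) for x_i's remaining candidates
            if k != i and eta[(i, k)] > -math.inf:
                eta[(i, k)] = local_score(data, i, tuple(sorted(pa[i] + (k,))), arity) - f[i]
        tau[(i, j)] = (1 - rho) * tau[(i, j)] + rho * tau0   # local pheromone update

def learn_structure(data, arity, ants=4, iters=5, rho=0.4, q0=0.8,
                    alpha=1.0, beta=2.0, tau0=1.0, seed=7):
    """Outer loop of Algorithm 1: returns (parents of each node in G*, f(G*, D))."""
    rng = random.Random(seed)
    n = len(arity)
    tau = {(i, j): tau0 for i in range(n) for j in range(n) if i != j}
    best_pa, best_score = None, -math.inf
    for _ in range(iters):
        colony = [build_graph(data, arity, tau, rng, rho, q0, alpha, beta, tau0)
                  for _ in range(ants)]
        pa, score = max(colony, key=lambda g: g[1])
        if score >= best_score:
            best_pa, best_score = pa, score
        for (i, j) in tau:                             # eq. (2) with delta from eq. (3)
            delta = 1 / abs(best_score) if j in best_pa[i] else tau[(i, j)]
            tau[(i, j)] = (1 - rho) * tau[(i, j)] + rho * delta
    return best_pa, best_score

# Constructed sample (not from the paper): x0 and x1 agree in 90% of rows,
# x2 is an exactly independent binary variable.
ARITY = [2, 2, 2]
SAMPLE = [(a, b, c) for a, b, c in product((0, 1), repeat=3)
          for _ in range(45 if a == b else 5)]

if __name__ == "__main__":
    parents, score = learn_structure(SAMPLE, ARITY)
    print(parents, round(score, 2))
```

Because BIC is score-equivalent, the search may orient the single learned arc either way between the two dependent variables; the independent variable stays unconnected.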
5 Case Study
In this section, the proposed model is applied to a distributed environment, which is composed of four associated members with interconnected IS: two suppliers (S1 and S2), a manufacturer (M1), and a downstream transporter (DT1).
Based on the algorithm presented in Section 4, we develop the BN for each associated member. Taking M1 and S1 for example, their information of BN nodes is given in Tables 2 and 3, and their BN structures are shown in Figure 3.

Algorithm 1: Bayesian network development algorithm.

    Input: set of all candidate edges
    Output: Bayesian network
    repeat
        for k = 1 to m do
            for i = 1 to n do Pa(x_i) = φ
            for i = 1 and j = 1 to n do
                if (i ≠ j) then η_ij = f(x_i, x_j) − f(x_i, φ)
            end
            repeat
                Select two indexes i and j by using (4) and (5) and assign edge e_ij to G_k
                if (η_ij > 0) then Pa(x_i) = Pa(x_i) ∪ x_j
                η_ij = −∞
                for all x_a ∈ Ancestors(x_j) ∪ x_j and x_b ∈ Descendants(x_i) ∪ x_i do η_ab = −∞
                for k = 1 to n do
                    if (η_ik > −∞) then η_ik = f(x_i, Pa(x_i) ∪ x_k) − f(x_i, Pa(x_i))
                end
                τ_ij = (1 − ρ) · τ_ij + ρ · τ_0
            until ∀ i, j (η_ij ≤ 0 or η_ij = −∞)
        end
        G_b = arg max_{k = 1..m} f(G_k, D)
        if f(G_b, D) ≥ f(G*, D) then G* = G_b
        Update pheromone according to (2) using f(G*, D)
        N_iter++
    until N_iter = N_max
    return Bayesian network with structure G*

Table 2: BN information of M1.

| Node ID | Node name | State space | Parent nodes | Children nodes |
| --- | --- | --- | --- | --- |
| M1_1 | Network access control | Effective, average, ineffective | Φ | M1_7 |
| M1_2 | Network security audit | Comprehensive, incomprehensive | Φ | M1_7 |
| M1_3 | Change management | Effective, average, ineffective | Φ | M1_9 |
| M1_4 | Supplier threat level | 0, 1, 2, 3, 4, 5 | Φ | M1_8 |
| M1_5 | Transporter threat level | 0, 1, 2, 3, 4, 5 | Φ | M1_8 |
| M1_6 | Operational procedures and responsibilities | Very standard, standard, non-standard | Φ | M1_9 |
| M1_7 | Network security | High, medium, low | M1_1, M1_2 | M1_10 |
| M1_8 | External systems security | High, medium, low | M1_4, M1_5 | M1_10 |
| M1_9 | Operation security | High, medium, low | M1_3, M1_6 | M1_10 |
| M1_10 | M1 threat level | 0, 1, 2, 3, 4, 5 | M1_7, M1_8, M1_9 | Φ |

Table 3: BN information of S1.

| Node ID | Node name | State space | Parent nodes | Children nodes |
| --- | --- | --- | --- | --- |
| S1_1 | Communication secrecy | High, medium, low | Φ | S1_6 |
| S1_2 | Audit logging | Secure, average, insecure | Φ | S1_6 |
| S1_3 | Network access control | Effective, average, ineffective | Φ | S1_5 |
| S1_4 | Network security audit | Comprehensive, incomprehensive | Φ | S1_5 |
| S1_5 | Network security | High, medium, low | S1_3, S1_4 | S1_7 |
| S1_6 | Communication security | High, medium, low | S1_1, S1_2 | S1_7 |
| S1_7 | S1 threat level | 0, 1, 2, 3, 4, 5 | S1_5, S1_6 | Φ |

[Figure 3: BN structures of M1 and S1. Labels: nodes M1_1 to M1_10, nodes S1_1 to S1_7, and "Information sharing" between the two networks.]

[Figure 4: Security manager interface.]
The manager interface of our proposed model is shown in Figure 4, in which the security manager can specify the BN for each associated organization.
Once new evidence is obtained through the monitor components, the estimation component is able to make the BN modify its own belief (probability distribution on the variable of risk level) in real time and exchange the update of beliefs of the security state with other associated members.
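The exchange in Table 1 and the belief update described above, as an added Python example that is not the authors' implementation. The class and field names, the two-state simplification of the Table 2 and Table 3 nodes, every probability value, the mapping of S1_7 onto M1_4, the documentation-range IP addresses, and the validation of a received distribution before it is used are all assumptions.

```python
from itertools import product

class BayesNet:
    """Discrete BN. nodes: name -> (states, parents, cpt); cpt: parent states -> probabilities."""
    def __init__(self, nodes):
        self.nodes = nodes

    def posterior(self, query, evidence):
        names = list(self.nodes)
        dist = dict.fromkeys(self.nodes[query][0], 0.0)
        for combo in product(*(self.nodes[n][0] for n in names)):  # inference by enumeration
            world = dict(zip(names, combo))
            if any(world[k] != v for k, v in evidence.items()):
                continue
            p = 1.0
            for n, (states, parents, cpt) in self.nodes.items():
                p *= cpt[tuple(world[q] for q in parents)][states.index(world[n])]
            dist[world[query]] += p
        total = sum(dist.values())
        return {s: v / total for s, v in dist.items()}

class RegistrationComponent:
    def __init__(self):
        self.db = {}

    def register(self, msg):                  # registration message -> acknowledgment
        self.db[msg["component_id"]] = msg
        return {"type": "ack", "component_id": msg["component_id"]}

    def search(self, request):                # search request -> search replies
        return [{"variable": var, "ip": m["ip"], "status": "available"}
                for var in request["variables"]
                for m in self.db.values() if var in m["published"]]

class EstimationComponent:
    def __init__(self, cid, ip, bn, published, inputs):
        self.cid, self.ip, self.bn = cid, ip, bn
        self.published = published            # variables offered to other members
        self.inputs = inputs                  # remote variable -> local root node
        self.evidence = {}                    # findings from the monitor component

    def registration_message(self):
        return {"component_id": self.cid, "ip": self.ip,
                "published": {v: self.bn.nodes[v][0] for v in self.published}}

    def answer(self, request):                # reply sent to another estimation component
        if request["variable"] not in self.published:
            raise PermissionError("variable is not published")
        return {"request_id": request["request_id"], "sender_id": self.cid,
                "distribution": self.bn.posterior(request["variable"], self.evidence)}

    def ingest(self, node, dist):
        """Check a received distribution, then install it as the prior of a root node."""
        states, parents, _ = self.bn.nodes[node]
        if parents or set(dist) != set(states):
            raise ValueError("unexpected variable or state space")
        probs = list(dist.values())
        if any(not 0.0 <= p <= 1.0 for p in probs) or abs(sum(probs) - 1.0) > 1e-6:
            raise ValueError("not a probability distribution")
        self.bn.nodes[node] = (states, (), {(): [dist[s] for s in states]})

    def refresh_inputs(self, registry, network):
        replies = registry.search({"requester_id": self.cid, "ip": self.ip,
                                   "variables": list(self.inputs)})
        for n, reply in enumerate(replies):
            resp = network[reply["ip"]].answer({"request_id": n, "variable": reply["variable"]})
            self.ingest(self.inputs[reply["variable"]], resp["distribution"])

LOW_HIGH, HIGH_LOW = ["low", "high"], ["high", "low"]   # simplified state spaces

def build_members():
    """Constructed two-member setup; every number below is illustrative."""
    s1 = BayesNet({
        "S1_5": (HIGH_LOW, (), {(): [0.8, 0.2]}),
        "S1_6": (HIGH_LOW, (), {(): [0.7, 0.3]}),
        "S1_7": (LOW_HIGH, ("S1_5", "S1_6"), {
            ("high", "high"): [0.95, 0.05], ("high", "low"): [0.6, 0.4],
            ("low", "high"): [0.5, 0.5], ("low", "low"): [0.1, 0.9]})})
    m1 = BayesNet({
        "M1_4": (LOW_HIGH, (), {(): [0.5, 0.5]}),          # replaced by S1's belief
        "M1_7": (HIGH_LOW, (), {(): [0.8, 0.2]}),
        "M1_10": (LOW_HIGH, ("M1_4", "M1_7"), {
            ("low", "high"): [0.9, 0.1], ("low", "low"): [0.5, 0.5],
            ("high", "high"): [0.6, 0.4], ("high", "low"): [0.15, 0.85]})})
    s1c = EstimationComponent("S1", "192.0.2.1", s1, ["S1_7"], {})
    m1c = EstimationComponent("M1", "192.0.2.2", m1, ["M1_10"], {"S1_7": "M1_4"})
    registry, network = RegistrationComponent(), {c.ip: c for c in (s1c, m1c)}
    for c in network.values():
        registry.register(c.registration_message())
    return registry, network, s1c, m1c

def m1_high_threat(s1_evidence):
    """P(M1 threat level = high) after M1 pulls S1's current belief."""
    registry, network, s1c, m1c = build_members()
    s1c.evidence.update(s1_evidence)
    m1c.refresh_inputs(registry, network)
    return m1c.bn.posterior("M1_10", m1c.evidence)["high"]
```

With these constructed numbers, a finding of low network security at S1 raises M1's probability of a high threat level from about 0.257 to about 0.372. A distribution that fails the checks in `ingest` is rejected instead of being written into M1's network.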
6 Conclusions
In a distributed environment, in order to effectively manage information systems (IS) security, a cooperative model based on Bayesian networks is presented and illustrated in this paper. We contribute to the IS security literature by supporting the exchange of security information among interconnected IS. Furthermore, for the modelling of IS security environment, an algorithm based on ant colony optimization helps to predict IS threat level more objectively. The model proposed in this paper has great potential for future extensions and refinements to provide more utility for the management of IS security.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgments
The research was supported by the National Natural Science Foundation of China (nos. 70901054 and 71271149) and the Program for New Century Excellent Talents in University (NCET). It was also supported by the China Postdoctoral Science Foundation funded Project (no. 2012M520025). The authors are very grateful to all anonymous reviewers whose invaluable comments and suggestions substantially helped improve the quality of this paper.
References
[1] I. A. Tsoukalas and P. D. Siozos, “Privacy and anonymity in the information society—challenges for the European Union,” TheScientificWorldJournal, vol. 11, pp. 458–462, 2011.
[2] Y. Zhang, X. Deng, D. Wei, and Y. Deng, “Assessment of E-Commerce security using AHP and evidential reasoning,” Expert Systems with Applications, vol. 39, no. 3, pp. 3611–3623, 2012.
[3] S. Ransbotham and S. Mitra, “Choice and chance: a conceptual model of paths to information security compromise,” Information Systems Research, vol. 20, no. 1, pp. 121–139, 2009.
[4] B. Bulgurcu, H. Cavusoglu, and I. Benbasat, “Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness,” MIS Quarterly, vol. 34, no. 3, pp. 523–548, 2010.
[5] E. Gal-Or and A. Ghose, “The economic incentives for sharing security information,” Information Systems Research, vol. 16, no. 2, pp. 186–208, 2005.
[6] C.-F. Fan and Y.-C. Yu, “BBN-based software project risk management,” Journal of Systems and Software, vol. 73, no. 2, pp. 193–203, 2004.
[7] L. Sun, R. P. Srivastava, and T. J. Mock, “An information systems security risk assessment model under the Dempster-Shafer theory of belief functions,” Journal of Management Information Systems, vol. 22, no. 4, pp. 109–142, 2006.
[8] W. T. Yue, M. Cakanyildirim, Y. U. Ryu, and D. Liu, “Network externalities, layered protection and IT security risk management,” Decision Support Systems, vol. 44, no. 1, pp. 1–16, 2007.
[9] R. Di Pietro and L. V. Mancini, “Security and privacy issues of handheld and wearable wireless devices,” Communications of the ACM, vol. 46, no. 9, pp. 74–79, 2003.
[10] P. Ning, Y. Cui, D. S. Reeves, and D. Xu, “Techniques and tools for analyzing intrusion alerts,” ACM Transactions on Information and System Security, vol. 7, no. 2, pp. 274–318, 2004.
[11] R. Sarathy and K. Muralidhar, “The security of confidential numerical data in databases,” Information Systems Research, vol. 13, no. 4, pp. 389–403, 2002.
[12] N. Li and M. V. Tripunitara, “Security analysis in role-based access control,” ACM Transactions on Information and System Security, vol. 9, no. 4, pp. 391–420, 2006.
[13] S. Rinderle-Ma and M. Reichert, “Comprehensive life cycle support for access rules in information systems: the CEOSIS project,” Enterprise Information Systems, vol. 3, no. 3, pp. 219–251, 2009.
[14] L. A. Gordon and M. P. Loeb, “The economics of information security investment,” ACM Transactions on Information and System Security, vol. 5, no. 4, pp. 438–457, 2002.
[15] H. S. B. Herath and T. C. Herath, “Investments in information security: a real options perspective with Bayesian postaudit,” Journal of Management Information Systems, vol. 25, no. 3, pp. 337–375, 2009.
[16] K. Kannan and R. Telang, “Market for software vulnerabilities? Think again,” Management Science, vol. 51, no. 5, pp. 726–740, 2005.
[17] M. N. Azaiez and V. M. Bier, “Optimal resource allocation for security in reliability systems,” European Journal of Operational Research, vol. 181, no. 2, pp. 773–786, 2007.
[18] H. Cavusoglu, B. Mishra, and S. Raghunathan, “The effect of internet security breach announcements on market value: capital market reactions for breached firms and internet security developers,” International Journal of Electronic Commerce, vol. 9, no. 1, pp. 69–104, 2004.
[19] N. Feng and M. Li, “An information systems security risk assessment model under uncertain environment,” Applied Soft Computing Journal, vol. 11, no. 7, pp. 4332–4340, 2011.
[20] N. Feng, H. J. Wang, and M. Li, “A security risk analysis model for information systems: causal relationships of risk factors and vulnerability propagation analysis,” Information Sciences, vol. 256, pp. 57–73, 2014.
[21] Q. Yan, “A security evaluation approach for information systems in telecommunication enterprises,” Enterprise Information Systems, vol. 2, no. 3, pp. 309–324, 2008.
[22] P.-Y. Chen, G. Kataria, and R. Krishnan, “Correlated failures, diversification, and information security risk management,” MIS Quarterly, vol. 35, no. 2, pp. 397–422, 2011.
[23] J. Pearl, Probabilistic Reasoning in Intelligent Systems: Networks of Plausible Inference, Morgan-Kaufmann Publishers, San Mateo, Calif, USA, 1998.
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
2 The Scientific World Journal
Table 1 Information exchange in the interactive process
Exchangeinformation Description
Search request
It consists of the requesterrsquos id IP address and the required input variables Theestimation component has a set of sharing variables To find components capable ofproviding required input data the estimation component sends a search request to theregistration component
Search replyIt consists of the requested variable name the IP address and status of the componentpublishing the variable Based on receiving a search request the registration componentsearches its database to determine which components can provide the requested variables
Registrationmessage
It consists of component id IP address list of published variables and their possiblestates Each estimation component registers with the registration component whichissues an acknowledgment message for entering the new component in its database
Communicationbetween estimationcomponents
It consists of the request id the senderrsquos id and the probability distribution of therequested variable Upon receiving the list of components capable of providing therequired input from the registration component the request component sends requestsdirectly to these components Then the sender sends the probability distribution of therequested variable
the characteristics of internet security breaches that impactthe market value of breached firms [18]
In recent years a newmanagerial perspective on IS secur-ity has emerged from the literature This perspective focuseson the managerial processes that control the effective deploy-ment of technical approaches and security resources to createa secure IS environment in an organization From this per-spective Feng and Li [19] proposed an IS security risk eval-uationmodel based on the improved evidence theory For thehandling of uncertain evidence found in IS security risk ana-lysis their model provided a novel approach to define thebasic belief assignment of evidence theory In addition themodel also presented a method of testing the evidential con-sistency which is capable of resolving the conflicts fromuncertain evidence Then in order to identify the causal rel-ationships among security risk factors and analyze the com-plexity of vulnerability propagation they also developed asecurity risk analysis model (SRAM) [20] in which the vul-nerability propagation analysis is performed to determine thepropagation paths with the highest IS security risk level Yan[21] presented a conceptual model for IS security analysiswhich can facilitate to identify potential security risks Chenet al [22] focus on controlling the risks in the formof the faultof information networks They developed an approach toestimate the risk level on the vulnerability of informationnetworks
Bayesian networks (BNs) also known as probabilisticbelief networks is a knowledge representation tool capable ofrepresenting dependence and independence relationshipsamong random variables [23] A BN 119873 = (119883 119866 119875) consistsof a directed acyclic graph119866 and a set of conditional probabil-ity distributions (beliefs) 119875 for variables 119883 BN inferencemeans computing the conditional probability for some vari-ables given the evidence which is defined as a collection offindings This operation is also called probability updating orbelief updating
In this paper the developed BN is not only used to facilit-ate the dynamical prediction of the security risk level of
an organizationrsquos IS but also exploited to model the IS secu-rity environment
3 Model Architecture
In a distributed environment the proposedmodel consists ofmany interconnected network information systems We callthese network information systems as ldquoassociated membersrdquoEach associated member is installed with three kinds of com-ponents monitor component estimation component andtreatment component Besides the above three kinds of com-ponents the registration component contains the informa-tion about each estimation component It is required that allestimation components in the distributed environment mustregister with the registration component The cooperativemodel architecture is demonstrated in Figure 1
The interactions among the estimation component andthe registration component are shown in Figure 2 In theinteractive process as shown inTable 1 there are four kinds ofsharing information search request search reply registrationmessage and communication between estimation compo-nents
4 Bayesian Network Development
In this section we present an algorithm based on ant colonyoptimization (shown in Algorithm 1) to develop the Bayesiannetwork (BN) which is able to model the security environ-ment of an associated member under distributed environ-ment
The equations appearing in the algorithm are as follows(1) Heuristic information
120578119894119895
= 119891 (119909119894 119875119886 (119909
119894) cup 119909
119895) minus 119891 (119909
119894 119875119886 (119909
119894)) (1)
(2) Updating rule
120591119894119895
larr997888 (1 minus 120588) 120591119894119895
+ 120588Δ120591119894119895 (2)
The Scientific World Journal 3
Internet
Registrationcomponent
Treatment component
Estimation component
Monitor component
Member 1
Treatment component
Estimation component
Monitor component
Member i
Treatment component
Estimation component
Monitor component
Member n
middot middot middot middot middot middot
Figure 1 Model architecture
Estimation component i
Registration
Request
Reply
Registration
Request
Reply
Registrationcomponent
Communication
Bayesiannetwork i
Bayesiannetwork j
Estimation component j
Figure 2 Interactions among the components
in which
Δ120591119894119895
=
1
1003816100381610038161003816119891 (119866lowast 119863)
1003816100381610038161003816
if 119909119895
997888rarr 119909119894isin 119866lowast
120591119894119895
if 119909119895
997888rarr 119909119894notin 119866lowast
(3)
in the arc 119909119895
rarr 119909119894 120591119894119895is the pheromonersquos degree and 120588 (0 lt
120588 le 1) is a variable which can control the pheromone valueMoreover 119866
lowast is the BN structure suitable for the organiza-tionrsquos IS best
(3) Probabilistic transition
119903 119897 =
arg max119894119895isin119865119866
[120591119894119895]120572
[120578119894119895]120573
if 119902 le 1199020
119868 119869 if 119902 gt 1199020
(4)
in which 119868 and 119869 are two nodes chosen randomly based on thefollowing equation
119901119896
(119894 119895) =
[120591119894119895]120572
[120578119894119895]120573
sum119906Visin119865119866 [120591
119906V]120572[120578119906V]120573
if 119894 119895 isin 119865119866
0 otherwise
(5)
5 Case Study
In this section the proposedmodel is applied to a distributedenvironment which is composed of four associatedmemberswith interconnected IS two suppliers (S1 and S2) a manufac-turer (M1) and a downstream transporter (DT1)
Based on the algorithm presented in Section 4 wedevelop the BN for each associated member Taking M1 and
4 The Scientific World Journal
Input Set of allcandidate edgesOutput Bayesian network
(1) repeat(2) for 119896 = 1 tom do(3) for 119894 = 1 to n do 119875119886 (119909
119894) = 120601
(4) for 119894 = 1 and 119895 = 1 to 119899 do(5) if (119894 = 119895) then 120578
119894119895= 119891 (119909
119894 119909119895) minus 119891 (119909
119894 120601)
(6) end(7) repeat(8) Select two indexes 119894 and 119895 by using (4) and (5) and assign edge 119890
119894119895to 119866119896
(9) if (120578119894119895
gt 0) then 119875119886 (119909119894) = 119875119886 (119909
119894) cup 119909
119895
(10) 120578119894119895
= minusinfin(11) for all 119909
119886isin 119860119899119888119890119904119905119900119903119904 (119909
119895) cup 119909
119895 and 119909
119887isin 119863119890119904119888119890119899119889119886119899119905119904 (119909
119894) cup 119909
119894 do 120578
119886119887= minusinfin
(12) for 119896 = 1 to 119899 do(13) if (120578
119894119896gt minusinfin) then 120578
119894119895= 119891 (119909
119894 119875119886 (119909
119894) cup 119909
119896) minus 119891 (119909
119894 119875119886 (119909
119894))
(14) end(15) 120591
119894119895= (1 minus 120588) sdot 120591
119894119895+ 120588 sdot 120591
0
(16) until forall119894 119895 (120578119894119895
le 0 or 120578119894119895
= minusinfin)(17) end(18) 119866
119887= arg max
119896 1119898119891 (119866119896
119863)(19) if 119891 (119866
119887 119863) ge 119891 (119866
lowast 119863) then 119866
lowast= 119866119887
(20) Update pheromone according to (2) using f (Glowast D)(21) 119873iter ++(22) until 119873iter = 119873max(23) return Bayesian network with structure 119866
lowast
Algorithm 1 Bayesian network development algorithm
Table 2: BN information of M1.

| Node ID | Node name | State space | Parent nodes | Children nodes |
|---|---|---|---|---|
| M1_1 | Network access control | Effective, average, ineffective | Φ | M1_7 |
| M1_2 | Network security audit | Comprehensive, incomprehensive | Φ | M1_7 |
| M1_3 | Change management | Effective, average, ineffective | Φ | M1_9 |
| M1_4 | Supplier threat level | 0, 1, 2, 3, 4, 5 | Φ | M1_8 |
| M1_5 | Transporter threat level | 0, 1, 2, 3, 4, 5 | Φ | M1_8 |
| M1_6 | Operational procedures and responsibilities | Very standard, standard, non-standard | Φ | M1_9 |
| M1_7 | Network security | High, medium, low | M1_1, M1_2 | M1_10 |
| M1_8 | External systems security | High, medium, low | M1_4, M1_5 | M1_10 |
| M1_9 | Operation security | High, medium, low | M1_3, M1_6 | M1_10 |
| M1_10 | M1 threat level | 0, 1, 2, 3, 4, 5 | M1_7, M1_8, M1_9 | Φ |

Table 3: BN information of S1.

| Node ID | Node name | State space | Parent nodes | Children nodes |
|---|---|---|---|---|
| S1_1 | Communication secrecy | High, medium, low | Φ | S1_6 |
| S1_2 | Audit logging | Secure, average, insecure | Φ | S1_6 |
| S1_3 | Network access control | Effective, average, ineffective | Φ | S1_5 |
| S1_4 | Network security audit | Comprehensive, incomprehensive | Φ | S1_5 |
| S1_5 | Network security | High, medium, low | S1_3, S1_4 | S1_7 |
| S1_6 | Communication security | High, medium, low | S1_1, S1_2 | S1_7 |
| S1_7 | S1 threat level | 0, 1, 2, 3, 4, 5 | S1_5, S1_6 | Φ |
[Figure 3: BN structures of M1 and S1, with a link labelled "Information sharing" between the two networks.]

[Figure 4: Security manager interface.]
S1, for example, their information of BN nodes is given in Tables 2 and 3, and their BN structures are shown in Figure 3.

The manager interface of our proposed model is shown in Figure 4, in which the security manager can specify the BN for each associated organization.

Once new evidence is obtained through the monitor components, the estimation component is able to make the BN modify its own belief (the probability distribution on the risk-level variable) in real time and exchange the updated beliefs about the security state with the other associated members.
6 Conclusions

In order to effectively manage information systems (IS) security in a distributed environment, a cooperative model based on Bayesian networks is presented and illustrated in this paper. We contribute to the IS security literature by supporting the exchange of security information among interconnected IS. Furthermore, for the modelling of the IS security environment, an algorithm based on ant colony optimization helps to predict the IS threat level more objectively. The model proposed in this paper has great potential for future extensions and refinements to provide more utility for the management of IS security.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

The research was supported by the National Natural Science Foundation of China (nos. 70901054 and 71271149) and the Program for New Century Excellent Talents in University (NCET). It was also supported by the China Postdoctoral Science Foundation funded Project (no. 2012M520025). The authors are very grateful to all anonymous reviewers whose invaluable comments and suggestions substantially helped improve the quality of this paper.
[Figure 1: Model architecture. A registration component and members 1 to n, each with a monitor component, an estimation component and a treatment component, connected over the Internet.]

[Figure 2: Interactions among the components. Estimation components i and j, each with its Bayesian network, and the registration component; arrows labelled Registration, Request, Reply and Communication.]
in which

$$\Delta\tau_{ij} = \begin{cases} \dfrac{1}{\left| f(G^{*} : D) \right|} & \text{if } x_j \rightarrow x_i \in G^{*} \\ \tau_{ij} & \text{if } x_j \rightarrow x_i \notin G^{*} \end{cases} \quad (3)$$

In the arc $x_j \rightarrow x_i$, $\tau_{ij}$ is the pheromone's degree and $\rho$ ($0 < \rho \le 1$) is a variable which can control the pheromone value. Moreover, $G^{*}$ is the BN structure most suitable for the organization's IS.

(3) Probabilistic transition:

$$r, l = \begin{cases} \arg\max_{i,j \in F_G} [\tau_{ij}]^{\alpha} [\eta_{ij}]^{\beta} & \text{if } q \le q_0 \\ I, J & \text{if } q > q_0 \end{cases} \quad (4)$$

in which $I$ and $J$ are two nodes chosen randomly based on the following equation:

$$p_k(i, j) = \begin{cases} \dfrac{[\tau_{ij}]^{\alpha} [\eta_{ij}]^{\beta}}{\sum_{u,v \in F_G} [\tau_{uv}]^{\alpha} [\eta_{uv}]^{\beta}} & \text{if } i, j \in F_G \\ 0 & \text{otherwise} \end{cases} \quad (5)$$
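The construction phase that Algorithm 1 runs for each ant, using the transition rule of (4) and (5) and the local pheromone update of step (15), written out as an added Python example (it is not code from the paper). The BIC local score standing in for f, the choice of F_G as the arcs with positive gain, the default parameter values and the constructed data set are assumptions of this example.

```python
import math
import random

NEG_INF = float("-inf")

# Constructed sample data (not from the paper): x1 copies x0, x2 is independent.
DATA = [(a, a, c) for a in (0, 1) for c in (0, 1)] * 10


def local_score(data, i, parents):
    """f(x_i, Pa(x_i)): BIC local score, an assumed stand-in for the paper's metric."""
    parents = sorted(parents)
    counts = {}
    for row in data:
        cfg = tuple(row[p] for p in parents)
        counts.setdefault(cfg, {}).setdefault(row[i], 0)
        counts[cfg][row[i]] += 1
    loglik = sum(n * math.log(n / sum(c.values()))
                 for c in counts.values() for n in c.values())
    r = len({row[i] for row in data})                      # states of x_i
    q = math.prod(len({row[p] for row in data}) for p in parents)
    return loglik - 0.5 * math.log(len(data)) * (r - 1) * q


def candidates(eta):
    """F_G, taken here (assumption) as the arcs x_j -> x_i with positive gain."""
    n = len(eta)
    return [(i, j) for i in range(n) for j in range(n) if eta[i][j] > 0]


def transition_probs(tau, eta, alpha, beta):
    """Eq. (5): p(i, j) proportional to tau_ij^alpha * eta_ij^beta over F_G."""
    w = {(i, j): tau[i][j] ** alpha * eta[i][j] ** beta
         for i, j in candidates(eta)}
    total = sum(w.values())
    return {arc: v / total for arc, v in w.items()}


def select_arc(tau, eta, alpha, beta, q0, rng):
    """Eq. (4): exploit the best arc if q <= q0, otherwise sample from eq. (5)."""
    probs = transition_probs(tau, eta, alpha, beta)
    if rng.random() <= q0:
        return max(probs, key=probs.get)
    arcs = list(probs)
    return rng.choices(arcs, weights=[probs[a] for a in arcs])[0]


def reachable(start, neighbours):
    """start plus every node reachable from it through neighbours[...]."""
    seen, stack = {start}, [start]
    while stack:
        for nxt in neighbours[stack.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def build_structure(data, n, alpha=1.0, beta=2.0, q0=0.8, rho=0.4,
                    tau0=1.0, seed=0):
    """One ant's construction phase, steps (3) to (16) of Algorithm 1."""
    rng = random.Random(seed)
    parents = [set() for _ in range(n)]
    children = [set() for _ in range(n)]
    tau = [[tau0] * n for _ in range(n)]
    # eta[i][j] is the score gain of adding the arc x_j -> x_i.
    eta = [[NEG_INF if i == j else
            local_score(data, i, {j}) - local_score(data, i, set())
            for j in range(n)] for i in range(n)]
    while candidates(eta):             # step (16): stop when no gain is left
        i, j = select_arc(tau, eta, alpha, beta, q0, rng)
        parents[i].add(j)
        children[j].add(i)
        eta[i][j] = NEG_INF
        # Step (11): forbid every arc x_b -> x_a that would close a cycle.
        for a in reachable(j, parents):
            for b in reachable(i, children):
                eta[a][b] = NEG_INF
        # Steps (12)-(13): refresh the gains of the remaining arcs into x_i.
        base = local_score(data, i, parents[i])
        for k in range(n):
            if eta[i][k] > NEG_INF:
                eta[i][k] = local_score(data, i, parents[i] | {k}) - base
        # Step (15): local pheromone update.
        tau[i][j] = (1 - rho) * tau[i][j] + rho * tau0
    return parents, tau
```

On the constructed data the ant links x0 and x1 with a single arc and leaves x2 without parents, because the BIC penalty makes every arc touching x2 a net loss.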
5 Case Study
In this section, the proposed model is applied to a distributed environment composed of four associated members with interconnected IS: two suppliers (S1 and S2), a manufacturer (M1), and a downstream transporter (DT1).

Based on the algorithm presented in Section 4, we develop the BN for each associated member. Taking M1 and
4 The Scientific World Journal
Input Set of allcandidate edgesOutput Bayesian network
(1) repeat(2) for 119896 = 1 tom do(3) for 119894 = 1 to n do 119875119886 (119909
119894) = 120601
(4) for 119894 = 1 and 119895 = 1 to 119899 do(5) if (119894 = 119895) then 120578
119894119895= 119891 (119909
119894 119909119895) minus 119891 (119909
119894 120601)
(6) end(7) repeat(8) Select two indexes 119894 and 119895 by using (4) and (5) and assign edge 119890
119894119895to 119866119896
(9) if (120578119894119895
gt 0) then 119875119886 (119909119894) = 119875119886 (119909
119894) cup 119909
119895
(10) 120578119894119895
= minusinfin(11) for all 119909
119886isin 119860119899119888119890119904119905119900119903119904 (119909
119895) cup 119909
119895 and 119909
119887isin 119863119890119904119888119890119899119889119886119899119905119904 (119909
119894) cup 119909
119894 do 120578
119886119887= minusinfin
(12) for 119896 = 1 to 119899 do(13) if (120578
119894119896gt minusinfin) then 120578
119894119895= 119891 (119909
119894 119875119886 (119909
119894) cup 119909
119896) minus 119891 (119909
119894 119875119886 (119909
119894))
(14) end(15) 120591
119894119895= (1 minus 120588) sdot 120591
119894119895+ 120588 sdot 120591
0
(16) until forall119894 119895 (120578119894119895
le 0 or 120578119894119895
= minusinfin)(17) end(18) 119866
119887= arg max
119896 1119898119891 (119866119896
119863)(19) if 119891 (119866
119887 119863) ge 119891 (119866
lowast 119863) then 119866
lowast= 119866119887
(20) Update pheromone according to (2) using f (Glowast D)(21) 119873iter ++(22) until 119873iter = 119873max(23) return Bayesian network with structure 119866
lowast
Algorithm 1 Bayesian network development algorithm
Table 2 BN information of M1
Node ID Node name State space Parent nodes Children nodesM1 1 Network access control Effective average ineffective Φ M1 7
M1 2 Network security audit Comprehensive incomprehensive Φ M1 7
M1 3 Change management Effective average ineffective Φ M1 9
M1 4 Supplier threat level 0 1 2 3 4 5 Φ M1 8
M1 5 Transporter threat level 0 1 2 3 4 5 Φ M1 8
M1 6 Operational procedures and responsibilities Very standard standard non-standard Φ M1 9
M1 7 Network security High medium low M1 1 M1 2 M1 10
M1 8 External systems security High medium low M1 4 M1 5 M1 10
M1 9 Operation security High medium low M1 3 M1 6 M1 10
M1 10 M1 threat level 0 1 2 3 4 5 M1 7 M1 8 M1 9 Φ
Table 3 BN information of S1
Node ID Node name State space Parent nodes Children nodesS1 1 Communication secrecy High medium low Φ S1 6
S1 2 Audit logging Secure average insecure Φ S1 6
S1 3 Network access control Effective average ineffective Φ S1 5S1 4 Network security audit Comprehensive incomprehensive Φ S1 5S1 5 Network security High medium low S1 3 S1 4 S1 7
S1 6 Communication security High medium low S1 1 S1 2 S1 7
S1 7 S1 threat level 0 1 2 3 4 5 S1 5 S1 6 Φ
The Scientific World Journal 5
Information sharing
M1 1
M1 2 M1 4 M1 5
M1 8
M1 7
M1 9
M1 3 M1 6
S1 3 S1 4 S1 1 S1 2
S1 6S1 5
S1 7
M1_10
Figure 3 BN structures of M1 and S1
Figure 4 Security manager interface
S1 for example their information of BN nodes is given inTables 2 and 3 and their BN structures are shown in Figure 3
Themanager interface of our proposedmodel is shown inFigure 4 in which the security manager can specify the BNfor each associated organization
Once the new evidence is obtained through the monitorcomponents the estimation component is able to make theBNmodify its own belief (probability distribution on variableof risk level) in real time and exchange the update of beliefs ofthe security state with other associated members
6 Conclusions
In a distributed environment in order to effectively manageinformation systems (IS) security a cooperative model based
on Bayesian networks is presented and illustrated in thispaper We contribute to the IS security literature by support-ing the exchange of security information among intercon-nected IS Furthermore for themodelling of IS security envir-onment an algorithm based on ant colony optimization facil-itates to predict IS threat level more objectively The modelproposed in this paper has great potential for future exten-sions and refinements to providemore utility for themanage-ment of IS security
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
6 The Scientific World Journal
Acknowledgments
The research was supported by the National Natural ScienceFoundation of China (nos 70901054 and 71271149) and theProgram for New Century Excellent Talents in University(NCET) It was also supported by the China PostdoctoralScience Foundation funded Project (no 2012M520025) Theauthors are very grateful to all anonymous reviewers whoseinvaluable comments and suggestions substantially helpedimprove the quality of this paper
References
[1] I A Tsoukalas and P D Siozos ldquoPrivacy and anonymity in theinformation societymdashchallenges for the european unionrdquo The-ScientificWorldJournal vol 11 pp 458ndash462 2011
[2] Y Zhang XDengDWei andYDeng ldquoAssessment of E-Com-merce security using AHP and evidential reasoningrdquo ExpertSystems with Applications vol 39 no 3 pp 3611ndash3623 2012
[3] S Ransbotham and S Mitra ldquoChoice and chance a conceptualmodel of paths to information security compromiserdquo Informa-tion Systems Research vol 20 no 1 pp 121ndash139 2009
[4] B Bulgurcu H Cavusoglu and I Benbasat ldquoInformation secu-rity policy compliance an empirical study of rationality-basedbeliefs and information security awarenessrdquoMISQuarterly vol34 no 3 pp 523ndash548 2010
[5] E Gal-Or and A Chose ldquoThe economic incentives for sharingsecurity informationrdquo Information Systems Research vol 16 no2 pp 186ndash208 2005
[6] C-F Fan and Y-C Yu ldquoBBN-based software project risk man-agementrdquo Journal of Systems and Software vol 73 no 2 pp 193ndash203 2004
[7] L Sun R P Srivastava and T J Mock ldquoAn information systemssecurity risk assessment model under the Dempster-Shafer the-ory of belief functionsrdquo Journal ofManagement Information Sys-tems vol 22 no 4 pp 109ndash142 2006
[8] W T Yue M Cakanyildirim Y U Ryu and D Liu ldquoNetworkexternalities layered protection and IT security risk manage-mentrdquo Decision Support Systems vol 44 no 1 pp 1ndash16 2007
[9] R Di Pietro and L V Mancini ldquoSecurity and privacy issues ofhandheld and wearable wireless devicesrdquo Communications ofthe ACM vol 46 no 9 pp 74ndash79 2003
[10] P Ning Y Cui D S Reeves and D Xu ldquoTechniques and toolsfor analyzing intrusion alertsrdquo ACM Transactions on Informa-tion and System Security vol 7 no 2 pp 274ndash318 2004
[11] R Sarathy and K Muralidhar ldquoThe security of confidentialnumerical data in databasesrdquo Information Systems Research vol13 no 4 pp 389ndash403 2002
[12] N Li and M V Tripunitara ldquoSecurity analysis in role-basedaccess controlrdquo ACM Transactions on Information and SystemSecurity vol 9 no 4 pp 391ndash420 2006
[13] S Rinderle-Ma andM Reichert ldquoComprehensive life cycle sup-port for access rules in information systems the CEOSIS pro-jectrdquo Enterprise Information Systems vol 3 no 3 pp 219ndash2512009
[14] L A Gordon and M P Loeb ldquoThe economics of informationsecurity investmentrdquo ACM Transactions on Information andSystem Security vol 5 no 4 pp 438ndash457 2002
[15] H S B Herath and T C Herath ldquoInvestments in informationsecurity a real options perspective with Bayesian postauditrdquo
Journal of Management Information Systems vol 25 no 3 pp337ndash375 2009
[16] K Kannan and R Telang ldquoMarket for software vulnerabilitiesThink againrdquo Management Science vol 51 no 5 pp 726ndash7402005
[17] M N Azaiez and V M Bier ldquoOptimal resource allocation forsecurity in reliability systemsrdquo European Journal of OperationalResearch vol 181 no 2 pp 773ndash786 2007
[18] H Cavusoglu B Mishra and S Raghunathan ldquoThe effect ofinternet security breach announcements on market value cap-ital market reactions for breached firms and internet securitydevelopersrdquo International Journal of Electronic Commerce vol9 no 1 pp 69ndash104 2004
[19] N Feng andM Li ldquoAn information systems security risk assess-ment model under uncertain environmentrdquo Applied Soft Com-puting Journal vol 11 no 7 pp 4332ndash4340 2011
[20] N Feng H J Wang and M Li ldquoA security risk analysis modelfor information systems causal relationships of risk factors andvulnerability propagation analysisrdquo Information Sciences vol256 pp 57ndash73 2014
[21] Q Yan ldquoA security evaluation approach for information systemsin telecommunication enterprisesrdquo Enterprise Information Sys-tems vol 2 no 3 pp 309ndash324 2008
[22] P-Y Chen G Kataria and R Krishnan ldquoCorrelated failuresdiversification and information security risk managementrdquoMIS Quarterly vol 35 no 2 pp 397ndash422 2011
[23] J Pearl Probabilistic Reasoning in Intelligent Systems Networksof Plausible Inference Morgan-Kaufmann Publishers SanMateo Calif USA 1998
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
4 The Scientific World Journal
Input Set of allcandidate edgesOutput Bayesian network
(1) repeat(2) for 119896 = 1 tom do(3) for 119894 = 1 to n do 119875119886 (119909
119894) = 120601
(4) for 119894 = 1 and 119895 = 1 to 119899 do(5) if (119894 = 119895) then 120578
119894119895= 119891 (119909
119894 119909119895) minus 119891 (119909
119894 120601)
(6) end(7) repeat(8) Select two indexes 119894 and 119895 by using (4) and (5) and assign edge 119890
119894119895to 119866119896
(9) if (120578119894119895
gt 0) then 119875119886 (119909119894) = 119875119886 (119909
119894) cup 119909
119895
(10) 120578119894119895
= minusinfin(11) for all 119909
119886isin 119860119899119888119890119904119905119900119903119904 (119909
119895) cup 119909
119895 and 119909
119887isin 119863119890119904119888119890119899119889119886119899119905119904 (119909
119894) cup 119909
119894 do 120578
119886119887= minusinfin
(12) for 119896 = 1 to 119899 do(13) if (120578
119894119896gt minusinfin) then 120578
119894119895= 119891 (119909
119894 119875119886 (119909
119894) cup 119909
119896) minus 119891 (119909
119894 119875119886 (119909
119894))
(14) end(15) 120591
119894119895= (1 minus 120588) sdot 120591
119894119895+ 120588 sdot 120591
0
(16) until forall119894 119895 (120578119894119895
le 0 or 120578119894119895
= minusinfin)(17) end(18) 119866
119887= arg max
119896 1119898119891 (119866119896
119863)(19) if 119891 (119866
119887 119863) ge 119891 (119866
lowast 119863) then 119866
lowast= 119866119887
(20) Update pheromone according to (2) using f (Glowast D)(21) 119873iter ++(22) until 119873iter = 119873max(23) return Bayesian network with structure 119866
lowast
Algorithm 1 Bayesian network development algorithm
Table 2 BN information of M1
Node ID Node name State space Parent nodes Children nodesM1 1 Network access control Effective average ineffective Φ M1 7
M1 2 Network security audit Comprehensive incomprehensive Φ M1 7
M1 3 Change management Effective average ineffective Φ M1 9
M1 4 Supplier threat level 0 1 2 3 4 5 Φ M1 8
M1 5 Transporter threat level 0 1 2 3 4 5 Φ M1 8
M1 6 Operational procedures and responsibilities Very standard standard non-standard Φ M1 9
M1 7 Network security High medium low M1 1 M1 2 M1 10
M1 8 External systems security High medium low M1 4 M1 5 M1 10
M1 9 Operation security High medium low M1 3 M1 6 M1 10
M1 10 M1 threat level 0 1 2 3 4 5 M1 7 M1 8 M1 9 Φ
Table 3 BN information of S1
Node ID Node name State space Parent nodes Children nodesS1 1 Communication secrecy High medium low Φ S1 6
S1 2 Audit logging Secure average insecure Φ S1 6
S1 3 Network access control Effective average ineffective Φ S1 5S1 4 Network security audit Comprehensive incomprehensive Φ S1 5S1 5 Network security High medium low S1 3 S1 4 S1 7
S1 6 Communication security High medium low S1 1 S1 2 S1 7
S1 7 S1 threat level 0 1 2 3 4 5 S1 5 S1 6 Φ
The Scientific World Journal 5
Information sharing
M1 1
M1 2 M1 4 M1 5
M1 8
M1 7
M1 9
M1 3 M1 6
S1 3 S1 4 S1 1 S1 2
S1 6S1 5
S1 7
M1_10
Figure 3 BN structures of M1 and S1
Figure 4 Security manager interface
S1 for example their information of BN nodes is given inTables 2 and 3 and their BN structures are shown in Figure 3
Themanager interface of our proposedmodel is shown inFigure 4 in which the security manager can specify the BNfor each associated organization
Once the new evidence is obtained through the monitorcomponents the estimation component is able to make theBNmodify its own belief (probability distribution on variableof risk level) in real time and exchange the update of beliefs ofthe security state with other associated members
6 Conclusions
In a distributed environment in order to effectively manageinformation systems (IS) security a cooperative model based
on Bayesian networks is presented and illustrated in thispaper We contribute to the IS security literature by support-ing the exchange of security information among intercon-nected IS Furthermore for themodelling of IS security envir-onment an algorithm based on ant colony optimization facil-itates to predict IS threat level more objectively The modelproposed in this paper has great potential for future exten-sions and refinements to providemore utility for themanage-ment of IS security
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
6 The Scientific World Journal
Acknowledgments
The research was supported by the National Natural ScienceFoundation of China (nos 70901054 and 71271149) and theProgram for New Century Excellent Talents in University(NCET) It was also supported by the China PostdoctoralScience Foundation funded Project (no 2012M520025) Theauthors are very grateful to all anonymous reviewers whoseinvaluable comments and suggestions substantially helpedimprove the quality of this paper
References
[1] I A Tsoukalas and P D Siozos ldquoPrivacy and anonymity in theinformation societymdashchallenges for the european unionrdquo The-ScientificWorldJournal vol 11 pp 458ndash462 2011
[2] Y Zhang XDengDWei andYDeng ldquoAssessment of E-Com-merce security using AHP and evidential reasoningrdquo ExpertSystems with Applications vol 39 no 3 pp 3611ndash3623 2012
[3] S Ransbotham and S Mitra ldquoChoice and chance a conceptualmodel of paths to information security compromiserdquo Informa-tion Systems Research vol 20 no 1 pp 121ndash139 2009
[4] B Bulgurcu H Cavusoglu and I Benbasat ldquoInformation secu-rity policy compliance an empirical study of rationality-basedbeliefs and information security awarenessrdquoMISQuarterly vol34 no 3 pp 523ndash548 2010
[5] E Gal-Or and A Chose ldquoThe economic incentives for sharingsecurity informationrdquo Information Systems Research vol 16 no2 pp 186ndash208 2005
[6] C-F Fan and Y-C Yu ldquoBBN-based software project risk man-agementrdquo Journal of Systems and Software vol 73 no 2 pp 193ndash203 2004
[7] L Sun R P Srivastava and T J Mock ldquoAn information systemssecurity risk assessment model under the Dempster-Shafer the-ory of belief functionsrdquo Journal ofManagement Information Sys-tems vol 22 no 4 pp 109ndash142 2006
[8] W T Yue M Cakanyildirim Y U Ryu and D Liu ldquoNetworkexternalities layered protection and IT security risk manage-mentrdquo Decision Support Systems vol 44 no 1 pp 1ndash16 2007
[9] R Di Pietro and L V Mancini ldquoSecurity and privacy issues ofhandheld and wearable wireless devicesrdquo Communications ofthe ACM vol 46 no 9 pp 74ndash79 2003
[10] P Ning Y Cui D S Reeves and D Xu ldquoTechniques and toolsfor analyzing intrusion alertsrdquo ACM Transactions on Informa-tion and System Security vol 7 no 2 pp 274ndash318 2004
[11] R Sarathy and K Muralidhar ldquoThe security of confidentialnumerical data in databasesrdquo Information Systems Research vol13 no 4 pp 389ndash403 2002
[12] N Li and M V Tripunitara ldquoSecurity analysis in role-basedaccess controlrdquo ACM Transactions on Information and SystemSecurity vol 9 no 4 pp 391ndash420 2006
[13] S Rinderle-Ma andM Reichert ldquoComprehensive life cycle sup-port for access rules in information systems the CEOSIS pro-jectrdquo Enterprise Information Systems vol 3 no 3 pp 219ndash2512009
[14] L A Gordon and M P Loeb ldquoThe economics of informationsecurity investmentrdquo ACM Transactions on Information andSystem Security vol 5 no 4 pp 438ndash457 2002
[15] H S B Herath and T C Herath ldquoInvestments in informationsecurity a real options perspective with Bayesian postauditrdquo
Journal of Management Information Systems vol 25 no 3 pp337ndash375 2009
[16] K Kannan and R Telang ldquoMarket for software vulnerabilitiesThink againrdquo Management Science vol 51 no 5 pp 726ndash7402005
[17] M N Azaiez and V M Bier ldquoOptimal resource allocation forsecurity in reliability systemsrdquo European Journal of OperationalResearch vol 181 no 2 pp 773ndash786 2007
[18] H Cavusoglu B Mishra and S Raghunathan ldquoThe effect ofinternet security breach announcements on market value cap-ital market reactions for breached firms and internet securitydevelopersrdquo International Journal of Electronic Commerce vol9 no 1 pp 69ndash104 2004
[19] N Feng andM Li ldquoAn information systems security risk assess-ment model under uncertain environmentrdquo Applied Soft Com-puting Journal vol 11 no 7 pp 4332ndash4340 2011
[20] N Feng H J Wang and M Li ldquoA security risk analysis modelfor information systems causal relationships of risk factors andvulnerability propagation analysisrdquo Information Sciences vol256 pp 57ndash73 2014
[21] Q Yan ldquoA security evaluation approach for information systemsin telecommunication enterprisesrdquo Enterprise Information Sys-tems vol 2 no 3 pp 309ndash324 2008
[22] P-Y Chen G Kataria and R Krishnan ldquoCorrelated failuresdiversification and information security risk managementrdquoMIS Quarterly vol 35 no 2 pp 397ndash422 2011
[23] J Pearl Probabilistic Reasoning in Intelligent Systems Networksof Plausible Inference Morgan-Kaufmann Publishers SanMateo Calif USA 1998
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Figure 3: BN structures of M1 and S1 (nodes M1_1 to M1_10 and S1_1 to S1_7; label: Information sharing).
Figure 4: Security manager interface.
S1, for example, their information of BN nodes is given in Tables 2 and 3, and their BN structures are shown in Figure 3.
The manager interface of our proposed model is shown in Figure 4, in which the security manager can specify the BN for each associated organization.
Once new evidence is obtained through the monitor components, the estimation component makes the BN modify its own belief (the probability distribution on the risk-level variable) in real time and exchanges the updated beliefs about the security state with the other associated members.
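The update-and-exchange step described above can be sketched as follows. This is an added example, not code or data from the paper: M1 and S1 are the page's organization names, but the two small networks, their node states and every probability are constructed for illustration, and S1 is assumed to treat M1's risk level as a root node of its own BN.

```python
# Added illustration; every probability below is constructed, not taken from the paper.

def posterior(prior, likelihood, observed):
    """Bayes' rule: P(state | observed) from P(state) and P(observed | state)."""
    joint = {s: prior[s] * likelihood[s][observed] for s in prior}
    z = sum(joint.values())
    if z == 0:
        raise ValueError("evidence has zero probability under the model")
    return {s: p / z for s, p in joint.items()}

def marginal(parent_belief, cpt):
    """P(child) = sum over parent states of P(child | parent) * P(parent)."""
    children = next(iter(cpt.values()))
    return {c: sum(parent_belief[p] * cpt[p][c] for p in parent_belief)
            for c in children}

# M1's network (assumed): threat -> monitor alert, threat -> risk level.
M1_THREAT = {"attack": 0.1, "none": 0.9}
M1_ALERT = {"attack": {"alert": 0.8, "quiet": 0.2},
            "none": {"alert": 0.1, "quiet": 0.9}}
M1_RISK = {"attack": {"low": 0.1, "medium": 0.3, "high": 0.6},
           "none": {"low": 0.7, "medium": 0.25, "high": 0.05}}

# S1's network (assumed): M1's risk level is a root node that drives S1's threat.
S1_THREAT = {"low": {"attack": 0.05, "none": 0.95},
             "medium": {"attack": 0.15, "none": 0.85},
             "high": {"attack": 0.40, "none": 0.60}}
S1_RISK = {"attack": {"low": 0.2, "medium": 0.3, "high": 0.5},
           "none": {"low": 0.8, "medium": 0.15, "high": 0.05}}

def m1_risk_belief(observed=None):
    """M1's belief over its risk level, before or after monitor evidence."""
    threat = M1_THREAT if observed is None else posterior(M1_THREAT, M1_ALERT, observed)
    return marginal(threat, M1_RISK)

def s1_risk_belief(shared):
    """S1 replaces its prior on the shared node with the belief M1 sent."""
    # Validate partner input before it touches local inference.
    if set(shared) != set(S1_THREAT):
        raise ValueError("unexpected states in shared belief")
    if any(p < 0 for p in shared.values()) or abs(sum(shared.values()) - 1) > 1e-9:
        raise ValueError("shared belief is not a probability distribution")
    return marginal(marginal(shared, S1_THREAT), S1_RISK)

if __name__ == "__main__":
    before = s1_risk_belief(m1_risk_belief())
    after = s1_risk_belief(m1_risk_belief("alert"))
    print("S1 P(high) before:", round(before["high"], 4))
    print("S1 P(high) after M1 alert:", round(after["high"], 4))
```

With these constructed numbers, an alert at M1 raises M1's own P(high) from 0.105 to about 0.309, and the shared belief raises S1's P(high) from about 0.101 to about 0.133 without S1 observing anything locally.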
6 Conclusions
To manage information systems (IS) security effectively in a distributed environment, a cooperative model based on Bayesian networks is presented and illustrated in this paper. We contribute to the IS security literature by supporting the exchange of security information among interconnected IS. Furthermore, for the modelling of the IS security environment, an algorithm based on ant colony optimization helps predict the IS threat level more objectively. The model proposed in this paper has great potential for future extensions and refinements to provide more utility for the management of IS security.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgments
The research was supported by the National Natural Science Foundation of China (nos. 70901054 and 71271149) and the Program for New Century Excellent Talents in University (NCET). It was also supported by the China Postdoctoral Science Foundation funded Project (no. 2012M520025). The authors are very grateful to all anonymous reviewers, whose invaluable comments and suggestions substantially helped improve the quality of this paper.