Software-Related Information Security Risk Assessment of a Research Information System Using a Hybrid Method of Fuzzy Failure Mode and Effects Analysis and Fuzzy Multi-Criteria Decision Making

Article type: Research article

Authors

1 MSc student, Department of Industrial Engineering, Islamic Azad University, Najafabad, Isfahan

2 Faculty member, Iranian Research Institute for Information Science and Technology (IranDoc)

3 Faculty of Industrial Engineering, Malek Ashtar University of Technology, Isfahan, Iran

Abstract

Today, as the use of computers in information systems has spread, the variety of information security risks has grown and managing such risks has received more attention than ever. Given the importance of information security in online research information systems, which are the main sources for future research, this study applies a hybrid model combining fuzzy logic, the FMEA tool and the AHP and TOPSIS decision-making methods to assess and optimally prioritize the information security risks of an online research information system in Iran. Introducing fuzzy logic into traditional FMEA makes the scores clearer and more precise to evaluate; the fuzzy AHP and TOPSIS methods are then used first to measure the weights of the FMEA criteria and then, by computing a closeness coefficient, to prioritize the identified potential risks. Applying this model to identify, assess and prioritize the potential risks of the studied system in three main areas (confidentiality, availability and integrity of information) shows that, in the judgement of the system's experts, the risks related to unauthorized access to information and to information that is not correct and integrated rank highest.

Keywords


Title [English]

Information Security Software Risk Analysis of Research Information Using Hybrid Approach of Fuzzy Failure Mode and Effect Analysis and Fuzzy Multi Criteria Decision Making

Authors [English]

  • Mehrdad Forouzandeh 1
  • Mohammad Javad Ershadi 2
  • Mahdi Karbasian 3
1 Department of Industrial Engineering, Najafabad Branch, Islamic Azad University, Najafabad, Iran
2 Department of Industrial Engineering, Najafabad Branch, Islamic Azad University, Najafabad, Iran; Engineering Department, Iranian Research Institute for Information Science and Technology, Tehran, Iran
3 Industrial Engineering Department, Shahin Shahr Branch, Malek-Ashtar University of Technology, Shahin Shahr, Iran
Abstract [English]

Nowadays, the extensive use of computers, networks and the internet in information systems has increased the diversity of information security risks, so the management of these risks has received increasing attention. Given the importance of information security in online research information systems, which are the main sources of future research, this study applies a hybrid of fuzzy Failure Mode and Effects Analysis (FMEA), the Analytic Hierarchy Process (AHP) and the Technique for Order of Preference by Similarity to Ideal Solution (TOPSIS) to identify, assess and optimally prioritize an organization's information security risks. Fuzzy logic makes the ratings more accurate and more transparent; combining AHP and TOPSIS measures the weights of the FMEA criteria, and computing a closeness coefficient for each risk prioritizes them. Applying this model to identify and assess the potential risks of the studied system in three main areas, confidentiality, availability and integrity of information, shows that the risks related to unauthorized access to information and to incorrect and non-integrated information have the highest priority in the judgement of the organization's experts.
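The abstract describes a three-stage pipeline (fuzzy FMEA ratings, fuzzy AHP criterion weights, fuzzy TOPSIS closeness coefficients) without showing the arithmetic. The following is an added worked example written for this page; it is not the paper's code or data. It assumes Buckley's geometric-mean variant of fuzzy AHP, Chen's fuzzy TOPSIS with the ideal solutions (1,1,1) and (0,0,0) and the vertex distance, and centroid defuzzification; the abstract does not say which variants the authors used. The four failure modes, the two experts' linguistic ratings and the pairwise comparison of Severity, Occurrence and Detection are all constructed for illustration. A classic RPN (S x O x D with equal weights) is computed alongside to show how criterion weighting can change the priority order.

```python
"""
Added worked example: fuzzy FMEA -> fuzzy AHP weights -> fuzzy TOPSIS ranking.
Not the paper's code. Assumptions: Buckley geometric-mean fuzzy AHP, Chen fuzzy
TOPSIS (FPIS (1,1,1), FNIS (0,0,0), vertex distance), centroid defuzzification.
All risks, expert ratings and pairwise judgements below are constructed.
"""
from math import prod, sqrt

CRITERIA = ("S", "O", "D")  # Severity, Occurrence, Detection; higher = riskier for all three

# Linguistic scale as triangular fuzzy numbers (l, m, u) on a 1..9 scale.
SCALE = {"VL": (1, 1, 3), "L": (1, 3, 5), "M": (3, 5, 7), "H": (5, 7, 9), "VH": (7, 9, 9)}

# Constructed failure modes of an online research information system, each rated
# (S, O, D) by two hypothetical experts.
RISKS = {
    "R1 unauthorized access to research records": [("VH", "H", "H"), ("VH", "M", "H")],
    "R2 corrupted or inconsistent records":       [("H", "H", "VH"), ("H", "H", "H")],
    "R3 outage of the online service":            [("M", "M", "L"), ("H", "M", "L")],
    "R4 loss of backup copies":                   [("M", "L", "M"), ("M", "L", "M")],
}

# Constructed fuzzy pairwise comparison of the criteria (rows/columns in CRITERIA order):
# severity judged moderately more important (2, 3, 4) than occurrence and detection.
PAIRWISE = [
    [(1, 1, 1), (2, 3, 4), (2, 3, 4)],
    [(1 / 4, 1 / 3, 1 / 2), (1, 1, 1), (1, 1, 1)],
    [(1 / 4, 1 / 3, 1 / 2), (1, 1, 1), (1, 1, 1)],
]


def tfn_mean(tfns):
    """Component-wise mean of triangular fuzzy numbers (aggregates the experts)."""
    return tuple(sum(t[k] for t in tfns) / len(tfns) for k in range(3))


def centroid(t):
    """Crisp value of a TFN by centre of area."""
    return sum(t) / 3


def vertex_distance(a, b):
    """Distance between two TFNs (vertex method)."""
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)) / 3)


def aggregate_ratings():
    """Risk -> {criterion: aggregated TFN rating}."""
    return {
        risk: {c: tfn_mean([SCALE[e[j]] for e in experts]) for j, c in enumerate(CRITERIA)}
        for risk, experts in RISKS.items()
    }


def fuzzy_ahp_weights(matrix=PAIRWISE):
    """Buckley's geometric-mean fuzzy AHP: criterion -> fuzzy weight (l, m, u)."""
    n = len(matrix)
    geo = [tuple(prod(t[k] for t in row) ** (1 / n) for k in range(3)) for row in matrix]
    l_sum, m_sum, u_sum = (sum(g[k] for g in geo) for k in range(3))
    # Fuzzy division (l, m, u) / (l_sum, m_sum, u_sum) = (l/u_sum, m/m_sum, u/l_sum)
    return {c: (g[0] / u_sum, g[1] / m_sum, g[2] / l_sum) for c, g in zip(CRITERIA, geo)}


def crisp_weights():
    """Defuzzified, normalized criterion weights (for reporting and sanity checks)."""
    w = {c: centroid(t) for c, t in fuzzy_ahp_weights().items()}
    total = sum(w.values())
    return {c: v / total for c, v in w.items()}


def fuzzy_topsis_cc(ratings=None, weights=None):
    """Risk -> closeness coefficient; values near 1 are closest to the 'worst risk' ideal."""
    ratings = ratings or aggregate_ratings()
    weights = weights or fuzzy_ahp_weights()
    # Linear normalization per criterion by the largest upper bound; all criteria are
    # "higher is riskier", so they are treated as benefit criteria of the risk ranking.
    u_star = {c: max(r[c][2] for r in ratings.values()) for c in CRITERIA}
    fpis, fnis = (1.0, 1.0, 1.0), (0.0, 0.0, 0.0)
    cc = {}
    for risk, r in ratings.items():
        d_plus = d_minus = 0.0
        for c in CRITERIA:
            norm = tuple(x / u_star[c] for x in r[c])
            v = tuple(x * y for x, y in zip(norm, weights[c]))  # weighted normalized TFN
            d_plus += vertex_distance(v, fpis)
            d_minus += vertex_distance(v, fnis)
        cc[risk] = d_minus / (d_plus + d_minus)
    return cc


def ranked_risks():
    """Risks ordered from highest to lowest priority by closeness coefficient."""
    cc = fuzzy_topsis_cc()
    return sorted(cc, key=cc.get, reverse=True)


def traditional_rpn():
    """Classic FMEA RPN = S x O x D on the defuzzified ratings (equal weights), for comparison."""
    return {risk: prod(centroid(r[c]) for c in CRITERIA) for risk, r in aggregate_ratings().items()}


if __name__ == "__main__":
    print("crisp AHP weights:", {c: round(w, 3) for c, w in crisp_weights().items()})
    cc, rpn = fuzzy_topsis_cc(), traditional_rpn()
    for risk in ranked_risks():
        print(f"{risk:45s} CC={cc[risk]:.3f}  RPN={rpn[risk]:.1f}")
```

With these constructed inputs the severity weight comes out near 0.60 and the unauthorized-access risk ranks first by closeness coefficient, while the plain RPN product (which weights S, O and D equally) would place the integrity risk first; the weighting step is what moves a high-severity, moderately frequent mode ahead of a slightly more frequent, less severe one.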

Keywords [English]

  • Research Information System
  • Risk Management
  • Information Security
  • Failure Modes and Effects Analysis