1. Load a database *D*. Determine the number of clusters *s*, the fuzzification value *m*, and the error evaluation threshold *ε*.

2. Set *t*=1, and give certain initial values for $\{\mu_{ij}\}$, denoted by $\{\mu_{ij}^{(t-1)}\}$.

3. Calculate $\{v_j^{(t)}\}$ and $\{\mu_{ij}^{(t)}\}$ from $\{\mu_{ij}^{(t-1)}\}$ and $\{v_j^{(t-1)}\}$ by

$$v_{jk}^{(t)} = \frac{\sum_{i=1}^{n} \left(\mu_{ij}^{(t-1)}\right)^{m} x_{ik}}{\sum_{i=1}^{n} \left(\mu_{ij}^{(t-1)}\right)^{m}}, \qquad \mu_{ij}^{(t)} = \frac{1}{\sum_{k=1}^{s} \left( \dfrac{d(x_i, v_j^{(t)})}{d(x_i, v_k^{(t)})} \right)^{2/(m-1)}} \qquad (6)$$

4. With the corresponding values for $(\mu_{ij}^{(t)})^{m}\, d(x_i, v_j^{(t)})$, evaluate the difference of the two values $W(D; U^{(t)}, V^{(t)})$ and $W(D; U^{(t-1)}, V^{(t-1)})$.

5. If the difference value is less than *ε*, then stop and output $\{\mu_{ij}^{(t)}\}$ and $\{v_j^{(t)}\}$ as the results for *U* and *V*. If not, increase *t* by 1 and go back to step 3.

In the algorithm above, we need to be careful that the fuzzification exponent *m*=1 reduces the denominator of the exponent of each term in Σ for $\mu_{ij}^{(t)}$ to 0. Moreover, *m* is usually set to a value between 1.4 and 2.6 (Celikyilmaz & Turksen, 2009, p.57).

**4. Method for choosing effective set of mitigation controls**

For our proposed method for selecting a set of mitigation controls from a database of controls, we assume the existence of an external database, *D*, of mitigation controls with a mitigation degree *δm*(*T*)∈[0,1], *m*∈*D*, evaluated depending only on the type of threat path *T*. This mitigation degree should signify that adopting the control roughly mitigates the risk level from 1 to that degree.

We use the risk profile worksheet of OCTAVE-S, and we suppose that the determination of the set of critical assets is done, and that all the possible threat paths have been distinguished, with the risk value calculated from (*vR*,*vF*,*vP*,*vFi*,*vS*,*vO*,*p*), the vector of impacts and probability. This is the preliminary stage of our method.

Then the process is performed according to the following steps.

**Step 1.** Determine a threat path *T*.

**Step 2.** Select several controls as members of the candidate set, *M*⊂*D*, by evaluating their initial mitigation degree dependent on *T*. One simple way to determine *M* is setting *M*={*m*∈*D*:*δm*(*T*)<*δ*} for a definite value *δ*.

**Step 3.** Define the desirable, but dummy, mitigation control, *a*0, as an acceptable impacts and probability vector (*vR*0,*vF*0,*vP*0,*vF*i0,*vS*0,*vO*0,*p*0).

**Step 4.** For each element *mj*∈*M*, figure out its mitigation degree $d^*_j$ with respect to each of the impacts and the probability. For instance, *dRj* represents the reduction degree with respect to the impact on reputation when *mj* is performed. These degrees are calculated by considering the type of assets, the threat path, and the impact or probability in some criteria.

**Step 5.** Calculate *aj*= (*vRj*,*vFj*,*vPj*,*vFij*,*vSj*,*vOj*,*pj*) as the alternative vector corresponding to *mj* by $d^*_j \times v^*$.

**5. Method for construction of effective database system**

Now we propose a method composed of three phases to construct a database system with effective clusters.

Phase I: Collecting Mitigation Controls

It is a patient and time-consuming work to gather and examine all controls that can possibly mitigate information-related risks, and at the same time to give each of them a kind of classification index. The classification is used in Phase II to give each control a value vector whose entries are related to the attributes of OCTAVE's threat paths. Fortunately, we have some existing databases of controls, referred to in section 2, such as ISO/IEC 27002, MEHARI, NIST SP-800, and OCTAVE. They are already classified in view of various aspects.

Phase II: Evaluation of Controls

This phase is composed of two processes.

Process 1: Vector indication in a fixed set

Fix a set of mitigation controls with some classification. Indicate, for all the controls in the set, a vector whose entries are values between 0 and 1 corresponding to each of the attributes in OCTAVE's threat paths. Concretely speaking, we have six possible attributes, "access" ("network", "physical"), "actor" ("inside", "outside"), "motive" ("accident", "deliberate"), on the human actors worksheet, and four possible attributes, "actor" ("software defects", "malicious code", "system crashes", "hardware defects"), on the system problems worksheet. We propose a method to indicate the values for each attribute by applying the MSMM in the following steps,

Process 2: Evaluation and modification

In the previous process, we have controls with a value vector according to each classified set. The same or a similar control can appear in several classified sets, so it is possible that one control has more than one value vector. We need to identify those controls and examine the indicated vectors of each of them before going on to the next phase. If the vectors corresponding to a control differ only by an acceptable amount, then take the vector whose entries are the averages of the respective entries as the final value vector of the control. If not, go back to the value vector indication steps.

Phase III: Clustering Controls

Cluster all controls using the fuzzy c-means clustering method by means of their attribute vectors. Make the correspondence between each cluster and each threat path by looking at the center vectors of the clusters. Selecting a small set of mitigation controls is performed using this correspondence and *U* defined in subsection 3.4.

**References**

…, *the 8th Asia Pacific Industrial Engineering and Management Systems Conference 2007*, T1-R02, ID68.

Nagata, K.; Umezawa, M.; Cui, D. & Amagasa, M. (2008A). Modified Structural Modeling Method and Its Application -Behavior Analysis of Passengers for East Japan Railway Company-, *Journal of Industrial Engineering and Management Systems*, Vol. 7, No. 3, pp. 245-256.

Nagata, K.; Kigawa, Y.; Cui, D. & Amagasa, M. (2008B). Risk Evaluation for Critical Assets with Fuzzy Inference Mechanism in an Information Security Evaluation System, *Proceedings of the 9th Asia Pacific Industrial Engineering and Management Systems Conference 2008*, pp. 2630-2640.

Nagata, K.; Kigawa, Y.; Cui, D. & Amagasa, M. (2009). Method to Select Effective Risk Mitigation Controls Using Fuzzy Outranking, *Proceedings of the 9th International Conference on Intelligent Systems Design and Applications*, pp. 479-484.

Nagata, K. (2011). On Clustering of Risk Mitigation Controls, *Proceedings of 2011 International Conference on Network-Based Information Systems*, pp. 148-155.

Tazaki, E. & Amagasa, M. (1979). Structural Modeling in a Class of Systems Using Fuzzy Sets Theory, *International Journal of Fuzzy Sets and Systems*, Vol. 2, No. 1, pp. 87-103.

Yu, Q. H.; Liang, G. Y. & Nagata, K. (2010). Risk Scoring Method on Business Information Management System, *Proceedings of the 11th Asia Pacific Industrial Engineering and Management Systems Conference 2010*, DVD-ROM, ID117.

Zadeh, L. A. (1965). Fuzzy Set, *Information and Control*, Vol. 8, pp. 338-353.

Alberts, C.; Dorofee, A.; Stevens, J. & Woody, C. (2005). OCTAVE-S Implementation Guide, Version 1.0, CMU/SEI-2003-HB-003. 28.02.2011, Available from http://www.cert.org/octave/octaves.html

Information technology--Security techniques--Code of practice for information security management, ISO/IEC 27002 Central, 28.02.2011, Available from http://www.17799central.com/

MEHARI 2010: Fundamental concepts and functional specifications, 28.02.2011, Available from http://www.clusif.asso.fr/fr/production/ouvrages/pdf/MEHARI--2010--Principles—Specifications.pdf

Recommended Security Controls for Federal Information Systems: 28.02.2011, Available from http://csrc.nist.gov/publications/nistpubs/800--53--Rev3/sp800--53--rev3--final/\_updated--errata/\_05--01--2010.pdf

Risk Management: Implementation principles and Inventories for Risk Management/Risk Assessment methods and tools, 28.02.2011, Available from http://www.enisa.europa.eu/act/rm/cr/risk--management--inventory/

Risk Management: Information Package for SMEs, 28.02.2011, Available from downloads.
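As an added worked example (not the chapter's own code) of the subsection 3.4 algorithm and of Phase III: pure-Python fuzzy c-means over a constructed control database, with the *m*>1 guard from the note on the fuzzification exponent, followed by matching a threat path to the cluster whose center vector is nearest and picking the controls with the highest membership there. The control vectors, the attribute order, Euclidean distance for *d*, and the farthest-point seeding of the initial values are our assumptions.

```python
import math
# Constructed sample database D; entry order (our assumption): access network/physical,
# actor inside/outside, motive accident/deliberate, sys sw-defects/malware/crashes/hw-defects.
CONTROLS = {
    "firewall":     [1.0, 0.0, 0.2, 1.0, 0.1, 0.9, 0.0, 0.6, 0.0, 0.0],
    "ids":          [1.0, 0.0, 0.3, 0.9, 0.1, 0.9, 0.0, 0.8, 0.0, 0.0],
    "badge_access": [0.0, 1.0, 0.8, 0.7, 0.3, 0.8, 0.0, 0.0, 0.0, 0.0],
    "cctv":         [0.0, 1.0, 0.6, 0.8, 0.2, 0.9, 0.0, 0.0, 0.0, 0.0],
    "patching":     [0.3, 0.0, 0.1, 0.2, 0.2, 0.3, 0.9, 0.7, 0.4, 0.0],
    "backups":      [0.1, 0.1, 0.1, 0.1, 0.5, 0.2, 0.5, 0.3, 0.9, 0.8],
    "ups_power":    [0.0, 0.1, 0.0, 0.0, 0.6, 0.0, 0.0, 0.0, 0.9, 0.9],
}

def dist(x, v):  # Euclidean d(x, v); the chapter leaves the distance unspecified
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(x, v)))

def memberships(X, V, m):  # eq. (6): mu_ij = 1 / sum_k (d(x_i,v_j)/d(x_i,v_k))^(2/(m-1))
    U = []
    for x in X:
        d = [max(dist(x, v), 1e-12) for v in V]  # guard: x_i sitting exactly on a center
        U.append([1.0 / sum((dj / dk) ** (2.0 / (m - 1)) for dk in d) for dj in d])
    return U

def fuzzy_c_means(X, s, m=2.0, eps=1e-6, max_iter=200):
    """Steps 1-5 of the subsection 3.4 algorithm; returns (U, V, W)."""
    if m <= 1.0:  # the caveat in the text: m=1 zeroes the exponent's denominator
        raise ValueError("fuzzification value m must be greater than 1")
    n, dim = len(X), len(X[0])
    V = [X[0]]  # step 2: initial values via farthest-point seeds (our choice)
    while len(V) < s:
        V.append(max(X, key=lambda x: min(dist(x, v) for v in V)))
    U, W_prev = memberships(X, V, m), None
    for _ in range(max_iter):
        V = []  # step 3: v_jk = sum_i mu_ij^m x_ik / sum_i mu_ij^m, then U by (6)
        for j in range(s):
            w = [U[i][j] ** m for i in range(n)]
            V.append([sum(w[i] * X[i][k] for i in range(n)) / sum(w) for k in range(dim)])
        U = memberships(X, V, m)
        # step 4: W(D;U,V) = sum_i sum_j mu_ij^m d(x_i,v_j)^2; step 5: stop below eps
        W = sum(U[i][j] ** m * dist(X[i], V[j]) ** 2 for i in range(n) for j in range(s))
        if W_prev is not None and abs(W_prev - W) < eps:
            break
        W_prev = W
    return U, V, W

def select_controls(controls, threat_path, s=3, top=2):
    """Phase III: nearest cluster center to the threat path's 0/1 vector, top members."""
    names = list(controls)
    U, V, _ = fuzzy_c_means([controls[nm] for nm in names], s)
    j = min(range(s), key=lambda c: dist(threat_path, V[c]))
    return sorted(names, key=lambda nm: -U[names.index(nm)][j])[:top]
```

A threat path is passed as a 0/1 vector over the same ten attributes, e.g. network access, outside actor, deliberate motive; the returned names are the candidate set for that path.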
