**3. Brief explanation of useful tools**

In this section, some tools based on fuzzy theory, namely the fuzzy outranking method, the fuzzy inference mechanism, the modified structural modelling method based on FSM, and fuzzy c-means clustering, are briefly described.

Construction of Effective Database System for Information Risk Mitigation 123


#### **3.1 Fuzzy outranking method**

The method of roughly comparing two alternatives $a$ and $a'$ through the adoption of a loose relation is called outranking. When $a$ is judged to be at least not inferior to $a'$, it is said that $a$ outranks $a'$. When $a'$ is more preferable than $a$, or the two are incomparable, it is said that $a$ does not outrank $a'$. While these relations are valued as 0 or 1 in the conventional outranking method, namely $\mu(a,a')=1$ if $a$ outranks $a'$ and $\mu(a,a')=0$ if $a$ does not outrank $a'$, the fuzzy outranking method assesses the outranking degree as a value between 0 and 1. More precisely, that degree is determined using a fuzzy membership function with a lower threshold value $q_i$ and an upper one $p_i$, where $i$ represents one of the viewpoints for evaluating these alternatives. Thus the corresponding value is denoted by $c_i(a,a')$ ($i=1,\dots,n$), and these values are aggregated by taking the weighted average $\omega_1 c_1(a,a') + \dots + \omega_n c_n(a,a')$ with a certain set of weights $\{\omega_1,\dots,\omega_n\}$. This index is called the "concordance index", denoted by $C(a,a')$. Another index is the "discordance index", denoted by $d_j(a,a')$, which is likewise calculated using a fuzzy set with a lower threshold value $p_j$ and an upper one $v_j$. This index represents the degree of objection against the preference for choosing $a$ rather than $a'$. Thus $d_j(a,a')=1$ implies that the condition "$a$ outranks $a'$" is exclusively vetoed from the $j$-th point of view.

If there are discordant viewpoints $j_1,\dots,j_k$ whose indices are greater than $C(a,a')$, then the total outranking index $\mu(a,a')$ is calculated by the following formula:

$$\mu(a, a') = C(a, a') \times \frac{1 - d_{j_1}(a, a')}{1 - C(a, a')} \times \dots \times \frac{1 - d_{j_k}(a, a')}{1 - C(a, a')} \tag{1}$$
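An added worked example (not from the original paper) of the concordance, discordance and outranking computation in (1). The text fixes the two thresholds of each membership function but not its shape between them, so the example assumes the piecewise-linear form applied to the performance difference $g_i(a') - g_i(a)$ with larger values better; the alternatives, weights and thresholds are constructed.

```python
"""Fuzzy outranking degree mu(a, a') from concordance and discordance indices, eq. (1).

Assumption: between its lower and upper threshold each membership function is linear in
the performance difference diff = g_i(a') - g_i(a) (higher performance is better)."""
from typing import List, Sequence, Tuple


def concordance(diff: float, q: float, p: float) -> float:
    """c_i(a,a'): 1 when a' beats a by at most q, 0 when by p or more, linear in between."""
    if diff <= q:
        return 1.0
    if diff >= p:
        return 0.0
    return (p - diff) / (p - q)


def discordance(diff: float, p: float, v: float) -> float:
    """d_j(a,a'): 0 when a' beats a by at most p, 1 (full veto) when by v or more."""
    if diff <= p:
        return 0.0
    if diff >= v:
        return 1.0
    return (diff - p) / (v - p)


def outranking_degree(g_a: Sequence[float], g_b: Sequence[float], weights: Sequence[float],
                      q: Sequence[float], p: Sequence[float], v: Sequence[float]
                      ) -> Tuple[float, List[float], float]:
    """Return (C(a,a'), [d_j(a,a') per viewpoint], mu(a,a')) for alternative a versus a'."""
    diffs = [gb - ga for ga, gb in zip(g_a, g_b)]
    c = [concordance(x, qi, pi) for x, qi, pi in zip(diffs, q, p)]
    C = sum(w * ci for w, ci in zip(weights, c)) / sum(weights)   # weighted average of c_i
    d = [discordance(x, pj, vj) for x, pj, vj in zip(diffs, p, v)]
    mu = C
    for dj in d:
        if dj > C:                          # only viewpoints more discordant than C count
            mu *= (1.0 - dj) / (1.0 - C)    # dj > C implies C < 1, so no division by zero
    return C, d, mu


# Constructed illustration: three viewpoints; a' is clearly better on the third one.
G_A = [10.0, 8.0, 5.0]
G_B = [9.0, 10.0, 12.0]
WEIGHTS = [0.5, 0.3, 0.2]
Q = [1.0, 1.0, 1.0]
P = [3.0, 3.0, 3.0]
V_VETO = [6.0, 6.0, 6.0]   # third viewpoint reaches d_3 = 1: the outranking is vetoed
V_SOFT = [6.0, 6.0, 8.0]   # third viewpoint only partially discordant (d_3 = 0.8)

if __name__ == "__main__":
    for label, v in (("veto", V_VETO), ("soft", V_SOFT)):
        C, d, mu = outranking_degree(G_A, G_B, WEIGHTS, Q, P, v)
        print(f"{label}: C={C:.3f} d={[round(x, 3) for x in d]} mu={mu:.3f}")
```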

#### **3.2 Fuzzy inference mechanism**

Fuzzy inference (Kaufman et al., 1975; Klir & Yuan, 1995) is originally the process of formulating the mapping from a given input to an output using fuzzy logic. The mapping then provides a basis from which decisions can be made or patterns distinguished.

The rule of fuzzy inference is generally expressed as follows:

"IF $x$ is $A_1$ and $y$ is $B_1$ THEN $z$ is $C_1$, else IF $x$ is $A_2$ and $y$ is $B_2$ THEN $z$ is $C_2$, …, else IF $x$ is $A_n$ and $y$ is $B_n$ THEN $z$ is $C_n$, else $x$ is $A'$ and $y$ is $B'$ THEN $z$ is $C'$", where $A_1,\dots,A_n,A'$ are subsets of the universe of discourse $U$, $B_1,\dots,B_n,B'$ are fuzzy subsets of the universe of discourse $V$, and $C_1,\dots,C_n,C'$ are fuzzy subsets of the universe of discourse $W$.

We have several types of fuzzy numbers in mind, such as triangular, trapezoidal, and Gaussian fuzzy numbers (Inoue & Amagasa, 1998, pp. 57-66).

#### **3.3 Modified structural modelling**

The modified structural modelling method was developed by Cui, D. and Amagasa, M. for constructing a structural model with the consensus of multiple participants (Amagasa, 2004, pp. 121-132; Nagata et al., 2008A). Here, assume that a decision group consists of several members (decision makers) with either equal or different knowledge backgrounds for a given problem.


Let $GM_k$ ($k=1,\dots,m$) denote the group members, and $A^k$ ($k=1,\dots,m$) the fuzzy subordination matrices of the data given by $GM_k$.

Then, the mental model of $GM_k$ is embedded into a fuzzy subordination matrix on the context, on the basis of the relaxation of transitivity, reflexivity and symmetry by each group member (Zadeh 1965; Klir & Yuan 1995; Tazaki & Amagasa 1979). Herein, NGT and the automatic generation method of subordination matrices are applied to embed the entries of the matrices efficiently and effectively. In order to formulate the individual fuzzy subordination matrices at the same establishment level, the entries of the matrix embedded by each group member are normalized statistically. Then, a representative subordination matrix is formulated by integrating the fuzzy subordination matrices of the group members as follows:

Let $S = \{s_1, \dots, s_i, \dots, s_n\}$ denote a system with $n$ elements, and let $A^k = [a_{ij}^k]_{n \times n}$ ($k=1,2,\dots,m$) denote the fuzzy subordination matrices in $S$, where $a_{ij}^k = f(s_i, s_j)$ ($0 \le a_{ij}^k \le 1$, $i,j=1,2,\dots,n$, $k=1,2,\dots,m$). $a_{ij}^k$ is the grade to which $s_i$ is subordinate to $s_j$, and $m$ is the number of group members. Let $NA^k = N(A^k, (\sigma_a^k)^2) = [h_{ij}^k]_{n \times n}$ ($k=1,2,\dots,m$) denote the normalized fuzzy subordination matrices calculated from the given data $A^k = [a_{ij}^k]_{n \times n}$ of the group members, with

$$h_{ij}^k = \frac{1}{100}\left(\frac{a_{ij}^k - \overline{a}_k}{\sigma_a^k} \times 10 + 50\right) \quad (i,j = 1, \dots, n,\ k = 1, \dots, m),$$

where

$$\overline{a}_k = \frac{1}{n^2} \sum_{i=1}^{n} \sum_{j=1}^{n} a_{ij}^k \quad (k = 1, \dots, m)$$

and

$$\sigma_a^k = \sqrt{\frac{1}{n^2} \sum_{i=1}^{n} \sum_{j=1}^{n} \left(a_{ij}^k\right)^2 - \overline{a}_k^2} \quad (k = 1, \dots, m).$$

Now, the normalized subordination matrices are used to compute the representative subordination matrix, which holds the data from all group members. Let $NAR = [d_{ij}]$ ($i,j=1,\dots,n$) be the representative subordination matrix, which is computed by

$$d_{ij} = \frac{1}{m} \sum_{k=1}^{m} h_{ij}^{k} \quad (i, j = 1, 2, \dots, n). \tag{2}$$

Next, the fuzzy reachability matrix is computed on the basis of $NAR$, and a multi-level digraph is drawn as an interpretive structural model. In order to compare the structural model with the mental model, feedback for learning is given to the group members. If agreement among the group members is obtained, the process goes ahead to the documentation step. Otherwise, the threshold and the fuzzy structure parameter are modified and the process is iterated until a consenting model is derived. Here, let $p$ be the threshold, specified by an $\alpha$-cut, which is defined by the modified z-value in the standard normal distribution. The value of $p$ is used for controlling the percentage of subordination relations among elements which exist in the structural model to be evaluated.

Fig. 2 illustrates a flowchart of the modified structural modelling method, which begins with the mental model of each individual group member, determined by their intuition about the given problem.
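As an added example (not the authors' code), the normalization $h_{ij}^k$, the representative matrix $NAR$ of (2) and the effect of the threshold $p$ described above, applied to two constructed member matrices; reading $p$ as a cut that keeps the relation $s_i \to s_j$ when $d_{ij} \ge p$ is an assumption.

```python
"""Normalised subordination matrices NA^k, representative matrix NAR and its alpha-cut.

The member matrices A1 and A2 below are constructed; the cut d_ij >= p is an assumed
reading of how the threshold p selects subordination relations."""
import math
from typing import List

Matrix = List[List[float]]


def normalise(a: Matrix) -> Matrix:
    """NA^k = [h_ij^k] with h = ((a_ij - mean)/sigma * 10 + 50) / 100, a T-score scaled to [0,1]."""
    n = len(a)
    cells = [a[i][j] for i in range(n) for j in range(n)]
    mean = sum(cells) / n ** 2                                                   # a-bar_k
    sigma = math.sqrt(max(sum(x * x for x in cells) / n ** 2 - mean ** 2, 0.0))  # sigma_a^k
    if sigma == 0.0:
        raise ValueError("all grades equal: sigma_a^k = 0, so the z-value is undefined")
    return [[((a[i][j] - mean) / sigma * 10 + 50) / 100 for j in range(n)] for i in range(n)]


def representative(normalised: List[Matrix]) -> Matrix:
    """NAR = [d_ij], d_ij = (1/m) sum_k h_ij^k  (eq. 2)."""
    m, n = len(normalised), len(normalised[0])
    return [[sum(h[i][j] for h in normalised) / m for j in range(n)] for i in range(n)]


def alpha_cut(nar: Matrix, p: float) -> List[List[int]]:
    """Binary subordination relation retained at threshold p (assumed: keep when d_ij >= p)."""
    return [[1 if d >= p else 0 for d in row] for row in nar]


def relation_ratio(cut: List[List[int]]) -> float:
    """Share of ordered pairs (i, j) kept by the cut: the percentage that p is meant to control."""
    n = len(cut)
    return sum(map(sum, cut)) / (n * n)


# Constructed grades from two group members over three elements (diagonal left at 0).
A1 = [[0.0, 0.8, 0.2], [0.1, 0.0, 0.9], [0.3, 0.2, 0.0]]
A2 = [[0.0, 0.7, 0.4], [0.2, 0.0, 0.6], [0.1, 0.5, 0.0]]

if __name__ == "__main__":
    nar = representative([normalise(A1), normalise(A2)])
    for p in (0.45, 0.55, 0.65):   # raising p thins out the retained relations
        cut = alpha_cut(nar, p)
        print(p, cut, round(relation_ratio(cut), 3))
```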



Fig. 2. The flowchart of modified structural modeling method

#### **3.4 Fuzzy c-mean clustering**

A database of multi-attribute elements can be classified into several groups according to a fixed metric. This kind of process is called clustering, and ordinary clustering is simply the definition of a function

$$
\mu = \mu_d : D \times C \to \{0, 1\},
$$

satisfying the condition that for any $x \in D$ there is only one $c \in C$ such that $\mu(c, x) = 1$.

Here $D$ is the set of all data, $C$ is the set of clusters, and $d$ represents a distance with some kind of metric, e.g., the Euclidean metric, the maximum metric, etc. With the function above, each element belongs to only one cluster and clusters do not overlap.

Fuzzy c-mean clustering is represented by a function,

$$
\mu = \mu_d : D \times C \to [0, 1]
$$


Here the value $\mu(c, x)$ between 0 and 1 indicates the degree of membership of a data point $x \in D$ in a cluster $c \in C$, and clusters can overlap.

Now let $n$ be the number of data with $n$ attributes, and $s$ the number of clusters, and express each datum $\mathbf{x}_i = (x_{i1}, \dots, x_{in})$ by the values $x_{ij}$ of its $j$-th attribute, where $D = \{\mathbf{x}_1, \dots, \mathbf{x}_n\}$.

When we put the set of all cluster centers $V = \{\mathbf{v}_1, \dots, \mathbf{v}_s\}$, the objective function to be minimized is defined as follows.

$$J(D; U, V) = \sum_{j=1}^{s} \sum_{i=1}^{n} \mu_{ij}^m \, d^2(\mathbf{x}_i, \mathbf{v}_j), \tag{2}$$

where $U = \{\mu_d(c_j, \mathbf{x}_i)\} = \{\mu_{ij}\}$ satisfies the trivial constraints $0 \le \mu_{ij} \le 1$ ($i=1,\dots,n$, $j=1,\dots,s$) and only one non-trivial equation $\sum_{j=1}^{s} \mu_{ij} = 1$.

The exponent $m$ of $\mu$ reflects the fuzziness of the clustering: setting $m=1$ implies ordinary (not fuzzy) clustering, and increasing the value of $m$ means wider overlapping of the resulting clusters.

By introducing the Lagrange multiplier $\lambda$, the objective function becomes

$$W(D; U, V) = J(D; U, V) - \lambda \left( \sum_{j=1}^{s} \mu_{ij} - 1 \right) \tag{3}$$

and the optimal solutions are given at the saddle points, that is, $\{\mu_{ij}\}$ and $\mathbf{v}_j$ ($j=1,\dots,s$) satisfy

$$\begin{cases} \dfrac{\partial W}{\partial \mu_{ij}} = m \, \mu_{ij}^{m-1} \, d^2(\mathbf{x}_i, \mathbf{v}_j) - \lambda = 0 \\[2ex] \dfrac{\partial W}{\partial v_{jk}} = \displaystyle\sum_{i=1}^{n} 2 (x_{ik} - v_{jk}) \, \mu_{ij}^m = 0 \end{cases} \tag{4}$$

where $v_{jk}$ represents the $k$-th coordinate of the point $\mathbf{v}_j$, and the distance function is the Euclidean distance $d^2(\mathbf{x}_i, \mathbf{v}_j) = \sum_{k=1}^{n} (x_{ik} - v_{jk})^2$.

Solving the equations above, we have

$$\begin{cases} \mu_{ij} = \left( \displaystyle\sum_{k=1}^{s} \left( \frac{d(\mathbf{x}_i, \mathbf{v}_j)}{d(\mathbf{x}_i, \mathbf{v}_k)} \right)^{\frac{2}{m-1}} \right)^{-1} \\[2ex] v_{jk} = \dfrac{\displaystyle\sum_{i=1}^{n} \mu_{ij}^m \, x_{ik}}{\displaystyle\sum_{i=1}^{n} \mu_{ij}^m} \end{cases} \tag{5}$$

Thus the algorithm proceeds in the following steps:
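An added example (not the authors' code) of the fuzzy c-means iteration that alternates the two updates of (5) until the memberships stop changing; the sample data, the choice of $s$ and $m$, the convergence tolerance and the initial centres are constructed, and the $m=1$ case and a data point coinciding with a centre are handled explicitly.

```python
"""Fuzzy c-means: alternate the membership update and the centre update of eq. (5).

Pure Python. Constructed assumptions: the sample DATA, s = 2, m = 2, the tolerance, and
initial centres taken as evenly spaced data points. Guards against m = 1 (exponent
2/(m-1) undefined) and against a point sitting exactly on a centre (0/0)."""
import math
from typing import List, Sequence, Tuple

Point = Sequence[float]


def dist(x: Point, v: Point) -> float:
    """Euclidean distance d(x_i, v_j)."""
    return math.sqrt(sum((xk - vk) ** 2 for xk, vk in zip(x, v)))


def update_memberships(data: Sequence[Point], centres: Sequence[Point], m: float) -> List[List[float]]:
    """mu_ij = ( sum_k (d(x_i,v_j)/d(x_i,v_k))^(2/(m-1)) )^-1 for every point and cluster."""
    if m <= 1.0:
        raise ValueError("fuzzifier m must be > 1: at m = 1 the exponent 2/(m-1) is undefined")
    s, expo, U = len(centres), 2.0 / (m - 1.0), []
    for x in data:
        d = [dist(x, v) for v in centres]
        zero = [k for k, dk in enumerate(d) if dk == 0.0]
        if zero:   # x lies on a centre: crisp membership to that centre instead of dividing by 0
            U.append([1.0 / len(zero) if k in zero else 0.0 for k in range(s)])
        else:
            U.append([1.0 / sum((d[j] / dk) ** expo for dk in d) for j in range(s)])
    return U


def update_centres(data: Sequence[Point], U: List[List[float]], m: float) -> List[List[float]]:
    """v_jk = sum_i mu_ij^m x_ik / sum_i mu_ij^m, the second line of eq. (5)."""
    dim, s = len(data[0]), len(U[0])
    centres = []
    for j in range(s):
        w = [U[i][j] ** m for i in range(len(data))]
        total = sum(w)
        centres.append([sum(wi * x[k] for wi, x in zip(w, data)) / total for k in range(dim)])
    return centres


def objective(data: Sequence[Point], U: List[List[float]], centres: Sequence[Point], m: float) -> float:
    """J(D; U, V) of eq. (2), the quantity the iteration drives down."""
    return sum(U[i][j] ** m * dist(x, v) ** 2
               for i, x in enumerate(data) for j, v in enumerate(centres))


def fuzzy_c_means(data: Sequence[Point], s: int, m: float = 2.0, tol: float = 1e-6,
                  max_iter: int = 200) -> Tuple[List[List[float]], List[List[float]]]:
    """Iterate until the largest change of any mu_ij is below tol; returns (U, V)."""
    centres = [list(data[i * len(data) // s]) for i in range(s)]   # constructed initial V
    U = update_memberships(data, centres, m)
    for _ in range(max_iter):
        centres = update_centres(data, U, m)
        U_new = update_memberships(data, centres, m)
        change = max(abs(a - b) for ru, rn in zip(U, U_new) for a, b in zip(ru, rn))
        U = U_new
        if change < tol:
            break
    return U, centres


# Constructed sample: two well-separated groups of points in the plane.
DATA = [(0.0, 0.0), (0.2, 0.1), (0.1, 0.3), (0.3, 0.2),
        (5.0, 5.0), (5.2, 4.9), (4.9, 5.3), (5.1, 5.1)]

if __name__ == "__main__":
    U, V = fuzzy_c_means(DATA, s=2, m=2.0)
    print("centres:", [[round(c, 3) for c in v] for v in V])
    print("J =", round(objective(DATA, U, V, 2.0), 4))
```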

$$\mu_{ij}^{(t)} = \left( \sum_{k=1}^{s} \left( \frac{d(\mathbf{x}_i, \mathbf{v}_j^{(t)})}{d(\mathbf{x}_i, \mathbf{v}_k^{(t)})} \right)^{\frac{2}{m-1}} \right)^{-1} \tag{6}$$

In the algorithm above, we need to be careful that the fuzzification exponent $m=1$ reduces the denominator of the exponent of each term in $\Sigma$ for $\mu_{ij}^{(t)}$ to 0.

Moreover, $m$ is usually set to a value between 1.4 and 2.6 (Celikyilmaz & Turksen, 2009, p. 57).

#### **4. Method for choosing effective set of mitigation controls**

For our proposed method for selecting a set of mitigation controls from a database of controls, we assume the existence of an external database $D$ of mitigation controls with a mitigation degree $\delta_m(T) \in [0,1]$, $m \in D$, evaluated depending only on the type of threat path $T$. This mitigation degree signifies that adopting the control roughly mitigates the risk level from 1 to that degree.

We use the risk profile worksheet of OCTAVE-S, and we suppose that the determination of the set of critical assets is done, and that all the possible threat paths have been distinguished, with the risk value calculated from $(v_R, v_F, v_P, v_{Fi}, v_S, v_O, p)$, the vector of impacts and probability. This is the preliminary stage of our method.

Then the process is performed according to the following steps.

**Step 6.** Apply the fuzzy outranking method with certain threshold values of the concordance and discordance indices to each pair $(a_j, a_0)$ for $j=1,\dots,n$, where $n$ is the cardinality of $M$.

**Step 7.** Determine the set of effective mitigation controls $ET$ by referring to the outranking relation values $\mu_j = \mu(a_j, a_0)$. We have two versions for this. One is to determine $ET = \{m_j; \mu_j > \alpha\}$ as the optimal set with a fixed lower boundary value $\alpha$. The other is to choose a definite number of $m_i$'s from the mitigation controls permuted in descending order.

#### **5. Method for construction of effective database system**

Now we propose a method composed of three phases to construct a database system with effective clusters.

Phase I: Collecting Mitigation Controls

It seems to be patient and time-consuming work to gather and examine all the controls that could mitigate information-related risks, while simultaneously giving each of them a kind of classification index. The classification is used in Phase II to give each control a value vector of entries related to OCTAVE's threat path attributes. Fortunately, we have some existing databases of controls, referred to in section 2, such as those in ISO/IEC 27002, MEHARI, NIST SP-800, and OCTAVE. They are already classified in view of various aspects.

Phase II: Evaluation of Controls

This phase is composed of two processes.

Process 1: Vector indication in a fixed set

Fix a set of mitigation controls with some classification. Indicate, for all the controls in the set, a vector whose entries are values between 0 and 1 corresponding to each of the attributes in OCTAVE's threat paths. Concretely speaking, we have six possible attributes, "access" ("network", "physical"), "actor" ("inside", "outside") and "motive" ("accident", "deliberate"), on the human actors worksheet, and four possible attributes, "actor" ("software defects", "malicious code", "system crashes", "hardware defects"), on the system problems worksheet. We propose a method to indicate the values for each attribute by applying the MSMM in the following steps:

**Step 1.** Give a weight to each of the first-level or second-level classes.

**Step 2.** Give a weight to all the controls in each class.

**Step 3.** Aggregate the two weight values from step 1 and step 2.

Process 2: Evaluation and modification

In the previous process, we have controls with value vectors according to each classified set. The same or a similar control can appear in several classified sets, and it is possible that one control has more than one value vector. We need to identify those controls and examine the indicated vectors of each of them before going on to the next phase. If the vectors corresponding to a control have only an acceptable difference, then take a vector whose entries

