... are the average of the entries as the final value vector of the control. If not, go back to the value vector indication steps.

**Phase III: Clustering Controls**

Cluster all controls with the fuzzy c-means clustering method, using their attribute vectors. Establish the correspondence between each cluster and each threat path by examining the centre vectors of the clusters. A small set of mitigation controls is then selected using this correspondence and the fuzzy partition matrix *U* defined in subsection 3.4.

**6. Conclusion and discussion**

The final goal of our series of information security evaluation and management systems is a system that proposes a set of mitigation controls which is both effective and efficient in reducing the organizational risk level. For this purpose, a feasible database of mitigation controls must be constructed. In this chapter we surveyed several types of controls and proposed a method for constructing such a database. The result consists of controls, each carrying a value vector whose entries correspond to some of the attributes of the threat path in OCTAVE's risk profile worksheet. Our idea of applying fuzzy c-means clustering may help in choosing a small set of control candidates from a huge number of controls.

For practical use, we need to construct a feasible, real database by applying our system, and to verify the effectiveness of the total system.

In future work we intend to apply our system to classified sets of mitigation controls, such as those in OCTAVE, ENISA, NIST SP 800 and MEHARI, to obtain an example of an effective database. We also intend to define a function from the set of threat path attributes to the set of clusters resulting from fuzzy c-means clustering.
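The Phase III procedure and the clustering idea summarised in the conclusion, as an added worked example in Python (editor's code, not the chapter's system): it runs fuzzy c-means over a constructed control database, maps each threat path to the cluster whose centre vector is nearest, and picks candidate controls by their membership in the partition matrix *U*. The 8-entry attribute encoding of a threat path, the control ratings, the three threat paths and the farthest-point seeding of the cluster centres are all assumptions made for this example and are not taken from the chapter or from any real control catalogue.

```python
"""Phase III worked example: fuzzy c-means (FCM) over control attribute
vectors, cluster-to-threat-path correspondence via the cluster centres, and
candidate selection from the partition matrix U.

Editor's example, not the chapter authors' system.  The attribute encoding,
the control ratings and the threat paths are constructed for illustration."""
import math
from typing import Dict, List, Sequence, Tuple

# Assumed encoding of an OCTAVE-style threat path as an 8-entry vector
# (access, actor, outcome); every entry lies in [0, 1].
ATTRS = ["access:network", "access:physical", "actor:inside", "actor:outside",
         "outcome:disclosure", "outcome:modification", "outcome:loss",
         "outcome:interruption"]

# Constructed control database: name -> value vector (how strongly the
# control addresses each attribute).  Not from any real catalogue.
CONTROLS: Dict[str, List[float]] = {
    "TLS for remote administration":  [1, 0, 0.2, 1.0, 1.0, 0.6, 0.0, 0.0],
    "Network intrusion detection":    [1, 0, 0.3, 1.0, 0.7, 0.7, 0.0, 0.5],
    "Web application firewall":       [1, 0, 0.0, 1.0, 0.8, 0.8, 0.0, 0.4],
    "Badge-controlled server room":   [0, 1, 0.6, 1.0, 0.5, 0.5, 0.8, 0.6],
    "Locked equipment racks":         [0, 1, 0.5, 0.8, 0.3, 0.2, 1.0, 0.5],
    "Off-site backup media":          [0, 1, 0.5, 0.5, 0.2, 0.2, 1.0, 0.8],
    "Least-privilege database roles": [1, 0, 1.0, 0.3, 0.8, 0.8, 0.2, 0.0],
    "Database activity monitoring":   [1, 0, 1.0, 0.4, 0.7, 0.8, 0.1, 0.0],
}

# Constructed threat paths in the same encoding (1 = attribute present).
THREAT_PATHS: Dict[str, List[float]] = {
    "outsider/network/disclosure":  [1, 0, 0, 1, 1, 0, 0, 0],
    "insider/network/modification": [1, 0, 1, 0, 0, 1, 0, 0],
    "outsider/physical/loss":       [0, 1, 0, 1, 0, 0, 1, 0],
}


def dist(a: Sequence[float], b: Sequence[float]) -> float:
    """Euclidean distance between two attribute vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def fuzzy_c_means(x: List[List[float]], c: int, m: float = 2.0,
                  tol: float = 1e-6, max_iter: int = 200
                  ) -> Tuple[List[List[float]], List[List[float]]]:
    """Return (centres, U) with U[i][k] = membership of object k in cluster i.
    Centres are seeded by farthest-point selection from the data (editor's
    choice, so the run is deterministic), then the standard FCM alternation:
    membership update from the centres, weighted-mean centre update from U."""
    centres = [list(x[0])]
    while len(centres) < c:
        far = max(x, key=lambda p: min(dist(p, v) for v in centres))
        centres.append(list(far))
    n, d = len(x), len(x[0])
    u = [[0.0] * n for _ in range(c)]
    for _ in range(max_iter):
        u = [[0.0] * n for _ in range(c)]
        for k, p in enumerate(x):
            dk = [dist(p, v) for v in centres]
            if min(dk) == 0.0:            # object sits exactly on a centre
                u[dk.index(0.0)][k] = 1.0
                continue
            for i in range(c):
                u[i][k] = 1.0 / sum((dk[i] / dk[j]) ** (2.0 / (m - 1.0))
                                    for j in range(c))
        new = []
        for i in range(c):
            w = [u[i][k] ** m for k in range(n)]
            new.append([sum(w[k] * x[k][j] for k in range(n)) / sum(w)
                        for j in range(d)])
        shift = max(dist(a, b) for a, b in zip(new, centres))
        centres = new
        if shift < tol:
            break
    return centres, u


def select_controls(controls: Dict[str, List[float]],
                    threat_paths: Dict[str, List[float]],
                    c: int, top: int = 2) -> Dict[str, List[str]]:
    """Phase III: cluster the controls, map each threat path to the cluster
    whose centre is nearest, and return the `top` controls with the highest
    membership in that cluster."""
    names = list(controls)
    centres, u = fuzzy_c_means([controls[nm] for nm in names], c)
    chosen: Dict[str, List[str]] = {}
    for tp, vec in threat_paths.items():
        i = min(range(c), key=lambda ci: dist(vec, centres[ci]))
        ranked = sorted(range(len(names)), key=lambda k: -u[i][k])
        chosen[tp] = [names[k] for k in ranked[:top]]
    return chosen


if __name__ == "__main__":
    for tp, picks in select_controls(CONTROLS, THREAT_PATHS, c=3).items():
        print(f"{tp:30s} -> {picks}")
```

Two practical checks fall out of the partition matrix: a control whose memberships are nearly uniform across clusters has an ambiguous value vector and is a candidate for sending back to the value vector indication step, and a threat path whose nearest centre is still far away (relative to the spread of the clusters) has no well-matched control group in the database at all.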

### **7. References**

Alberts, C. & Dorofee, A. (2003). *Managing Information Security Risks: The OCTAVE Approach*, Addison-Wesley.

Amagasa, M. (2004). *Management Systems Engineering*, Institute of Business Research, Daito Bunka University.

Bidgoli, H. (Editor-in-Chief) (2006). *Handbook of Information Security*, Vol. III, John Wiley & Sons.

Celikyilmaz, A. & Turksen, I. B. (2009). *Modeling Uncertainty with Fuzzy Logic*, Springer.

Inoue, H. & Amagasa, M. (1998). *Fundamentals of Fuzzy Theory* (in Japanese), Asakura Shoten.

Kaufmann, A. et al. (1975). *Introduction to the Theory of Fuzzy Subsets*, Academic Press, New York.

Kaye, D. (2002). *Strategy for Web Hosting and Managed Services*, John Wiley & Sons.

Klir, G. J. & Yuan, B. (1995). *Fuzzy Sets and Fuzzy Logic: Theory and Applications*, Prentice Hall International Inc.

Nagata, K.; Kigawa, Y.; Cui, D. & Amagasa, M. (2007). Integrating Modified Structural Modeling Method with an Information Security Evaluation System, *Proceedings of the 8th Asia Pacific Industrial Engineering and Management Systems Conference 2007*, T1-R02, ID68.

MEHARI 2010 Principles and Specifications, Available from http://www.clusif.asso.fr/fr/production/ouvrages/pdf/MEHARI-2010-Principles-Specifications.pdf

Recommended Security Controls for Federal Information Systems (NIST SP 800-53 Rev. 3), 28.02.2011, Available from http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf

ENISA Risk Management Inventory, Available from http://www.enisa.europa.eu/act/rm/cr/risk-management-inventory/downloads

Risk Management Guide for Information Technology Systems (NIST SP 800-30), 28.02.2011, Available from http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

**7**

**Quality Model – Master Plan and DNA of an Information System**

Auvo Finne

*University of Jyväskylä, Finland*

**1. Introduction**

The goal of this chapter is to give a refined definition of the quality of an information system as a technical artifact and, based on that definition, to present a complete conceptual framework for quality modeling. Further, the chapter shows how a quality model, as a master plan for information systems, can drive and control the entire development process.

**1.1 Information system and its context - Models and objects of modeling**

Every theory has its surroundings and postulates. So does a theory of quality models, and it is better to make the main lines of these ideas explicit before presenting the theory itself. A human-made information system (IS), as a technical artifact, always exists and operates in the context of societies, organizations, personal lives, etc. It is a tool used for gathering, storing, processing, presenting and exchanging (communicating) information. These activities can be termed "information behavior" (Allen et al., 2011). Accordingly, the context of an information system has a two-tiered structure (Figure 1). The inner tier, information behavior, is subordinate to the outer tier, human society. Information in general is used to support human activities, and technical information tools, in turn, are used to enhance the use of information.

Fig. 1. Two-tiered context of information system