TABLES OF CONTENTS CHAPTER TITLE PAGE

Transcription

1 vii TABLES OF CONTENTS CHAPTER TITLE PAGE DECLARATION DEDICATION ACKNOWLEDGEMENT ABSTRACT ABSTRAK TABLE OF CONTENTS LIST OF TABLES LIST OF FIGURES LIST OF ABBREVIATIONS LIST OF APPENDICES ii iii iv v vi vii xi xii xiv xvi 1 INTRODUCTION Background of the Problem Problem Statement Project Aim Project Objective Project Scope Summary 5 2 LITERATURE REVIEW Overview of Risk Analysis Risk analysis concept and terminology Available Techniques in risk analysis Importance of risk analysis tool Risk analysis in fuzzy environment 13

2 viii 2.3 Fuzzy Risk Analysis Model in Information Security Field Information Security Risk Assessment Model Using Fuzzy Number Operation Method Risk analysis in e-commerce (EC) development Model using Fuzzy Decision Support System (FDSS) Enterprise Strategic Risk Assessment Model based on Theory of multi-objective fuzzy optimization Network Security Risk Assessment Method Based on Fuzzy Similarity Measure Threat Modeling Using Fuzzy Logic Paradigm Overview of Fuzzy set theory in decision making Fuzzy set theory Triangular Fuzzy Number Linguistic Variables Triangular Average Number Fuzzy Weighted Average Summary 35 3 RESEARCH METHODOLOGY Introduction Research Strategy Phase 1 Initial Planning Phase 2- Literature Review Phase 3 Threat Analysis Model Design, Prototype Development and Verification Phase 4 Benefits, Discussion and Future Works Project Schedule Instrumentation 44

3 ix 3.5 Summary 45 4 THREAT ANALYSIS DESIGN Introduction Case Study Development Construct the Fuzzy Threat Analysis Model in THIS environment Step 1 - Threat Identification Step 2 - Natural Language Representation Step 3 - Fuzzy Assessment Aggregation Step 4 - Fuzzy Weighted Average Computation Step 5 - Linguistic Approximation Illustrative Example of Computation for Fuzzy Threat Analysis Prototype Architecture and Design Database Design System Requirement Prerequisite Software Minimum Hardware Requirement Summary 60 5 IMPLEMENTATION AND RESULT Introduction Prototype Implementation Prototype Verification Using Scenario Method Threat Assessment Assessment Result Summary 69 6 BENEFITS, DISCUSSION AND FUTURE WORKS Introduction Contribution of the Research 70

4 x 6.3 Limitations and Recommendations for Future Research 71 REFERENCES 75 Appendices A - M

5 xi LIST OF TABLES TABLE NO. TITLE PAGE 2.1 Qualitative techniques in risk analysis Risk Table Grade corresponding to language variable (Fu and Wu, 2008) Fuzzification and Defuzzification processes in Information Security Risk Assessment Model Fuzzy set representation for each linguistic terms ( Ngai and Wat, 2005) Fuzzification and Defuzzification processes in Risk Analysis for e-commerce (EC) Development Model Fuzzification and Defuzzification processes in Enterprise Strategic Risk Assessment Model Relatively Comparison Scaling (Pan and Cai, 2008) Fuzzification and Defuzzification processes in Network Security Risk Assessment Method A nine member linguistic term set (Liao et al., 2006) Fuzzy Set Representation for each linguistic terms The membership functions scale definition Impact of threat level for system definition Prerequisite Software Minimum hardware requirement 60

6 xii LIST OF FIGURES FIGURE NO TITLE PAGE 2.1 Risk formulated in terms of defined consequences of undesirable events and related probabilities (Nilsena and Aven, 2003) Word-to-Probability relationship (Xu et al., 2003) Model information security risk assessment(fu and Wu, 2008) Simple hierarchical structure of legal risk( Ngai and Wat, 2005) System of hierarchical structure (Pan and Cai, 2008) The hierarchical structure of the military network security(liao et al., 2006) Hierarchical Fuzzy Weighted Average (HFWA) method (Liao et al., 2006) Architecture for Fuzzy Logic based threat modeling (Sodiya et al., 2007) Triangular fuzzy number (Simon and Maria, 2007) Defuzzification of fuzzy average (Simon and Maria, 2007) Research Methodology Framework Total Hospital Information System (THIS) Fuzzy Threat Analysis prototype development methodology framework Total Hospital Information System (THIS) Fuzzy Threat Analysis Model Simple hierarchical structure to identify the security threats impact for TC01 - Power failure / loss 51

7 xiii 4.3 Membership function of Likelihood Membership function of Consequence Total Hospital Information System (THIS) Fuzzy Threat Analysis prototype architecture and design Total Hospital Information System (THIS) Fuzzy Threat Analysis MySQL 5.0 database schemata Threat Assessment Screen Threat Assessment Result Sample Graph - Impact of total threat level for each system Sample Graph - Threat frequency with respect to five (S1-S5) systems 73

8 xiv LIST OF ABBREVIATIONS AHP - Analytic Hierarchy Process ALE - Annualized Loss Expectancy ARO - Annualized Rate of Occurrence AS/NZS - Australian and New Zealand Standard for risk management 4360/1999 CRAMM - CCTA Risk Analysis and Management Method EC - E-Commerce EF - Exposure Factor EFWA - Efficient Fixed Weightage Average FDSS - Fuzzy Decision Support System FMEA - Failure Mode and Effects Analysis FST - Fuzzy Set Theory FTA - Fault Tree Analysis FWA - Fuzzy Weighted Average GB - Giga Bytes GHz - Giga Hertz GUI - Graphical User Interface HAZOP - Hazard and Operability Analysis HFWA - Hierarchical Fuzzy Weighted Average HIS - Healthcare Information Systems IDE - Integrated Development Environment IFWA - Improved Fuzzy Weighted Average Algorithm ISO/IEC The International Organization for Standardization / International Electrotechnical Commission for Information Security Risk Management Standard IT - Information Technology JAR - Java Archive

9 xv JDBC - Java Database Connectivity MB - Mega Bytes MHz - Mega Hertz NIST National Institute of Standard and Technology -Risk Management Guide for Information Technology Systems OCTAVE - Operationally Critical Threat, Asset, and Vulnerability Evaluation PACS - Picture Archiving Communication System PHA - Preliminary Hazard Analysis RAM - Random Access Memory ROG - Radius of gyration SLE - Single Lost Expectancy SQL - Structure Query Language SQL - Structure Query Language STRIDE - Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege TCP/IP - Transmission Communication Protocol /Internet Protocol TCP/IP - Transmission Communication Protocol /Internet Protocol THIS - Total Hospital Information System VGA - Video Graphic Array

10 xvi LIST OF APPENDICES APPENDIX TITLE PAGE A A Classification Framework in Risk Management for E-Commerce Development (Pan and Cai, 2008) 79 B Threat Modeling Using Fuzzy Logic Paradigm (Sodiya et al., 2007) 80 C Total Hospital Information System Key Components (Ganthan, Ahmad and Ismail, ) D Project Ghant Chart 83 E List of Total Hospital Information System Asset (Ganthan, Ahmad and Ismail, 2009) 84 F List of Total Hospital Information System Threat Category and Its Descriptions 85 G Hierarchical Structure of Security Threats to Total Hospital Information System 87 H Threat Assessment Design Form 88 I EFWA Algorithm (Lee and Park, 1997) 91 J Illustrative Example of Fuzzy Based Threat Analysis 92 K Overall Three Different Evaluators Perceptions on Threat Assessment for S1 Picture Archiving Communication System (PACS) 100 L Prototype Installation, Configuration and Implementation 104 M Assessment Result 118