Article type: Research article
Authors
1 M.Sc. graduate in Information Technology Management, Department of Management, Faculty of Social Sciences and Economics, Alzahra University, Tehran, Iran
2 Faculty member, Department of Management, Faculty of Social Sciences and Economics, Alzahra University, Tehran, Iran. Corresponding author: M_azami@pnu.ac.ir
3 Ph.D. graduate in Industrial Engineering, Faculty of Industrial Engineering, Tarbiat Modares University; visiting lecturer, Department of Management, Faculty of Social Sciences and Economics, Alzahra University, Tehran, Iran
Abstract
Many organizations draw on successful international standards such as ISO 27001 to implement and evaluate their information security management system. In this research, a hierarchical weighted expert system was designed and implemented to calculate an organization's information security score on the basis of the ISO 27001 international standard. Unlike existing audit expert systems, this system does not treat all security evaluation criteria as equally important. The information needed to build the knowledge base was extracted from library research. The information needed to rank the control objectives and the evaluation criteria was gathered by questionnaire, and the weights of the control objectives and criteria were computed with the DEMATEL technique together with the Dalala formula and the WASPAS method. In the next stage, five main security objectives (authenticity, confidentiality, availability, accountability and auditability) were selected because they are emphasised and recur most often in the research literature. The expert system was designed using the information from these four stages. Visual Basic was used to implement the user interface and Excel 2016 was used for inference. Besides calculating the information security score according to the standard, the system calculates the score with the weights of the control objectives and of their evaluation criteria applied, together with the percentage of realization of the main security objectives, and reports the result at one of three levels: critical, average and very good. Running the system in two Iranian organizations showed that, with an average accuracy of 95%, it has the accuracy and efficiency needed to assess information security. Further findings are presented in the discussion and conclusion.
Article title [English]
Hierarchical weighted expert system for information security assessment based on the ISO 27001 international standard
Authors [English]
- Melika Armandi 1
- Mina Ranjbarfard 2
- Zahra Taheri 3
1 M.Sc. graduate, Alzahra University, Tehran, Iran
2 Department of Management, Faculty of Social Sciences and Economics, Alzahra University, Tehran, Iran Corresponding Author: m.ranjbarfard@alzahra.ac.ir
3 Lecturer, Alzahra University, Tehran, Iran
Abstract [English]
In this research, an expert system was designed and implemented on the basis of the ISO/IEC 27001 standard. To create its knowledge base, the control objectives and the criteria for evaluating them were extracted from ISO/IEC 27001, and the information needed to define the rules was collected. The rule-creation approach and the rules themselves were then confirmed through interviews with experts. The control objectives and their evaluation criteria were weighted using the DEMATEL technique together with the Dalala formula and the WASPAS method. In the next stage, five main security objectives were chosen because of their emphasis in the research literature; the selected objectives were reviewed and confirmed in face-to-face interviews with experts. After the expert system was designed, Visual Basic was used to implement the user interface and Excel 2016 was used for inference. The system calculates the information security score according to the standard and also calculates the score with the weights of the control objectives and their evaluation criteria applied, together with the percentage of realization of the main information security objectives. The resulting score is shown to the user at one of three levels: critical, average and very good. Running the system in two Iranian organizations showed that, with an average accuracy of 95%, it has the accuracy and efficiency needed to evaluate information security.
Introduction
Information is a vital asset for the survival of an organization, and information security plays a decisive role in modern information-driven organizations. Many organizations rely on successful international standards such as ISO/IEC 27001 to implement and evaluate their information security management system. With an intelligent information security audit system, an organization can learn the state of its information security at low cost and with high efficiency. In this research, a hierarchical weighted expert system was designed and implemented to calculate an organization's information security score on the basis of ISO/IEC 27001; it takes into account the importance of the control objectives and of the criteria used to evaluate them, and it also calculates the degree to which the main security objectives are achieved. Unlike other audit expert systems, this design does not treat the information security evaluation criteria as equally important. The system can be used in various organizations and industries for internal evaluation of the information security status and for deciding on corrective measures. An organization holding ISO/IEC 27001 certification can also use it as a faster and cheaper alternative to traditional audits (the certification audit itself must still be performed by an accredited certification body).
Literature review
ISO 27001 information security management standard
Information security management standards provide a security framework, together with specialized techniques, for implementing security in the information exchange space. The ISO 27001 international standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (Chang and Lee 2013).
ISO 27001 provides the organization with a comprehensive set of security processes and controls (Wallhoff 2004). A comparison of the capabilities of the various information security standards shows that ISO 27001 leads the others, especially in the field of information security management systems (Susanto, Almunawar, and Tuan 2011).
Intelligent information security audit systems
An expert system uses human knowledge to solve problems that would normally require human intelligence. Expert systems are designed to capture the expertise and information held in the minds of experts and make that knowledge available to other members of the organization for problem solving. The main components of an expert system are its knowledge base and its inference engine: the knowledge base holds the knowledge needed to understand, explain and solve the problem, while the inference engine, the brain of the expert system, determines how it reasons (Tripathi 2011).
Research Question(s)
What are the control objectives and evaluation criteria of the information security evaluation expert system?
What is the appropriate architecture of a weighted expert system for evaluating an organization's information security?
How are the weights of the control objectives and of their security evaluation criteria determined?
How is the main security objective of each control determined?
What inference method does the expert system use to evaluate the organization's information security?
Is the designed system sufficiently valid to measure an organization's information security?
Methodology
In terms of purpose this research is applied-developmental: it uses the ISO 27001 international standard to design an audit expert system that improves and refines the strategies, behaviours, methods, tools, devices, structures and patterns the organization uses. In terms of data it is descriptive, and its research strategy is design.
To create the knowledge base of the expert system, the control objectives, the criteria for evaluating them and the recommendations (controls) were extracted from ISO/IEC 27001, and the information needed to define the rules was collected. The rule-creation approach and the rules themselves were then confirmed through interviews with experts. The information needed to rank the control objectives and their evaluation criteria was collected by questionnaire, and the weights of the control objectives and criteria were calculated with the DEMATEL technique together with the Dalala formula and the WASPAS method. In the next stage, five main security objectives, authenticity, confidentiality, availability, accountability and auditability, were chosen because they are the most emphasised in the research literature. After deciding which main security objective each control serves, the assignments were reviewed and confirmed in face-to-face interviews with experts. Using the information from these four stages, an expert system for evaluating information security on the basis of ISO/IEC 27001 was designed. Visual Basic was used to implement the user interface and Excel 2016 was used for inference.
Discussion
In this research the control objectives and information security evaluation criteria were extracted from ISO 27001, the checklist used follows the standard exactly, and the system calculates the organization's information security score on that basis. Compared with previous research, the system also has some innovative aspects. The standard's control objectives and criteria were ranked according to expert opinion, and the information security score was also calculated with the weights of the control objectives and evaluation criteria taken into account. In addition, the main information security objective of each recommendation (control) was determined according to expert opinion, and the system also evaluates the degree to which each main security objective is realized in the organization.
It is worth noting that the method of assigning points to each control is based on interviews with security auditors in Iran: ISO 27001 itself states requirements and does not prescribe a scoring method, and this choice affects both the construction of the rules and the efficiency of the expert system. Scores produced with different scales or thresholds are not comparable, so the scale and the status cut-offs have to be fixed and documented before results from different organizations are compared.
Results
The designed system calculates the information security score according to the standard and also calculates the score with the weights of the control objectives and their evaluation criteria applied, together with the percentage of realization of the main information security objectives. The resulting score is shown to the user at one of three levels: critical, average and very good. Running the system in two Iranian organizations showed that, with an average accuracy of 95%, the system has the accuracy and efficiency needed to evaluate information security.
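The scoring pipeline described in the Methodology and Results sections, as an added worked example that is not the authors' Visual Basic/Excel system: DEMATEL weights for the control objectives derived from an expert direct-relation matrix, WASPAS aggregation of the criteria under each objective, the unweighted score "according to the standard" next to the weighted score, the realization percentage of each main security objective, and the three status levels. Everything in the block is an assumption: the three Annex A objectives, the criteria, their local weights and 0-3 scores, the direct-relation matrix, the use of normalised DEMATEL prominence as the weight, and the 50%/80% status cut-offs (the page does not give the authors' thresholds). The Dalala formula step the authors apply is not reproduced.

```python
"""Hierarchical weighted ISO 27001-style assessment (added example, not the
authors' system). Pure Python: DEMATEL weights, WASPAS aggregation, per-goal
realization and a three-level status. All input data below is constructed."""
from math import prod

# Assumed Annex A control objectives and an expert direct-relation matrix:
# DIRECT_RELATION[i][j] is the rated influence of objective i on objective j.
OBJECTIVES = ["A.9 Access control", "A.12 Operations security",
              "A.16 Incident management"]
DIRECT_RELATION = [[0, 3, 2],
                   [1, 0, 1],
                   [1, 1, 0]]

# Constructed checklist: objective -> [(criterion, local weight, main goal, score)].
# Scores use an assumed 0..3 maturity scale; local weights under an objective sum to 1.
CHECKLIST = {
    "A.9 Access control": [
        ("Access control policy", 0.6, "confidentiality", 3),
        ("Privileged access management", 0.4, "accountability", 2)],
    "A.12 Operations security": [
        ("Backup", 0.5, "availability", 1),
        ("Event logging", 0.5, "auditability", 2)],
    "A.16 Incident management": [
        ("Incident response procedures", 0.7, "availability", 2),
        ("Collection of evidence", 0.3, "auditability", 3)],
}
GOALS = ("authenticity", "confidentiality", "availability",
         "accountability", "auditability")
THRESHOLDS = [(0.5, "critical"), (0.8, "average")]  # assumed cut-offs; above 0.8: very good


def invert(m):
    """Gauss-Jordan inverse of a small square matrix (no numpy needed)."""
    n = len(m)
    a = [row[:] + [1.0 if i == j else 0.0 for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[piv] = a[piv], a[col]
        p = a[col][col]
        a[col] = [v / p for v in a[col]]
        for r in range(n):
            if r != col and a[r][col]:
                f = a[r][col]
                a[r] = [rv - f * cv for rv, cv in zip(a[r], a[col])]
    return [row[n:] for row in a]


def dematel_weights(direct):
    """Plain DEMATEL: normalise by the largest row/column sum, T = D (I - D)^-1,
    then weight objective i by its normalised prominence R_i + C_i (assumption)."""
    n = len(direct)
    s = max(max(sum(r) for r in direct),
            max(sum(direct[i][j] for i in range(n)) for j in range(n)))
    d = [[v / s for v in row] for row in direct]
    inv = invert([[(1.0 if i == j else 0.0) - d[i][j] for j in range(n)] for i in range(n)])
    t = [[sum(d[i][k] * inv[k][j] for k in range(n)) for j in range(n)] for i in range(n)]
    r = [sum(row) for row in t]                              # influence given
    c = [sum(t[i][j] for i in range(n)) for j in range(n)]   # influence received
    prominence = [ri + ci for ri, ci in zip(r, c)]
    total = sum(prominence)
    return [p / total for p in prominence]


def waspas(values, weights, lam=0.5):
    """WASPAS joint criterion: lam * weighted sum + (1 - lam) * weighted product.
    values must already be normalised benefit scores in [0, 1]."""
    wsm = sum(w * x for w, x in zip(weights, values))
    wpm = prod(x ** w for w, x in zip(weights, values))
    return lam * wsm + (1 - lam) * wpm


def status(score):
    for cutoff, label in THRESHOLDS:
        if score < cutoff:
            return label
    return "very good"


def assess(checklist, direct, objectives=OBJECTIVES, max_score=3):
    """Return unweighted and weighted scores, per-objective scores, the status
    level and the realization of each main goal (None when no control maps to it)."""
    obj_w = dict(zip(objectives, dematel_weights(direct)))
    obj_scores, all_norm, by_goal = {}, [], {g: [] for g in GOALS}
    for obj in objectives:
        rows = checklist[obj]
        norm = [score / max_score for _, _, _, score in rows]
        obj_scores[obj] = waspas(norm, [w for _, w, _, _ in rows])
        all_norm.extend(norm)
        for (_, _, goal, _), x in zip(rows, norm):
            by_goal.setdefault(goal, []).append(x)
    weighted = sum(obj_w[o] * obj_scores[o] for o in objectives)
    unweighted = sum(all_norm) / len(all_norm)       # equal importance, "per the standard"
    realization = {g: (sum(v) / len(v) if v else None) for g, v in by_goal.items()}
    return {"objective_weights": obj_w, "objective_scores": obj_scores,
            "unweighted": unweighted, "weighted": weighted,
            "status": status(weighted), "goal_realization": realization}


if __name__ == "__main__":
    result = assess(CHECKLIST, DIRECT_RELATION)
    print(f"score per standard (equal weights): {result['unweighted']:.1%}")
    print(f"weighted score: {result['weighted']:.1%} -> {result['status']}")
    for goal, r in result["goal_realization"].items():
        print(f"  {goal:16s} {'not assessed' if r is None else f'{r:.0%}'}")
```

With the constructed data the equal-weight score is 72.2% while the DEMATEL/WASPAS score is 70.5% (both "average"); the gap comes from A.12, the weakest objective, carrying a third of the weight. The goal table also exposes a gap the single score hides: no control in this checklist maps to authenticity, so that goal is reported as not assessed rather than silently counted as 0% or 100%.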
Keywords: Information security management system, Expert system, ISO 27001 international standard, DEMATEL technique, Dalala formula, WASPAS method
References (Persian-language)
- Azar, A., & Momeni, M. (1384). Statistics and its application in management. Tehran: SAMT (Organization for Researching and Composing University Textbooks in the Humanities). (in Persian)
- Azadbeigi, N. (1398). Providing local and operational solutions for resolving security vulnerabilities and threats of organizational computer networks within the framework of the ISO/IEC 27K standards (M.Sc. thesis, Computer Engineering, Software). Eshragh Institute of Higher Education, Bojnord. (in Persian)
- Aftabi, N. (1397). An information security management model for reducing potential risks in IT-based organizations (M.Sc. thesis, Economic and Social Systems). Faculty of Industrial Engineering, Sharif University. (in Persian)
- Akhavan, F., Mousavi, S. A. A., & Sarabadani, A. (1402). Key success factors in implementing information security governance (case study: Iranian Central Oil Fields Company). Strategic Studies in the Oil and Energy Industry, 14(56), 113-132. (in Persian)
- Jafarnejad, S., & Taghva, M. R. (1398). The role of implementing service management and security frameworks (ITIL and ISMS) in IT service continuity. Journal of Business Intelligence Management Studies, 7(30), 33-54. (in Persian)
- Shahbahrami, A., Rafizadeh Kasani, R., & Pouryousefi Dargah, H. (1397). Identifying and prioritizing the parameters affecting the information security management system (case study: Social Security branches of Guilan Province). Iranian Journal of Information and Communication Technology, 10(35-36), 57-74. (in Persian)
- Sheikh Abumasoudi, R., Kouhi Habibi, S., Ataei, M., & Esmaeili, N. (1394). Evaluating the information management systems of a university of medical sciences using the ISO/IEC 27001 standard. Health Information Management, 12(3), 306-316. (in Persian)
- Farhadi, K. (1396). Comprehensive training on implementing and lead auditing an information security management system. Tehran: Batis Academy. (in Persian)
- Meidani, Z., Assari, M. A., Mousavi, S. G. A., & Ataei Andzagh, A. (1396). Security evaluation of hospital information systems. Health Information Management, 14(5), 187-193. (in Persian)
References
- Aileen, A., & Fianty, M. I. (2024). Capability level assessments of information security controls: An empirical analysis of practitioners assessment capabilities. Journal of Information Security, 8(1), 91-103.
- Atymtayeva, L. B., Bortsova, G. K., Inoue, A., & Kozhakhmet, K. T. (2012). Methodology and ontology of expert system for information security audit. In The 6th International Conference on Soft Computing and Intelligent Systems, and The 13th International Symposium on Advanced Intelligent Systems (pp. 238-243). IEEE.
- Bartoš, J., Walek, B., Klimeš, C., & Farana, R. (2014). Fuzzy tool for conducting information security risk analysis. In Proceedings of the 2014 15th International Carpathian Control Conference (ICCC) (pp. 28-33).
- Broderick, J. S. (2006). ISMS, security standards and security regulations. Information Security Technical Report, 11, 26–31.
- Chang, L.-Y., & Lee, Z.-J. (2013). Applying fuzzy expert system to information security risk assessment: A case study on an attendance system. In 2013 International Conference on Fuzzy Theory and Its Applications (iFUZZY) (pp. 346-351).
- Clinch, J. (2009). ITIL V3 and information security. Best Management Practice.
- Culot, G., Nassimbeni, G., Podrecca, M., & Sartor, M. (2021). The ISO/IEC 27001 information security management standard: Literature review and theory-based research agenda. The TQM Journal, 33(7), 76-105.
- Dor, D., & Elovici, Y. (2016). A model of the information security investment decision-making process. Computers & Security, 63, 1-13.
- Farid, G., Warraich, N. F., & Iftikhar, S. (2023). Digital information security management policy in academic libraries: A systematic review (2010–2022). Journal of Information Science. https://doi.org/10.1177/01655515231160026
- Fonseca-Herrera, O. A., Rojas, A. E., & Florez, H. (2021). A model of an information security management system based on NTC-ISO/IEC 27001 standard. IAENG International Journal of Computer Science, 48(2), 213-222.
- Ganji, D., Kalloniatis, C., Mouratidis, H., & Malekshahi Gheytassi, S. (2019). Approaches to develop and implement ISO/IEC 27001 standard-information security management systems: A systematic literature review. International Journal on Advances in Software, 12(3).
- Hentea, M. (2007). Intelligent system for information security management: Architecture and design issues. Informing Science: International Journal of an Emerging Transdiscipline, 4(1), 29-43.
- Herath, T. C., Herath, H. S. B., & Cullum, D. (2023). An information security performance measurement tool for senior managers: Balanced scorecard integration for security governance and control frameworks. Information Systems Frontiers, 25(2), 681-721.
- ISO/IEC 27001:2013. Information technology, security techniques, information security management systems, requirements (2nd ed.). Retrieved from https://www.iso.org/obp/ui/#iso:std:iso-iec:27001:ed-2:v1:en
- Kamal, M., Muhamad, M., Sudianto, Y., Fauzan, M. A., Anggito, Y., Yasin, W., & Hermawan, H. (2024). Information technology security audit at the YDSF national zakat institution using the ISO 27001 framework. Jurnal Sisfokom (Sistem Informasi dan Komputer), 13(1).
- Kanatov, M., Atymtayeva, L. B., & Yagaliyeva, B. (2014). Expert systems for information security management and audit: Implementation phase issues. In 2014 Joint 7th International Conference on Soft Computing and Intelligent Systems (SCIS) and 15th International Symposium on Advanced Intelligent Systems (ISIS) (pp. 896-900).
- Khafidh Sunny Al Fajri, & Harwahyu, R. (2024). Information security management system assessment model by integrating ISO 27002 and 27004. Institut Riset dan Publikasi Indonesia (IRPI). P-ISSN: 2797-2313.
- Kitsios, F., Chatzidimitriou, E., & Kamariotou, M. (2022). Developing a risk analysis strategy framework for impact assessment in information security management systems: A case study in IT consulting industry. Sustainability, 14(3), 1269.
- Kozhakhmet, K. T., Bortsova, G., Inoue, A., & Atymtayeva, L. B. (2012). Expert system for security audit using fuzzy logic. In Midwest Artificial Intelligence and Cognitive Science Conference (p. 146).
- Lakhno, V., Tkach, Y., Petrenko, T., Zaitsev, S., & Bazylevych, V. (2016). Development of adaptive expert system of information security using a procedure of clustering the attributes of anomalies and cyber attacks. Eastern-European Journal of Enterprise Technologies (Восточно-Европейский журнал передовых технологий), 65(4), 32-45.
- Liu, J., Xiao, Y., Chen, H., Ozdemir, S., Dodle, S., & Singh, V. (2010). A survey of payment card industry data security standards. IEEE Communication Surveys & Tutorials, 12(3), 287-303.
- Mera-Amores, F., & Roa, H. N. (2024). Enhancing information security management in small and medium enterprises (SMEs) through ISO 27001 compliance. In Future of Information and Communication Conference (pp. 197-207). Cham: Springer Nature Switzerland.
- Mirtsch, M., Blind, K., Koch, C., & Dudek, G. (2021). Information security management in ICT and non-ICT sector companies: A preventive innovation perspective. Computers & Security, 109, 102383.
- Muhammad Azam, M. S., Ali Khan, M., & Yang, S. (2022). A decision-making approach for the evaluation of information security management under complex intuitionistic fuzzy set environment. Journal of Mathematics, 2022, Article ID 9704466. https://doi.org/10.1155/2022/9704466
- Olzak, T. (2013). Insider threats: Implementing the right controls. TechRepublic.
- Piech, H., & Grodzki, G. (2017). Audit expert system of communication security assessment. Procedia Computer Science, 112, 147-156.
- Proenca, D., & Borbinha, J. (2018). Information security management systems: A maturity model based on ISO/IEC 27001. In Business Information Systems: 21st International Conference, BIS 2018, Berlin, Germany, July 18-20, Proceedings 21 (pp. 102-114).
- Althar, R. R., Samanta, D., Purushotham, S., Singh Senga, S., & Hewage, C. (2023). Design and development of artificial intelligence knowledge processing system for optimizing security of software system. SN Computer Science, 4, 331.
- Riswaya, A. R., Sasongko, A., Maulana, A., Mardira Indonesia, S., & Langlangbuana Bandung, U. (2020). Evaluasi tata kelola keamanan teknologi informasi menggunakan indeks kami untuk persiapan standar SNI ISO/IEC 27001 (Studi Kasus: STMIK Mardira Indonesia). Jurnal Computech & Bisnis, 14(1), 10–18.
- Rkaur, G., Rani, P., & Garg, S. (2016). Various issues in expert system for information management and audit. International Journal of Advanced Research in Computer Science, 79(3), 245-261.
- Saha, P., Mahanti, A., Chakraborty, B. B., & Navlani, A. (2013). Development of ontology-based framework for information security standards. In Proceedings of the 9th International Conference on Autonomic and Autonomous Systems (pp. 83-89).
- Sendi, A. S., Jabbarifar, M., Shajari, M., & Dagenais, M. (2010). FEMRA: Fuzzy expert model for risk assessment. In 2010 Fifth International Conference on Internet Monitoring and Protection (pp. 48-53).
- Sihwi, S. W., Andriyanto, F., & Anggrainingsih, R. (2016). An expert system for risk assessment of information system security based on ISO 27002. In 2016 IEEE International Conference on Knowledge Engineering and Applications (ICKEA) (pp. 56-61).
- Singhal, D., Tripathy, S., & Kumar Jena, S. (2018). DEMATEL approach for analyzing the critical factors in remanufacturing process. Materials Today: Proceedings, 5(9), 18568-18573.
- Sun, H., & Bai, S. H. (2022). Enterprise information security management using Internet of Things combined with artificial intelligence technology. Computational Intelligence and Neuroscience, 2022, Article ID 7138515. https://doi.org/10.1155/2022/7138515
- Suorsa, M., & Helo, P. (2024). Information security failures identified and measured: ISO/IEC 27001: 2013 controls ranked based on GDPR penalty case analysis. Information Security Journal: A Global Perspective, 1-22.
- Susanto, H., Almunawar, M. N., & Tuan, Y. C. (2011). Information security management system standards: A comparative study of the big five. International Journal of Electrical Computer Sciences, IJECSIJENS, 11(5), 23-29.
- Tarek Ali, M., Al-Khalidia, M., & Al-Zaidib, R. (2024). Information security risk assessment methods in cloud computing: Comprehensive review. Journal of Computer Information Systems. https://doi.org/10.1080/08874417.2024.2329985
- Tripathi, K. P. (2011). A review on knowledge-based expert system: Concept and architecture. IJCA Special Issue on Artificial Intelligence Techniques-Novel Approaches & Practical Applications, 4, 19-23.
- Wallhoff, J. (2004). Combining ITIL with COBIT and ISO/IEC 17799: 2000. Scillani Information AB.
- Holbert, R. L., Lee, J., Esralew, S., Walther, W. O., Hmielowski, J. D., & Landreville, K. D. (2013). Affinity for political humor: An assessment of internal factor structure, reliability, and validity. Humor, 26(4), 551-572.
- Sfaei, H., & Homayounzadeh, F. (2017). A hybrid approach using fuzzy multi-criteria techniques to evaluate the performance of in-service training courses (Case study: Mazandaran and Golestan Regional Electricity Company). Journal of Applied Research on Industrial Engineering, 4(1), 39–49.
- Zavadskas, E. K., Turskis, Z., Antucheviciene, J., & Zakarevicius, A. (2012). Optimization of weighted aggregated sum product assessment. Electronics and Electrical Engineering, 122(6), 3-6.