Framework for Security Risk Assessment (FSRA) and Fuzzy Risk Inference System (FRIS) based on Standard ISO/IEC 27002:2022
DOI: https://doi.org/10.22456/2175-2745.136309
Keywords: Cybersecurity, ISO/IEC 27002:2022, Fuzzy Logic, Framework, Cyber Threats
Abstract
Information security is a critical aspect for organizations, and one problem in this regard is knowing the level of vulnerability organizations are exposed to. Therefore, this article presents a Cybersecurity Framework (FSRA) based on the ISO/IEC 27002:2022 standard. In addition, a Fuzzy Risk Inference System (FRIS) is presented, which takes the FSRA controls (Security Practices (SP), Software (S), and People (P)), 93 sub-items in total, as input. The FRIS output is the Security Risk (SR) the organization is exposed to due to non-compliance or partial compliance with the FSRA controls. Thus, if a control is fully met, its input value to the FRIS is 100%; otherwise, it is proportional. When the FRIS returns the SR, whose output values can be Low (13% to 39.99%), Medium (40% to 59.99%), or High (60% to 100%), the security analyst can measure the security risk the organization is exposed to, according to ISO/IEC 27002:2022, and from that know where and how to act.
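The pipeline the abstract describes (per-control compliance as input, fuzzy inference, a crisp Security Risk percentage mapped to the Low/Medium/High bands) can be shown end to end with a small Mamdani-style inference system. The following Python is an added illustration, not code from the paper or its authors: the membership functions, the three-rule base, the mean-of-sub-items aggregation and the handling of SR values under 13% are all assumptions chosen for the example, and the sub-item scores are constructed. Only the band thresholds come from the abstract.

```python
"""Toy Mamdani-style fuzzy risk inference over the three FSRA control groups.

Added illustration: the membership functions, rule base and sub-item
aggregation are assumptions, not the FRIS defined in the paper.
"""
from typing import Dict, Sequence, Tuple

CONTROLS = ("SP", "S", "P")  # Security Practices, Software, People


def control_compliance(sub_items: Sequence[float]) -> float:
    """Compliance (%) of one control from its sub-item scores in 0.0..1.0.

    Assumption: the control's FRIS input is the mean sub-item score, so a
    fully met control scores 100% and partial compliance is proportional.
    """
    if not sub_items:
        raise ValueError("a control needs at least one sub-item score")
    if any(not 0.0 <= s <= 1.0 for s in sub_items):
        raise ValueError("sub-item scores must lie in 0.0..1.0")
    return 100.0 * sum(sub_items) / len(sub_items)


def trap(x: float, a: float, b: float, c: float, d: float) -> float:
    """Trapezoidal membership: 0 below a, ramps to 1 at b, flat to c, 0 past d.
    a == b or c == d gives a vertical shoulder; b == c gives a triangle."""
    if x < a or x > d:
        return 0.0
    if b <= x <= c:
        return 1.0
    if x < b:
        return (x - a) / (b - a)
    return (d - x) / (d - c)


# Input sets over control compliance 0..100 (assumed breakpoints).
IN_SETS = {
    "low": lambda x: trap(x, 0, 0, 30, 50),
    "medium": lambda x: trap(x, 30, 50, 50, 70),
    "high": lambda x: trap(x, 50, 70, 100, 100),
}

# Output sets over Security Risk 0..100, overlapping the paper's three bands.
OUT_SETS = {
    "low": lambda y: trap(y, 0, 0, 30, 45),
    "medium": lambda y: trap(y, 35, 50, 50, 65),
    "high": lambda y: trap(y, 55, 70, 100, 100),
}


def rule_strengths(sp: float, s: float, p: float) -> Dict[str, float]:
    """Assumed rule base (min = AND, max = OR):
      R1: SP high AND S high AND P high     -> SR low
      R2: SP medium OR S medium OR P medium -> SR medium
      R3: SP low OR S low OR P low          -> SR high
    R3 is the conservative choice: one weak control group is enough for
    high risk, whatever the other two score."""
    inputs = (sp, s, p)
    return {
        "low": min(IN_SETS["high"](x) for x in inputs),
        "medium": max(IN_SETS["medium"](x) for x in inputs),
        "high": max(IN_SETS["low"](x) for x in inputs),
    }


def security_risk(sp: float, s: float, p: float) -> float:
    """Crisp SR (%) by centroid defuzzification of the clipped output sets,
    evaluated on the integer grid 0..100."""
    strengths = rule_strengths(sp, s, p)
    area = moment = 0.0
    for y in range(101):
        mu = max(min(strengths[name], fn(y)) for name, fn in OUT_SETS.items())
        area += mu
        moment += y * mu
    return moment / area if area > 0 else 0.0


def risk_band(sr: float) -> str:
    """Paper's output bands: Low 13%-39.99%, Medium 40%-59.99%, High 60%-100%.
    Values under 13% fall outside the stated scale and are reported as Low
    here (assumption)."""
    if sr < 40:
        return "Low"
    if sr < 60:
        return "Medium"
    return "High"


def assess(scores: Dict[str, Sequence[float]]) -> Tuple[float, str, Dict[str, float]]:
    """Sub-item scores per control -> compliance -> FRIS -> (SR, band, inputs)."""
    comp = {c: control_compliance(scores[c]) for c in CONTROLS}
    sr = security_risk(comp["SP"], comp["S"], comp["P"])
    return sr, risk_band(sr), comp


if __name__ == "__main__":
    # Constructed sample: SP and S largely in place, People controls weak.
    sample = {"SP": [1.0, 1.0, 1.0, 0.5, 1.0],
              "S": [1.0, 1.0, 0.5, 1.0],
              "P": [0.0, 0.5, 0.0, 0.0]}
    sr, band, comp = assess(sample)
    print(f"compliance={comp} SR={sr:.1f}% -> {band}")
```

With the constructed sample, SP and S score 90% and 87.5% but P only 12.5%, so rule R3 fires fully and the organisation lands in the High band: the point an analyst takes from this shape of model is that a single neglected control group dominates the result, which is exactly what the "where to act" step in the abstract is meant to reveal.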
License
Copyright (c) 2024 Diógenes Antonio Marques José, Douglas Schmitz, Kembolle Amilkar

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.
I authorize the editors to publish my article, if accepted, in electronic form in accordance with the rules of the Public Knowledge Project.