In security risk analysis for information systems, establishing a model appropriate to the target security risk problem is a crucial task that ultimately determines how effective the risk analysis results are. To induce a representative model for the observed information systems, a security risk analysis model is proposed that is built from the knowledge in observed cases and from domain experts. In this model, a Bayesian network (BN) is developed by integrating a database of observed cases with domain-expert experience and knowledge. Based on the BN, the model makes the decision-making process of security risk analysis visible and repeatable. Finally, the model is demonstrated and validated via a case study.
Key words: information systems, risk analysis, Bayesian networks, probabilistic inference.
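As an added illustration of the mechanism the abstract describes (not code from the paper, whose BN structure and case database are not given here), the following example learns the conditional probability tables of a three-node BN by combining a constructed case database with expert knowledge expressed as Dirichlet pseudo-counts, then performs probabilistic inference on the risk node. The node names (V, T, R), the case records and the expert prior are all hypothetical.

```python
from collections import Counter

# Constructed case database (hypothetical): each record is
# (V = vulnerability present, T = threat active, R = incident occurred).
CASES = [
    (1, 1, 1), (1, 1, 1), (1, 1, 0), (1, 0, 0), (1, 0, 1),
    (0, 1, 0), (0, 1, 0), (0, 0, 0), (0, 0, 0), (1, 1, 1),
]

# Expert knowledge (hypothetical) as Dirichlet pseudo-counts for P(R | V, T):
# (v, t) -> (pseudo-count for R=0, pseudo-count for R=1).
# The total pseudo-count is the weight given to the expert relative to data.
EXPERT_PRIOR = {
    (1, 1): (1, 4),   # expert: incident likely when vulnerable and threatened
    (1, 0): (4, 1),
    (0, 1): (4, 1),
    (0, 0): (9, 1),   # expert: incident very unlikely with neither factor
}

def estimate_marginal(values, prior=(1, 1)):
    """P(X=1) for a binary root node, smoothed with a Beta(prior) prior."""
    n1 = sum(values)
    n0 = len(values) - n1
    return (n1 + prior[1]) / (n0 + n1 + prior[0] + prior[1])

def learn_cpts(cases, expert_prior):
    """Posterior-mean CPTs: observed counts plus expert pseudo-counts."""
    counts = Counter(cases)
    p_v = estimate_marginal([v for v, _, _ in cases])
    p_t = estimate_marginal([t for _, t, _ in cases])
    p_r = {}
    for (v, t), (a0, a1) in expert_prior.items():
        n0, n1 = counts[(v, t, 0)], counts[(v, t, 1)]
        p_r[(v, t)] = (n1 + a1) / (n0 + n1 + a0 + a1)
    return p_v, p_t, p_r

def risk_given_vulnerability(cases, expert_prior, v):
    """Inference P(R=1 | V=v): marginalise the unobserved threat node T."""
    _, p_t, p_r = learn_cpts(cases, expert_prior)
    return sum((p_t if t else 1 - p_t) * p_r[(v, t)] for t in (0, 1))

if __name__ == "__main__":
    for v in (0, 1):
        print(f"P(R=1 | V={v}) = {risk_given_vulnerability(CASES, EXPERT_PRIOR, v):.3f}")
```

Raising the pseudo-counts in EXPERT_PRIOR shifts the learned tables toward the expert's judgement; lowering them lets the observed cases dominate, which is the trade-off a risk analyst tunes when the case database is small.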
Copyright © 2020 Author(s) retain the copyright of this article.
This article is published under the terms of the Creative Commons Attribution License 4.0