
Fuzzy Economic Decision-models for Information Security Investment

J.N. Sheen
Department of Electrical Engineering, Cheng-Shiu University
840, Chingcing Rd., Niaosung Township, Kaohsiung County, TAIWAN
Email: [email protected]

Abstract—The present paper derives fuzzy economic models to evaluate the economic feasibility of information security investment. The Net Present Value (NPV) and discounted Return on Investment (dRoI) models are proposed for the execution of cost-benefit analysis. Since fuzzy results take the form of a complex nonlinear representation, and do not always provide a totally ordered set in the way that crisp numbers do, the current paper first approximates the resulting fuzzy profitability indexes by a triangular fuzzy number, and then uses the Mellin transform to obtain the means and variances of the triangular fuzzy numbers in order to determine their relative ranking in a decision-making process. The performance of the proposed models is verified by applying them to a practical illustration used in previous literature. These investigations not only confirm that the results of the fuzzy economic models are consistent with those of the conventional crisp models, but also demonstrate that the proposed models are more flexible, intelligent and computationally efficient than the extension-principle fuzzy mathematics approach. The developed models represent readily implemented feasibility analysis tools for use in the arena of uncertain economic decision-making.

Keywords—Fuzzy economics, risk management, information security investment, decision-making, Mellin transform.

1. Introduction

Prior to adopting a project, potential investors must explore the soundness of the project by performing a feasibility study which investigates all aspects of the project, including its anticipated future financial and economic performance. The feasibility study mainly concerns the monetary aspects of the project and its financial rewards and profitability from the investors' perspective. That is, an economic profitability model should be made available to potential investors to enable them to evaluate the benefits and costs of the project. In general, the greater the economic effectiveness of a project, the greater the degree of its acceptance by investors [1].

Given the information-intense characteristics of a modern economy, firms of every kind and scale are undertaking electronic business activities. The continued growth in the use of information technologies makes firms increasingly dependent on their information systems. However, a firm's information assets are susceptible to risk by virtue of the fact that the information system is connected to third-party networks, typically the Internet. The want and need for information security can have many different motivations. Some people and firms deal with highly sensitive information that could potentially threaten certain people or a nation. Corporations have trade secrets and business processes they do not want publicly disclosed. Banks and medical organizations have many records that could be used to steal personal identities. All of these situations require varying levels of security. Any successful attack on an information system, and its eventual crash, could result in a serious loss of data, services and business operations. This is the main reason why modern organizations are investing in information security systems (ISS). The ISS should protect the confidentiality, integrity, and availability of the information system.

Given the information-intense characteristics of a modern economy, it should be no surprise to learn that ISS is a growing spending priority among most companies. This growth in ISS is occurring in a variety of areas including software to detect viruses, firewalls, sophisticated encryption techniques, intrusion detection systems, automated data backup, and hardware devices [2, 3].

The information assets consist of hardware and software components that are the fruit of the work of a plethora of suppliers, systems integrators and internal employees. The value of the information assets comprises tangible and intangible assets [4]. The tangible component is the sum total of the cost to implement the various hardware and software elements of a system. The intangible component includes the value of the data stored in databases, the knowledge and the intellectual property stored within a system [5]. The value of the intangible assets may be difficult to calculate in monetary terms.

Losses from security breaches can be caused by a poor organization of security measures, human failures or fraud, technical failures or external events, and accordingly they are classified as financial, technical, ecological, social, psychological or other. The average disclosed loss from cyber crime in 2007 for the respondents to the Computer Security Institute and Federal Bureau of Investigation's annual report was $350,424 [6]. In the context of business operations, the meaning and the importance of security failures are better understood through economic losses than through a technical analysis [3, 7, 8].

ISSN: 1790-5117

141

ISBN: 978-960-474-174-8

Proceedings of the 9th WSEAS Int. Conference on INSTRUMENTATION, MEASUREMENT, CIRCUITS and SYSTEMS

Key aspects of any economic security research should refer to [7]:
1. The frequency of security breaches: what are the symptoms and which are the indicia that compose the frequency of breaches;
2. The cost of security breaches: the resolution of the problematic cost estimation of a breach;
3. The investments in information security mechanisms: the level of expenditure for the adoption and establishment of a security framework.

In order to determine how much an organization should spend on ISS and data protection, it is important to know the value of the assets to be protected. This is usually done by risk management, which provides the organization with information about the consequences if appropriate protection and security solutions are not provided, about the potential losses in the case of a security incident, and about the impact it may have on the company's overall productivity. Nowadays, the question is not whether organizations need more security, but how much to spend for added security. Each choice involves risk. The risk-based benefit is the reduction in expected loss from security failure incidents (that is, a reduction in risk). In this sense, IT security activities have a strong affinity with other activities that do not produce revenue but nonetheless provide essential and necessary support for the overall organization. As such, the relevant criterion in evaluating IT solutions is not simply the cost of implementation but how much benefit each additional dollar of investment brings, in the form of reducing the expected loss or risk.

Classical decision-making methodologies are criticized for over-simplifying the decision-making process by forcing the experts to express their views on pure numeric scales. However, owing to the availability and subjectivity of information, it is very difficult to obtain exact assessment data concerning the fulfillment of the requirements of the criteria or the relative importance of each criterion. It is common evidence that assessments made by experts are mostly of a subjective and qualitative nature. Linguistic terms are frequently encountered in practice and are used to convey experts' assessments and beliefs. Fuzzy set theory, originally proposed by Dr. Zadeh, is an effective means of dealing with the vagueness of human judgment. The cash flow models applied in many economic decision-making problems often involve an element of uncertainty. In the case of deficient data, decision-makers generally rely on an expert's knowledge of economic information when carrying out their economic modeling activities. Fuzzy set theory has been developed and successfully applied in numerous areas, such as control and decision making, engineering and medicine. Its application to economic analysis is natural owing to the uncertainty inherent in many financial and investment decisions. However, practical applications of fuzzy number theory in the economic decision-making arena involve two laborious tasks, namely fuzzy mathematical operations and the comparison or ranking of the resultant complex fuzzy numbers.

The remainder of this paper is structured as follows: Section II introduces fuzzy numbers and fuzzy mathematics, and discusses the ranking of fuzzy numbers. Section III develops fuzzy economic models to assist ISS investors in evaluating the relative benefits of ISS projects in an uncertain environment. Section IV presents the application of the proposed fuzzy evaluation models to a practical case study. Finally, Section V presents the conclusions of the present study.

2. FUZZY MATHEMATICS AND RANKING

2.1 Fuzzy Number

When dealing with uncertainty, decision-makers are commonly provided with information characterized by vague linguistic descriptions such as "high risk", "low profit", "high annual interest rate", etc. The principal objective of fuzzy set theory is to quantify these vague descriptive terms. Dr. Zadeh proposed a membership function which accords each object a grade (or degree) of membership within the interval [0, 1]. A fuzzy set is designated as $\forall x \in X,\ \mu_A(x) \in [0,1]$, where $\mu_A(x)$ is the grade of membership, ranging from 0 to 1, of a vague predicate A over the universe of objects X. The closer the object matches the vague predicate, the higher its grade of membership. The membership function may be viewed as representing an opinion poll of human thought or as an expert's opinion.

A fuzzy number is a normal and convex fuzzy set, and its membership function can be denoted as $\mu_A(x) = (a_1,\ f_{A1}(\alpha)/a_2,\ a_3/f_{A2}(\alpha),\ a_4)$, where $f_{A1}(\alpha)$ is a continuous monotonically increasing function of $\alpha$ for $0 \le \alpha \le 1$, $f_{A2}(\alpha)$ is a continuous monotonically decreasing function of $\alpha$ for $0 \le \alpha \le 1$, $f_{A1}(0) = a_1$, $f_{A1}(1) = a_2$, $f_{A2}(1) = a_3$, $f_{A2}(0) = a_4$, and $a_1 < a_2 \le a_3 < a_4$. The Trapezoidal Fuzzy Number (TrFN) is a particular form of fuzzy number in which $f_{A1}$ and $f_{A2}$ are both straight-line segments, and in the case where $a_2 = a_3$ this TrFN becomes a Triangular Fuzzy Number (TFN). Implementing the TFN is mathematically straightforward and, more importantly, it represents a rational basis for quantifying the vague knowledge associated with most decision-making problems [9-14, 26]. The TFN of the vague predicate A can be expressed simply as $A = (a_1, a_2, a_3)$, where the vertexes $a_1$, $a_2$ and $a_3$ denote the smallest possible value, the most promising value and the largest possible value describing a fuzzy event, respectively. Of these values, the most promising value can be considered as the conventional (classic) crisp number. It is noted that these parameters are analogous to the lower, medium and higher values in the domain of the triangular probability distribution. However, the parameters in a TFN represent the values accorded by human thought to the possibility of an event occurring, while the parameters in a triangular probability distribution represent the values associated with the probabilistic occurrence of that event. The membership function of the vague predicate A presented in Figure 1 is described by the following linear relationships:

$$\mu_A(x) = \begin{cases} \mu_{A1}(x) = \dfrac{x - a_1}{a_2 - a_1}, & a_1 \le x \le a_2 \\[6pt] \mu_{A2}(x) = \dfrac{a_3 - x}{a_3 - a_2}, & a_2 \le x \le a_3 \end{cases} \qquad (1)$$

$$x = \begin{cases} f_{A1}(\alpha) = \mu_{A1}^{-1} = a_1 + (a_2 - a_1)\alpha, & 0 \le \alpha \le 1 \\[4pt] f_{A2}(\alpha) = \mu_{A2}^{-1} = a_3 - (a_3 - a_2)\alpha, & 0 \le \alpha \le 1 \end{cases} \qquad (2)$$

The $\alpha$-cut of a fuzzy set A is a crisp set containing all the elements of the universal set X whose membership grades in A are greater than, or equal to, the specified value of $\alpha$. The $\alpha$-cut of the fuzzy set A is given by:

$$A_\alpha = [f_{A1}(\alpha),\ f_{A2}(\alpha)] = \left[a_1 + (a_2 - a_1)\alpha,\ a_3 - (a_3 - a_2)\alpha\right] \qquad (3)$$

Possibility (or confidence level) analysis is performed using the membership function of the fuzzy number given in Eqs. (1)-(3). In this analysis, if x lies between $a_1$ and $a_2$, then the possibility of x can be obtained by substituting x into $\mu_{A1}(x)$. Similarly, if x lies between $a_2$ and $a_3$, then the possibility of x can be obtained by substituting x into $\mu_{A2}(x)$. At a specific membership grade, or at a specific possibility $\alpha$, the range of x can be calculated from the $\alpha$-cut given in Eq. (3).

Fuzzy mathematics is based on the extended principles presented in References [15-17], in which the traditional addition, subtraction, multiplication, division, power, logarithmic and exponent mathematical operations are applied to fuzzy numbers. Dubois and Prade [16] demonstrated that when performing the binary manipulation of fuzzy numbers, the resultant increasing (decreasing) part arises from binary operations on the non-decreasing (non-increasing) parts of the two fuzzy numbers. The extended operations ensure that the resultant fuzzy number continuously maintains its fuzzy properties during the arithmetic operating procedure. It is found that fuzzy mathematics tends to be cumbersome even for the more straightforward operations such as addition and subtraction. Unfortunately, financial and engineering applications involving fuzzy sets typically require the more complex nonlinear mathematical operations such as product, division, power and logarithmic manipulations [9]. In some cases, fuzzy operations of this type may require an insurmountable computational effort. Consequently, it has been proposed that approximated triangular fuzzy numbers be used to examine the resultant fuzzy profitability indexes [10].

2.2 Fuzzy Ranking

Following the manipulation of the approximated fuzzy financial function by fuzzy mathematics, the task of comparing or ranking the resultant complex fuzzy numbers can raise another problem, because fuzzy numbers do not always yield a totally ordered set in the way that crisp numbers do. Many authors have investigated the use of alternative fuzzy set ranking methods, and these methods have been reviewed and compared by Chen and Hwang [18]. The Mellin transform [19, 20] has been proposed as a means of calculating the mean and variance values of the approximated fuzzy result indexes. A rigorous ranking of the fuzzy numbers can then be obtained by simply comparing the means and variances of the fuzzy numbers.

The probabilistic method is one of two previously published fuzzy ranking methods [9, 21-25]. In an earlier study [26], the current author suggested using the Mellin transform [32, 33] to perform the fuzzy ranking of normalized fuzzy numbers. The proportional probability density function was adopted owing to its computationally straightforward nature and conceptual consistency. The proportional probability density function (pdf) corresponding to the membership function of a fuzzy number, $\mu(x)$, is $p(x) = h_p\,\mu_A(x)$, where $h_p$ denotes the conversion constant which ensures that the area under the continuous probability density function is equal to 1. The Mellin transforms of the TFN $A(a_1, a_2, a_3)$ were summarized in Table 1 of [26]. Computing $M_x(s)$ at s = 1, 2 and 3 gives the mean and variance of the triangular fuzzy number $A(a_1, a_2, a_3)$ as:

$$\mu_A = M_x(2) = \frac{a_1 + a_2 + a_3}{3} \qquad (4)$$

$$\sigma_A^2 = \frac{1}{18}\left(a_1^2 + a_2^2 + a_3^2 - a_1 a_2 - a_2 a_3 - a_3 a_1\right) \qquad (5)$$

Fig. 1 presents a flow chart describing the proposed ranking process for fuzzy numbers. Initially, the fuzzy numbers are converted to their equivalent pdfs. Eqs. (4) and (5) are then used to calculate their means and variances. Fuzzy numbers which share the same mean value are ranked using Rule 1, while the remaining fuzzy numbers are ranked using Rule 2. These two rules are summarized as follows:
Rule 1: a fuzzy number with a lower variance is ranked above fuzzy numbers whose variances are higher.
Rule 2: a fuzzy number with a superior mean is ranked above fuzzy numbers having inferior means.
Note that when performing a least-cost analysis, a smaller mean cost is superior to higher mean costs. Conversely, in a cost-benefit analysis, a higher mean benefit is superior to lower mean benefits.

Fig. 1. Flow chart of the fuzzy number ranking process: Start → Convert fuzzy numbers to pdfs → Calculate moments → Equal mean values? (Yes: Rule 1 ranking; No: Rule 2 ranking) → Decision making.

3. FUZZY ISS ECONOMIC DECISION MODELS

There are many different methodologies for assessing the profitability of information security investment. Quantitative analysis attempts to assign numeric values to the likelihood and impact of the risk and to the costs and benefits related to the ISI. In this paper, only the economic evaluation method under uncertainty is described, rather than the estimation of the individual security parameters. A simple analytical method for risk exposure proposes the calculation of the annual loss expectancy (ALE) [3, 8]. The first step in the ALE calculation is the determination of the monetary loss associated with the impact, or the single loss exposure (SLE). The SLE is the total amount of revenue that is lost from a single occurrence of the risk. It is a monetary amount assigned to a single event, representing the organization's potential loss if a specific threat exploits the vulnerability. The SLE is calculated by multiplying the monetary value of the information asset (AV) by the exposure factor (EF):

$$SLE = AV \times EF \qquad (6)$$

The EF represents the percentage of loss that a realized threat could inflict on a certain information asset. The annual rate of occurrence (ARO) is the number of times that an organization reasonably expects a particular risk to occur during one year. The ALE of an information asset is then calculated as:

$$ALE = SLE \times ARO \qquad (7)$$

Most of the currently used metrics for quantifying the costs and benefits of information security investments are based on calculated indicators such as the return on investment (ROI), net present value (NPV), internal rate of return (IRR), or combinations of them. The cost of ISS should be considered as a compound of the system-configuration-specific costs and the operating costs. System-configuration-specific costs are typically one-time costs for the purchase, testing and implementation of the defense solution that protects information assets from possible threats. Operating costs are represented by annual maintenance (upgrades and patching of the defense solution), training of users and network administrators, and monitoring of the solution.

On the other hand, assessing or measuring the benefits of ISS is difficult, since firewalls, antivirus software and other security solutions do not generate revenue that can be easily measured. The benefits resulting from ISI are therefore measured as the cost avoided by preventing information security breaches [3, 8]. Benefits can thus be represented as the difference between the ALE without and with ISS:

$$Benefit = ALE_{\text{without ISS}} - ALE_{\text{with ISS}} \qquad (8)$$

In [2], the authors took into account the vulnerability of the information to a security breach and the potential loss should such a breach occur. It is shown that, for a given potential loss, a firm should not necessarily focus its investments on the information sets with the highest vulnerability. Since extremely vulnerable information sets may be inordinately expensive to protect, a firm may be better off concentrating its efforts on information sets with midrange vulnerabilities. For two broad classes of security breach probability functions, the optimal amount to invest in information security should not exceed 37% ($\approx 1/e$) of the expected loss due to a security breach. Much of the previous literature, and many firms, prefer to take a generic approach to evaluating the return on security investment for information security activities. However, this is an over-simple model for evaluating investment activities, since the opportunity cost of capital is neglected. The opportunity cost of capital is the expected return forgone by bypassing other potential investment activities for a given capital. The opportunity cost of capital is an important concept for a resource-limited firm when scheduling any kind of investment. This paper takes both the interest rate and the monetary inflation rate into account in the cost-benefit analysis of ISS decision-making in a firm.

The cash flow models applied in economic decision-making problems relating to project evaluation frequently involve an element of uncertainty. Previous researchers, including Kaufmann and Gupta [27] and Ward [28], conducted fuzzy discounted cash flow analyses in which either the periodic cash flow or the discount rate was specified as a fuzzy number. Furthermore, Buckley [29], Chiu and Park [30] and Kahraman et al. [31] addressed problems in which both the periodic cash flow and the discount rate were expressed as fuzzy numbers. These studies also developed various economic equivalence formulae for use in rudimentary economic calculations. However, these models have only limited application in the economic decision-making arena, since they consider only a single payment, or at best a few payments, when deriving their economic indexes. In real-world applications, the periodic cash flow may be subject to occasional uncertain variations. Accordingly, the present study adopts a parameter, d, to represent the inflation rate. These parameters are specified in the form of fuzzy numbers and are used to reflect an uncertain geometric series of cash flows. At the planning stage, a decision-maker is seldom in possession of all the information required to make an accurate assessment of the initial investment I and the annual cash flow-in (or out) A. Therefore, it is appropriate to specify the initial investment, the periodic cash flow, the inflation rate and the interest rate as TFNs.

In evaluating certain projects, investors may take the cash flow-out to be the initial capital investment I, and consider the cash flow-in to be the annual net profit A, which is calculated as the difference between the annual production revenue and the annual operating cost. The present study develops two fuzzy cost-benefit evaluation models, i.e. the net present value (NPV) and the discounted return on investment (dROI), to assess the profitability of ISS projects. Although the internal rate of return indicator is commonly used in conventional crisp cost/benefit analysis, it has been noted by previous researchers that this index is not applicable to the fuzzy case [12, 30]. The crisp NPV and dROI measures are expressed in Eqs. (9) and (10), respectively. Meanwhile, the membership functions of the corresponding fuzzy models can be derived as represented in Eqs. (11) and (12), respectively.

$$NPV = -I + A \cdot GPVF \qquad (9)$$

where the geometric series present value factor is:

$$GPVF = \frac{1 - \left(\dfrac{1 + d}{1 + r}\right)^n}{r - d}$$

$$dROI = \frac{\displaystyle\sum_{t=1}^{n} \frac{A(1 + d)^{t-1}}{(1 + r)^t}}{I} = \frac{A}{I}\left(\sum_{t=1}^{n} \frac{(1 + d)^{t-1}}{(1 + r)^t}\right) \qquad (10)$$

$$\mu_{NPV}(x) = \left(NPV_1,\ f_{NPV1}(\alpha)/NPV_2,\ NPV_2/f_{NPV2}(\alpha),\ NPV_3\right) \qquad (11)$$

where:

$$f_{NPV_i}(\alpha) = -f_{I(3-i)}(\alpha) + f_{A_i}(\alpha)\,\frac{1 - \left(\dfrac{1 + f_{d_i}(\alpha)}{1 + f_{r(3-i)}(\alpha)}\right)^n}{f_{r(3-i)}(\alpha) - f_{d_i}(\alpha)}, \qquad i = 1, 2$$

$$\mu_{dROI}(x) = \left(dROI_1,\ f_{dROI1}(\alpha)/dROI_2,\ dROI_2/f_{dROI2}(\alpha),\ dROI_3\right) \qquad (12)$$

where:

$$f_{dROI_i}(\alpha) = \frac{f_{A_i}(\alpha)}{f_{I(3-i)}(\alpha)}\left(\frac{1 - \left(\dfrac{1 + f_{d_i}(\alpha)}{1 + f_{r(3-i)}(\alpha)}\right)^n}{f_{r(3-i)}(\alpha) - f_{d_i}(\alpha)}\right), \qquad i = 1, 2$$

4. CASE STUDIES

The fuzzy economic decision-making procedure is briefly described as follows. Firstly, the estimated input parameters needed for the economic index calculation, such as the interest rate, inflation rate, investment, and operating revenue and/or cost, should be provided by the expert in the form of fuzzy numbers. The fuzzy economic decision indexes are then calculated according to the models developed in Section III. Finally, the fuzzy economic decision is made according to the relative ranking of the resultant fuzzy economic indexes, which is performed following the process described in Fig. 1.

This paper cites a plausible illustration presented in [8] to demonstrate the application of the developed models. A firm with 500 computers has decided to reduce its security risk. It is estimated that the potential annual loss from a security breach would cost the organization €1,000,000. The currently implemented information security controls reduce the security risk by 80%, but this is not good enough. The organization's security goal is to reduce the probability of a security breach to at most 10%. The investment is intended for four years, and zero salvage value is considered. The first alternative is a low-cost security solution (LC), which reduces the probability of a security breach to 10%. The purchase price of this solution is €60,000, and the firm estimates €20,000 in yearly maintenance costs for in-house technical staff (updates, monitoring and upgrades). The second alternative is a professional solution (PRO), which reduces the probability of a security breach to just 1%. Its purchase price is €100,000, while the annual renewal price is €30,000. Because this is a more professional solution, the technical staff needs training, which costs €30,000, but further yearly maintenance costs will be smaller, just €5,000. The third alternative is outsourcing the additional security (OUT). The firm providing the outsourcing service assures that the probability of a security breach is no more than 7%. The company charges €150,000 for implementing the security solution and €25,000 for annual maintenance and support. There is no need for extra in-house technical support.

In Table I the fuzzy initial ISS investment, annual operating costs and annual benefits are presented together for all three alternatives. All parameters considered are represented as triangular fuzzy values; e.g. the purchase price of the LC alternative is estimated by the expert at about 60 k€, which is denoted as the TFN (55,60,65) k€, meaning that the smallest possible value, the most promising value and the largest possible value of the purchase price are 55 k€, 60 k€ and 65 k€, respectively. The interest rate and inflation rate are estimated at about 5% and 2%, represented as the TFNs (4,5,6)% and (1,2,3)%, respectively. The annual security benefit and yearly maintenance cost of the LC alternative can then be denoted as (90,100,110) k€ and (18,20,22) k€, respectively. Similarly, the annual security benefit and the yearly maintenance and renewal cost of the PRO alternative are denoted as (173,190,205) k€ and (33,35,37) k€, respectively. The purchase price and first staff training fee for this alternative are (91,100,109) k€ and (28,30,32) k€, respectively. The annual security benefit and the yearly maintenance and renewal cost of the OUT alternative are denoted as (118,130,140) k€ and (23,25,27) k€, respectively, and the purchase price of this alternative is estimated at (137,150,162) k€.

Using the models developed in this paper, the two fuzzy economic indexes are summarized in Table II for all three alternatives. The triangular fuzzy NPV for all three alternatives is also presented in Fig. 2. The results indicate that the PRO alternative has the higher NPV and dROI mean values. Consequently, the PRO alternative is the preferred choice in this particular case, although it is the most expensive one. For comparison with the cited paper [8], if the inflation rate is set to (0,0,0)%, the NPVs of the three alternatives (LC, PRO, and OUT) are (170.06,223.68,278.96) k€, (325.70,416.30,503.17) k€, and (153.32,222.33,287.71) k€, respectively. Meanwhile, the dROIs of the three alternatives (LC, PRO, and OUT) are (3.62,4.73,6.07), (4.05,5.16,6.46), and (1.95,2.48,3.10), respectively. It should be noted that the most promising values of the fuzzy NPV and dROI are consistent with the practical illustration demonstrated in [8], as shown in Table II. However, when inflation is taken into consideration, the developed models clearly show more benefit.

A possibility analysis can be performed by setting a specific confidence level in the fuzzy economic models in order to obtain a possible economic value range. For the case of the lower 0.3 confidence level, the possible NPV ranges are calculated to be [191.4, 275.2] k€, [371.4, 501.3] k€, and [180.4, 284.5] k€, respectively, for the LC, PRO and OUT alternatives. Meanwhile, for the case of the higher 0.6 confidence level, the possible NPV ranges are calculated to be [208.8, 256.7] k€, [392.4, 471.7] k€, and [203.0, 262.5] k€, respectively, for the LC, PRO and OUT alternatives. Similarly, the possible dROI ranges of all three alternatives at the 0.6 confidence level are estimated to be [4.39, 5.49], [4.84, 5.90], and [2.32, 2.83], respectively. The possible dROI ranges of all three alternatives at the 0.3 confidence level are estimated to be [4.03, 5.96], [4.47, 6.33], and [2.05, 3.03], respectively. It should be noted that a fuzzier (larger interval) economic index is obtained as a lower confidence level is adopted. The economic possibility analysis shows the possible interval of the economic decision index as well as its corresponding membership grade. This analysis can be considered as a subjective sensitivity analysis in the sense of conventional engineering economics. Fuzzy economic mathematics eliminates the need for the complicated sensitivity analysis studies associated with input parameter variations. The economic possibility analysis is therefore an essential and effective means of evaluating the vulnerability of the profitability of a project, which might deviate from the best estimates in the future. The future deviations are estimated subjectively from the experts' opinions in fuzzy number form.

TABLE I. TRIANGLE FUZZY BENEFITS AND COSTS FOR ALL THREE ALTERNATIVES (k€)

Alternative LC
Year  Benefit        Purchase and upgrade cost  Maintenance cost
0     -              (55,60,65)                 -
1     (90,100,110)   -                          (18,20,22)
2     (90,100,110)   -                          (18,20,22)
3     (90,100,110)   -                          (18,20,22)
4     (90,100,110)   -                          (18,20,22)

Alternative PRO
Year  Benefit        Purchase and upgrade cost  Maintenance cost
0     -              (91,100,109)               -
1     (173,190,205)  (29,30,31)                 (38,40,42)
2     (173,190,205)  (29,30,31)                 (4,5,6)
3     (173,190,205)  (29,30,31)                 (4,5,6)
4     (173,190,205)  (29,30,31)                 (4,5,6)

Alternative OUT
Year  Benefit        Purchase and upgrade cost  Maintenance cost
0     -              (137,150,162)              -
1     (118,130,140)  -                          (23,25,27)
2     (118,130,140)  -                          (23,25,27)
3     (118,130,140)  -                          (23,25,27)
4     (118,130,140)  -                          (23,25,27)
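The models of Sections 2 to 4 carried through in code, as an added example that is not part of the paper: a TFN class implementing Eqs. (1)-(5) and the Rule 1/Rule 2 ranking, the ALE-based benefit of Eqs. (6)-(8), and the fuzzy NPV/dROI branches of Eqs. (11)-(12) evaluated on the Table I inputs. It generalises Eqs. (11)-(12) from a constant annual cash flow to a per-year list of fuzzy net cash flows, so that the PRO alternative's year-1 training cost can be entered directly; reading the €1,000,000 potential loss as the SLE and the residual breach probability as the ARO is this example's assumption, and `_branch`, `fuzzy_indexes`, `rank` and `evaluate` are names chosen here, not the paper's.

```python
"""Fuzzy cost-benefit evaluation of ISS alternatives with triangular fuzzy
numbers (TFNs); values in k EUR, rates as decimals, horizon n = 4 years."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TFN:
    a1: float  # smallest possible value
    a2: float  # most promising value (the crisp estimate)
    a3: float  # largest possible value

    def __post_init__(self):
        if not self.a1 <= self.a2 <= self.a3:
            raise ValueError("TFN vertices must satisfy a1 <= a2 <= a3")

    def mu(self, x):  # membership grade of x, Eq. (1); zero-width sides handled
        if self.a1 <= x <= self.a2:
            return 1.0 if self.a2 == self.a1 else (x - self.a1) / (self.a2 - self.a1)
        if self.a2 <= x <= self.a3:
            return 1.0 if self.a3 == self.a2 else (self.a3 - x) / (self.a3 - self.a2)
        return 0.0

    def f1(self, alpha):  # increasing branch f_A1(alpha), Eq. (2)
        return self.a1 + (self.a2 - self.a1) * alpha

    def f2(self, alpha):  # decreasing branch f_A2(alpha), Eq. (2)
        return self.a3 - (self.a3 - self.a2) * alpha

    def cut(self, alpha):  # alpha-cut, Eq. (3): the possible range at confidence alpha
        return (self.f1(alpha), self.f2(alpha))

    def mean(self):  # Mellin transform at s = 2, Eq. (4)
        return (self.a1 + self.a2 + self.a3) / 3

    def variance(self):  # variance of the proportional pdf, Eq. (5)
        a1, a2, a3 = self.a1, self.a2, self.a3
        return (a1 * a1 + a2 * a2 + a3 * a3 - a1 * a2 - a2 * a3 - a3 * a1) / 18

    def __sub__(self, other):  # extension-principle subtraction (benefit minus cost)
        return TFN(self.a1 - other.a3, self.a2 - other.a2, self.a3 - other.a1)


def ale(sle, aro):  # annual loss expectancy, Eq. (7); sle = AV * EF from Eq. (6)
    return sle * aro


def benefit(sle, aro_without, aro_with):  # annual cost avoided by a control, Eq. (8)
    return ale(sle, aro_without) - ale(sle, aro_with)


def _branch(inv, flows, r, d, alpha, pessimistic):
    """One side of Eqs. (11)-(12) at level alpha, generalised from a constant
    annual cash flow to a list of fuzzy net cash flows A_t (the geometric series
    of Eqs. (9)-(10) is the special case flows == [A] * n).  The pessimistic side
    pairs the largest I and r with the smallest A_t and d, the optimistic side
    the opposite, which is what the (3-i) index pairing expresses."""
    if pessimistic:
        i, rr, dd = inv.f2(alpha), r.f2(alpha), d.f1(alpha)
        cash = [a.f1(alpha) for a in flows]
    else:
        i, rr, dd = inv.f1(alpha), r.f1(alpha), d.f2(alpha)
        cash = [a.f2(alpha) for a in flows]
    pv = sum(c * (1 + dd) ** (t - 1) / (1 + rr) ** t for t, c in enumerate(cash, 1))
    return -i + pv, pv / i  # (NPV, dROI) on this side


def fuzzy_indexes(inv, flows, r, d):
    """Fuzzy NPV and dROI, each approximated by the TFN through alpha = 0 and 1."""
    npv_lo, roi_lo = _branch(inv, flows, r, d, 0.0, True)
    npv_mid, roi_mid = _branch(inv, flows, r, d, 1.0, True)
    npv_hi, roi_hi = _branch(inv, flows, r, d, 0.0, False)
    return TFN(npv_lo, npv_mid, npv_hi), TFN(roi_lo, roi_mid, roi_hi)


def rank(indexes):
    """Rule 2: higher mean benefit first; Rule 1: equal means, lower variance first."""
    return sorted(indexes, key=lambda k: (-round(indexes[k].mean(), 6), indexes[k].variance()))


# Case-study inputs from Table I: rates, then per alternative the initial
# investment I and the four yearly net cash flows A_t (benefit minus costs).
R, D = TFN(0.04, 0.05, 0.06), TFN(0.01, 0.02, 0.03)
PRO_NET = TFN(173, 190, 205) - TFN(29, 30, 31)  # benefit minus yearly renewal
CASES = {
    "LC": (TFN(55, 60, 65), [TFN(90, 100, 110) - TFN(18, 20, 22)] * 4),
    "PRO": (TFN(91, 100, 109), [PRO_NET - TFN(38, 40, 42)] + [PRO_NET - TFN(4, 5, 6)] * 3),
    "OUT": (TFN(137, 150, 162), [TFN(118, 130, 140) - TFN(23, 25, 27)] * 4),
}


def evaluate(cases=CASES, r=R, d=D):  # name -> (NPV TFN, dROI TFN)
    return {name: fuzzy_indexes(inv, flows, r, d) for name, (inv, flows) in cases.items()}


if __name__ == "__main__":
    results = evaluate()
    for name, (npv, roi) in results.items():
        print(name, npv, "sd %.2f" % npv.variance() ** 0.5, "alpha=0.6", npv.cut(0.6), roi)
    print("ranking by NPV:", rank({k: v[0] for k, v in results.items()}))
```

The LC and OUT triangles reproduce Table II to the rounding shown, and taking the α-cut on the approximating NPV triangle reproduces the 0.3 and 0.6 confidence-level ranges quoted above for LC.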

5. CONCLUSIONS

This study has derived fuzzy economic models which enable project investors to perform an economic evaluation of information security investment alternatives. The proposed economic decision analysis method is more flexible and more intelligent than other methods since it takes the degree of confidence of the decision-makers' opinions into consideration. The cost-benefit analysis of information security investment is performed using the NPV and dROI indexes. The moments of the resultant fuzzy indexes are derived in order to determine the relative ranking of the fuzzy economic indexes and so support the decision-making process. In a cost-benefit analysis, a higher mean benefit represents a better solution than one with a lower mean benefit. Meanwhile, a computer simulation is performed to explore the main uncertainties typically encountered in this analysis. The results show that the fuzziness of the decision indexes is not significantly influenced by changes in the values of the investment and the annual cost (benefit). However, it is strongly influenced by the values of the interest rate r and the inflation rate d, because the economic decision indexes contain the nth power of r and d. The simulation also shows that a fuzzier economic index is obtained when a lower confidence level is adopted. Both economic measures, the NPV and dROI indexes, suggest the same result, and hence either economic decision index can be chosen for decision-making purposes. The performance of the proposed fuzzy economic models is verified by applying them to a practical project. It has been demonstrated that the most promising cases identified by the proposed fuzzy models are consistent with those provided by the conventional crisp models, and that when inflation is taken into account the developed models show a larger benefit than in the no-inflation cases. The results of this study confirm that the proposed methods provide readily implemented feasibility analysis tools for use in the arena of uncertain financial decision-making.

TABLE II THE FUZZY ECONOMIC COMPARISON OF THREE ALTERNATIVES

Alternative  Index    Triangle solution: fuzzy value  Mean value  Standard deviation
LC           NPV(k€)  (174.0,231.9,293.8)             233.2       24.45
LC           BCR      (3.68,4.87,6.43)                4.99        0.56
PRO          NPV(k€)  (332.5,432.3,530.9)             431.9       40.50
PRO          BCR      (4.11,5.32,6.76)                5.40        0.54
OUT          NPV(k€)  (157.8,233.2,306.5)             232.52      30.35
OUT          BCR      (1.97,2.56,3.24)                2.59        0.26

Fig. 2 Triangle fuzzy NPV for all three alternatives
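The ranking step described in the conclusions (moments of the fuzzy indexes obtained from the Mellin transform of a triangular fuzzy number) as an added worked example in Python; this is not the paper's own code. It evaluates a closed-form Mellin transform M(s) of a triangular density (derived here by integrating x^(s-1) against the two linear pieces), takes mean = M(2) and variance = M(3) - M(2)^2, and re-derives the mean and standard deviation columns of Table II from its fuzzy NPV triangles; treating the triangle as a probability density and breaking ties on the standard deviation are assumptions.

```python
from math import sqrt

def mellin_triangular(a, b, c, s):
    """Mellin transform M(s) = E[X^(s-1)] of the triangular density with
    support [a, c] and mode b.  Closed form obtained by integrating x^(s-1)
    against the two linear pieces of the density (derived here, not copied
    from the paper).  A zero-width piece (b == a or c == b) contributes 0."""
    if not (a <= b <= c) or a == c:
        raise ValueError("expected a <= b <= c with a < c")
    total = 0.0
    if b > a:  # rising piece 2(x-a)/((b-a)(c-a)) on [a, b]
        total += (b ** (s + 1) / (s + 1) - a * b ** s / s
                  + a ** (s + 1) / (s * (s + 1))) / (b - a)
    if c > b:  # falling piece 2(c-x)/((c-b)(c-a)) on [b, c]
        total += (c ** (s + 1) / (s * (s + 1)) - c * b ** s / s
                  + b ** (s + 1) / (s + 1)) / (c - b)
    return 2.0 * total / (c - a)

def triangular_moments(tfn):
    """Mean and standard deviation of a triangular fuzzy number (a, b, c)."""
    a, b, c = tfn
    mean = mellin_triangular(a, b, c, 2)                   # first moment
    variance = mellin_triangular(a, b, c, 3) - mean ** 2   # E[X^2] - mean^2
    return mean, sqrt(max(variance, 0.0))

def rank_alternatives(fuzzy_index):
    """Rank alternatives by the mean of their fuzzy index (highest first);
    a lower standard deviation breaks ties (assumed tie-break rule)."""
    moments = {name: triangular_moments(t) for name, t in fuzzy_index.items()}
    order = sorted(moments, key=lambda n: (-moments[n][0], moments[n][1]))
    return order, moments

# Fuzzy NPV triangles (k€) of the three alternatives, taken from Table II.
NPV_TABLE_II = {
    "LC": (174.0, 231.9, 293.8),
    "PRO": (332.5, 432.3, 530.9),
    "OUT": (157.8, 233.2, 306.5),
}

if __name__ == "__main__":
    order, moments = rank_alternatives(NPV_TABLE_II)
    for name in order:
        mean, sd = moments[name]
        print(f"{name:4s} NPV mean={mean:7.2f} k€  sd={sd:6.2f} k€")
```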

ISSN: 1790-5117


ISBN: 978-960-474-174-8

Proceedings of the 9th WSEAS Int. Conference on INSTRUMENTATION, MEASUREMENT, CIRCUITS and SYSTEMS


