Original Article

An Information Systems Security Risk Assessment Model Under the Dempster-Shafer Theory of Belief Functions

Pages 109-142 | Published online: 08 Dec 2014

