2017 International Conference on Computer Science and Application Engineering (CSAE 2017) ISBN: 978-1-60595-505-6

**Research of Information System Security Risk Management based on Probability Model and Security Entropy**

Jiawei Du*, Ying Zhou, Ronghua Guo, Xing Zhang and Guowei Suo

*Luoyang Electronic Equipment Test Center, 471003 Luoyang, China*

**ABSTRACT**

With the rapid development of networks, the security risk of information systems has become a major challenge. Computer viruses pose a serious threat to information systems and have driven worldwide information-security losses upward. Consequently, more and more attention is paid to the security of information systems, which need appropriate protection. This paper first proposes the principal approach leading from security risk identification to risk management. Secondly, an information system security risk management algorithm based on a probability model and security entropy is described in detail. Thirdly, a particular system is selected as an example: the overall security risk of the information system is modelled and computed according to the risk-management formula, and the example verifies the applicability and feasibility of the probability model. The method proposed in this paper offers a useful reference for managing information-system security risk and for executing security measures.

**INTRODUCTION**

Any information system is liable to suffer threats and attacks of some kind, because the security risk of an information system is objective and unavoidable. The likelihood of a risk occurring is related to the probability of unknown events and to the loss they cause; such events are associated not only with the defects and vulnerabilities of the information system, but also with potential threats and attacks. The objective of risk assessment is to control the system risk effectively and appropriately. Risk management, based on the evaluated status of the system, adopts proper security policies and moderate measures to keep the risk within an acceptable range, placing the system in a "temperate security" condition. The basic approach is as follows: first, the risk domains (security domains) are properly divided and the risk points in every domain are identified, with a proper mathematical description, according to the asset status of the information system; second, the observed values of these risk points are obtained by questionnaire survey and automatic collection and are processed quantitatively; finally, proper security policies and moderate measures are taken to control the risk within an acceptable range[1].

**LITERATURE REVIEW**

improved the efficiency of information system security. Commonly used assessment methods are the Analytic Hierarchy Process, Delphi, Fault Tree Analysis and so on. According to the calculation method, they can be divided into qualitative and quantitative risk assessment[2].

Qualitative risk assessment relies on the knowledge and experience of the evaluators to analyze and judge the risks of the information system, and the assessment results are expressed in descriptive language. The qualitative method is rather rough, but it is more applicable when data are scarce or the data base is weak. Commonly used qualitative analysis methods include Fault Tree Analysis, RMECA and so on[3].

Quantitative risk assessment is a method of analysis and deduction based on the relevant risk data of the information system, and its results are usually expressed numerically. Quantitative methods are more complex, but they are more applicable when the information is sufficient or the risk to information assets may be relatively large. Commonly used quantitative analysis methods include the Factor Analysis Method, Cluster Analysis, Time Series Models, Regression Models, Risk Mapping and so on[4].

Each method has its own advantages and disadvantages. Although risk assessment methods have improved greatly, the problems of difficult implementation, limited scope of application and high demands on analysts remain common. Further study of convenient, fast and effective evaluation methods is therefore the prerequisite and key to the smooth development of information security work. Next, we introduce a conventional risk management model and then apply it to a practical example.

**INFORMATION SECURITY RISK MANAGEMENT MODEL BASED ON PROBABILITY MODEL AND SECURITY ENTROPY**

The security risks of information systems derive from information assets. To manage the risks effectively, we must keep them within an acceptable range, so building a risk management model based on information assets is a primary requirement.

**The Dynamic Probabilities of Information Asset Risks**

As the system boundary is relative, we first divide the risk domains and then study each domain as a whole. Let Ω be a given risk domain containing N risk points, and let $A_k$ be the information asset at the k-th risk point. The risk probability of $A_k$ at time t is $q_k(t)$. The security probability $P_k(t)$, the complement of the risk probability, is then

$$P_k(t) = 1 - q_k(t) \qquad (1)$$
For $A_k$, the vulnerability, the threat and the asset value all change with t, where $0 \le t < \infty$. Differentiating $q_k(t)$ gives the risk probability density:

$$\mu_k(t) = \frac{d\,q_k(t)}{dt} \qquad (2)$$

$$\mu_k(t) = \lambda_k(t)\,P_k(t) \qquad (3)$$

In formula (3), $\lambda_k(t)$ denotes the instantaneous frequency of $A_k$'s security risk at time t under the safe working condition, i.e. given that $A_k$ is still in the safe state.

From (1) to (3), the relation among $\lambda_k(t)$, $q_k(t)$ and $P_k(t)$ follows:

$$\dot P_k(t) = -\lambda_k(t)\,P_k(t) \qquad (4)$$

$$\dot q_k(t) = \lambda_k(t)\,\left[1 - q_k(t)\right] \qquad (5)$$

Solving these equations gives:

$$P_k(t) = \exp\!\left[-\int_0^t \lambda_k(\tau)\,d\tau\right], \quad \lambda_k(t) \ge 0 \qquad (6)$$

$$q_k(t) = 1 - \exp\!\left[-\int_0^t \lambda_k(\tau)\,d\tau\right], \quad \lambda_k(t) \ge 0 \qquad (7)$$

**Information System Security Risk Management Algorithm Based on Probability Model**

Formula (4) is a homogeneous differential equation describing an autonomous system: as time passes, the trajectory of $A_k$ in the safe state depends entirely on the parameter $\lambda_k(t)$ and on the safe state of $A_k$. To control the risk of $A_k$ effectively, a control term is added to the right-hand side of formula (4), so that a chosen control rule can change the trajectory of $A_k$ in the safe state and thereby manage the risk. The modified model equation is

$$\dot P_k(t) = -\lambda_k(t)\,P_k(t) + b_k\,u_k(t) \qquad (8)$$

In formula (8), $b_k$ is a constant and $u_k(t)$ denotes the control input.

To manage the security risks of assets effectively, we also need a target function that describes the quality of management quantitatively[5]. Since formula (8), which describes the asset's safe state, is linear, the target function can be set as a linear quadratic function:

$$J_k = \tfrac{1}{2}\,f_k\,P_k^2(t_f) + \tfrac{1}{2}\int_{t_0}^{t_f}\left[g_k\,P_k^2(t) + r_k\,u_k^2(t)\right]dt \qquad (9)$$

In formula (9), $f_k \ge 0$, $g_k \ge 0$ and $r_k > 0$ are weighting constants that can be set and adjusted according to the actual problem; $t_0$ is the starting time and $t_f$ the ending time.

Let $A_k$'s initial safe state be $P_k(t_0)$ and its terminal (target) safe state be $P_k(t_f)$. The risk management of $A_k$ thus becomes a dynamic optimization problem: given the state equation of $A_k$'s risk in formula (7) and the boundary conditions $P_k(t_0)$ and $P_k(t_f)$, find the acceptable management policy $u_k(t) = u_k^*(t)$ that satisfies the target function and moves $A_k$'s safe state from $P_k(t_0)$ to $P_k(t_f)$.

This is then a problem of finding the extremum of a functional. The maximum principle can be used to solve it and obtain the optimal algorithm for $A_k$'s risk[6].

First, we build the Hamiltonian function with co-state variable $\psi_k(t)$, as is usual in optimal control[7]:

$$H_k = \tfrac{1}{2}\,g_k\,P_k^2(t) + \tfrac{1}{2}\,r_k\,u_k^2(t) + \psi_k(t)\left(-\lambda_k(t)\,P_k(t) + b_k\,u_k(t)\right) \qquad (10)$$

The co-state equation and its boundary condition are then:

$$\dot\psi_k(t) = -\frac{\partial H_k}{\partial P_k} = -g_k\,P_k(t) + \lambda_k(t)\,\psi_k(t) \qquad (11)$$

$$\psi_k(t_f) = f_k\,P_k(t_f) \qquad (12)$$

The optimal $u_k^*(t)$ must also satisfy the stationarity condition:

$$\frac{\partial H_k}{\partial u_k} = r_k\,u_k(t) + b_k\,\psi_k(t) = 0 \qquad (13)$$

Since $r_k > 0$, it follows that:

$$u_k^*(t) = -\frac{b_k}{r_k}\,\psi_k(t) \qquad (14)$$

Substituting $u_k^*(t)$ into the state equation (8) gives:

$$\dot P_k(t) = -\lambda_k(t)\,P_k(t) - \frac{b_k^2}{r_k}\,\psi_k(t) \qquad (15)$$

Since this is a linear quadratic problem, $\psi_k(t)$ and $P_k(t)$ are linearly related[8]:

$$\psi_k(t) = \pi_k(t)\,P_k(t) \qquad (16)$$

Differentiating (16) and using (11) and (15) yields the following differential equation for $\pi_k(t)$:

$$\dot\pi_k(t) = 2\,\lambda_k(t)\,\pi_k(t) + \frac{b_k^2}{r_k}\,\pi_k^2(t) - g_k \qquad (17)$$

The boundary condition is:

$$\pi_k(t_f) = f_k \qquad (18)$$

Formula (17) is a nonlinear ordinary differential equation in $\pi_k(t)$, the continuous Riccati equation[9]. Formula (8) has a unique solution satisfying the boundary condition. Therefore the optimal value $u_k^*(t)$ is:

$$u_k^*(t) = -\frac{b_k}{r_k}\,\pi_k(t)\,P_k(t) \qquad (19)$$

If we define

$$K_k(t) = \frac{b_k}{r_k}\,\pi_k(t) \qquad (20)$$

then

$$u_k^*(t) = -K_k(t)\,P_k(t) \qquad (21)$$

With the optimal control of formula (21), the minimum value of the target function is:

$$J_k^* = \tfrac{1}{2}\,\pi_k(t_0)\,P_k^2(t_0) \qquad (22)$$

where $\pi_k(t_0)$ is the solution of (17) with boundary condition (18), evaluated at $t_0$ (it depends on $t_f$ through (18)).

The optimal trajectory $P_k^*(t)$ in the safe state is the solution of the equations below:

$$\dot P_k(t) = -\left[\lambda_k(t) + b_k\,K_k(t)\right]P_k(t) \qquad (23)$$

$$P_k(t_0) = P_{k0} \qquad (24)$$

**Information System Security Entropy and Management Efficiency Estimation**

Assume an information system has N risk points, and that the security risk of each point (corresponding to $A_k$) is independent of the others, as is its effect on the risk of the whole system. Repeating the management algorithm for k = 1, 2, …, N gives the optimal management policies $u_1^*(t), u_2^*(t), \dots, u_N^*(t)$. The optimal trajectory $P_k^*(t)$ of every risk point in the safe state is the solution satisfying boundary condition (24), namely:

$$P_k^*(t) = \exp\!\left\{-\int_{t_0}^{t}\left[\lambda_k(\tau) + b_k\,K_k(\tau)\right]d\tau\right\}P_k(t_0), \qquad k = 1, 2, \dots, N;\ t_0 \le t \le t_f \qquad (25)$$
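As an added example (not code from the paper), the following Python solves the single-risk-point problem of formulas (17) to (25) numerically: it integrates the Riccati equation (17) backward from the boundary condition (18), forms the gain of (20), integrates the closed-loop state equation (23) forward from (24), and checks the optimal cost (22) against the target function (9) evaluated along the computed trajectory. The function names, the Runge-Kutta and trapezoid discretizations and all parameter values are assumptions of this example; $\lambda_k(t)$ is passed as a callable so that a time-varying frequency, as in (6), can be used.

```python
import math
from typing import Callable, Dict, List

# Added example, not code from the paper: numerical solution of the single-risk-point
# LQ management problem of formulas (17)-(25). lam(t) is the risk frequency λ_k(t),
# b, r, g, f are the constants b_k, r_k, g_k, f_k, p0 is P_k(t_0). All parameter
# values used below are hypothetical, chosen only to exercise the algorithm.

def _rk4(deriv: Callable[[float, float], float], y0: float, ts: List[float]) -> List[float]:
    """Classical Runge-Kutta integration along grid ts (ascending or descending)."""
    ys = [y0]
    for ta, tb in zip(ts[:-1], ts[1:]):
        h, y = tb - ta, ys[-1]
        k1 = deriv(ta, y)
        k2 = deriv(ta + h / 2, y + h / 2 * k1)
        k3 = deriv(ta + h / 2, y + h / 2 * k2)
        k4 = deriv(tb, y + h * k3)
        ys.append(y + h / 6 * (k1 + 2 * k2 + 2 * k3 + k4))
    return ys

def _interp(ts: List[float], ys: List[float], t: float) -> float:
    """Linear interpolation of a grid function (ts ascending, uniform spacing)."""
    if t <= ts[0]:
        return ys[0]
    if t >= ts[-1]:
        return ys[-1]
    h = (ts[-1] - ts[0]) / (len(ts) - 1)
    i = min(int((t - ts[0]) / h), len(ts) - 2)
    w = (t - ts[i]) / h
    return ys[i] * (1 - w) + ys[i + 1] * w

def solve_riccati(lam, b, r, g, f, t0, tf, n=2000):
    """Integrate the Riccati equation (17) backward from pi(t_f) = f, formula (18).
    Returns (ascending grid, pi on that grid)."""
    ts_back = [tf - i * (tf - t0) / n for i in range(n + 1)]
    dpi = lambda t, pi: 2 * lam(t) * pi + (b * b / r) * pi * pi - g
    pis_back = _rk4(dpi, f, ts_back)
    return ts_back[::-1], pis_back[::-1]

def manage_risk_point(lam, b, r, g, f, p0, t0, tf, n=2000) -> Dict[str, object]:
    """Optimal gain K (20), control u* (21), trajectory P* (23)-(25) and cost J* (22)."""
    ts, pis = solve_riccati(lam, b, r, g, f, t0, tf, n)
    K = [b / r * pi for pi in pis]                                 # (20)
    dP = lambda t, P: -(lam(t) + b * _interp(ts, K, t)) * P       # (23)
    Ps = _rk4(dP, p0, ts)                                          # forward from P(t0) = p0, (24)
    us = [-k * P for k, P in zip(K, Ps)]                           # (21)
    return {"t": ts, "pi": pis, "K": K, "P": Ps, "u": us,
            "J_star": 0.5 * pis[0] * p0 * p0}                      # (22)

def cost_along(res: Dict[str, object], g, r, f) -> float:
    """Target function (9) evaluated along a computed trajectory (trapezoid rule)."""
    ts, Ps, us = res["t"], res["P"], res["u"]
    integrand = [g * P * P + r * u * u for P, u in zip(Ps, us)]
    integral = sum((tb - ta) * (ya + yb) / 2
                   for ta, tb, ya, yb in zip(ts[:-1], ts[1:], integrand[:-1], integrand[1:]))
    return 0.5 * f * Ps[-1] ** 2 + 0.5 * integral

def uncontrolled(lam, p0, t0, t, n=2000) -> float:
    """P_k(t) of formula (6) with u = 0: p0 * exp(-integral of lam), for a general lam(t)."""
    h = (t - t0) / n
    integral = sum(h * (lam(t0 + i * h) + lam(t0 + (i + 1) * h)) / 2 for i in range(n))
    return p0 * math.exp(-integral)

if __name__ == "__main__":
    lam = lambda t: 1 / 6   # hypothetical: one incident per six months, as a per-month rate
    res = manage_risk_point(lam, b=1.0, r=1.0, g=0.2, f=0.1, p0=1.0, t0=0.0, tf=6.0)
    print(f"pi(t0)={res['pi'][0]:.4f}  J*={res['J_star']:.4f}  "
          f"P*(tf)={res['P'][-1]:.4f}  uncontrolled P(tf)={uncontrolled(lam, 1.0, 0.0, 6.0):.4f}")
```

Because (9) penalizes $P_k^2$ directly, $\pi_k(t) > 0$ whenever $g_k > 0$ or $f_k > 0$, so the control $u_k^* = -K_k P_k$ is negative and the closed-loop trajectory decays faster than the uncontrolled one of (6); with $g_k = f_k = 0$ the gain vanishes and (25) reduces to (6). The cost check confirms that the closed-loop value of (9) equals $\tfrac{1}{2}\pi_k(t_0)P_k^2(t_0)$ up to discretization error.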

Since the risk intensity differs from one risk point to another, so does their importance for security protection. Moreover, the model parameters vary with time, so even under the optimal risk-management policy the security state of every risk point is uncertain. To describe this overall degree of uncertainty at the level of the microstates, we introduce the concept of security entropy.

Let the security probability of risk point k (asset $A_k$) under the optimal policy $u_k^*(t)$ be $P_k^*(t)$. For k = 1, 2, …, N, the uncertainty of the whole system can be expressed as:

$$S(t) = -K_s\sum_{k=1}^{N} P_k^*(t)\,\ln P_k^*(t) \qquad (26)$$

In formula (26), $K_s$ is a proportional constant and $S(t)$ is called the security entropy, which is used to estimate the degree of uncertainty[10]. Since $P_k^*(t)$ (k = 1, 2, …, N) is the security probability of each information asset under the optimal policy, $S(t)$ serves as the evaluation function of the whole information system's risk-management efficiency.

Since $t_0 \le t \le t_f$, once $t_0$ and $t_f$ are given the control process is complete and the security state (security probability) of every information asset is fixed. The security entropy of the whole system is then a fixed value, denoted $S(t_0, t_f)$.

Since the maximum value of $S(t)$ is $K_s N / e$ (each term $-P\ln P$ attains its maximum $1/e$ at $P = 1/e$), for comparative quantification we define the comprehensive evaluation index of risk-management effectiveness $E(t_0, t_f)$ as:

$$E(t_0, t_f) = \frac{K_s N}{e} - S(t_0, t_f) \qquad (27)$$

Risk management is most effective when $E(t_0, t_f)$ is high and $S(t_0, t_f)$ is low. Accordingly, the value of $E(t_0, t_f)$ can be taken as the comprehensive quantitative index for evaluating risk-management effectiveness.

**AN APPLICATION EXAMPLE**

Assume an information system has 5 risk points, and let the asset covered by risk point k be $A_k$, k = 1, 2, 3, 4, 5. According to past security-event reports and real observed data, the risk frequency of each asset is as follows: $A_1$ once per half year, $A_2$ once per half year; $A_3$ twice per half year, $A_4$ twice per half year; $A_5$ once per two months. In light of formula (3), the risk density of each asset in the system (per month) is:

$$\lambda_1 = \lambda_2 = \frac{1}{6};\qquad \lambda_3 = \lambda_4 = \frac{1}{3};\qquad \lambda_5 = \frac{1}{2}$$

The security probability of each information asset follows from formula (6):

$$p_1(t) = p_2(t) = e^{-t/6};\qquad p_3(t) = p_4(t) = e^{-t/3};\qquad p_5(t) = e^{-t/2}$$

Taking the proportional constant $K_s = 1$, the security entropy by formula (26) is:

$$S(t) = \frac{1}{3}\,t\,e^{-t/6} + \frac{2}{3}\,t\,e^{-t/3} + \frac{1}{2}\,t\,e^{-t/2}$$

Its maximum value (the bound $K_s N / e$ with N = 5) is $S_m(t) = 5/e = 1.83$.

If one month is chosen as the measuring period, i.e. T = 1 (month), the security entropy of this system can be computed for any period of time.

When t = 0, S(0) = 0; when t = 1, S(1) = 1.06; when t = 2, S(2) = 1.53; when t = 3, S(3) = 1.68; when t = 4, S(4) = 1.66.

The security entropy increment is 1.06 in the first month, 0.47 in the second and 0.15 in the third. During the first months the increment is always positive; in the fourth month it falls to -0.02, i.e. becomes negative, at which point the overall security risk of the system is unacceptable. Hence the security entropy of the whole system is the entropy value of the last measuring period, 1.66. The comprehensive evaluation index of risk-management effectiveness $E(t_0, t_4)$ follows from formula (27):

$$E(t_0, t_4) = 1.83 - 1.66 = 0.17$$

The value of $E(t_0, t_4)$ is the quantitative index for comprehensively evaluating risk-management effectiveness.
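The computation of this example, as added Python code rather than the paper's own: it derives the rates from the observed frequencies, evaluates $P_k(t)$ by formula (6), the security entropy (26), the bound $K_s N / e$ and the index (27), and reports the monthly increments. The function names and the monthly grid are this example's own choices; the frequencies are those stated above, and any other list of rates can be passed in their place.

```python
import math
from typing import Dict, List, Tuple

# Added example, not the paper's code: security entropy (26) and the effectiveness
# index (27) for the five-asset example, using the uncontrolled decay P_k(t) = exp(-λ_k t)
# of formula (6) with constant rates, exactly as the worked example does. The rates are
# the paper's observed frequencies; any other list of rates can be passed instead.

def hazard_rates(incidents: List[Tuple[int, float]]) -> List[float]:
    """λ_k = incidents / period length in months, e.g. (1, 6) -> 1/6 per month."""
    return [count / months for count, months in incidents]

def security_probabilities(rates: List[float], t: float) -> List[float]:
    """P_k(t) = exp(-λ_k t), formula (6) for a constant λ_k."""
    return [math.exp(-lam * t) for lam in rates]

def security_entropy(rates: List[float], t: float, k_s: float = 1.0) -> float:
    """S(t) = -K_s Σ P_k ln P_k, formula (26); a term with P_k = 0 contributes nothing."""
    return -k_s * sum(p * math.log(p) for p in security_probabilities(rates, t) if p > 0)

def entropy_bound(n_assets: int, k_s: float = 1.0) -> float:
    """K_s N / e: each -p ln p term peaks at 1/e (attained at p = 1/e)."""
    return k_s * n_assets / math.e

def effectiveness_index(rates: List[float], t_final: float, k_s: float = 1.0) -> float:
    """E(t0, tf) = K_s N / e - S(t0, tf), formula (27), with S taken at the last period."""
    return entropy_bound(len(rates), k_s) - security_entropy(rates, t_final, k_s)

def monthly_report(rates: List[float], months: int, k_s: float = 1.0) -> Dict[str, object]:
    """Entropy at the end of each month and its increment; the first month whose
    increment is not positive is the point at which the paper declares the overall
    system risk unacceptable."""
    S = [security_entropy(rates, t, k_s) for t in range(months + 1)]
    dS = [later - earlier for earlier, later in zip(S[:-1], S[1:])]
    first_nonpositive = next((i + 1 for i, d in enumerate(dS) if d <= 0), None)
    return {"S": S, "dS": dS, "first_nonpositive_month": first_nonpositive}

# Constructed from the paper's example: A1, A2 once per six months; A3, A4 twice per
# six months; A5 once per two months.
EXAMPLE_RATES = hazard_rates([(1, 6), (1, 6), (2, 6), (2, 6), (1, 2)])

if __name__ == "__main__":
    report = monthly_report(EXAMPLE_RATES, 4)
    for t, s in enumerate(report["S"]):
        print(f"S({t}) = {s:.2f}")
    print(f"bound K_s*N/e = {entropy_bound(5):.3f}, "
          f"E(t0,t4) = {effectiveness_index(EXAMPLE_RATES, 4):.3f}")
```

The rounded values reproduce the paper's (1.06, 1.53, 1.68, 1.66, with increments 1.06, 0.47, 0.15 and -0.02). The bound $5/e$ is 1.839, so with unrounded values $E(t_0, t_4)$ is about 0.18; the paper's 0.17 comes from subtracting the two-decimal figures 1.83 and 1.66.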

analysts evaluate the overall security risk of the system conveniently and quickly, and adopt proper security policies and moderate measures to control the risk within an acceptable range.

**CONCLUSIONS**

In this paper, a security risk management algorithm based on a probability model and security entropy is proposed, and a particular information system is selected as an example, modelled and computed on the basis of this principle. The results of the example testify to the feasibility and practicability of the model. The basic idea of this paper and the specific algorithm apply to the control and management of information-system security risk. Applying them in engineering practice is feasible, but requires at least two conditions: first, that a sound method for identifying information-asset risks, together with quantitative criteria, has been established; second, that a one-to-one correspondence between the admissible control policy and the appropriate security measures has been established, and established quantitatively.

The ultimate goal of risk management is not only to identify, analyze and evaluate the security risk of an information system, but, more importantly, to adopt appropriate security policies and measures and control the risk within a range that people can accept.

**REFERENCES**

1. Xiaocong Ou, Zhenxue Wang, Yong Hu. 2010. "Information security risk assessment model and comprehensive evaluation method based on GB/T 20984," *Sichuan University Journal*, 2010 (3).

2. Zhenxue Wang, Anmin Zhou, and Yong Fang. 2011. "Information system security risk assessment and management theories," *M. Science Press*, 2011 (06).

3. Hong Fan, Dengguo Feng, and Yafei Wu. 2006. "Information security risk assessment methods and application," *M. Qinghua University Press*, 2006:1-3.

4. D.L. Nazareth, and J. Choi. 2015. "A system dynamics model for information security management," *J. Information & Management*, 2015, 52(1).

5. Feng Yan. 2011. "Information system risk assessment model based on OCTAVE and FAHP," *J. Chongqing Normal University*, 2011 (04).

6. "ISO/IEC 27001:2005 Information technology - Security techniques - Information security management systems - Requirements," 2005 (10).

7. Danielson M. 2005. "Generalized evaluation in decision analysis," *J. European Journal of Operational Research*, 2005 (7).

8. Xiang Li, and Peikai Wang. 2016. "Research on information security risk management method of information system," *J. Mathematical Techniques and Applications*, 2016 (11).

9. W. Qu, and D. Z. Zhang. 2007. "Security metrics' model and application with SVM in information security management," *C. Proceedings of the Sixth International Conference on Machine Learning and Cybernetics*, Hong Kong, China: IEEE Press, 2007(32).