Available online at www.sciencedirect.com

Procedia Engineering 37 (2012) 354–358

The Second SREE Conference on Engineering Modeling and Simulation

Modeling of Risk Treatment Measurement Model under Four Clusters Standards (ISO 9001, 14001, 27001, OHSAS 18001)

Liu Qi 1*, Du Qingling 1, Shi Wei 1, Zhu Jine 2

1 Information Security Department, Henan Police College, Zhengzhou, Henan 450002, China
2 Fuji Electric (Hangzhou) Software Co., Ltd., Hangzhou, China

Abstract

A novel model to measure risk treatment, ARME (Assets Risk Value & Control Measures Effectiveness), under four clusters standards (ISO 9001, 14001, 27001, OHSAS 18001) was first proposed in this paper. Its establishment, computation, realization flow and applications were discussed. The correctness of the model was proved and the corresponding indicator system was given. The computation and implementation flow were developed, and the advantages for organizations that undertook this model were proposed. According to the theoretical study and the practical implementation, the model proposed in this paper was effective for measuring risk treatment plans.

Published by Elsevier Ltd. Selection and/or peer-review under responsibility of the Society for Resources, Environment and Engineering. Open access under CC BY-NC-ND license.

Keywords: risk treatment measurement; ARME; indicator system; risk treatment effectiveness.

Nomenclature

A   Assets
R   risk value
S   security coefficient
C   Control Measures
T   Timeliness
Su  Sufficiency
U   Usability
La  Laxity
Sb  Suitability
E   Efficiency

Supported by Henan Education Committee Project (2B620002).
* Corresponding author. Liu Qi (1978-), associate professor, Ph.D. Research specialty: risk assessment. E-mail address: mchellemn@yahoo.cn.

1877-7058 © 2012 Published by Elsevier Ltd. doi:10.1016/j.proeng.2012.04.252. Open access under CC BY-NC-ND license.

1. Introduction
Different kinds of risks exist in the process of an organization's operation, for example quality risks, environmental risks, occupational health and safety risks, information security risks, etc. These risks present in different kinds of manifestation and correlate with each other in the organization's strategic planning, organizational management, production operation and service activity [1]. They may eventually cause social responsibility risks and legal risks. Numerous organizations implement management systems integrating quality, environmental, occupational health and safety, and information security, based on the international standard clusters ISO 9001 [2], ISO 14001 [3], OHSAS 18001 [4] and ISO/IEC 27001 [5], to manage risks [6-10] and improve their general viability. However, several problems arise in practical work when applying these four clusters of standards. One of the knotty problems is that it is difficult to measure the effectiveness after implementing a risk treatment plan. Few materials or standards could be found in the published literature at present. A novel risk treatment plan measurement model (ARME) was proposed in this paper, based on the establishment of information security systems in many organizations. The effectiveness of the model was proved in this paper, and it was applied in several organizations. Theoretical study and practical implementation proved the effectiveness of ARME.

2. Modeling of ARME

2.1. Establishment of ARME

According to OHSAS 18001 [4], risk means "combination of the likelihood of an occurrence of a hazardous event or exposure(s) and the severity of injury or ill health that can be caused by the event or exposure(s)"; risk assessment means "process of evaluating the risk(s) arising from a hazard(s), taking into account the adequacy of any existing controls, and deciding whether or not the risk(s) is acceptable". After assessing risks, proper treatments should be implemented to guarantee the organization's security. These treatments are called risk treatments [11].

The purpose of establishing a risk treatment measurement model is to measure the effectiveness of risk treatments. The evaluation is based on several corresponding parts: the sufficiency of the risk treatment, whether the execution could be undertaken according to the plan, whether the desired effect could be achieved, etc. Through our investigation, we think the following factors should be considered to measure risk treatment effectiveness: security coefficient; Timeliness (whether the effects of a control measure can react on the organization within the time limit); Sufficiency (whether control measures can be fully implemented); Usability (whether control measures can be easily implemented); etc. Based on the above, the effectiveness measurement model (ARME) and its indicator system were first proposed, as shown in Fig. 1.

Fig. 1. ARME Model
2.2. Computation of ARME

The computation of the ARME model was first proposed in this paper with a definition, a theorem and a corollary as follows.

Definition 1: Define the ten-tuple $\langle A, R, C, S, T, Su, U, La, Sb, E \rangle$. $R$ and $S$ satisfy S = ( R + ) R; $S$, $T$ and $La$ satisfy $La = co_1 S + co_2 T$; $Su$, $U$ and $Sb$ satisfy $Sb = co_3 Su + co_4 U$ ($co_1, co_2, co_3, co_4$ represent normalization coefficients). Then $La$, $Sb$ and $E$ satisfy $E = La\, w_{La} + Sb\, w_{Sb}$ ($w_{La}, w_{Sb}$ represent the weights of $La$ and $Sb$).

Theorem 1: For the ten-tuple $\langle A, R, C, S, T, Su, U, La, Sb, E \rangle$, equation (1) always holds:

$$E = w_{La}\,[co_1 S + co_2 T] + w_{Sb}\,[co_3 Su + co_4 U] \qquad (1)$$

Proof: $E = La\, w_{La} + Sb\, w_{Sb} = [co_1 S + co_2 T]\, w_{La} + [co_3 Su + co_4 U]\, w_{Sb} = w_{La}[co_1 S + co_2 T] + w_{Sb}[co_3 Su + co_4 U]$.

Corollary 1: For arbitrary $a \in A$, $e \in E$, $r \in R$, $s \in S$, $c \in C$, $t \in T$, $la \in La$, $su \in Su$, $u \in U$, $sb \in Sb$, equation (2) always holds:

$$e = w_{La}\,(co_1 s + co_2 t) + w_{Sb}\,(co_3 su + co_4 u) \qquad (2)$$

Proof: By the above definition, each set in the ten-tuple $\langle A, R, C, S, T, Su, U, La, Sb, E \rangle$ can be represented by a matrix as follows. The input set Assets is represented by $A = [a_1, \ldots, a_n]$ and the output set Effectiveness by

$$E = \begin{bmatrix} e_{11} & \cdots & e_{1m} \\ \vdots & \ddots & \vdots \\ e_{n1} & \cdots & e_{nm} \end{bmatrix};$$

the others are represented likewise as $n \times m$ matrices $R = [r_{ij}]$, $S = [s_{ij}]$, $C = [c_{ij}]$, $T = [t_{ij}]$, $Su = [su_{ij}]$, $U = [u_{ij}]$, $Sb = [sb_{ij}]$. Use $a_i \in A$, $e_{ij} \in E$, $r_{ij} \in R$, $s_{ij} \in S$, $c_{ij} \in C$, $t_{ij} \in T$, $la_{ij} \in La$, $su_{ij} \in Su$, $u_{ij} \in U$, $sb_{ij} \in Sb$ to represent arbitrary elements belonging to each set ($i = 1, 2, \ldots, n$; $j = 1, 2, \ldots, m$). Based on Definition 1, $La = co_1 S + co_2 T$, $Sb = co_3 Su + co_4 U$, $E = La\, w_{La} + Sb\, w_{Sb}$, the corresponding element-wise equations can be obtained:

s = ( R) + r (3)

$$la = co_1 s + co_2 t \qquad (4)$$

$$sb = co_3 su + co_4 u \qquad (5)$$

$$e = la\, w_{La} + sb\, w_{Sb} \qquad (6)$$

Substituting equations (3)–(5) into equation (6):

$$e = la\, w_{La} + sb\, w_{Sb} = (co_1 s + co_2 t)\, w_{La} + (co_3 su + co_4 u)\, w_{Sb} = w_{La}(co_1 s + co_2 t) + w_{Sb}(co_3 su + co_4 u),$$

which is equation (2).

2.3. Realization Flow of ARME

The effectiveness of the model (ARME) can be computed by extracting parameters from the risk treatment tables and the control measure implementation tables, then binding the initial values that are input subjectively, as shown in Fig. 2.

Fig. 2. Realization Flow

3. Applications of ARME

We applied ARME in several organizations to guarantee the effectiveness of risk treatment plans in previous work. Take organization H for example: the model ARME was used to measure the effectiveness of its risk treatment. Every threat and vulnerability in all 59 risk treatment tables was evaluated as follows:

- Measure all risk treatment plans by ARME
- Compute the score of each risk treatment plan
- Classify all the results into three levels
- Analyze the results and obtain the efficiency of ARME

A sample of the ARME application is shown in Table 1. From Table 1, the treatment results of the 100 classes of risk treatment plans were 37% with excellent effect, 33% with good effect and 30% with average effect.
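The computation of Section 2.2 and the three-level classification of Section 3, as an added example that is not code from the paper: it applies equations (4)–(6) to constructed risk-treatment records and reports the share of treatments per effect level. The coefficients co1..co4, the weights w_La and w_Sb, the 0..10 indicator scale, the record format and the level cut points are all assumptions, since the paper gives none of them.

```python
"""Added example, not the paper's code: the ARME computation of Section 2.2 run
over constructed risk-treatment records following the realization flow of
Section 2.3. Coefficients, weights, scales, record format and level cut points
are assumptions."""
from dataclasses import dataclass

# Assumed normalization coefficients co1..co4 and weights w_La, w_Sb.
CO1, CO2, CO3, CO4 = 0.5, 0.5, 0.5, 0.5
W_LA, W_SB = 0.6, 0.4
# Assumed cut points for the three effect levels on a 0..10 score scale.
LEVELS = ((8.0, "excellent"), (5.0, "good"), (0.0, "average"))

@dataclass(frozen=True)
class Treatment:
    asset: str   # asset serial number
    s: float     # security coefficient S, rescaled from a percentage to 0..10
    t: float     # timeliness T (0..10)
    su: float    # sufficiency Su (0..10)
    u: float     # usability U (0..10)

def parse_record(line: str) -> Treatment:
    """Constructed record format 'asset;S%;T;Su;U', one row of a treatment table."""
    asset, s_pct, t, su, u = [f.strip() for f in line.split(";")]
    s = float(s_pct.rstrip("%")) / 10.0   # e.g. '85%' -> 8.5
    return Treatment(asset, s, float(t), float(su), float(u))

def laxity(tr: Treatment) -> float:         # eq. (4): la = co1*s + co2*t
    return CO1 * tr.s + CO2 * tr.t

def suitability(tr: Treatment) -> float:    # eq. (5): sb = co3*su + co4*u
    return CO3 * tr.su + CO4 * tr.u

def effectiveness(tr: Treatment) -> float:  # eq. (6): e = la*w_La + sb*w_Sb
    return laxity(tr) * W_LA + suitability(tr) * W_SB

def classify(e: float) -> str:
    """Map a score to one of the three effect levels used in Section 3."""
    return next(name for cut, name in LEVELS if e >= cut)

def level_distribution(records: list[str]) -> dict[str, float]:
    """Share (in %) of treatments at each level, as reported for organization H."""
    levels = [classify(effectiveness(parse_record(r))) for r in records]
    return {name: 100.0 * levels.count(name) / len(levels) for _, name in LEVELS}

# Constructed sample rows (asset codes and indicator values are made up).
SAMPLE_ROWS = ["PD-X1; 85%; 7; 7; 5", "PD-X2; 100%; 9; 9; 8",
               "PD-X3; 80%; 2; 2; 2", "PD-X4; 100%; 10; 10; 10"]

if __name__ == "__main__":
    print(level_distribution(SAMPLE_ROWS))
```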
Table 1. Risk Treatment Plan Measurement by ARME (Incomplete)

Columns: Assets Serial Numbers | Risk Value (normalized) | S | C | T | Su | U | La | Sb | E

PD-MD-AD-BC xxx | 20 | 85%  | 2 2 7 2 5
PD-MD-AD-TC xxx | 20 | 80%  | 2 2 2 2 2
PD-MD-AD-EC xxx | 2  | 100% | 3 5 8 6 7
PD-MD-AD-EC xxx | 5  | 80%  | 2 2 7 2 5
PD-DD-SD xxx    | 20 | 100% | 5 4 0 8 9

The analysis is as follows. Measures with excellent effects focus on establishing corresponding management regulations, procuring necessary equipment, etc. This result corresponds to the actively working attitudes of top leaders and the coordinating departments. Measures with good effects concentrate on staff implementing the corresponding control measures. This result corresponds to their busy work and the fuzzy regulations of reward and punishment. Measures with average effects focus on the IT department. This accords with the fact that there is no full-time staff in that department. All the results above correspond to organization H's actual situation, which shows the effectiveness of the model ARME proposed in this paper.

4. Conclusion

A novel risk treatment measurement model, ARME, for organizations that have established management systems under the four clusters standards ISO 9001, ISO 14001, OHSAS 18001 and ISO/IEC 27001 was first proposed in this paper. Besides, the corresponding indicator system was proposed. The computation equations were designed and proved theoretically. The realization flow was shown and one of the application cases, organization H, was given. According to the theoretical study and the practical applications, the model ARME proposed in this paper is effective for measuring risk treatments. Future research will focus on adjusting the coefficients of the indicator system, on organizations' feedback about the model, etc.

References

[1] Guang Yaohua, Xie Zongxiao, Cheng Yuqi. Quality/Environmental/Occupational Health/Information Security Four Clusters Standards Integrating Management System Course. China Standards Publishing House, 2009.9.
[2] ISO 9001, Quality management systems – Requirements.
[3] ISO 14001, Environmental management systems – Requirements with guidance for use.
[4] OHSAS 18001, Occupational health and safety management systems – Requirements.
[5] ISO/IEC 27001, Information technology – Security techniques – Information security management systems – Requirements.
[6] NIST Special Publication 800-30: Risk Management Guide for Information Technology Systems.
[7] Z. Predrag. Information risk and security modeling. Proceedings of SPIE – The International Society for Optical Engineering, Vol. 5812, Data Mining, Intrusion Detection, Information Assurance, and Data Networks Security 2005, 42–50.
[8] H. Chivers. Information modeling for automated risk analysis. Communications and Multimedia Security: CMS 2006, LNCS 4237, 2006, 228–239.
[9] V. Page, M. Dixon, I. Choudhury. Security risk mitigation for information systems. BT Technology Journal, 2007, 25(1), 118–127.
[10] Kevin J. Soo Hoo. How much is enough? A Risk-Management Approach to Information Security. Doctoral dissertation, Stanford University, (20):69–78, 2000.
[11] NIST, ISO/IEC 27002, Information technology – Security techniques – Code of practice for information security management.