Title: Risk Assessment in a Fuzzy Group Decision-Making Environment
Author: 王平
Author (romanized): Wang Ping
Institution: National Chiao Tung University
Department: Institute of Information Management
Advisors: 羅濟群, 趙國銘
Degree: Doctorate
Publication date: 2005
Keywords: risk assessment, multi-criteria decision making (MCDM), entropy method, fuzzy majority, soft consensus
Citation counts:
  • Cited by: journal articles (1), doctoral theses (0), books (0), book chapters (0)
  • Excluding self-citations: 1
  • Co-citations: 0
  • Views: 31
Abstract (translated from Chinese): Traditional quantitative risk assessment focuses on estimating the probability of hazardous events. Computing that probability, however, requires accumulating enough hazardous events to obtain a probability density function; this is hard to do, and once the system architecture changes, previously collected statistics serve only as a reference. In addition, quantitative risk assessment is a post-hoc analysis and cannot meet the need for rapid response. Therefore, for an uncertain and incomplete environment, this study uses multi-criteria decision-making theory, with practicality and effectiveness in mind, to develop a qualitative risk assessment model based on soft computing. The model comprises three new methods that address the weighting of risk criteria, the measurement of consensus, and the aggregation of risk values; it helps managers identify where the risks to information assets lie and make correct control decisions, strengthening information security management within the organization and raising overall information security. A general MCDM problem can be divided into two stages: (1) determining the evaluation criteria, and (2) aggregating opinions and selecting among alternatives. In determining the evaluation criteria, how to set the weights of the criteria is an important research issue. Most previous studies either adopt subjective weights directly or compute weights from pairwise comparison values, and restrict the assessment data to numerical values. This study therefore improves Zeleny's Entropy Method and proposes a method that determines weights from linguistic quantifiers, the Linguistic Entropy Method (LEM), to decide the weights of fuzzy criteria. In risk assessment, the aggregation method most often used to combine expert opinions is the Simple Weighting Additive Method (SWAM). SWAM cannot determine the group consensus of a risk assessment, and so cannot tell whether the experts have reached consensus; nor can it use the group consensus measure to analyze how consensus changes over time. This study therefore builds on the soft consensus measure of Kacprzyk and Fedrizzi and proposes, for fuzzy groups, the Soft-consensus Risk Assessment Method (SRAM) and the OWA (Ordered Weighted Averaging) Aggregation Method (OAM), making the risk assessment process more reasonable and effective. Finally, taking the information asset risk assessment of an Internet Data Center (IDC) as an example, this study applies the three proposed methods to the risk assessment problems above. First, we use the Linguistic Entropy Method to obtain the weights of the risk attributes, compare it with the traditional entropy method, and analyze the advantages and disadvantages of each. Next, when the experts' risk opinions cannot be brought into agreement, a group majority vote is held; here the Soft-consensus Risk Assessment Method is used to analyze the group consensus and obtain the majority solution of the aggregated expert opinions. Finally, the OWA Aggregation Method aggregates all expert opinions and determines the risk ranking of the information assets. The three methods proposed in this study can objectively determine the weights among fuzzy criteria, and effectively analyze the group's soft consensus, the trend of the consensus interval during the decision process, and the risk ranking of information assets; the risk assessment process can thus be examined systematically, reducing its uncertainty and improving the reasonableness of the assessment results.
Abstract (English): The traditional methods of quantitative risk assessment determine the solution using the probability of event occurrences. They need to accumulate a number of threat events to derive the probability density function. As a result, they can produce inconsistent results when the system architecture changes. Furthermore, quantitative risk assessment is a posterior analysis of risk occurrence, which cannot meet the security management requirements for quick reaction to the rapid growth of attack events. Thus, this research applies fuzzy MCDM (multi-criteria decision-making) theory to develop a qualitative risk assessment model including three new approaches based on soft-computing theory to solve the weight determination, consensus measure, and risk-rating aggregation problems of risk assessment. It provides managers with a method to identify the risk of information systems, to make correct decisions, and to enforce the security of information systems with incomplete data in an uncertain environment. The solution process of MCDM can generally be divided into two phases: the first phase, determination of criteria; the second phase, opinion aggregation and alternative ranking. First, how to determine the weights of risk attributes is an important issue for fuzzy MCDM problems. The existing methods apply subjective weights or the pairwise comparison method to directly determine the weights of criteria, and confine the assessment data to numerical data. Thus, this research improves Zeleny's entropy method and proposes a new objective weight-determination method, called the Linguistic Entropy Method (LEM), that enables decision-makers to rationally determine the weights of criteria when their opinions are expressed with linguistic terms under uncertainty. In addition, experts have traditionally applied the simple weighting additive method (SWAM) to aggregate their opinions.
SWAM cannot specify a consensus measure of the group for risk assessment that indicates whether the experts have reached a group consensus or not, and it also cannot reveal the variation tendency of the consensus-reaching process. Hence we present a new method for consensus measurement in the risk assessment process, called the Soft-consensus Risk Assessment Method (SRAM), to improve Kacprzyk and Fedrizzi's soft consensus method and to analyze the variation trend of group consensus. Furthermore, in order to overcome the limitations of SWAM, a fuzzy synthetic evaluation method, called the OWA Aggregation Method (OAM), is introduced to aggregate risk rates and prioritise the risk ranking of assets using the Ordered Weighted Averaging (OWA) operator. Finally, a risk assessment example for an Internet Data Center (IDC) is used to verify the proposed algorithms. The three algorithms, LEM, SRAM, and OAM, are employed to solve the unsettled problems in the risk assessment process. The experimental results show that decision-makers can use the LEM to obtain a more objective weighting of risk criteria than the traditional methods. Furthermore, decision-makers may employ the SRAM to obtain a soft consensus of the group when the experts' opinions are diverse or distinct, and to make the decision based on the majority concept. Then, the OAM can decide the risk ranking and risk level of information assets using a fuzzy-logic operator. The proposed approaches can objectively determine the weights of criteria and systematically analyze the process of risk assessment, decreasing the complexity and uncertainty of risk evaluation through the use of the above three algorithms. From the results obtained by applying the proposed methods to the examples, the proposed method has demonstrated its usefulness and effectiveness.
Journal papers
[1] Arrow, K.J., Aspects of the Theory of Risk-Bearing, Helsinki: Yrjö Jahnssonin Säätiö, 1965.
[2] Bedford, T. and Cooke, R., Probabilistic Risk Analysis: Foundations and Methods, Cambridge University Press, Cambridge, UK, 2001.
[3] Chiclana, F., Herrera, F. and Herrera-Viedma, E., "A classification method of alternatives for multiple preference ordering criteria based on fuzzy majority," J. Fuzzy Math., Vol. 34, pp. 224-229, 1996.
[4] Chiclana, F., Herrera, F. and Herrera-Viedma, E., "Integrating three representation models in fuzzy multipurpose decision making based on fuzzy preference relations," Fuzzy Sets and Systems, Vol. 97, pp. 33-48, 1998.
[5] Carroll, J.M., "Decision support for risk analysis," Computers & Security, Vol. 2, Issue 3, pp. 230-236, Nov. 1983.
[6] Chen, S.-M., "Fuzzy group decision making for evaluating the rate of aggregative risk in software development," Fuzzy Sets and Systems, Vol. 118, pp. 75-88, 2001.
[7] Chen, S.-M., "Measures of similarity between vague sets," Fuzzy Sets and Systems, Vol. 74, pp. 217-223, 1995.
[8] Chen, S.-J. and Chen, S.-M., "Fuzzy risk analysis based on similarity measures of generalized fuzzy numbers," IEEE Trans. on Fuzzy Systems, Vol. 11, No. 11, Feb. 2003.
[9] Davies, P.C., "Design issues in neural network development," NEUROVEST Journal, pp. 21-25, 1994.
[10] Filev, D. and Yager, R.R., "On the issue of obtaining OWA operator weights," Fuzzy Sets and Systems, Vol. 94, pp. 157-169, 1998.
[11] Guan, B.C., Lo, C.C., Wang, P. and Hwang, J.S., "Evaluation of information security related risks of an organization - The application of multi-criteria decision-making method," IEEE 37th International Carnahan Conference on Security Technology (ICCST), 2003.
[12] Gau, W.L. and Buehrer, D.J., "Vague sets," IEEE Trans. Systems, Man and Cybernetics, Vol. 23, pp. 610-614, 1993.
[13] Gary, S. et al., "Risk Management Guide for Information Technology Systems," Special Publication 800-300, National Institute of Standards and Technology, 2001.
[14] Herrera, F. et al., "A rational consensus model in group decision making using linguistic assessments," Fuzzy Sets and Systems, Vol. 88, pp. 31-49, 1997.
[15] Halliday, S. et al., "A business approach to effective information technology risk analysis and management," Information Management & Computer Security, Vol. 4, pp. 27-28, 1996.
[16] Kacprzyk, J. and Fedrizzi, M., Multiperson Decision Making Using Fuzzy Sets and Possibility Theory, pp. 231-241, Kluwer Academic Publishers, Netherlands, 1990.
[17] Kacprzyk, J. and Fedrizzi, M., "A 'soft' measure of consensus in the setting of partial (fuzzy) preferences," European Journal of Operational Research, Vol. 34, pp. 316-326, 1988.
[18] Kangari, R. and Riggs, L.S., "Construction risk assessment by linguistics," IEEE Transactions on Engineering Management, Vol. 36, Issue 2, pp. 126-131, May 1989.
[19] Lee, H.M., "Group decision making using fuzzy sets theory for evaluating the rate of aggregative risk in software development," Fuzzy Sets and Systems, Vol. 80, Issue 3, pp. 261-271, June 1996.
[20] De Luca, A. and Termini, S., "A definition of a nonprobabilistic entropy in the setting of fuzzy sets theory," Information and Control, Vol. 20, pp. 301-312, 1972.
[21] Li, D. and Cheng, C., "New similarity measures of intuitionistic fuzzy sets and application to pattern recognition," Pattern Recognition Letters, Vol. 23, pp. 221-225, 2002.
[22] Lichtenstein, S., "Factors in the selection of a risk assessment method," Information Management & Computer Security, Vol. 4, No. 4, pp. 20-25, 1996.
[23] Mon, D.L., Cheng, C.H. and Lin, J.C., "Evaluating weapon system using fuzzy analytical hierarchy process based on entropy weight," Fuzzy Sets and Systems, Vol. 62, pp. 117-134, 1994.
[24] Mann, L. and Tan, C., "The hassled decision maker: The effects of perceived time pressure on information processing in decision making," Australian Journal of Management, Vol. 18, No. 2, pp. 197-210, 1993.
[25] March, J.G. and Shapira, Z., "Managerial perspectives on risk and risk taking," Management Science, Vol. 33, No. 11, Nov. 1987.
[26] Orlovski, S.A., "Decision-making with a fuzzy preference relation," Fuzzy Sets and Systems, Vol. 1, pp. 155-167, 1978.
[27] Rudas, I.J. and Kaynak, M.O., "Entropy-based operations on fuzzy sets," IEEE Trans. Fuzzy Systems, Vol. 6, pp. 33-40, Feb. 1998.
[28] Sharma, S., Applied Multivariate Techniques, John Wiley & Sons, 1996.
[29] Szmidt, E. and Kacprzyk, J., "Evaluation of agreement in a group of experts via distances between intuitionistic fuzzy preferences," International IEEE Symposium on Intelligent Systems, Sep. 2002.
[30] Szmidt, E. and Kacprzyk, J., "Distances between intuitionistic fuzzy sets," Fuzzy Sets and Systems, Vol. 114, pp. 505-518, 2000.
[31] Saaty, T.L., The Analytic Hierarchy Process, McGraw-Hill, New York, 1980.
[32] Smolikova, R. and Wachowiak, M.P., "Aggregation operators for selection problems," Fuzzy Sets and Systems, Vol. 131, pp. 23-34, 2002.
[33] Tsaur, S.-H., Tzeng, G.-H. and Wang, K.-C., "Evaluating tourist risks from fuzzy perspectives," Annals of Tourism Research, Oct. 1997.
[34] Tanino, T., "Fuzzy preference ordering in group decision making," Fuzzy Sets and Systems, Vol. 12, pp. 117-131, 1984.
[35] Weber, D.P., "Fuzzy fault tree analysis," IEEE World Congress on Computational Intelligence, Proceedings of the Third IEEE Conference on Fuzzy Systems, Vol. 3, pp. 1899-1904, June 1994.
[36] Ward, S.C., "Assessing and managing important risks," International Journal of Project Management, Vol. 17, No. 6, p. 331, 1999.
[37] Yager, R.R., "On ordered weighted averaging aggregation operators in multicriteria decision making," IEEE Trans. Systems, Man and Cybernetics, Vol. 18, pp. 183-190, 1988.
[38] Yager, R.R., "On the measure of fuzziness and negation, Part I: membership in the unit interval," Internat. J. General Systems, Vol. 5, pp. 221-229, 1979.
[39] Yager, R.R., "Modeling prioritized multicriteria decision making," IEEE Trans. Systems, Man and Cybernetics - Part B, Vol. 34, pp. 2396-2404, Dec. 2004.
[40] Haimes, Y.Y., Risk Modeling, Assessment, and Management, John Wiley & Sons, 1998.
[41] Zimmermann, H.J. and Zysno, P., "Decision and evaluations by hierarchical aggregation of information," Fuzzy Sets and Systems, Vol. 10, pp. 243-260, 1983.
[42] Zadeh, L.A., "A computational approach to fuzzy quantifiers in natural languages," Comput. Math. Appl., Vol. 9, pp. 149-184, 1983.
[43] Zwick, R., Carlstein, E. and Budescu, D.V., "Measures of similarity among fuzzy concepts: A comparative analysis," Internat. J. Approximate Reasoning, Vol. 1, pp. 221-242, 1987.

Internet sources
[44] 2004 CSI/FBI Computer Crime and Security Survey, http://www.visionael.com/products/security_audit/FBI_CSI_2004.pdf
[45] http://reliability.sandia.gov/Reliability/Fault_Tree_Analysis/fault_tree_analysis.html
[46] http://www.iee.org/Policy/Areas/Health/hsb26c.pdf
[47] http://www.analex.com/html/aero_fmeca.html
[48] http://pie.che.ufl.edu/guides/hazop/
[49] http://coras.sourceforge.net/
[50] http://www.ercim.org/publication/Ercim_News/enw49/dimitrakos.html
[51] http://www.microsoft.com/technet/archive/itsolutions/ecommerce/maintain/operate/aspsec.mspx

English books
[52] BS 7799-2:1999, Information security management - Part 2: Specification for information security management systems.
[53] BS 7799-2:2002, Information security management systems - Specification with guidance for use.
[54] CRMES (Center for Risk Management of Engineering Systems), Ranking of Space Shuttle FMEA/CIL items: the Risk Ranking and Filtering (RRF) method, University of Virginia, Charlottesville, 1991.
[55] Hwang, C.L. and Yoon, K., Multiple Attribute Decision Making: Methods and Applications, Springer-Verlag, Berlin, Heidelberg, New York, pp. 41-58, pp. 153-154, 1981.
[56] ISO/IEC 17799:2000, Information technology - Code of practice for information security management.
[57] ISO/IEC TR 13335-1, Guidelines for the Management of IT Security - Part 1: Concepts and models for IT security.
[58] ISO/IEC Guide 73:2002, Risk management - Vocabulary - Guidelines for use in standards.
[59] Kaufmann, A. and Gupta, M.M., Introduction to Fuzzy Arithmetic: Theory and Applications, New York, 1991.
[60] Koller, G.R., Risk Assessment and Decision Making in Business and Industry: A Practical Guide, CRC Press LLC, 2000.
[61] Klir, G.J. and Yuan, B., Fuzzy Sets and Fuzzy Logic, Prentice Hall, Singapore, 1988, pp. 259-277.
[62] Zeleny, M., Multiple Criteria Decision Making, McGraw-Hill, 1982, pp. 185-198.
[63] Chen, S.-J. and Hwang, C.L., Fuzzy Multiple Attribute Decision Making: Methods and Applications, Springer-Verlag, Berlin, Heidelberg, New York, 1992, pp. 491-493.

Chinese sources
[64] 劉永禮, 陳啟光, "A study on constructing an organizational information security risk management model based on the BS7799 information security management standard," Master's thesis, Department of Industrial Engineering and Management, Yuan Ze University, 2002.
[65] 李慶民, 莊謙亮, "A study on constructing an information security evaluation model based on BS 7799: the case of a virtual private network system," Master's thesis, Institute of Information, National Defense University, May 2001, pp. 24-49.
[66] 溫鳳祺 (trans.), Risk management - Vocabulary - Guidelines for use in standards (ISO/IEC Guide 73:2002(E/F)).
[67] 賴溪松, "National standards for information security," Communications of the CCISA (資訊安全通訊), Vol. 4, No. 4, p. 29, 1998.
[68] 張真誠, 婁德權, "Countermeasures for information system security," Information and Education (資訊與教育), No. 59, pp. 41-47, 1995.
[69] 樊國楨, "An introduction to the control objectives and applications of information and related technology," Communications of the CCISA (資訊安全通訊), Vol. 5, No. 3, pp. 1-7, 1999.
[70] 范淼, "Project risk management technology development" course, 中科院, July 2002.
[71] 柯輝耀, Preventive failure analysis: applications of FMECA & FTA, Chinese Society for Quality (中華民國品質學會), 2001.