Apply Fuzzy Decision Tree to Information Security Risk Assessment

As computer becomes popular and internet advances rapidly, information application systems are used extensively in organizations. Various information application systems such as attendance systems, accounting systems, and statistical systems have already replaced manual operations. In such a drastic change, the information security issue encountered by organizations becomes increasingly significant. Information security risk assessment is the core of information security. It focuses on the assessments of assets with confidentiality, integrity and availability. Moreover, vulnerability of information systems and threats to the outside are also included in the scope of consideration. This study adopts fuzzy decision tree to evaluate the information security risk assessment for decision-makers. There are 155 input-output data with 22 attributes used to measure the value at risk obtained from ISO/IEC 27001 information security management system standard and ISO/IEC27005: 2008 Information technology. Another zoo dataset collected from UCI repository is also used to test the performance for the proposed algorithm. From simulation results, the proposed approach outperforms other existing approaches.