Abstract

In an information-oriented society, the security of information related assets in organizations is one of chief concerns and the importance of security evaluation system to grasp their security level is increasing. We also consider that the magnitude of risk to information assets is highly dependent on the scales, forms, treat etc. of the organization, and should be evaluated by reflecting these characteristics. Standing on this concept, we adopted OCTAVESM as the basic information system and already proposed two fuzzy-based methods integrated in it. One is to determine the set of critical assets using fuzzy decision making methodology by multi-participants. The other is to calculate the degree of risks along with the given threat path as a crisp value using fuzzy inference mechanism and so on. In this paper, we propose a system for selecting some mitigation controls considered to be more effective than others as an application of fuzzy outranking.