In recent decades, information security has become crucial for protecting the benefits of a business operation. Many organizations perform information security risk management in order to analyze their weaknesses, and enforce the security of the business processes. However, identifying the threat-vulnerability pairs for each information asset during the processes of risk assessment is not easy and time-consuming for the risk assessor. Furthermore, if the identified risk diverges from the real situation, the organization may put emphasis on the unnecessary controls to prevent the non-existing risk. In order to resolve the problem mentioned above, we utilize the data mining approach to discover the relationship between assets and threat-vulnerability pairs. In this paper, we propose a risk recommendation mechanism for assisting user in identifying threats and vulnerabilities. In addition, we also implement a risk assessment system to collect the historical selection records and measure the elapsed time. The result shows that with the assistance of risk recommendations, the mean elapsed time is shorter than with the traditional method by more than 21 %. The experimental results show that the risk recommendation system can improve both the performance of efficiency and accuracy of risk identification.

Introduction

More and more organizations rely on information technology to assist them in achieving their business goals such as faster service response or better quality. However, focusing on ease of use in terms of system configuration and 5 operation makes systems more vulnerable and easily compromised. This is why information security is of paramount importance to organizations. A systematic approach for information security risk management is necessary to help identify information security requirements and to create an effective management system. Risk is the effect of uncertainty on objectives, and information security risk 10 is often expressed in terms of a combination of the consequences of an information security event and the associated likelihood of occurrence [1]. The object for assessment also called information asset, which means anything that has value to organization. It is noting that information asset of an information system consists of more than hardware and software [1]. In this paper, we classify 15 the information asset into five categories: hardware, software, people, information and service. Risk assessment, both the process and associated techniques, offers an analytical and structured walk-through of the organization’s security state [2]. Risk identification is an important step in risk assessment, to determine what could cause a potential loss, and to gain insight into how and why the 20 loss might happen. Thus, if a corporation expects to perform risk assessment successfully, finding the appropriate threat-vulnerability pair of each asset is a crucial step. However, in the process of identifying threat-vulnerability pairs, it is difficult for the risk assessor, especially one who lacks information security competence, to recognize the feasible combinations. 25 Without the support of a recommendation system, a risk assessor may encounter at least three challenges: First, in spite of the threat and vulnerability list being provided as a candidate list for risk assessors, it is still time-consuming to choose the appropriate one from more than a hundred combinations. Second, the threat-vulnerability pairs may be irrational if the root cause is not 30 considered discreetly. For example, a physical server appliance may have some vulnerability due to the lack of physical protection. Theoretically, environmental damage and physical breakage are reasonable threats. However, a mistake may be made when people choose another irrational threat such as ”insufficient software testing”. Third, not all the users have the ability to find the security 35 issue for the information asset, and may choose non-existing risks. Non-existing threat-vulnerability pairs may make organizations spend unnecessary time and money to prevent a risk that may not happen, which may lead the manager to neglect the real weaknesses, or invest in improper security measures.