Date Added: Feb 2012
In an electronic business environment, it is critical for an enterprise to assess Information Systems Security (ISS) risks. In this paper, the authors propose an approach based on evidence theory and rough sets to objectively represent the uncertainty inherent in ISS risk assessment. Uncertainty in security risk management stems from the incompleteness and vagueness of the conditioning attributes that characterize a risk. In the hybrid approach, evidence theory provides a consistent way to model experts' beliefs and to develop an evidential diagram for assessing ISS risk, a diagram that contains variables such as the IS assets, the related threats, and the corresponding countermeasures, while rough set theory is ideally suited for dealing with vague and incomplete information.
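As an added illustration of the evidence-theory half of the approach (example code, not from the paper), the following Python combines two experts' mass functions about one asset's risk level with Dempster's rule and reports the conflict mass, so that strongly disagreeing sources are visible rather than silently normalised away. The three-level risk frame, the threat-analyst and countermeasure-reviewer views, and their numeric masses are all constructed assumptions for the example.

```python
from itertools import product

# Constructed frame of discernment for one IS asset's risk level (assumed, not from the paper).
FRAME = frozenset({"high", "medium", "low"})

def combine(m1, m2):
    """Dempster's rule of combination for two mass functions over the same frame.
    m1, m2 map frozenset focal elements to mass (each summing to 1).
    Returns (combined_masses, conflict); the conflict K is normalised out of the
    result, so it is returned separately because a high K means the experts disagree."""
    combined = {}
    conflict = 0.0
    for (a, ma), (b, mb) in product(m1.items(), m2.items()):
        common = a & b
        if common:
            combined[common] = combined.get(common, 0.0) + ma * mb
        else:
            conflict += ma * mb          # disjoint hypotheses: mass lost to conflict
    if conflict >= 1.0:
        raise ValueError("total conflict: sources assign all mass to disjoint hypotheses")
    return {k: v / (1.0 - conflict) for k, v in combined.items()}, conflict

def belief(m, hypothesis):
    """Bel(H): mass of focal elements fully inside H (lower bound on support)."""
    return sum(v for k, v in m.items() if k <= hypothesis)

def plausibility(m, hypothesis):
    """Pl(H): mass of focal elements overlapping H (upper bound on support)."""
    return sum(v for k, v in m.items() if k & hypothesis)

# Constructed expert beliefs for a single asset (sample values, not from the paper):
# a threat analyst who sees an active threat, and a controls reviewer who rates the
# deployed countermeasures as effective. Unassigned mass goes to the whole frame.
THREAT_VIEW = {
    frozenset({"high"}): 0.6,
    frozenset({"high", "medium"}): 0.3,
    FRAME: 0.1,
}
COUNTERMEASURE_VIEW = {
    frozenset({"low"}): 0.5,
    frozenset({"medium", "low"}): 0.3,
    FRAME: 0.2,
}

def assess_asset():
    """Combine both views; return (Bel, Pl) for 'high' risk and the conflict K."""
    m, k = combine(THREAT_VIEW, COUNTERMEASURE_VIEW)
    high = frozenset({"high"})
    return belief(m, high), plausibility(m, high), k
```

With these inputs the conflict is 0.63, so the combined Bel(high) of about 0.32 and Pl(high) of about 0.54 should prompt a review of why the two experts disagree before the figure is used in the evidential diagram.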