Applying Fuzzy Expert System to Information Security Risk Assessment - A Case Study on an Attendance System

As computer becomes popular and internet advances rapidly, information application systems are used extensively in organizations. Various information application systems such as attendance systems, accounting systems, and statistical systems have already replaced manual operations. In such a drastic change, the information security issue encountered by organizations becomes increasingly significant. This study adopts an attendance system of a governmental organization to explore the information security issue. The risk assessment of the attendance system mainly focuses on the assessments of confidentiality, integrity and availability. Weak points of the attendance system and threats to the outside are also included in the scope of consideration. This study adopts the ISO/IEC 27001 information security management system standard and ISO/IEC27005:2008 Information technology Security techniques - Information security risk management to explore the risk assessment method of the attendance system and establish a set of fuzzy expert systems to measure the value at risk. In the meantime, a recommended acceptable value at risk is provided for facilitating and assisting decision makers through practical aspects and fuzzy expert systems and used as a reference for selecting an acceptable value at risk.