Risk Analysis in Information Security Using the Fuzzy FMEA Method (Bulanık FMEA Yöntemini Kullanarak Bilgi Güvenliğinde Risk Analizi)
Date: 2024-05-14
Author: Yeşilçimen, Yıldız Merve
Access: Open access
Abstract
The rapid development and widespread use of the Internet and information technologies have increased organizations' dependence on information systems to support their business processes. This dependency is critical for organizations across industries to sustain daily operations and gain competitive advantage, but it also makes them more vulnerable to threats against their information technology systems. Such threats can cause data loss and disrupt business continuity. Organizations must therefore develop security measures and risk management strategies to protect their information assets effectively. The measures taken minimize the potential losses that information security vulnerabilities would otherwise cause, which benefits the organization financially and supports its image as a transparent and reliable organization.
To minimize potential failures in information security risk management, this thesis applies the Failure Mode and Effects Analysis (FMEA) method with a fuzzy approach. Fuzzy FMEA is preferred because it extends the scope and flexibility of classical FMEA: expert judgements are captured as linguistic terms instead of being forced onto a single crisp scale, which makes the assessment more practical, effective and useful.
This study analyzes the information security of portable media and devices in an organization with respect to the three basic elements of information security, confidentiality, integrity and availability (a given failure mode may affect one or more of them), with the goal of eliminating the risks where possible and reducing their impact where not.
The fuzzy FMEA method was developed with a team of seven information security experts, who are also active members of the organization's ISO/IEC 27001 ISMS team. For the failure modes identified in the study, the precautionary items under the heading Mobile Device and Environment Security, one of the six main asset groups in the Information and Communication Security Guide of the Digital Transformation Office of the Presidency of the Republic of Turkey, were used. The experts rated the occurrence, severity and detectability of each failure mode on a scale of 10 linguistic terms. For each parameter the median of the seven ratings was taken, so that outlying assessments do not dominate the evaluation. Classical and fuzzy FMEA were then compared on the resulting data, and a strong relationship between the two methods was found.
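The pipeline the abstract describes (linguistic ratings from a seven-expert panel, per-parameter median, classical RPN beside a fuzzy RPN, and a rank comparison of the two) is reconstructed below as an added example; it is not the thesis' own code or data. Everything specific is assumed: the 10-term scale and its triangular membership functions, the product-then-centroid defuzzification, Spearman's rho as the measure of the "strong relationship" (the page does not name the statistic), and the four portable-media failure modes with their ratings, which are constructed. The example also shows one property the abstract does not spell out: two failure modes with identical classical RPNs (here 2×10×10 and 5×5×8) are separated by the fuzzy score, because the fuzzy product keeps the spread of the underlying ratings.

```python
"""Fuzzy vs. classical FMEA on constructed portable-media failure modes (added example)."""
import math
from statistics import median

# Assumed 10-term linguistic scale, shared by occurrence (O), severity (S) and
# detectability (D). The thesis' own term set and membership functions are not
# reproduced on the page; here term k is the triangular fuzzy number
# (k-1, k, k+1) clipped to the 1..10 universe.
TERMS = ["none", "very remote", "remote", "very low", "low", "moderate",
         "moderately high", "high", "very high", "extreme"]
LEVEL = {term: k for k, term in enumerate(TERMS, start=1)}
TFN = {term: (max(1, k - 1), k, min(10, k + 1)) for term, k in LEVEL.items()}

# Constructed sample: seven experts rate four failure modes. Each tuple is one
# expert's (O, S, D) choice, stored as the 1-based index of the chosen term.
RATINGS = {
    "unencrypted USB stick lost off-site": [
        (6, 9, 8), (7, 8, 7), (7, 9, 8), (8, 9, 9), (7, 10, 8), (6, 8, 8), (7, 9, 7)],
    "backup tape left in unlocked cabinet": [
        (2, 10, 10), (1, 10, 9), (2, 9, 10), (3, 10, 10), (2, 10, 10), (2, 9, 9), (1, 10, 10)],
    "personal phone joined to corporate Wi-Fi": [
        (5, 5, 8), (4, 6, 7), (5, 5, 8), (6, 4, 9), (5, 5, 8), (5, 5, 8), (4, 6, 7)],
    "unpatched laptop taken off-site": [
        (5, 7, 4), (6, 7, 3), (5, 8, 4), (4, 6, 4), (5, 7, 5), (6, 7, 4), (5, 8, 3)],
}


def median_terms(ratings):
    """Aggregate the panel by the per-parameter median (an odd-sized panel keeps
    the median on the scale and ignores one or two outlying experts), returning
    the consensus (O, S, D) as linguistic terms."""
    return tuple(TERMS[int(median(col)) - 1] for col in zip(*ratings))


def crisp_rpn(o, s, d):
    """Classical FMEA risk priority number on the crisp 1..10 levels."""
    return LEVEL[o] * LEVEL[s] * LEVEL[d]


def fuzzy_rpn(o, s, d):
    """Fuzzy RPN: product of the three TFNs (the usual approximation that
    multiplies the a, b and c components separately), defuzzified by the
    centroid (a + b + c) / 3 of the resulting triangle."""
    a, b, c = (math.prod(component) for component in zip(TFN[o], TFN[s], TFN[d]))
    return (a + b + c) / 3


def analyse(ratings=RATINGS):
    """Consensus terms plus both RPNs for every failure mode."""
    result = {}
    for mode, panel in ratings.items():
        o, s, d = median_terms(panel)
        result[mode] = {"terms": (o, s, d),
                        "crisp": crisp_rpn(o, s, d),
                        "fuzzy": fuzzy_rpn(o, s, d)}
    return result


def average_ranks(values):
    """Ascending ranks with tied values sharing their mean rank, as Spearman's
    rho requires when the classical RPN produces duplicates."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        mean_rank = (i + j) / 2 + 1
        for k in range(i, j + 1):
            ranks[order[k]] = mean_rank
        i = j + 1
    return ranks


def spearman(x, y):
    """Spearman rank correlation, computed as Pearson correlation of the ranks."""
    rx, ry = average_ranks(x), average_ranks(y)
    mx, my = sum(rx) / len(rx), sum(ry) / len(ry)
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    vx = sum((a - mx) ** 2 for a in rx)
    vy = sum((b - my) ** 2 for b in ry)
    return cov / math.sqrt(vx * vy)


def compare(ratings=RATINGS):
    """Rank agreement between the classical and the fuzzy priority order."""
    rows = list(analyse(ratings).values())
    return spearman([r["crisp"] for r in rows], [r["fuzzy"] for r in rows])


if __name__ == "__main__":
    for mode, r in analyse().items():
        print(f"{mode:42s} O/S/D={r['terms']} crisp={r['crisp']:4d} fuzzy={r['fuzzy']:7.2f}")
    print(f"Spearman rho = {compare():.3f}")
```

With the constructed panel, the USB-stick and laptop modes keep their positions under both methods, while the tape and phone modes tie at a classical RPN of 200 and are separated by the fuzzy score (about 194 against 212), so rho comes out just below 1. A real assessment would replace the assumed membership functions and the sample ratings with the organization's own scale and panel data; the aggregation and comparison steps stay the same.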