2005, International Journal of Intelligent Systems
This article develops an alternative form of Dempster's rule of combination for binary variables. This alternative form not only provides closed-form formulae for efficient computation but also enables researchers to develop closed-form analytical formulae for assessing risks such as information security risk, fraud risk, audit risk, independence risk, etc., involved in assurance services. We demonstrate the usefulness of the alternative form in calculating the overall information security risk and also in developing an analytical model for assessing fraud risk.
Australian Accounting Review, 2011
The main purpose of this paper is to introduce the Dempster-Shafer theory ("DS" theory) of belief functions for managing uncertainties, specifically in the auditing and information systems domains. We illustrate the use of DS theory by deriving a fraud risk assessment formula for a simplified version of a model developed by Srivastava, Mock, and Turner (2007). In our formulation, fraud risk is the normalized product of four risks: risk that management has incentives to commit fraud, risk that management has opportunities to commit fraud, risk that management has an attitude to rationalize committing fraud, and the risk that auditor's special procedures will fail to detect fraud. We demonstrate how to use such a model to plan for a financial audit where management fraud risk is assessed to be high. In addition, we discuss whether audit planning is better served by an integrated audit/fraud risk assessment as now suggested in SAS 107 (AICPA 2006a, see also ASA 200 in AUASB 2007) or by the approach illustrated in this paper where a parallel, but separate, assessment is made of audit risk and fraud risk.
Studies in Fuzziness and Soft Computing
BELIEF-FUNCTION FORMULAS FOR AUDIT RISK
Synopsis and Introduction: This article relates belief functions to the structure of audit risk and provides formulas for audit risk under certain simplifying assumptions. These formulas give plausibilities of error in the belief-function sense. We believe that belief-function plausibility represents auditors' intuitive understanding of audit risk better than ordinary probability. The plausibility of a statement, within belief-function theory, measures the extent to which we lack evidence against the statement. High plausibility for error indicates only a lack of assurance, not positive evidence that there is error. Before collecting, analyzing, and aggregating the evidence, an auditor may lack any assurance that a financial statement is correct, and in this case will attribute very high plausibility to material misstatement. This high plausibility does not necessarily indicate any evidence that the statement is materially misstated, and hence it is inappropriate to interpret it as a probability of material misstatement. The SAS No. 47 formula for audit risk is based on a very simple structure for audit evidence. The formulas we derive in this article are based on a slightly more complex but still simplified structure, together with other simplifying assumptions. We assume a tree-type structure for the evidence, assume that all evidence is affirmative and that each variable in the tree is binary. All these assumptions can be relaxed. As they are relaxed, however, the formulas become more complex and less informative, and it then becomes more useful to think in terms of computer algorithms rather than in terms of formulas (Shafer et al. 1988). In general, the structure of audit evidence corresponds to a network of variables.
We derive formulas only for the case in which each item of evidence bears either on all the audit objectives of an account or on all the accounts in the financial statement, as in figure 1, so that the network is a tree. Usually, however, there will be some evidence that bears on some but not all objectives for an account, on some but not all accounts, or on objectives at different levels; in this case, the network will not be a tree.
Journal of Management Information Systems, 2006
This study develops an alternative methodology for the risk analysis of information systems security (ISS), an evidential reasoning approach under the Dempster-Shafer theory of belief functions. The approach has the following important dimensions. First, the evidential reasoning approach provides a rigorous, structured manner to incorporate relevant ISS risk factors, related countermeasures and their interrelationships when estimating ISS risk. Secondly, the methodology employs the belief function definition of risk, that is, ISS risk is the plausibility of information system security failures. The proposed approach has other appealing features, such as facilitating cost-benefit analyses to help promote efficient ISS risk management. The paper both elaborates the theoretical concepts and provides operational guidance for implementing the method. The method is illustrated using a hypothetical example from the perspective of management and a real-world example from the perspective of external assurance providers. Sensitivity analyses are performed to evaluate the impact of important parameters on the model's results.
The purpose of this quantitative data analysis was to examine the relationship between industry type and information security risk-level among businesses in the United States. This paper took into account collected business related data from 36 industry types. Pattern recognition, bivariate linear regression analysis, and a one-sample t-test were performed to test the industry type and information security risk-level relationship of the selected business. Test results indicated that there is a significant predictive relationship between industry type and risk-level rates among United States businesses. Moreover, the one-sample t-test results indicated that United States businesses classified as a particular industry type are more likely to have a higher information security risk-level than the midpoint level of United States businesses.
Information Resources Management Journal, 2000
In this paper, the authors present a quantitative model for estimating security risk exposure for a firm. The model includes a formulation for the optimization of controls as well as determining sensitivity of the exposure of assets to different threats. The model uses a series of matrices to organize the data as groups of assets, vulnerabilities, threats, and controls. The matrices are then linked such that data is aggregated in each matrix and cascaded across the other matrices. The computations are reversible and transparent allowing analysts to answer what-if questions on the data. The exposure formulation is based on the Annualized Loss Expectancy (ALE) model, and uncertainties in the data are captured via Monte Carlo simulation. A mock case study based on a government agency is used to illustrate this methodology.
Engineering Management Journal, 2013
The paper presents a mathematical model to improve our knowledge of information security and risk management in contemporaneous businesses and other organizations. In a world of permanent cyber-attacks on information systems, knowledge about risk management is becoming a crucial task for minimizing the potential risks that can endanger their operation. Therefore, it requires good knowledge of information security. The prevention of the heavy losses that may happen due to cyber-attacks and other failures in an organization is usually associated with knowledge about appropriate investment in different security measures. With the rise of the potential risks from different cyber-attacks, the investment in security services and data protection is growing and is becoming a serious economic issue for many organizations and enterprises. The paper presents a mathematical model for the optimal security-technology investment evaluation and decision-making processes based on the quantitative analysis of security risks and digital asset assessments in an enterprise. The model makes use of the quantitative analysis of different security measures that counteract individual risks by identifying the information system processes in an enterprise and the potential threats. The selection of security technology is based on the efficiency of the selected security measures. Economic metrics are applied for the efficiency assessment and comparative analysis of different protection technologies. Unlike the existing models for evaluation of security investment, the proposed model allows direct comparison and quantitative assessment of different security measures.
IEEE Transactions on Power Systems, 1998
This paper describes a method for computing the optimal balance between preventive and corrective security actions. This method relies on a three-stage Benders decomposition and is capable of handling the mixed-integer linear nature of this problem. A number of case studies are presented to demonstrate the effectiveness of this method and to illustrate the consequences of introducing demand-side corrective actions. In particular, it is shown that using corrective actions can significantly reduce the total cost of security and that the reliability of the transmission system affects the optimal mix of preventive and corrective security. The proposed method provides a basis for negotiations between the transmission operator and potential providers of demand-side corrective actions.
International Journal of Auditing, 2009
This paper illustrates two formulas for assessing independence risk based on the Bayesian and belief-functions frameworks. These formulas can be used to assess the role of threats to auditor independence as well as the role of threat-mitigating safeguards. Also, these formulas provide a basis for evaluation of an audit firm's independence risk and a framework to educate stakeholders about the threats faced by the audit firm and the role of effective safeguards in mitigating these risks. The formulas also provide a means for regulators and lawmakers to evaluate whether they have effective safeguards in place given the existence of threats and for auditors to signal to various stakeholders that they have identified significant threats and have effective safeguards in place. To show the potential usefulness of these analytical models, several illustrations addressing increased transparency and the potential impact of regulations are presented.
International Journal of Approximate Reasoning, 2007
We derive general analytical formulas for assessing risks in a problem domain where the risk depends on three interrelated variables. More specifically, we derive general analytical formulas for propagating beliefs in a network where three binary variables, A, B and C, are related to a fourth binary variable Z through an 'AND' relationship. In addition, we assume that variables A, B and C are interrelated in that a change in one variable may affect the value of each of the other two. The analytical formulas derived in this article determine the overall belief and plausibility that Z is true or not true, given that we have beliefs on variables A, B and/or C. To demonstrate the importance of the general results, we use the results to develop models applicable to three real-world situations. The first model can aid external auditors in assessing the quality of an audit client's internal audit function to determine the extent to which the internal auditor's work can be relied on in the conduct of a financial audit while the second can aid in assessing the risk of impaired auditor independence when conducting a financial statement audit. The third model can be used to assess the risk of management fraud in financial reporting. Assessment of such risks is of critical importance to external auditors, regulators, and the investing public. Analytical formulas to help address these types of important business and economic problems have not been available prior to these derivations.
2014
Risk management constitutes a basis for decision making in a business continuity plan, since it creates a view that allows one to identify and control risks that can compromise the assets of a given organization. Despite the existence of several methodologies to estimate the severity of these threats, previous evidence has demonstrated that the presence of human data sources for risk analysis can produce biased results, thus compromising business continuity as a result of wrongly guided investments. In this work, we present an approach that reduces human biases by weighting risk evaluations using a reliability level of the sources, based on risk treatment performance. The experiments showed that the usage of reliability scores can effectively increase the accuracy of risk estimation, becoming a tool to minimize and/or eliminate those data sources that provoke the deviation of risk assessment results.
2011 44th Hawaii International Conference on System Sciences, 2011
This paper develops a general framework under Dempster-Shafer theory for assessing fraud risk in a financial statement audit by integrating the evidence pertaining to the presence of fraud triangle factors (incentives, attitude and opportunities), and evidence concerning both account-based and evidence-based fraud schemes. This framework extends fraud risk assessment models in prior research in three respects. 1) It integrates fraud schemes, both account schemes through which accounts are manipulated, and evidence schemes through which frauds are concealed, into a single framework. 2) It incorporates prior fraud frequency information obtained from the Accounting and Auditing Enforcement Releases issued by the Securities and Exchange Commission into an evidential network which uses Conditional OR relationships among assertions. 3) The framework provides a structured approach for connecting risk assessment, audit planning, and evaluation of audit results. The paper uses a real fraud case to illustrate the application of the framework.
International Journal of Computer Applications, 2014
Risk management methodologies, such as Mehari, Ebios, CRAMM and SP 800-30 (NIST), use a common step based on threat, vulnerability and probability, which are typically evaluated intuitively using verbal hazard scales such as low, medium, high. Because of their subjectivity, these categories are extremely difficult to assign to threats, vulnerabilities and probability, or indeed, to interpret with any degree of confidence. The purpose of the paper is to propose a mathematical formulation of risk by using a lower level of granularity of its elements: threat, probability, criteria used to determine an asset's value, exposure, frequency and existing protection measures.
2020
A number of risk analysis methods became obsolete because of the profound changes in information technologies. Revolutionary changes in information technologies have converted many risk analysis methods into inconsistent, long-lasting and expensive instruments. Therefore, risk analysis methods should be adaptively modified or redesigned according to the changes in information technologies, so that they meet the information security requirements of the organizations. By taking these requirements into consideration, a survey-based approach is proposed for analyzing the risks of information technologies. This new method is named Risk Analysis Method for Information Security (RAMIS). A case study is conducted to show the steps of RAMIS in detail and to obtain the risk results. To verify the results of the case study, a simulation is performed based on real statistical data. The results of the simulation showed that RAMIS yields consistent results in a reasonable time period by allowing...
The starting point of this research essay is a critical review of two methods to conduct a quantitative analysis of information systems security risks: 1) Management of Risk: Guidance for Practitioners and 2) a cost model based on annual loss expectancy. We are focusing on these methods with a perspective that highlights the limits of both empiricism and the theoretical elements that underlie them.
Procedia Computer Science, 2019
Risk management is a practical step in handling risk scenarios in an organization, including in the field of information security. There are many techniques used to carry out information security risk assessments. One of them is a combination technique using ISO 27005 and NIST SP 800-30 revision 1. Previous research proved that the combination technique could be implemented in a non-profit organization (government). However, the detailed risk assessment steps have not been explained clearly yet. This raises the question of whether this new approach can be utilized in a common organization or not (not only non-profit but also profit organizations). This research focuses on information security risk assessment by implementing the combination technique in a profit organization using semi-quantitative methods. As a result, the combination technique can be used in common organizations, both profit and non-profit, with a clear step-by-step translation.
We introduce a decision rule where the risk dimension is measured by the conditional value of risk. We characterize the risk attitudes implied by the decision rule in a way similar to the well-known mean-variance framework. We show that the rule is consistent with Yaari's dual theory for all risk attitudes. Finally, a reformulation of the decision rule is presented which is based on two conditional expected values.