Académique Documents
Professionnel Documents
Culture Documents
421
of computer security and the confidentiality of MATLAB and is designed using four main e-
information on the system. banking risk criteria, including: Direct internal attack
risk, communication tampering attack risk, code
3.2 FL Expert System programming attack risk and denial of service attack
risk. Two IT auditors from each bank (5 banks) and a
A fuzzy expert system is an expert system that uses questionnaire have been used for judging the
FL instead of Boolean logic. In other words, it is a importance of the above four criterions.
collection of membership functions and rules that are From each case-study, we choose two IT
utilised to reason about data [6]. auditors to answer the questionnaire, which consisted
Fuzzy approach requires sufficient expert of 80 scaled questions (20 questions for each risk).
knowledge in the formulation of the rule base, the Instructions have been given to the IT auditors to tick
combination of the sets and the defuzzification. In the corresponding box on the satisfaction scale, then
General, the employment of FL might be helpful for to decide the minimum position and the maximum
complex processes such as when there is no simple position he/s accepts. For instance, an assessor might
mathematical model. Fourali [12] highlights the think that question 2 for the selected risk criteria is
relevance of FL to the task of measuring educational fair but not strong, hence he may tick box 5 on the
achievement in which he introduced the principles scale, and then he may realize also that a lower rating,
behind FL and illustrated how these principles could i.e. 4 is acceptable [12]. Calculation of the
be applied by educators in the area of assessment assessment criteria can be computed as follows:
using portfolio evidence. Murphy [17] discussed the Average outcome: (1*1+2*2+2*3+3*4+2*5)/10 =
primary risk factors in developing projects and the 3.3
keys to a successful risk management programme. Analysis of the data collected from the IT auditors
Cox [9] examined the organisation of a business rule revealed that the internal direct attack is the highest
systems and looked at how these rules should be security risk factor, and other risks have lower
organised and written in order to address the impact. In other words, the internal direct risk attack
uncertainty and imprecision of business decisions factor is double that of others. The internal direct
using FL. attack deals with human factor, which is not easy to
Abdul Rahim [2] showed the utilisation of fuzzy be controlled and managed. On the other hand, the
technology in modeling subjective, vague and other security risk factors can be controlled and
uncertain web usability and design guidelines. eliminated by the various kinds of hardwares and
Yuksel [20] determined the key quality dimensions softwares such as: firewalls, automated scanning
in internet banking using survey questionnaire. tools and antivirus applications to protect the
Davoli [10] presented a Fuzzy Quality Tree for web network. The complete framework is demonstrated
inspection (FQT4web), a qualitative, robust and in Figure 1 with all criteria.
efficient inspector-based methodology for website
evaluation that has a hierarchical structure. In his
paper, he produced six measures of quality
dimensions and an overall quality score for web sites.
Finally, Alasgarova [5] examined the beneficial
aspects of using fuzzy database for credit risk
prediction decision.
The inference process in FL goes through four
steps [9] Fuzzification, . Inference, Composition and
Defuzzification.
Figure 1: Structure of the system in MATLAB
4. System Design
Since FL offers a more natural way of assessing
security factors instead of exact values, we used it to
evaluate and assess the security of the dynamic
internet banking websites by classifying all the
online security risks, threats and vulnerability
according to an important weight. This classification
will enable us to produce an overall security score
for an e-banking website. The proposed system
shown in Figure 1 has been implemented in Figure 2 : Ring layer 1 - Phase 2 evaluation
422
Final Rating = 0.4* Direct internal attack Crisp
[second ring layer] +0.6*Phase 3 crisp [First ring
layer]
423
(phishing attack, social engineering attack, insider Table 4: Rule Base 3 structure and entries for
attack, and brute force attack), which produces the phase 3
direct internal attack rule base 1. Phase 2 Direct Internal Final
Rule
Attack Security
Rating
Table 2 : Sample of the rule base1 structure and 1 Low Risk Low Risk Safe
entries for direct internal attack valuation 2 Low Risk Moderate Risk Destructive
Phishing Social Insider Brute Direct
3 Low Risk High Risk Catastrophic
Attack Engineeri Attack Force Internal
Rule
424
International Journal of Information Management 21 (4),
Table 6: Four lowest (0) inputs for criteria (Direct 213-225, 2001.
internal attack) and all other highest (10) inputs [5] A. N. Alasgarova. Financial Credit Risk Prediction
with Fuzzy System. Engineering and Applied Sciences
Denial of Communic Code Direct % department, Khazar University, 2005.
Service ation Programm Internal Security
No
425