1 Introduction

As government departments, financial institutions, enterprises and commercial organizations increasingly rely on information systems, information security has received widespread attention. Using risk assessment to analyze the security risks in an information system and to propose targeted corrective measures is an effective means of addressing information security problems. Within risk assessment, identifying assets and assessing their value is the primary task, and asset value is currently calculated mainly on the basis of confidentiality (C), integrity (I) and availability (A) [1]. Tang [2] proposes an objective assignment method that weights the evaluation indicators so that the calculated importance values are more objective, but this weighting method only considers the dispersion of the data and ignores the correlation between indicators. The literature [3] notes that quantifying the security level of assets in terms of confidentiality, integrity and availability is prone to subjectivity, and therefore treats the importance of the business carried by the assets as an additional factor to reduce the subjective influence, synthesizing the asset value by weighting and other methods; however, it gives no specific implementation algorithm. Xiang Hong [4] identifies assets based on business and uses the AHP method to assign values to them. AHP is effective in reducing the drawbacks of a completely subjective assignment, but it requires multiple experienced experts to provide a reliable judgment matrix and also involves calculations such as consistency tests, which increases the complexity of the calculation. Zhou Jing-Xian [5] uses the rough set approach to calculate the value of each asset by assigning weights to four factors: the CIA attributes that determine the value of the asset and the importance of the business it undertakes. Since the importance to the business is judged by humans, different decision makers will produce different values for the same asset. To solve the above problems, it is necessary to calculate the asset value by combining the quantified importance of the business carried by the asset with the CIA attributes.

In this paper, we propose a method that evaluates asset value from four factors: the importance of the business carried by the asset together with its confidentiality, integrity and availability. The method selects evaluation indicators that reflect the importance of the business carried by the asset, calculates the business importance value with the CRITIC weighting method, and then applies the multiplication method to the four influencing factors to obtain the asset value. This reduces the subjective influence of the traditional method, which considers CIA alone, and distinguishes the value of assets that belong to different organizations but carry the same type of business from that of assets that carry different types of business within the same organization.

2 Asset Valuation Method

The value of an asset is determined by the level of assignment of the three security attributes of confidentiality, integrity and availability, as well as the importance of the business undertaken by the asset. The realization of a complete business requires the involvement of multiple assets, and the more significant the business is, the more important its associated assets are. Based on this, this paper proposes an intuitive asset valuation model to analyze the value of assets.

2.1 Asset Valuation Model

The asset value assessment model proposed in this paper is depicted in Fig. 1. For information assets, their value is mainly reflected in four indicators: confidentiality, integrity, availability and business importance; the higher the requirements for these indicators, the higher the asset value. The three security attributes of confidentiality, integrity and availability are classified into five levels: very high, high, medium, low and very low, and the higher the level, the higher the requirement of the asset for this security attribute. The importance of the business carried by the assets is mainly reflected in the business itself and in the impact of the assets attached to the business on the organization, so the importance of the business can be evaluated from four aspects: organization ranking, organization level, scope of impact and business category.

Fig. 1. Asset valuation model

2.2 Business Importance Indicators System Construction

From the evaluation model, it is obvious that the asset value is affected by the importance of the business. In order to evaluate the asset value more accurately, indicators that rely completely on objective data must be selected to quantify the importance of the business. In this paper, the business category and influence range indicators are derived from the business itself: the more core the business category is, the higher the importance of the business, and the more extensive the range affected when the business cannot operate normally, the higher the importance of the business. However, these two indicators do not fully reflect the importance of the business, and indicators derived from the business itself cannot distinguish the importance of different businesses that belong to the same business category and have the same scope of influence. This paper therefore starts from the assets on which the business depends and proposes two further indicators, organization ranking and organization level, which reflect the importance of the business running on the assets by measuring the importance of the assets themselves. Organization ranking refers to the ranking, within its industry, of the organization to which the asset belongs; the higher the ranking, the stronger the organization is in the industry and the higher the importance of its subordinate assets. Organization level refers to the category into which the organization to which the asset belongs is classified in that industry; the higher the category, the more important the organization and the more important its subordinate assets. (If the value of an indicator cannot be determined for the assessment object, the same default value may be assigned to that indicator, and it is necessary to ensure that the final sum of all indicator weights is 1.)

With regard to the organization ranking, organization level and influence range indicators, their values are obtained by analyzing the reports issued by the organization to which the actual assets belong, while the business category indicator is determined by first taking the classification of businesses given in the literature [6] and then combining it with the business carried on the actual assets to identify the specific category. The literature roughly classifies businesses into five major categories according to their characteristics, as shown in Table 1 (since specific business systems are not mentioned, the information in the table is not complete, and the classification of businesses in actual assessment work should be based on the actual situation). Because the value of an asset takes into account the importance of the business it carries, exactly the same information asset is likely to have a different value to the organization being evaluated because of the different businesses it carries.

Table 1. Example of business classification.

2.3 Business Importance Calculation

Because each indicator contributes differently to the importance of the business, this paper uses the CRITIC method [7] to assign weights to the indicators when calculating business importance. As shown in the previous subsection, business importance is determined by four indicators: organization ranking, organization level, influence range and business category. The CRITIC method calculates the weight of each indicator from two properties: the conflict between the indicators and the differences in the values taken by the evaluation objects under each indicator [8]. For example, the greater the conflict between the organization ranking indicator and the other indicators, and the greater the difference in the data under that indicator, the more information the indicator contains, so it receives a greater weight and contributes more to the importance of the business. The weights of the other indicators are obtained from the CRITIC method [9] in the same way, and the calculation steps are as follows. (If only one indicator is selected to assess the importance of the business, only the normalization step of this algorithm is needed.)

1) In order to eliminate the influence of the different magnitudes of the indicators on the evaluation results, formula (1) is used to reverse-process the indicators for which a smaller value is better, and formula (2) is used to forward-process the indicators for which a larger value is better [10]:

$$ x_{ij}^* = \frac{\max(x_j) - x_{ij}}{\max(x_j) - \min(x_j)} $$
(1)
$$ x_{ij}^* = \frac{x_{ij} - \min(x_j)}{\max(x_j) - \min(x_j)} $$
(2)

In the formulas, max(xj) is the maximum value of indicator j, min(xj) is the minimum value of indicator j, xij is the value of evaluation object i under indicator j, and xij* is the processed value, whose range is [0, 1].

2) After the data have been processed, the standard deviation of each indicator is calculated with formula (3) as a measure of the difference in the values taken by the assessment objects under that indicator:

$$ \sigma_j = \sqrt{\frac{1}{n}\sum_{i=1}^{n} \left( x_{ij}^* - \overline{x_j} \right)^2} $$
(3)

Here, σj is the standard deviation of indicator j and \(\overline{x_j}\) is the average of the n assessment objects under indicator j.

3) Formulas (4) and (5) are used to calculate the magnitude of the conflict between indicators:

$$ r_{ij} = \frac{\sum_{k=1}^{n} \left( x_{ik} - \overline{x_i} \right)\left( x_{jk} - \overline{x_j} \right)}{\sqrt{\sum_{k=1}^{n} \left( x_{ik} - \overline{x_i} \right)^2 \sum_{k=1}^{n} \left( x_{jk} - \overline{x_j} \right)^2}} $$
(4)
$$ A_j = \sum_{i=1}^{m} \left( 1 - r_{ij} \right) $$
(5)

In the formulas, rij denotes the correlation coefficient between indicator i and indicator j, xik and xjk denote the data of object k under indicator i and indicator j, respectively, and Aj denotes the conflict between indicator j and the other indicators.

4) From formula (6), the weights of the indicators are w1, w2, w3 and w4:

$$ w_j = \frac{\sigma_j A_j}{\sum_{k=1}^{m} \sigma_k A_k} $$
(6)
5) From the weight of each indicator and the value of each business object under each indicator, the business importance α is obtained:

$$ \alpha = \sum_{j=1}^{m} w_j x_{ij}^* $$
(7)

2.4 Asset Value Calculation

After obtaining the asset's assigned levels of confidentiality, integrity and availability and the importance of the business it carries, we use the multiplication method to calculate the asset's value. The specific calculation is as follows:

Let the value of asset j be dj, its confidentiality, integrity and availability levels be c, i and a, and its business importance be α. The asset value is then calculated as:

$$ d_j = \sqrt[3]{\alpha \cdot c \cdot i \cdot a} $$
(8)
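As an added illustration that is not part of the paper, the following Python implements steps 1) to 5) of Sect. 2.3 and formula (8). The five asset rows are constructed sample data (ranking, level, scope, category), not the paper's Table 4; only the organization ranking indicator is treated as smaller-is-better, as Sect. 3.2 does.

```python
"""CRITIC-weighted business importance (formulas 1-7) and asset value (formula 8)."""
import math
from typing import List, Sequence, Tuple


def normalize(column: Sequence[float], smaller_is_better: bool) -> List[float]:
    """Formula (1) if a smaller raw value is better, otherwise formula (2)."""
    hi, lo = max(column), min(column)
    if hi == lo:
        # The indicator cannot separate the objects; give every object the same
        # default value (Sect. 2.2). Its standard deviation is then 0, so it
        # receives zero weight in formula (6) and the other weights still sum to 1.
        return [1.0] * len(column)
    if smaller_is_better:
        return [(hi - x) / (hi - lo) for x in column]
    return [(x - lo) / (hi - lo) for x in column]


def std_pop(values: Sequence[float]) -> float:
    """Formula (3): population standard deviation (divides by n)."""
    mean = sum(values) / len(values)
    return math.sqrt(sum((v - mean) ** 2 for v in values) / len(values))


def pearson(a: Sequence[float], b: Sequence[float]) -> float:
    """Formula (4): correlation coefficient between two indicator columns."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    num = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    den = math.sqrt(sum((x - ma) ** 2 for x in a) * sum((y - mb) ** 2 for y in b))
    return num / den if den else 0.0  # constant column: treat as uncorrelated


def weights_from_sigma_conflict(sigmas: Sequence[float], conflicts: Sequence[float]) -> List[float]:
    """Formula (6): w_j = sigma_j * A_j / sum_k(sigma_k * A_k)."""
    products = [s * a for s, a in zip(sigmas, conflicts)]
    total = sum(products)
    return [p / total for p in products]


def critic_weights(columns: List[List[float]]) -> List[float]:
    """Formulas (3)-(6) on normalized indicator columns (one list per indicator)."""
    sigmas = [std_pop(c) for c in columns]
    # Formula (5): A_j = sum_i (1 - r_ij); the j==i term contributes 0.
    conflicts = [sum(1.0 - pearson(ci, cj) for ci in columns) for cj in columns]
    return weights_from_sigma_conflict(sigmas, conflicts)


def business_importance(matrix: List[List[float]],
                        smaller_is_better: List[bool]) -> Tuple[List[float], List[float]]:
    """Formulas (1)-(7). matrix rows are objects, columns indicators.
    Returns (indicator weights, business importance alpha per object)."""
    n_ind = len(matrix[0])
    cols = [normalize([row[j] for row in matrix], smaller_is_better[j]) for j in range(n_ind)]
    w = critic_weights(cols)
    alphas = [sum(w[j] * cols[j][i] for j in range(n_ind)) for i in range(len(matrix))]
    return w, alphas


def asset_value(alpha: float, c: float, i: float, a: float) -> float:
    """Formula (8): cube root of alpha * c * i * a."""
    return (alpha * c * i * a) ** (1.0 / 3.0)


# Constructed sample assets: (organization ranking, organization level,
# influence range, business category). Not the paper's data.
SAMPLE_ASSETS = [[1, 5, 5, 5], [2, 5, 5, 2], [15, 4, 4, 4], [60, 3, 3, 5], [100, 2, 2, 3]]
SMALLER_IS_BETTER = [True, False, False, False]  # only the ranking is reversed

if __name__ == "__main__":
    weights, alphas = business_importance(SAMPLE_ASSETS, SMALLER_IS_BETTER)
    print("weights:", [round(w, 3) for w in weights])
    for k, alpha in enumerate(alphas, start=1):
        # Constructed CIA levels of 5 for every sample asset, to isolate alpha.
        print(f"A{k}: alpha={alpha:.4f} value={asset_value(alpha, 5, 5, 5):.3f}")
```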

3 Evaluation Examples and Results Analysis

This paper uses bank assets obtained from the extranet as the valuation objects, applies the above calculation method to obtain the value of each asset, and compares the results with those of the traditional method.

3.1 Instance Data

In order to determine the values of the indicators selected for the calculation of business importance, the analysis is performed here on the actual assets. From the literature [11], we know the ranking of the organizations to which bank extranet assets belong, and from the literature [12], we can classify the organizations owning bank information system assets into five major levels: state-owned large banks, state-owned commercial banks, regional urban commercial banks, rural banks in each county and district, and private banks. For a bank information system, the impact range of the business can be reflected by the impact range of the organization to which the asset belongs, so the impact range is divided into five categories: global, national, province/municipality/autonomous region, city and county, assigned values in descending order of range. Combined with the actual evaluation objects and according to the literature [13], the services carried by the bank's extranet assets can be classified into five major categories: transaction-type services, customer exchange services, online investment services, information services and other services. Transaction services include money transfers and credit operations performed by individuals or companies; they are the highest level of banking service system and definitely have access to the bank's internal network. Customer exchange services cover the communication of information, documents or files between the customer and the bank [14, 15]; this is a higher-level service system with access to the bank's internal network. Online investment services [16] allow customers to purchase the various financial products launched by the bank. Information services publish information that can be accessed by everyone; this is the most basic type of business and has no access to the bank's internal network. Other services include various forms of special value-added services, such as utility payment services. The business categories are assigned according to the degree of connection to the bank's internal network and the level of the service system, see Table 2. Through the above analysis, the 18 acquired bank extranet assets are organized as shown in Table 3. (The 18 selected assets S1-S18 are the ICBC about-ICBC system, China Construction Bank deposit and loan and bank card system, China Construction Bank investment and finance system, Agricultural Bank of China personal service system, Agricultural Bank of China talent recruitment system, Bank of China personal financial system, Bank of China electronic banking system, Bank of JIANGSU personal business system, Chongqing Rural Commercial Bank savings business system, Chengdu Rural Commercial Bank's personal financial service system, Bank of Chongqing's personal business system, TRC Bank's savings business system, Bank of Dongguan's personal business system, NRC Bank's savings business system, Bank of Tangshan's email system, XIAOSHAN Rural Commercial Bank savings business system, and ZJB's savings business system.)

Table 2. Assignment of business importance indicators.
Table 3. Asset information form.

3.2 Business Importance Calculation

We use organization ranking (Index 1), organization level (Index 2), scope of influence (Index 3) and business type (Index 4) as the four indicators for assessing the importance of the business carried on the bank's assets. The four indicators are quantified according to Table 2, and the results are shown in Table 4.

Table 4. Quantification of business importance indicators.

We use formula (1) and formula (2) to reverse- or forward-process the values of the assets under the above four indicators. For assets, the smaller the value under the organization ranking indicator, the better, while the larger the value under the three indicators of organization level, impact area and business category, the better. From Table 4, asset S3 takes the value x31 = 2 under the organization ranking indicator, and the data under this indicator have a maximum of 100 and a minimum of 1. Substituting into formula (1), the reverse-processed value of x31 is \(x_{31}^* = \frac{100 - 2}{{100 - 1}} = 0.9899\). The value x32 of asset S3 under the organization level indicator is 5, and the data under this indicator have a maximum of 5 and a minimum of 2. Substituting into formula (2), we get \(x_{32}^* = \frac{5 - 2}{{5 - 2}} = 1\). Likewise, the values x33 and x34 of S3 under the influence range and business category indicators become \(x_{33}^* = 1\) and \(x_{34}^* = 1\) after processing by formula (2). The values of the other assets under the four indicators are processed in the same way.

After the above processing, the mean values of the four indicators are 0.669, 0.519, 0.528 and 0.819 in order. Substituting the 18 values under the organization ranking indicator and the mean of that indicator into formula (3) gives a standard deviation of 0.362; the standard deviations of the other indicators are obtained in the same way, and the results are shown in Table 5. From formula (4) and formula (5), the magnitude of the conflict between each indicator and the other indicators is 1.457, 1.558, 1.486 and 3.735, respectively.

From formula (6), we can obtain the weight w1 of the organizational ranking indicator:

$$ w_1 = \frac{0.362 \cdot 1.457}{0.362 \cdot 1.457 + 0.460 \cdot 1.558 + 0.461 \cdot 1.486 + 0.330 \cdot 3.735} = 0.167 $$

Similarly, the weight w2 of the organization level indicator is 0.227, the weight w3 of the influence range indicator is 0.217, and the weight w4 of the business category indicator is 0.389.

Table 5. CRITIC method to calculate the weighting process.

From Table 4, the values of asset S3 under the four indicators are 2, 5, 5 and 5, which become 0.9899, 1, 1 and 1 after processing. With the indicator weights (0.167, 0.227, 0.217, 0.389), the importance α3 of the business on asset S3 is obtained from formula (7) as:

$$ \alpha_3 = w_1 \cdot 0.9899 + w_2 \cdot 1 + w_3 \cdot 1 + w_4 \cdot 1 = 0.9983 $$

Similarly, we can get the importance of the business carried by other assets, see Table 6.

3.3 Value Assessment

Based on the method described in Sect. 2, the three major security attributes of the bank's extranet assets are assigned, see Table 6. The confidentiality of an asset is mainly evaluated from the degree to which it may be disclosed; for example, the confidentiality of deposit-related data within a bank is the highest, and once disclosed it would have a very serious impact on the normal operation of the bank. Integrity is evaluated from the damage to the entire organization if the integrity of the asset is breached. Availability is measured by the damage caused to the organization if the asset's function is interrupted. Assets that carry transaction-type services must have a connection channel to the bank's internal network, so their confidentiality, integrity and availability are of the highest level. Assets that run customer exchange services generally have connection channels to the bank's internal network. Assets that carry online investment services have a certain connection to the bank's internal network. Assets carrying information services and other services have no connection channel to the bank's internal network, so their C, I and A take lower values than the previous ones, and assets that carry other services take the lowest CIA values of all.

Table 6. Asset value indicators.

From Table 6, the C, I and A values of asset S3 and the importance of the business it carries are 5, 5, 5 and 0.9983, respectively. Substituting into formula (8), the value d3 of asset S3 is:

$$ d_3 = \sqrt[3]{0.9983 \cdot 5 \cdot 5 \cdot 5} = 4.997 $$

The remaining assets are evaluated by the same method, and the results are listed in Table 7.

Table 7. Comparison of asset value results.

3.4 Results Analysis and Comparison

For bank extranet assets, the comparison between the evaluation results of this paper's method and of the traditional method, which considers only the three security attributes, is shown in Table 7. The ranking of asset values obtained by the traditional method [17], from highest to lowest, is (S1, S3, S5, S7, S9, S10, S11, S12, S13, S14, S15, S17, S18, S8, S4, S2, S6, S16), where assets S1 to S15 and assets S17 and S18 all obtain an asset value of 5, and assets S8, S2, S4 and S6 all obtain an asset value of 3. The asset values obtained by the method in this paper, ranked from highest to lowest, are (S1, S3, S5, S7, S9, S8, S12, S14, S10, S4, S11, S13, S15, S17, S18, S2, S6, S16), and the value of every asset is different. Clearly, many assets receive the same value under the traditional method, making it impossible to distinguish the value of assets that carry different business types in the same organization or assets that carry the same business type in different organizations, whereas the results calculated with the business importance factor proposed in this paper distinguish these assets clearly. For assets S3 and S4, which belong to the same organization but carry different types of business, the traditional method gives values of 5 and 4, and the method in this paper gives 4.997 and 4.006. Both methods value asset S3 higher than asset S4, which indicates that the proposed method is correct and feasible. For asset S9 and asset S12, which are both personal business systems, the C, I and A values are the same, so the traditional method gives the same result of 5 for both and cannot tell which is more valuable, while the method of this paper gives 4.464 and 4.370. Although the CIA values of the two assets are the same, Table 7 shows that the importance of the business carried on S9 is higher than that of S12. Therefore, the value of asset S9 is higher than that of asset S12, which indicates that for assets carrying the same type of business in different organizations, the results calculated by this method distinguish the assets better than the traditional method.

The above examples show that, in addition to the confidentiality, integrity and availability factors that affect the value of assets, it is necessary to consider the importance of the business carried by the assets. Doing so not only reduces the influence of subjective factors but also solves the problem that traditional methods cannot distinguish the value of different assets carrying the same type of business. Therefore, it is practical and realistic to use this paper's method to assess the value of assets.

4 Conclusions

Objectivity, accuracy and ease of differentiation are the goals that information asset value assessment must achieve. In this paper, in addition to the three security attributes of confidentiality, integrity and availability, we propose that the value of assets is also influenced by the importance of the business they carry, and we use the multiplication method to calculate the value of assets. We use the CRITIC weighting method to assign weights to four objective evaluation indicators that measure business importance, organization rank, organization level, service scope and business category, and then calculate business importance from the obtained weights and the forward- or reverse-processed indicator data. The feasibility of the proposed method is verified by evaluating the value of bank assets obtained from the extranet. The method can also be applied to other organizations to calculate the value of their assets in preparation for subsequent risk assessment work.