
Six Sigma Methodology On Risk Assessment Of Banking Information Systems Security

Posted on: 2008-05-23
Degree: Master
Type: Thesis
Country: China
Candidate: X Q Yang
GTID: 2189360242959321
Subject: Industrial Economics

Abstract/Summary:
This thesis applies Six Sigma methodology to the risk assessment of banking information systems security. It rests on two assumptions: (1) the bank has already adopted Six Sigma as its corporate management strategy, and (2) the bank has already begun applying Six Sigma to company-wide process improvement.

A fuzzy comprehensive evaluation (FCE) model is used to calculate the total risk value; utility theory (rendered in this thesis as "effect theory") is used to measure the differences between risk assessments and their accuracy; and Six Sigma process-improvement methods are used to improve the calculation of the information systems security risk value and to establish baselines for the risk assessment process.

On this basis, two key problems in risk assessment are addressed:
1. How to measure the difference in risk value between a high-loss, low-probability risk case and a low-loss, high-probability risk case when both have the same expected loss.
2. How to measure the difference in risk acceptance level between organizations of different scale that are exposed to the same risk.

The goals are to reduce information systems security risk effectively, to improve the accuracy and credibility of risk assessment, and to raise the quality of the risk assessment process. The ultimate goal is to assure the continuous, uninterrupted operation of the enterprise.

The main contributions of the thesis are:
1. A total risk value assessment model, based on the risk calculation model in the draft national standard "Information Systems Security Risk Assessment Guide", which supplies the overall risk assessment framework. The model combines Six Sigma process improvement with fuzzy comprehensive evaluation to calculate the total risk value accurately. Current risk evaluation models in China are mostly qualitative; this thesis uses quantitative approaches so that the results are more direct and convincing.
2. A method for calculating the occurrence probability of a risk case, based on the FCE model and combining the three major risk assessment factors: the probability that a threat acts, the vulnerability level of the asset, and the protection mechanisms currently applied to the asset. Six Sigma is also used to set baselines for every step of the risk assessment process.
3. An effect (utility) measurement model for risk assessment, which introduces the utility function into the information systems security field and uses its inverse to define an absolute loss effect and a relative loss effect. The absolute loss effect measures the difference in risk value between a high-loss, low-probability case and a low-loss, high-probability case with the same expected loss; the relative loss effect measures the difference in risk acceptance level between organizations of different scale facing the same expected loss. The existing risk assessment model cannot capture either difference because it rests on expected loss alone; the model proposed here can, and so improves the applicability, accuracy and credibility of risk assessment.
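The following Python example is added here to illustrate the two mechanisms the abstract describes; it is not the thesis's own code. It computes a risk case's occurrence probability by fuzzy comprehensive evaluation over the three factors named above (threat activity, asset vulnerability, existing protection), then shows why a plain expected-loss risk value cannot separate a rare, severe case from a frequent, minor case with the same expected loss, while a certainty-equivalent loss obtained through the inverse of a utility function can. The grade scale, the factor weights, the membership degrees, the exponential disutility function with constant risk aversion, the relative-loss acceptance tolerance and every sample figure are assumptions chosen for the illustration, not values from the thesis.

```python
"""Added illustration of FCE occurrence probability and utility (effect) based risk
comparison.  Not the thesis's code; all weights, grades, utility forms and figures are
assumptions made for the example."""
import math
from typing import Sequence

# Five likelihood grades and the representative annual occurrence probability assumed for each.
GRADES = ("very low", "low", "medium", "high", "very high")
GRADE_PROB = (0.05, 0.20, 0.45, 0.70, 0.90)


def fce(weights: Sequence[float], membership: Sequence[Sequence[float]]) -> list:
    """Fuzzy comprehensive evaluation B = W * R with the weighted-average M(., +) operator.

    weights: one weight per assessment factor, summing to 1.
    membership: one row per factor; each row gives the factor's membership degree in
    each likelihood grade (rows sum to 1).  Returns the fuzzy grade vector B.
    """
    if abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("factor weights must sum to 1")
    for row in membership:
        if len(row) != len(GRADES) or abs(sum(row) - 1.0) > 1e-9:
            raise ValueError("each membership row must cover all grades and sum to 1")
    return [sum(w * row[j] for w, row in zip(weights, membership)) for j in range(len(GRADES))]


def occurrence_probability(b: Sequence[float]) -> float:
    """Defuzzify the grade vector by weighting each grade's representative probability."""
    return sum(bj * p for bj, p in zip(b, GRADE_PROB)) / sum(b)


def dominant_grade(b: Sequence[float]) -> str:
    """Maximum-membership principle: the grade with the largest membership degree."""
    return GRADES[max(range(len(b)), key=lambda j: b[j])]


# --- Utility (effect) measurement of a risk case: loss L with probability p, else 0 ---

def loss_disutility(loss: float, a: float) -> float:
    """Exponential disutility of a loss with constant absolute risk aversion a > 0 (assumed form)."""
    return math.expm1(a * loss) / a


def inverse_disutility(u: float, a: float) -> float:
    """Inverse of loss_disutility: the certain loss whose disutility is u."""
    return math.log1p(a * u) / a


def expected_loss(p: float, loss: float) -> float:
    """Conventional risk value: probability times loss."""
    return p * loss


def absolute_loss_effect(p: float, loss: float, a: float = 0.02) -> float:
    """Certainty-equivalent loss: the inverse utility of the expected disutility.

    With a > 0 (risk aversion) this exceeds p * loss, and it grows faster for rare,
    severe losses than for frequent, minor ones with the same expected loss."""
    return inverse_disutility(p * loss_disutility(loss, a), a)


def relative_loss_effect(p: float, loss: float, asset_scale: float, a_rel: float = 2.0) -> float:
    """The same measure applied to the loss as a fraction of the organization's asset scale."""
    return absolute_loss_effect(p, loss / asset_scale, a_rel)


def acceptable(p: float, loss: float, asset_scale: float, tolerance: float = 0.02) -> bool:
    """Assumed acceptance rule: relative loss effect within `tolerance` of the asset base."""
    return relative_loss_effect(p, loss, asset_scale) <= tolerance


def worked_example() -> dict:
    # Constructed assessment of one risk case against one asset (hypothetical figures).
    weights = (0.40, 0.35, 0.25)  # threat occurrence, asset vulnerability, existing protection
    membership = (
        (0.00, 0.10, 0.50, 0.30, 0.10),  # threat activity: mostly "medium"
        (0.00, 0.20, 0.40, 0.30, 0.10),  # vulnerability: moderate weaknesses
        (0.30, 0.40, 0.20, 0.10, 0.00),  # protection: controls make the attack less likely
    )
    b = fce(weights, membership)
    p = occurrence_probability(b)
    asset_loss = 100.0  # loss if the risk case occurs (assumed units)
    return {
        "grade_vector": b,
        "dominant_grade": dominant_grade(b),
        "occurrence_probability": p,
        "expected_loss": expected_loss(p, asset_loss),
        "absolute_loss_effect": absolute_loss_effect(p, asset_loss),
        # Two cases with identical expected loss 1.0 that expected loss cannot tell apart:
        "rare_severe": absolute_loss_effect(0.01, 100.0),
        "frequent_minor": absolute_loss_effect(0.50, 2.0),
        # The same risk case faced by a large and by a small organization:
        "large_org_accepts": acceptable(0.01, 100.0, asset_scale=1000.0),
        "small_org_accepts": acceptable(0.01, 100.0, asset_scale=100.0),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```

Running the script prints the fuzzy grade vector (dominant grade "medium", defuzzified probability about 0.46), the expected loss and the larger certainty-equivalent loss for the assessed case, then the two comparisons: the rare, severe case (p = 0.01, L = 100) and the frequent, minor case (p = 0.5, L = 2) both have expected loss 1.0, but their absolute loss effects are roughly 3.10 and 1.01, and the identical risk case is acceptable to the organization with ten times the asset base but not to the smaller one. The risk-aversion coefficients and the tolerance are the knobs an assessor would calibrate; the Six Sigma baselining the thesis describes is not modelled here.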
Keywords/Search Tags: risk assessment; Six Sigma; fuzzy comprehensive evaluation; effect (utility) measurement model