ABSTRACT: This paper develops comprehensive formulas for assessing the risk and reliability of "Systems Security" under the Dempster-Shafer theory of belief functions, using the Trust Services framework proposed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). In addition, we discuss how these formulas can be used for planning and evaluating "Systems Security" risk under the SysTrust services. The analytical formulas are derived for a tree-structured evidential diagram that is obtained by converting the exact network-structured evidential diagram. Using an analytical formula eliminates the computational complexity of propagating beliefs through a network and allows the assurance provider to combine evidence in a simple spreadsheet. We provide theoretical justification and perform sensitivity analyses to show that the analytical formula based on the tree-type evidential diagram is a good approximation of the exact network model under realistic conditions. However, as shown both theoretically and through the sensitivity analysis, the analytical formula gives significantly different results when the input beliefs are strongly negative. It should be noted that the analytical formula based on the tree model yields a more conservative assessment of information systems risk than the exact network model.
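The abstract refers to combining evidence under Dempster-Shafer theory and to the effect of negative input beliefs. The following is an added example, not code from the paper, that implements Dempster's rule of combination for a single SysTrust-style assertion ("the system is secure") on the binary frame {S, N}. Each evidence item is expressed as a pair of masses, one supporting the assertion and one against it, with the remainder assigned to ignorance; the paper's tree-structured analytical formulas are not reproduced here, and the evidence values in the usage function are constructed for illustration.

```python
from itertools import product

# Frame of discernment for one assertion: S = "the system is secure" holds,
# N = it does not.  A mass function assigns belief mass to subsets of {S, N};
# mass on the whole frame represents ignorance (committed to neither outcome).
FRAME = frozenset({"S", "N"})
SECURE = frozenset({"S"})
NOT_SECURE = frozenset({"N"})


def mass(m_s=0.0, m_n=0.0):
    """Build a mass function from positive evidence m_s and negative
    evidence m_n about the assertion; whatever is left is ignorance."""
    if m_s < 0 or m_n < 0 or m_s + m_n > 1 + 1e-12:
        raise ValueError("masses must be non-negative and sum to at most 1")
    return {SECURE: m_s, NOT_SECURE: m_n, FRAME: 1.0 - m_s - m_n}


def combine(m1, m2):
    """Dempster's rule of combination for two independent mass functions.

    Mass on pairs of focal elements with empty intersection is conflict;
    it is discarded and the remaining mass is renormalised.
    """
    joint = {}
    conflict = 0.0
    for (a, ma), (b, mb) in product(m1.items(), m2.items()):
        inter = a & b
        if not inter:
            conflict += ma * mb
        else:
            joint[inter] = joint.get(inter, 0.0) + ma * mb
    if conflict >= 1.0 - 1e-12:
        raise ValueError("evidence is totally conflicting; cannot combine")
    return {k: v / (1.0 - conflict) for k, v in joint.items()}


def belief(m, hypothesis):
    """Bel(H): total mass on subsets of H."""
    return sum(v for k, v in m.items() if k <= hypothesis)


def plausibility(m, hypothesis):
    """Pl(H): total mass on sets that intersect H (Pl(H) = 1 - Bel(not H))."""
    return sum(v for k, v in m.items() if k & hypothesis)


def assess(evidence):
    """Combine a list of (m_s, m_n) evidence items for one assertion.

    Returns belief that the assertion holds, its plausibility, and the
    residual risk, taken here as Pl(N): the extent to which "not secure"
    cannot be ruled out by the evidence.
    """
    m = mass()  # vacuous mass function: total ignorance before any evidence
    for m_s, m_n in evidence:
        m = combine(m, mass(m_s, m_n))
    return {
        "bel_secure": belief(m, SECURE),
        "pl_secure": plausibility(m, SECURE),
        "risk": plausibility(m, NOT_SECURE),
    }


def demo():
    """Constructed evidence values (assumed, not from the paper)."""
    # Two items of supporting evidence only: no conflict, belief accumulates
    # as 1 - (1 - 0.6)(1 - 0.5) = 0.8 and risk falls to 0.2.
    positive_only = assess([(0.6, 0.0), (0.5, 0.0)])
    # One supporting and one strongly negative item: 0.42 of the joint mass
    # is conflict and must be renormalised away, so the result is sensitive
    # to the negative input.
    mixed = assess([(0.6, 0.0), (0.0, 0.7)])
    return positive_only, mixed


if __name__ == "__main__":
    for label, result in zip(("positive only", "mixed"), demo()):
        print(label, {k: round(v, 4) for k, v in result.items()})
```

The second case in `demo` is where the abstract's caveat matters: once a sizeable share of the joint mass is conflict, the renormalisation in Dempster's rule redistributes it, and any approximation that treats the evidence as non-conflicting (as a simplified tree formula may) will diverge from the exact combination.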
