Application of BBN in Information Systems and Operational Risk Management

Literature Review

Weber et al. (2012) presented a bibliographic review of BBN applications in reliability, risk analysis and maintenance domains for the period 2002-2012 and showed that number of articles has a rising trend. They analyzed some 200 references in the field of application of BBN in reliability, risk analysis, and application maintenance, examining a database with over 7,000 BBN references. As one of the main reasons for such a growing trend, they attributed to strengths of Bayesian networks, compared to other classical methods of reliability analysis such as Markov chains, Fault trees, and Petri Nets. Some of these advantages are: the ability to model complex systems, capacity to use BBN for prediction and diagnosis, ability to calculate the exact probability of occurrence of an event and update the calculation on the basis of new evidence, the possibility of presenting multimodal variables and tools for modeling, and compact graphical display of a modeled problems.

Franke et al. (2012) presented a model for decision support in the area of availability of information systems based on BBN. The model parameters are obtained based on the opinions of 50 experts in the area of availability of information systems. Raderius et al. (2009) presented a case study where the availability of the information system was estimated using “extended influence diagrams” - a form of BBN- combined with the architectural metamodel. Hinz and Malinowski (2006) presented the BBN model of IT infrastructure risk. The parameters of this model are obtained using interviews with experts. Weber and Sumner (2001) used the influence diagrams for the economic analysis of information systems availability. Neil et al. (2009) presented a methodology for developing BBN model for managing the operational risk of IT infrastructure in the financial and other institutions. The presented methodology enables modeling of financial losses that may arise as a result of operational risks, including data centers, applications, systems and processes, and in particular services to clients that are supported by information technology. Wei et al. (2011) developed an integrated modeling process based on the BBN for supporting efficient management of IT services. Sommestad and Ekstedt (2009) suggested a model based on the extended influence diagram, which allows the analysis of the cyber security of different architectural solutions. The model supports the selection of the appropriate scenarios, based on relative prices of a countermeasures against loss resulting from the attack. Cemerlic et al. (2008) proposed an intrusions detection system (IDS) based on BBN. Simonsson et al. (2008) proposed a model for measuring the quality of managing information technologies based on BBN. The model was validated in 35 different organizations. Lande et al. (2010) modeled critical information systems by using a BBN model that improves the system resilience by predicting possible failures of the system components. Zhang et al. (2009) presented an innovative model to improve the information system availability based on the BBN in which the data for filling CPT are obtained from system logs. In a review of the statistical methods that can be used for modeling of business continuity management, Bonafede and Cerchiello (2007) provided examples on how to use BBN for this purpose. Linnes (2006) suggested using decision theory for quantifying the costs of network security risks, and presented models based on influence diagrams and decision trees.