
    An Information Systems Security Risk Assessment Model Under Dempster-Shafer Theory of Belief Functions

    This is the author's final draft. The publisher's official version is available from: . This study develops an alternative methodology for the risk analysis of information systems security (ISS): an evidential reasoning approach under the Dempster-Shafer theory of belief functions. The approach has the following important dimensions. First, the evidential reasoning approach provides a rigorous, structured manner to incorporate relevant ISS risk factors, related countermeasures and their interrelationships when estimating ISS risk. Secondly, the methodology employs the belief function definition of risk, that is, ISS risk is the plausibility of information system security failures. The proposed approach has other appealing features, such as facilitating cost-benefit analyses to help promote efficient ISS risk management. The paper both elaborates the theoretical concepts and provides operational guidance for implementing the method. The method is illustrated using a hypothetical example from the perspective of management and a real-world example from the perspective of external assurance providers. Sensitivity analyses are performed to evaluate the impact of important parameters on the model's results.

    The Dempster-Shafer Theory of Belief Functions for Managing Uncertainties: An Introduction and Fraud Risk Assessment Illustration

    This is the author's final draft. The publisher's official version is available electronically from: <http://onlinelibrary.wiley.com/journal/10.1111/%28ISSN%291835-2561>. The main purpose of this paper is to introduce the Dempster-Shafer theory ("DS" theory) of belief functions for managing uncertainties, specifically in the auditing and information systems domains. We illustrate the use of DS theory by deriving a fraud risk assessment formula for a simplified version of a model developed by Srivastava, Mock, and Turner (2007). In our formulation, fraud risk is the normalized product of four risks: the risk that management has incentives to commit fraud, the risk that management has opportunities to commit fraud, the risk that management has an attitude to rationalize committing fraud, and the risk that the auditor's special procedures will fail to detect fraud. We demonstrate how to use such a model to plan for a financial audit where management fraud risk is assessed to be high. In addition, we discuss whether audit planning is better served by an integrated audit/fraud risk assessment as now suggested in SAS 107 (AICPA 2006a, see also ASA 200 in AUASB 2007) or by the approach illustrated in this paper, where a parallel, but separate, assessment is made of audit risk and fraud risk.

    An Introduction to Evidential Reasoning for Decision Making under Uncertainty: Bayesian and Belief Functions Perspectives

    The main purpose of this article is to introduce the evidential reasoning approach, a research methodology, for decision making under uncertainty. The Bayesian framework and the Dempster-Shafer theory of belief functions are used to model uncertainties in the decision problem. We first introduce the basics of the DS theory and then discuss the evidential reasoning approach and related concepts. Next, we demonstrate how specific decision models can be developed from the basic evidential diagrams under the two frameworks. It is interesting to note that developing Bayesian models of decision problems using the evidential reasoning approach is quite efficient compared to using the ladder diagram approach found in the auditing literature. In addition, we compare the decision models developed in this paper with similar models developed in the literature.

    Loss Distribution Approach for Operational Risk Capital Modelling under Basel II: Combining Different Data Sources for Risk Estimation

    The management of operational risk in the banking industry has undergone significant changes over the last decade due to substantial changes in the operational risk environment. Globalization, deregulation, the use of complex financial products and changes in information technology have resulted in exposure to new risks very different from market and credit risks. In response, the Basel Committee on Banking Supervision has developed a regulatory framework, referred to as Basel II, that introduced an operational risk category and corresponding capital requirements. Over the past five years, major banks in most parts of the world have received accreditation under the Basel II Advanced Measurement Approach (AMA) by adopting the loss distribution approach (LDA), despite there being a number of unresolved methodological challenges in its implementation. Different approaches and methods are still under hot debate. In this paper, we review methods proposed in the literature for combining different data sources (internal data, external data and scenario analysis), which is one of the regulatory requirements for AMA.

    An Evidential Reasoning Approach to Sarbanes-Oxley Mandated Internal Control Risk Assessment

    This is the peer reviewed version of the following article: Mock, T., L. Sun, R. P. Srivastava, and M. Vasarhelyi. "An Evidential Reasoning Approach to Sarbanes-Oxley Mandated Internal Control Risk Assessment under Dempster-Shafer Theory", 2009, ABACUS, Vol. 45, No. 1, pp. 66-87, which has been published in final form at http://doi.org/10.1016/j.accinf.2008.10.003. This article may be used for non-commercial purposes in accordance with Wiley Terms and Conditions for Self-Archiving. In response to the enactment of the Sarbanes-Oxley Act 2002 and the release of the Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 5, this study develops a risk-based evidential reasoning approach for assessing the effectiveness of internal controls over financial reporting (ICoFR). This approach provides a structured methodology for assessing the effectiveness of ICoFR by considering relevant factors and their interrelationships. The Dempster-Shafer theory of belief functions is utilized for representing risk. First, we develop a generic ICoFR assessment model based upon a Big 4 audit firm's approach and apply it to a real-world example. Then, based on this model, we develop a quantitative representation of various levels of ICoFR effectiveness and related risk assessment as defined by the PCAOB and contrast these representations with levels implied by Auditing Standard No. 5. In doing so, we demonstrate the potential value of formal risk assessment models both in facilitating the assessment of risks in an individual engagement and in assessing the effects of different regulations.

    Sequential Two-Player Games with Ambiguity

    If players' beliefs are strictly non-additive, the Dempster-Shafer updating rule can be used to define beliefs off the equilibrium path. We define an equilibrium concept in sequential two-person games where players update their beliefs with the Dempster-Shafer updating rule. We show that in the limit as uncertainty tends to zero, our equilibrium approximates Bayesian Nash equilibrium by imposing context-dependent constraints on beliefs under uncertainty.

    Alternative Form of Dempster's Rule for Binary Variables

    This is the author's final draft. The publisher's official version is available electronically from: . This article develops an alternative form of Dempster's rule of combination for binary variables. This alternative form not only provides closed-form formulae for efficient computation but also enables researchers to develop closed-form analytical formulae for assessing risks such as information security risk, fraud risk, audit risk, independence risk, etc., involved in assurance services. We demonstrate the usefulness of the alternative form in calculating the overall information security risk and also in developing an analytical model for assessing fraud risk.