Digital security vulnerabilities and threats implications for financial institutions deploying digital technology platforms and application: FMEA and FTOPSIS analysis

Digital security consideration in IoTs, CC and BD integration

Studies have attempted to classify digital security threats and vulnerabilities for IoTs, CC, and BDA into security risk dimensions. A cursory review of the literature found that the risks influenced the overall benefits of deploying IoTs, CC, and BDA for data management. According to Li & Tang (2013), the identification and prioritization of critical threats and vulnerabilities should find security dimensions to be potential threats to digital platforms and the use of applications. Our study considered these threats when classifying the vulnerabilities and risks for the deployment and use of IoTs, CC and BDA.

FMEA and Fuzzy theory application

FMEA has been shown to be a useful analytical tool for evaluating potential risk identification failures and preventative measures. FMEA is defined by Stamatis (2003) as “an analysis technique for defining, identifying and eliminating known or potential failures, problems, errors and so on from system, design, process and services before they reach the customer”. FMEA outlines the process of identifying potential failure modes, causes, effects, and challenges affecting the overall systems, hardware reliability, software applications, and the safety of the system (Kim & Zuo, 2018). FMEA identifies the potential failure modes based on their criticality to the systems (Kangavari et al., 2015). Measuring the risk priority number (RPN) is determined as the product of Occurrence (Occ), Severity (Sev), and Detection (Det) of a failure mode defined in Eq. (1). In Eq. (1), Occ is the frequency of occurrence of the failure mode, Sev is the extent of the effect of the failure mode, and Det is the probability of detecting the failure before it impacts each system. Groups of decision-makers evaluate the three risk parameters (Occ, Sev, and Det) by providing an assessment value with specific scales for each identified failure mode. A high RPN for any failure mode requires adequate attention to provide corrective measures to the system. (1)${\displaystyle RPN=Occ\times Sev\times Det}$

The use of FMEA has been combined with other techniques to improve its efficacy (Liu, Liu & Liu, 2013). Zadeh (1965) developed the fuzzy set theory to address phenomena characterized by uncertainty or complexities under FMEA conditions. The fuzzy set is able to offer more accurate results with the subjective opinions of FMEA experts. Hadi-Venchec & Aghajani (2013) proposed a fuzzy analysis to examine expert views using linguistic terms to evaluate their independent judgment to control failures. Likewise, Carpitella et al. (2018) proposed a combined multi-criteria approach to support FMEA for a group of experts to optimize maintenance activities.

Fuzzy sets are expressed in linguistic terms through fuzzy triangular or trapezoidal numbers (Ramzali, Reza & Ghodousi, 2015). Linguistic variables represent triangular or trapezoidal fuzzy numbers quantitatively to reflect the responses given by experts (Zadeh, 1965). The linguistic variables are expressed to show the fuzzy ratings for failure modes to determine the weighted criteria of risk factors. The linguistic terms and fuzzy numbers for Occ indicate the probability of a failure mode occurring. Severity explains the level of impact of the failure mode affecting the system. The Det scale also shows the extent to which the system could identify failures modes within a specified period.

Crisp RPN values have been criticized due to the subjectivity of quantifying the linguistic scale although FMEA risk analysis has yielded several results. Focus on fuzzy number aggregation to determine the ranking of RPN for risk factors has been criticized because it does not reflect a fair representation of FMEA group assessments. In response to these limitations, approaches such as a technique for ordering preference by similarity to ideal solution (TOPSIS), analytic hierarchy process (AHP), and data envelopment analysis (DEA) have been proposed in the literature. The TOPSIS and AHP techniques seek to support decision-makers with alternatives under certain conditions (Sun, Wu & Liu, 2006). In line with the above, we adopted the FTOPSIS multi-criteria decision method to support FMEA in estimating potential vulnerabilities and threats. The FTOPSIS extends traditional TOPSIS to improve the application of linguistic variables for rating criteria for failure modes under FMEA and fuzzy environment (Chen, 2000).

Methodology

We present the research design, the sampling method, questionnaire design, data collection and analysis in the following sections to provide holistic insight into the prevailing threats and vulnerabilities in IoTs, BDA, and CC integration for data management.

Implementation of data analysis

The FMEA and Fuzzy TOPSIS analysis involved data aggregation for a fuzzy group and weight matrix, a fuzzy normalized matrix, a fuzzy ideal solution, and calculation of coefficient scores closeness. We used FMEA to categorize threats and vulnerabilities by the probability of occurrence, the severity of occurrence, and the extent to which the vulnerabilities were detected. Fuzzy TOPSIS further defined the fuzzy set functions. This enabled us to aggregate experts’ responses regarding the occurrence, severity, and detection of digital threats and vulnerabilities. This in turn allowed us to determine the group decision matrix. Considering the subjective nature of expert opinions, the Fuzzy TOPSIS also provided a systematic step to normalize the aggregated responses before determining the criticality of values to rank and prioritize the failure modes under investigation.

The experimental design for the methodology is presented in Fig. 1, detailing a step-by-step procedure used to achieve the research objectives. The experimental design provided a statistical procedure for data collection and analysis to yield valid and objective conclusions for this study (Montgomery, 2017). Our experimental design began by identifying experts and collecting data. Experts were identified based on their understanding of the terms and specific data for each digital security criterion. Once this stage was satisfied, the questionnaires were distributed to the appropriate experts within the IT security units. The data reflected the extent to which risks and vulnerabilities occurred and their severity and detectability of the use of IoTs, BDA, and CCs. The second stage of our study transformed the linguistic scales of expert rankings into associated fuzzy trapezoidal numbers using Excel Visual Basic to ensure the reliability of the data set for mathematical modelling. Thus, for the fuzzification of stages 3 to 6 we used Fuzzy TOPSIS mathematical modelling to derive the aggregated fuzzy group matrix, the weighted fuzzy matrix, the normalized fuzzy matrix, the distance for ideal solutions, and the closeness of coefficient scores. We used the closeness of coefficient scores to prioritize and rank the vulnerabilities and threats identified in the context of digital security risks.

Step 1

Fuzzy set A is defined as the membership function that includes elements of the universe X to the unit interval [0,1] (Zadeh, 1965). Accordingly, fuzzy set A in X is characterized by membership function $f_A\left(x\right)$, the corresponding points for each X must be real numbers in the interval [0,1] representing x with set A (Zadeh, 1965). The value of $f_A\left(x\right)$ is assumed to be more significant to the membership of X to set A if it is closer to 1. We adapted the trapezoidal fuzzy number $\tilde{A}$ which is represented as $\left(a_1,a_2,a_3,a_4\right)$ as shown by Ramzali, Reza & Ghodousi (2015) in Eq. (2).

For any given two positive trapezoidal numbers, $\tilde{A}$ = $\left(a_1,a_2,a_3,a_4\right)$ and $\tilde{B}$ = $\left(b_1,b_2,b_3,b_4\right)$ with positive real numbers, the basic operations for fuzzy set theory are defined in Eqs. (3) to (6) (Zadeh, 1965; Bojadziev & Bojadziev, 2007).

(3)${\displaystyle \tilde{A}\oplus \tilde{B}=\left[a_1+b_1,a_2+b_2,a_3+b_3,a_4+b_4\right]}$ (4)${\displaystyle \tilde{A}\ominus \tilde{B}=\left[a_1-b_1,a_2-b_2,a_3-b_3,a_4-b_4\right]}$ (5)${\displaystyle \tilde{A}\otimes \tilde{B}=\left[a_1{b}_1,a_2{b}_2,a_3{b}_3,a_4{b}_4\right]}$ (6)${\displaystyle \tilde{A}\otimes r=\left[a_{1}r,a_{2}r,a_{3}r,a_{4}r\right]}$

Again, given m as cross-functional decision makers $D{M}_k\left(,2,\dots ,m\right)k=1$ in a FMEA team is responsible for evaluating a set of n failure modes FM _i (i = 1,2, …, n) with respect to Occurrence, Severity, and Detection risk factors. Therefore, $a_{ij1}^k,b_{ij2}^k,c_{ij3}^k,d_{ij4}^k$ are the fuzzy ratings provided by each DM_k to evaluate FM _i for Occ, Sev, and Det expressed in Eqs. (7), (8) and (9). (7)${\displaystyle Occ=\left(a_{ij1}^k,b_{ij2}^k,c_{ij3}^k,d_{ij4}^k\right)}$

(8)${\displaystyle Sev=\left(a_{ij1}^k,b_{ij2}^k,c_{ij3}^k,d_{ij4}^k\right)}$ (9)${\displaystyle Det=\left(a_{ij1}^k,b_{ij2}^k,c_{ij3}^k,d_{ij4}^k\right)}$

The aggregated fuzzy group decision matrix was derived from Ghoushchi, Yousefi & Khazaeili (2019) as formulated in Eq. (10). Given that ${\widetilde{\mathrm{FM}}}_{\mathrm{I}}$ = DM assessment of ${\widetilde{\mathrm{FM}}}_{\mathrm{I}}$ (i = 1, 2, …, m) with respect to Occ, Sev, and Det risk factors. The trapezoidal values for Occ, Sev, and Det are calculated for each failure mode under their respective dimensions. (10)${\displaystyle {\widetilde{FM}}_i=\left({\tilde{A}}_{ij}=\frac{1}{k}\ast \sum _k^l{a}_{ij1}^k,{\tilde{B}}_{ij}=\frac{1}{k}\ast \sum _k^l{b}_{ij2}^k,{\tilde{C}}_{ij}=\frac{1}{k}\ast \sum _k^l{c}_{ij3}^k,{\tilde{D}}_{ij}=\frac{1}{k}\ast \sum _k^l{d}_{ij4}^k\right).}$ Similarly, each aggregated fuzzy weight denoted as ${\tilde{w}}_j$ was derived using Eq. (11) with respect to Occ, Sev, and Det factors for each failure mode by each DM_k. (11)${\displaystyle {\tilde{w}}_j=\left(w_{j1},w_{j2},w_{j3},w_{j4}\right)=\left({\tilde{w}}_1=\frac{w_{j1}}{k},{\tilde{w}}_2=\frac{w_{j2}}{k},{\tilde{w}}_3=\frac{w_{j3}}{k},{\tilde{w}}_4\frac{w_{j4}}{k}\right)}$

Step 2

The cost attributes procedure was used to compute the ${\tilde{R}}_{ij}$ in Eq. (12) to determine the normalized decision matrix since vulnerabilities and risk are used for this study. The cost attribute in Eq. (13) represents the minimum value for $a_j^{-}$ for each vulnerability respective to Occ, Sev, and Det. Therefore, the normalized fuzzy weights (${\tilde{z}}_{ij}$) were computed using Eq. (16) for the group decision matrix for each vulnerability and risk failure mode for Occ, Sev, and Det; the result is in Table 2.

(12)${\displaystyle N=\left[\begin{array}{cccc}\hfill r_{11}\hfill & \hfill r_{12}\hfill & \hfill \cdots \hfill & \hfill r_{1j}\hfill \\ \hfill r_{21}\hfill & \hfill r_{22}\hfill & \hfill \dots \hfill & \hfill r_{2j}\hfill \\ \hfill ⋮\hfill & \hfill \dots \hfill & \hfill \ddots \hfill & \hfill ⋮\hfill \\ \hfill r_{i1}\hfill & \hfill r_{i2}\hfill & \hfill \cdots \hfill & \hfill r_{ij}\hfill \end{array}\right]}$ (13)${\displaystyle {\tilde{r}}_{ij}=\left\{\begin{array}{c}\left(\frac{a_{ij}}{d^{+}},\frac{b_{ij}}{d^{+}},\frac{c_{ij}}{d^{+}},\frac{d_{ij}}{d^{+}}\right)\mathrm{if}\mathrm{j}\mathrm{is}\mathrm{a}\text{benefit attribute}\hfill \\ \hfill \\ \left(\frac{a_j^{-}}{d_{ij}},\frac{a_j^{-}}{c_{ij}},\frac{a_j^{-}}{b_{ij}},\frac{a_j^{-}}{a_{ij}}\right)\mathrm{if}\mathrm{j}\mathrm{is}\mathrm{a}\text{cost attribute}\hfill \end{array}\right.}$ (14)${\displaystyle d_j^{+}=maxof{d}_{ij}\text{if j is a benefit attribute}}$ (15)${\displaystyle a_j^{-}=minof{a}_{ij}\text{if j is a cost attribute}}$ (16)${\displaystyle {\tilde{z}}_{ij}=w_j.{\tilde{r}}_{ij}}$

Where ${\tilde{r}}_{ij}$ $=\left(\frac{a_j^{-}}{d_{ij}},\frac{a_j^{-}}{c_{ij}},\frac{a_j^{-}}{b_{ij}},\frac{a_j^{-}}{a_{ij}}\right)$ as described in Eq. (13).

Step 3

In the next stage we computed the fuzzy ideal positive and negative solution in Eqs. (17) to (23) (Carpitella et al., 2018). The Fuzzy Positive Ideal Solution (FPIS) and Fuzzy Negative Ideal Solution (FNIS) are further defined in Eqs. (17) and (18), respectively (Chen, 2000).

(17)${\displaystyle V^{\ast }=\left({\tilde{z}}_{i1}^{\ast },{\tilde{z}}_{i2}^{\ast },\dots {\tilde{z}}_{ij}^{\ast }\right)}$ (18)${\displaystyle V^{-}=\left({\tilde{z}}_{i1}^{-},{\tilde{z}}_{i2}^{-},\dots {\tilde{z}}_{ij}^{-}\right)}$

Where (19)${\displaystyle {\tilde{z}}_{ij}^{\ast }=max{\tilde{v}}_{ij}\left(max{a}_{ij},max{b}_{ij},max{c}_{ij},max{d}_{ij}\right)}$ (20)${\displaystyle {\tilde{z}}_{ij}^{-}=min{\tilde{v}}_{ij}\left(min{a}_{ij},min{b}_{ij},min{c}_{ij},min{d}_{ij}\right)}$

The distance for two generic Trapezoidal Fuzzy Numbers (TrFNs) is calculated in Eq. (21). For the crisp value for each failure mode, this was done after determining $min{\tilde{v}}_{ij}$ and $max{\tilde{v}}_{ij}$ for Occ, Sev, and Det (Khalili-damghani & Sadi-nezhad, 2013). Therefore, $\tilde{A}=\left(a_1,a_2,a_3,a_4\right)$ and $\tilde{B}=\left(b_1,b_2,b_3,b_4\right)$ represents the TrFNs for each ${\widetilde{FM}}_i$ for Occ, Sev, and Det factor. (21)${\displaystyle d\left(\tilde{A},\tilde{B}\right)\sqrt{\frac{1}{4}\left[{\left(a_1-b_1\right)}^2+{\left(a_2-b_2\right)}^2+{\left(a_3-b_3\right)}^2+{\left(a_4-b_4\right)}^2\right]}}$

Furthermore, the fuzzy ideal solution for each alternative d _i is then aggregated for the whole set of failure modes for related distances d^∗ and d⁻ by Eqs. (22) and (23). Table 3 shows the result of a fuzzy ideal solution for each failure mode.

(22)${\displaystyle FPIS\left(d^{\ast }\right)=\sum _{j=1}^{n}d\left({\tilde{z}}_{ij}\right)i=1,\dots ,n}$ (23)${\displaystyle FNIS\left(d^{-}\right)=\sum _{j=1}^{n}d\left({\tilde{z}}_{ij}\right)i=1,\dots ,n}$

Step 4

Failure mode rankings are finally computed using the closeness of coefficient (CC) in Eq. (24). The final results are shown in Table 4 and indicates the closeness of coefficient score rankings for all vulnerabilities under each dimension (Javadian et al., 2009). (24)${\displaystyle C{C}_i=\frac{FNIS}{FNIS+FPIS}.}$