Transactions on Computer Science and Technology December 2014, Volume 3, Issue 4, PP.140-145
The Analysis and Research Based on DEA Model and Super Efficiency DEA Model for Assessment of Classified Protection of Information Systems Security Jing Gao#,Yongjun Shen, Guidong Zhang, Qi Zhou School of Information Science & Engineering, Lanzhou University, Lanzhou Gansu Province 730000, China #
Email: gaoj12@lzu.edu.cn
Abstract As decision making units with eight units, which classified protection of information systems security are second-level. Using data envelopment analysis (DEA) model and super efficiency DEA method establish the assessment model of information systems security management effectiveness, and then by calculating the relative efficiency value and the super efficiency value of each unit, security management efficiency values of the units are sorted completely. Conclusions show that the same level of classified protection of information system security, the method can solve the issue for distinguishing security management efficiency of the decision making units. Keywords: Classified Protection of Information Systems Security; DEA Model; Super Efficiency DEA Model
1 INTRODUCTION The classified protection of information systems security (referred to CPISS) is divided into five levels [1].Through a detailed evaluation scores, the situation of information security of the measuring object can be judged whether to achieve the appropriate level of requirements. However, the existing evaluation results are still some limitations, mainly reflecting its conclusion only if the measured object to achieve the appropriate level of security, but at the same level strengths and weaknesses of different security level is difficult to visually reflect the measured object, but also from the perspective of input and output is more difficult to analyse the efficiency value of information systems security management (referred to ISSM). The ISSM is a typical multi-input and multi-output model, its diversified input types, complex integrated environment between different systems, output indicators difficult to quantitative analysis. The traditional evaluation methods are difficult to make an objective evaluation of the input-output ratio of an organization's ISSM. Present domestic and foreign for the evaluation methods of the ISSMâ€&#x;s effectiveness mainly include neural networks method, fuzzy comprehensive evaluation method, artificial immune method, etc. This paper attempts to use the data envelopment analysis (DEA), on the basis of traditional evaluation data of the CPISS mining, under the same level of protection levels, to achieve a quantitative assessment of the different decision-making unit (unit under test) is input production the ratio, and use this to give its evaluation value of the ISSM. This article will use the model of DEA projection analysis, and the use of improved model of traditional DEA algorithm gives management decision analysis and optimization recommendations of invalid unit.
2 DEA MODEL AND ITS IMPROVEMENT 2.1 Model Overview and Effectiveness Meanings 1978, by the famous operations research expert, Professor University of Texas and the United States A. Charnes, - 140 http://www.ivypub.org/cst
W.W. Cooper and E. Rhodes to "evaluate the relative efficiency" formally proposed based on the concept of data envelopment analysis (referred to as the DEA [2]), DEA using mathematical programming models, evaluation the relative effectiveness (called DEA efficient) between the "sector" or "organization" with multiple inputs, especially multiple output (referred to as "decision making unit", abbreviated DMU). The main idea of DEA model is to use input and output data of each DMU to construct the "effective production frontier." If a DMU is located in the efficient production frontier, it is called DEA efficiency that means output has reached its maximum under the current input, otherwise it is DEA inefficiency. The production frontier refers to the surface that composed by the most-advantage of the input and output data of the observed DMU. DEA efficiency includes technology efficiency and scale efficiency. Technical efficiency: If the production state ( x, y) is satisfied, the state ( x, y) is called technology efficiency (i.e. in terms of the output relative to the input has reached its maximum). At this time, the point ( x, y) is located on the surface of the production function. Scale efficiency means neither too large nor too small in inputs, which the returns to scale is the status between increment and decrement, that means in the status of constant returns to scale. The literature [3] pointed out that the overall technical efficiency (OTE) = technical efficiency (TE) × scale efficiency (SE). We define that the highest efficiency is set to 1, the relative efficiency of the other evaluation unit is set between 0-1. When an evaluation unit while achieving scale efficiency and technology efficiency, it is called overall efficiency, and its overall efficiency reaches 1.
2.2 The C2R Model and the BC2 Model The relevant literature [3] has been defined the C2R model, here only given its duality planning. The duality model of the C2R model is ( DC 2 R ) I : min (eT s eˆT s _ ) s.t. n j x j s x0 ( DC 2 R ) I j 1 n j y j s y0 j 1 j 0, j 1,..., n s 0, s 0
(1 y f ( x) ) This model can be solved by the simplex method. Among them, e (1,...,1)T E m , eˆ (1,...,1)T E s , is nonArchimedean infinitely small quantity, s 、s are slack variables, and s E s , s E m .The literature [2] has proved that the equation (1) has a group optimum solution, and is the comprehensive technical efficiency of this DMU j0 . Sets 0 , j0 ( j 1,..., n ), s 、s as the optimal solution of the equation (1), and there are the following judgment:
0 1 , then is DEA inefficiency;
0 1 , s 0 s 0 0 , DMU j is DEA efficiency.
_
0
2
The C R model is the assumption of constant returns to scale. This assumption is often too strict, and difficult to meet in many cases. If add a convexity assumption in C2R model, we can obtain the equation (2) for the duality model of BC2 with a non-Archimedean infinitesimal . Because the BC2 model can only assess the technical efficiency of each DMU, so this is technical efficiency only. Set 0 , 0j ( j 1,..., n ), s 、s are the optimal solution of the equation (2), its determination conditions is the same as the equation (1). - 141 http://www.ivypub.org/cst
min (eT s eˆT s ) s.t. n j 1 j x j s x0 ( DBC 2 ) I nj 1 j y j s y0 n j j 1 0, j 1,..., n j s 0, s 0 _
(2)
2.3 The Definitions about DEA Analysis of Returns to Scale and Analysis of Projection In the C2R model, when 1n j0 =1, DMU j is constant returns to scale, which represents the output increases with the 0
increasing of input, but the "speed" of it is constant; when
n 1
0j <1, it is increasing returns to scale, which means
that the output increases with the increasing of input, but the "speed" of it is incremental; when 1n j0 >1, it is decreasing returns to scale, which means that the output increases with the increasing of input, but its "speed" is decremental. Projection value (ideal value) can directly reflect the real demand for current input resources of DMU, and may reach a maximum output capacity. The projection of the point ( x0 , y0 ) for non-DEA efficiency, which is in the surface for the production frontier, is served ( xˆ0 , yˆ0 ) , and s Set 0 , 0j ( j 1,..., n ), s 、s as the optimal solution of the equation (1), and its projection is: xˆ j0 0 x j0 - s 0 1 x j 0j , yˆ j0 = y j0 + s 0 1n y j j0 _
n
(3)
2.4 D. Super-Efficiency DEA Model When using the DEA method to evaluate the relative efficiency of DMU may cause that multiple DMU's overall efficiency values are 1. For such DMU, the C2R model is unable to distinguish the advantages and disadvantages and make a quantitative comparison. In order to solve this problem, the literature [4] proposed a DEA "super-efficient" model, which we call S- C2R model. The basic idea of S-C2R model is: When assessing a DMU, making inputs and outputs of it are replaced by linear combination of all the other DMU's inputs and outputs, which will exclude the in the rest of the DMU's set outside. If a DMU is DEA efficiency and can increase in proportion to their inputs and still maintain the largest proportion of the value of their relative effectiveness, called super-efficiency values for this proportion of the value of the DMU. Obviously the efficiency value may be greater than 1. We illustrate this idea by Figure 1:
FIG. 1 SIMPLIFIED SCHEMATIC FOR S-C2R
In Figure 1, M point is in the efficient production frontier, it was understood that the efficiency of in the C2R model is 1. According to the idea of super-efficiency model, when calculating the efficiency value at point M, M point are excluded from the reference DMU‟s set, so the production frontier has changed from the ABCD to the ABD, at this time the efficiency value of M point is OM'/ OM, and greater than 1. And for which the originally non-DEA efficiency DMU point N, its production frontier is still ABCD in the super-efficiency model. The efficiency value of - 142 http://www.ivypub.org/cst
N point is same as in the C2R model, and it is still ON'/ ON. Take this idea, and combined with C2R model, given the dual programming of S-C2R model: min (eT s eˆT s _ ) s.t. n j x j s x0 ( DS C 2 R ) I j 1, j j0 n y s y0 j 1, j j0 j j j 0, j 1,..., n s 0, s 0
(4)
3 EXAMPLES OF APPLICATIONS 3.1 DEA Evaluation Model about of Information System Security Management Efficiency Building and the DMU’s Input-output Indicators Defining Based on the literature [5-6] principles, each unit that received the same assessment conditions as DMUj, 1<j<n; their input indicators are based on data collected in the field. For their output indicators, considering the actual for specific assessment sub keys nearly 400, each assessment sub key will accumulated the assessment score by the scoring rules (Satisfy the conditions to get 1 point, basically satisfy the conditions to get 0.6 points, does not satisfy the conditions to get 0 points).Then to merge all of the assessment sub keys and divide them into two categories main assessment items, and make the scores for each category main items (full mark is 200 points) as an this DMU's output indicator, so we can obtain the DEA assessment model about the ISSM efficiency. The specific input and output indicators are in Table 1. TABLE 1 DEFINITION OF INPUT AND OUTPUT INDICATORS
Types of Indicator
Serial Number x1
Assessment Indicators Manpower inputs
x2
Terminal inputs
x3
Patch update frequency
Input
Applications effectiveness Management effectiveness
y1 Output y2
Mode of Definition The proportion of specialized staff The average inputs in the core network terminals The patch of system protection update frequency (times / month) Assessment scores (200) Assessment scores (200)
3.2 B. Examples of Applications Effectiveness Analysis In this paper, we choose the eight units, which their assessment levels of CPISS are all second level, as the evaluation objects. Now for each unit according to inputs, outputs indicators for data collection, the results in Table 2. TABLE 2 DATA OF INPUT AND OUTPUT INDICATORS
DMUj 1 2 3 4 5 6 7 8
x1 2.26 2.86 3.64 5.44 8.89 4.57 5.75 6.25
Inputs x2 16360.27 12451.61 17555.56 16636.36 28700.03 22615.38 11266.67 8875.15
Outputs x3 14 20 5 12 10 9 8 12
- 143 http://www.ivypub.org/cst
y1 177.4 199.6 34.8 168.6 102.2 125.6 74 137
y2 165.8 192.6 20.2 149.6 95.6 129.4 82.8 145.2
By DEAP or the others software processing data of Table 2, we can obtain the overall technical efficiency (OTE), technical efficiency (TE), scale efficiency (SE) and returns to scale changes of each DMU, and the results are shown in Table 3. TABLE 3 DATA OF INPUT AND OUTPUT INDICATORS
DMUj 1 2 3 4 5 6 7 8
OTE 1.000 1.000 0.495 1.000 0.729 1.000 0.799 1.000
TE 1.000 1.000 1.000 1.000 0.797 1.000 1.000 1.000
SE 1.000 1.000 0.495 1.000 0.915 1.000 0.799 1.000
n 1
0j
Scale change
1.000 1.000 0.206 1.000 0.676 1.000 0.599 1.000
Constant Constant Increasing Constant Increasing Constant Increasing Constant
The results according to Table 3, in all of the DMU, DMU1, DMU2, DMU4, DMU6 and DMU8 are DEA efficiency, which are both technical efficiency and scale efficiency. DMU3, DMU5, DMU7 are non-DEA efficiency, which DMU3, DMU7 are technical efficiency only, not for scale efficiency, and DMU5 are neither technical efficiency nor scale efficiency. Therefore, these three units have potential for improvement. Below to example for DMU5 for projection-analysis, and the results are shown in Table 4. TABLE 4 RESULTS OF PROJECTION ON DMU5 Types of Indicator
Actual value
Projection value
Projection Distance
Change rate
x1 x2 x3 y1 y2
8.89 28700.03 10 102.2 95.6
4.33 21311.42 7.969 102.2 101.3
4.56 7388.61 2.031 0 -5.7
51.3% 25.7% 25.5% 0 -6.0%
TABLE 5 RESULTS FOR SUPER-EFFICIENCY VALUE ANALYSIS DMUj C2R Efficiency Value S-C2R Efficiency Value
1
2
4
6
8
1.000
1.000
1.000
1.000
1.000
1.24
1.388
1.091
1.153
1.198
Data from Table 3 and Table 4 show that the DMU5„s overall efficiency is 72.9%, while maintaining the current condition of the input-output efficiency, to compare projection value and the original value, its various inputs indicators can be reduced 51.3%, 25.7% and 25.5 % respectively. Meanwhile, the first item of DMU5„s output indicators has reached optimum; the projection value of the second item is negative, which indicate that under the existing inputs conditions, the output of this item is insufficient, and it should also be able to enhance 5.7 points for the evaluation score.
FIG. 2 COMPARISON CHART FOR THE RELATIVE EFFICIENCY OF C2R MODEL AND S-C2R MODEL
Through the above data, managers can analyse the reasons for insufficient of the ISSM efficiency, figure out some problematic aspects, rather than relying on a higher investment to improve the level for ISSM. Apply the S-C2R model to deal with all of the efficiency value of the DMU was 1 in Table 3. The results are shown in Table 5. - 144 http://www.ivypub.org/cst
All of DMUs are sorted by the efficiency value of S-C2R as follows: DMU2 > DMU1 > DMU8 > DMU6 > DMU4 > DMU7 > DMU5 > DMU3. From Figure 2, it is easy to know that in values of all eight units for the ISSM efficiency, the 2nd unit is the highest and the 3rd unit is the lowest.
4 CONCLUSIONS In this paper, used the assessment for the CPISS as application background, the first from the point of view with input-output ratio, by establishing input-output indicators and the establishment of a DEA model of the ISSM efficiency, and using this model gave the relative efficiency value of each unit. Secondly, through the projection results, analysed the reason about the relative efficiency of a unit was the non-DEA efficiency, and calculated the degree of input redundancy and output insufficient. Finally, by virtue of S-C2R model, analysed and sorted the efficiency value of each unit for ISSM based on their super-efficiency value. The results show that the integrated use of DEA model and S-C2R model and projection analysis for the ISSM efficiency can solve the issue that difficult to distinguish the situation of the ISSM efficiency between units under the same classified protection, and can help managers to further clarify the improvement goals and optimize the allocation of resources for information systems security management.
ACKNOWLEDGMENT I would like to express my gratitude to all those who helped me during the writing of this thesis. I gratefully acknowledge the help of my supervisor Professor Shen Yongjun. I do appreciate his patience, encouragement, and professional instructions during my thesis writing. Also, I would like to thank Teacher Zhang Guidong and Ms Zhou Qi, who kindly gave me a hand when I was collecting evaluation data. Last but not the least, my gratitude also extends to my family who have been assisting, supporting and caring for me all of my life.
REFERENCES [1]
Yanhua Yang, Yongjun Shen, Guidong Zhang and Gan Yu. The Grading Scheme Based on Fuzzy Comprehensive Evaluation and Analytic Hierarchy Process for Classified Protection of Information System. 2014 ICSESS, June 27-29, 2014, Beijing
[2]
A. Charnes, W.W. Cooper, E. Rhodes. Measuring the efficiency of decision making units. European Journal of Operational Research 1978(2), 429-444
[3]
Quanling Wei. Data envelopment analysis model for evaluating the relative effectiveness. [M] Beijing: China Renmin University Press Co. LTD, 2012
[4]
P. Andersen and N. C. Petersen, “A procedure for ranking efficient units in data envelopment analysis,” Manage-ment Science, Vol. 39, pp. 1261–1264, 1993
[5]
Huahui Yan, Jingchuan Cui. A Method for Solving Optimal Input-Output Weight in Original CCR Model of DEA. Operations Research and Management Science [J], 2013(12)
[6]
Liang Li, Jingchuan Cui. Selection of input-output items and data disposal in DEA. Journal of Systems Engineering, 2003(6)
[7]
Zhiping Chen, Ruiyue Lin. Main methods for the mutual fund performance evaluation based on DEA models. Journal of Systems Engineering [J], 2005, 20:73-83
AUTHOR Jing Gao (1984 - ), male, Master Degree Candidate, and the main research areas are information security and information management.
- 145 http://www.ivypub.org/cst