Analysis of information security risk assessment representation methods

Authors

  • Volodymyr Mokhor, Pukhov Institute for Modeling in Energy Engineering of the National Academy of Sciences of Ukraine, Kyiv, Ukraine, https://orcid.org/0000-0001-5419-9332
  • Oleksandr Bakalynskyi, Department of Formation and Implementation of State Policy on Cyber Protection, Administration of the State Special Communications, Kyiv, Ukraine, https://orcid.org/0000-0001-9712-2036
  • Vasyl Tsurkan, Institute of Special Communication and Information Protection, National Technical University of Ukraine “Igor Sikorsky Kyiv Polytechnic Institute”, Kyiv, Ukraine, https://orcid.org/0000-0003-1352-042X

DOI:

https://doi.org/10.20535/2411-1031.2018.6.1.153189

Keywords:

Information security risk, information security risk assessment, tree of risks, rose (star), helix of risks, risk map, acceptability risk corridor

Abstract

Methods of representing information security risk assessments are considered. They are divided into the tree of risks, the rose (star) and helix of risks, the risk map, and the acceptability corridor of risks. The tree of risks is built with the classic tree-construction method; its elements represent individual risks or groups of risks. The rose (star) and the helix are built on circular diagrams. These diagrams reflect the sequence in which information security risks are considered, and that sequence is used to rank the risks in a comparative analysis. A rose (star) displays only one parameter of information security risk from the selected set, but roses built for different parameters can be overlaid on one another; using this method therefore amounts to building a family of roses (stars) of information security risk assessments. Among the known representation methods, the information security risk map is found to be the most widely used. The risk map represents assessments in terms of the probability of threat realization and the amount of losses. Because this form of representation is versatile, risk maps can be combined, compared, overlaid and integrated. Risk maps are accordingly divided into general and applied ones. A characteristic feature of general risk maps is the presence or absence of an evaluation scale. When a scale is present, the risk value is evaluated qualitatively or quantitatively; when it is absent, the assessment reduces to selecting areas on the risk map. For each identified area, interval values of the probability of threat realization and of the size of the risk are set. The acceptability corridor of information security risks is set individually for each organization from its most probable estimates.
These estimates determine the areas of acceptability of information security risks. Thus, analyzing the methods for representing information security risk assessments by tree, rose (star), helix, map and acceptability corridor allowed their advantages and disadvantages to be defined. It also allowed the direction of further research on representing information security risk assessments with a risk map to be chosen.
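The risk map with interval scales and an organization-specific acceptability corridor, as an added illustration in Python (this is not code from the paper or its authors). The qualitative interval bounds for both axes, the corridor thresholds on expected loss, and the sample risks are all assumed values chosen for the example; a real organization sets its own, as the abstract notes. The `overlay` function goes slightly beyond the abstract by showing one concrete way several maps can be combined cell by cell.

```python
"""Risk map with interval scales and an acceptability corridor.

Added illustration, not the paper's own code. Every scale bound, the corridor
thresholds and the sample risks below are assumed values chosen for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Assumed qualitative scales: (label, lower bound inclusive, upper bound exclusive).
PROBABILITY_SCALE = [
    ("rare", 0.0, 0.05),
    ("unlikely", 0.05, 0.25),
    ("possible", 0.25, 0.50),
    ("likely", 0.50, 0.80),
    ("almost certain", 0.80, 1.0 + 1e-9),  # top band must still contain p == 1.0
]
# Assumed loss bands in monetary units.
LOSS_SCALE = [
    ("negligible", 0, 10_000),
    ("minor", 10_000, 100_000),
    ("moderate", 100_000, 1_000_000),
    ("major", 1_000_000, 10_000_000),
    ("catastrophic", 10_000_000, float("inf")),
]


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # probability of threat realization, 0..1
    losses: float       # amount of losses if the threat is realized


def band_index(value: float, scale: Sequence[Tuple[str, float, float]]) -> int:
    """Index of the interval [lo, hi) on the scale that contains value."""
    for i, (_, lo, hi) in enumerate(scale):
        if lo <= value < hi:
            return i
    raise ValueError(f"{value!r} is outside the scale")


def place(risk: Risk) -> Tuple[int, int]:
    """Cell of the map for a risk: (probability band, loss band)."""
    if not 0.0 <= risk.probability <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    if risk.losses < 0:
        raise ValueError("losses must be non-negative")
    return band_index(risk.probability, PROBABILITY_SCALE), band_index(risk.losses, LOSS_SCALE)


def acceptability(risk: Risk, corridor: Tuple[float, float]) -> str:
    """Classify a risk against the organization's corridor (lower, upper).

    The quantitative risk value is the expected loss R = probability * losses.
    Below the corridor the risk is acceptable, inside it tolerable (needs an
    explicit decision), above it unacceptable. Corridor bounds are assumed values.
    """
    lower, upper = corridor
    if not 0 <= lower < upper:
        raise ValueError("corridor must satisfy 0 <= lower < upper")
    r = risk.probability * risk.losses
    if r < lower:
        return "acceptable"
    if r <= upper:
        return "tolerable"
    return "unacceptable"


def overlay(*maps: Sequence[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Overlay several risk maps (e.g. one per department) cell by cell."""
    cells: Dict[Tuple[int, int], List[str]] = {}
    for risks in maps:
        for risk in risks:
            cells.setdefault(place(risk), []).append(risk.name)
    return cells


def render(risks: Sequence[Risk], corridor: Tuple[float, float]) -> str:
    """ASCII map: rows are probability bands (highest on top), columns are loss bands.

    Each cell lists its risks as name/first letter of acceptability (A, T, U).
    """
    cells: Dict[Tuple[int, int], List[str]] = {}
    for risk in risks:
        tag = f"{risk.name[:5]}/{acceptability(risk, corridor)[0].upper()}"
        cells.setdefault(place(risk), []).append(tag)
    width = 10
    lines = [" " * 16 + "".join(label[:width].ljust(width + 1) for label, _, _ in LOSS_SCALE)]
    for p in range(len(PROBABILITY_SCALE) - 1, -1, -1):
        row = PROBABILITY_SCALE[p][0][:15].ljust(16)
        for c in range(len(LOSS_SCALE)):
            row += " ".join(cells.get((p, c), []))[:width].ljust(width) + "|"
        lines.append(row)
    return "\n".join(lines)


# Constructed sample risks (not from the paper).
SAMPLE_RISKS = [
    Risk("phishing", 0.60, 50_000),
    Risk("ransomware", 0.30, 5_000_000),
    Risk("lost badge", 0.10, 2_000),
    Risk("dc fire", 0.01, 20_000_000),
]
CORRIDOR = (20_000, 200_000)  # assumed organization-specific bounds on expected loss

if __name__ == "__main__":
    print(render(SAMPLE_RISKS, CORRIDOR))
    for r in SAMPLE_RISKS:
        print(f"{r.name:12s} cell={place(r)} -> {acceptability(r, CORRIDOR)}")
```

The half-open intervals make every value fall into exactly one band, and the top probability band is widened by a tiny epsilon so that a certainty of 1.0 is not rejected; the "dc fire" sample sits exactly on the upper corridor bound and is deliberately classed as tolerable rather than unacceptable, so the inclusive edge of the corridor is a documented choice rather than an accident.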

Author Biographies

Volodymyr Mokhor, Pukhov Institute for Modeling in Energy Engineering of the National Academy of Sciences of Ukraine, Kyiv, Ukraine

corresponding member of the National Academy of Sciences of Ukraine, doctor of technical sciences, professor, director

Oleksandr Bakalynskyi, Department of Formation and Implementation of State Policy on Cyber Protection, Administration of the State Special Communications, Kyiv, Ukraine

head of department

Vasyl Tsurkan, Institute of Special Communication and Information Protection, National Technical University of Ukraine “Igor Sikorsky Kyiv Polytechnic Institute”, Kyiv, Ukraine

candidate of technical sciences, associate professor at the academic department of cybersecurity and application of information systems and technologies

Published

2018-06-30

How to Cite

Mokhor, V., Bakalynskyi, O., & Tsurkan, V. (2018). Analysis of information security risk assessment representation methods. Collection "Information Technology and Security", 6(1), 75–84. https://doi.org/10.20535/2411-1031.2018.6.1.153189

Section

INFORMATION SECURITY RISK MANAGEMENT