Risk assessment presentation of information security by the risks map

Authors

  • Volodymyr Mokhor, Pukhov Institute for Modeling in Energy Engineering of the National Academy of Sciences of Ukraine, Kyiv, Ukraine, https://orcid.org/0000-0001-5419-9332
  • Oleksandr Bakalynskyi, Department of Formation and Implementation of State Policy on Cyber Protection, Administration of the State Service of Special Communications and Information Protection of Ukraine, Kyiv, Ukraine, https://orcid.org/0000-0001-9712-2036
  • Vasyl Tsurkan, Institute of Special Communication and Information Protection, National Technical University of Ukraine "Igor Sikorsky Kyiv Polytechnic Institute", Kyiv, Ukraine, https://orcid.org/0000-0003-1352-042X

DOI:

https://doi.org/10.20535/2411-1031.2018.6.2.153494

Keywords:

Information security risk, information security risk assessment, rating scale, risk map, discrete risk map, continuous risk map.

Abstract

The presentation of information security risk assessments by risk maps is considered. In practice such a map is drawn on a coordinate plane whose axes are the two parameters of an information security risk: the likelihood of the risk and the magnitude of the loss. The map determines the acceptability of individual or grouped information security risks. Acceptability is established by choosing the assessment scale (qualitative, quantitative, or qualitative-quantitative) and the dimensionality of the map (cells of equal size or of different size). Both equal-size and different-size risk maps mainly use linguistic rating scales (for example, "very low", "low", "medium", "high", "very high"). This approach is limited by the difficulty of comparing estimates of the two parameters, risk likelihood and loss magnitude, which in turn makes it hard to decide whether an assessed risk is acceptable and, consequently, whether to treat it. The limitation is overcome by combining linguistic and ordinal scales: the combination makes risk assessments comparable and gives the map clear boundaries. Discrete maps with clear (discrete) boundaries are further supplemented by colour coding: acceptable assessments are shown in green, unacceptable ones in red. The level of acceptability is set by the expert and depends on the expert's knowledge, skills, preparedness and experience. The adequacy of a discrete information security risk map is determined by its dimensionality, so the dimensionality can be increased when necessary. On the one hand, this makes it possible to take intermediate values of information security risk into account; on the other hand, it leads to the enumeration of a large number of (likelihood, loss magnitude) pairs, makes them harder to perceive and increases the time needed to decide whether to treat unacceptable information security risks.
Thus the use of discrete maps is limited by the difficulties of assessing, comparing and accounting for (risk likelihood, loss magnitude) pairs. These difficulties can be addressed by presenting information security risk assessments on a continuous map.
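As an added worked example (not code from the paper or its authors), the following Python implements the constructs the abstract describes: a linguistic scale combined with an ordinal scale, a two-colour discrete map whose acceptability threshold is set by the assessor, the growth in cells to enumerate when the scale is lengthened, and a continuous map whose boundary is an iso-risk curve. The product-of-ranks score, the 5-point scale, the numeric threshold and the sample risk register are assumptions for illustration; the paper leaves all of them to the expert.

```python
"""Discrete and continuous information security risk maps.

Added illustration, not the paper's code. Assumed conventions (the paper
leaves them to the assessing expert): a 5-point linguistic scale on both
axes mapped to ordinal ranks 1..5, a cell score equal to the product of
the two ranks, and a fixed acceptability threshold.
"""
from dataclasses import dataclass
from typing import Dict, List

# Linguistic scale combined with an ordinal scale: each label gets a rank,
# which is what makes estimates on the two axes comparable.
SCALE: Dict[str, int] = {"very low": 1, "low": 2, "medium": 3,
                         "high": 4, "very high": 5}
LABELS: List[str] = list(SCALE)  # insertion order == rank order


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str  # linguistic label on the likelihood axis
    loss: str        # linguistic label on the loss-magnitude axis

    def score(self) -> int:
        """Ordinal score of the (likelihood, loss) pair (assumed: product)."""
        return SCALE[self.likelihood] * SCALE[self.loss]


def colour(score: float, threshold: float) -> str:
    """Two-colour acceptability: green below the expert's threshold, else red."""
    return "green" if score < threshold else "red"


def discrete_map(threshold: float, labels: List[str] = LABELS) -> List[List[str]]:
    """Colour grid indexed [loss_rank - 1][likelihood_rank - 1].

    `labels` controls dimensionality: a longer scale gives a finer map but
    len(labels) ** 2 cells for the expert to enumerate and review.
    """
    ranks = {lab: i + 1 for i, lab in enumerate(labels)}
    return [[colour(ranks[p] * ranks[l], threshold) for p in labels]
            for l in labels]


def render(grid: List[List[str]], labels: List[str] = LABELS) -> str:
    """Text rendering: loss rank grows downward, likelihood rank to the right."""
    head = "loss \\ likelihood | " + " ".join(str(i + 1) for i in range(len(labels)))
    rows = [head]
    for lab, row in zip(labels, grid):
        cells = " ".join("R" if c == "red" else "G" for c in row)
        rows.append(f"{lab:>17} | {cells}")
    return "\n".join(rows)


def compare(a: Risk, b: Risk) -> int:
    """-1, 0 or 1 ordering two risks. With labels alone, ("low", "very high")
    and ("high", "low") cannot be ordered; the ordinal ranks make it possible."""
    return (a.score() > b.score()) - (a.score() < b.score())


def cells_to_review(scale_len: int) -> int:
    """(likelihood, loss) pairs an expert must enumerate on a square map."""
    return scale_len * scale_len


def continuous_colour(p: float, loss: float, threshold: float) -> str:
    """Continuous map: likelihood p in [0, 1], loss in money units.

    The acceptability boundary is the iso-risk curve p * loss = threshold,
    so intermediate values are placed exactly instead of rounded into a cell.
    """
    if not 0.0 <= p <= 1.0 or loss < 0:
        raise ValueError("p must be in [0, 1] and loss must be non-negative")
    return colour(p * loss, threshold)


if __name__ == "__main__":
    register = [  # constructed sample risks, not from the paper
        Risk("ransomware on file server", "low", "very high"),
        Risk("lost unencrypted laptop", "high", "low"),
        Risk("phishing of help desk", "medium", "medium"),
    ]
    THRESHOLD = 10  # assumed expert-chosen acceptability level
    print(render(discrete_map(THRESHOLD)))
    for r in register:
        print(f"{r.name}: score {r.score()} -> {colour(r.score(), THRESHOLD)}")
    print("cells on a 7-point map:", cells_to_review(7))
    print("continuous (p=0.2, loss=40000):",
          continuous_colour(0.2, 40_000, 10_000))
```

Changing `LABELS` to a 7-point scale shows the trade-off the abstract describes: the map distinguishes intermediate values, but `cells_to_review` grows from 25 to 49 pairs, each of which the expert must place relative to the threshold.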

Author Biographies

Volodymyr Mokhor, Pukhov Institute for Modeling in Energy Engineering of the National Academy of Sciences of Ukraine, Kyiv, Ukraine

corresponding member of the National Academy of Sciences of Ukraine, doctor of technical sciences, professor, director

Oleksandr Bakalynskyi, Department of Formation and Implementation of State Policy on Cyber Protection, Administration of the State Service of Special Communications and Information Protection of Ukraine, Kyiv, Ukraine

head of department

Vasyl Tsurkan, Institute of Special Communication and Information Protection, National Technical University of Ukraine "Igor Sikorsky Kyiv Polytechnic Institute", Kyiv, Ukraine

candidate of technical sciences, associate professor at the academic department of cybersecurity and application of information systems and technologies

Published

2018-12-30

How to Cite

Mokhor, V., Bakalynskyi, O., & Tsurkan, V. (2018). Risk assessment presentation of information security by the risks map. Collection "Information Technology and Security", 6(2), 94–104. https://doi.org/10.20535/2411-1031.2018.6.2.153494

Section

INFORMATION SECURITY RISK MANAGEMENT