Interpretation model of assessments boundary information security risks
Keywords:risk analysis, risk assessment, information security, risk limits, interpretive model
Amendments to the legislation of Ukraine allow building, implementing, and conducting certifications of information protection systems owned by the state, or the requirements for the protection of which are established by law. It is recommended to use the requirements and/or guidelines of international practices that provide for the use of a risk-oriented approach. Thus, the international standard ISO/IES 27001 implemented in Ukraine recommends choosing or developing a method for assessing information security risks. At the same time, the results of the analysis of open sources revealed the absence of models and methods for quantifying their limit values. By informational, we mean the risks associated with the possibility of losses as a result due to violations of the properties of confidentiality, integrity, availability of information. Therefore, the purpose of this article is to develop an interpretive model that will provide the limit values of information security risks. Their quantitative values could be used as criteria at the stage of formation requirements for a comprehensive information security system and / or information security management system. The basis for calculating the value of the risk limit value is the standard deviation of the uncollected profit for the period. If the profit exceeds the planned, then hypothetically during the analysis period there were no incidents that would affect resources. Information risks are a component of the organization's risks. According to the recommendations of ISO/IES 27005, where risk is the effect of uncertainty on the achievement of goals, and the effect is a positive or negative deviation from the expected, the hypothetically obtained standard deviation can be considered an assessment of the impact of information uncertainty of additive information resources on economic results. In addition, assessing the acceptable threshold of information risk of the organization. Thus, an interpretive model for estimating the marginal risks of information security and allowable losses on individual components of threats to the information properties as a formalization of the impact of information uncertainty on financial consequences. This made it possible to quantify these estimates based on available actual economic / cost indicators of information activity in the organization.
Verkhovna Rada of Ukraine, 3st Session. (2020, Jun. 04). Law № 681-IX, On amendments to the Law of Ukraine “On information protection in information and telecommunication systems” to confirm the compliance of the information system with the requirements for information protection. [Online]. Available: https://zakon.rada.gov.ua/laws/show/681-20#Text. Accessed on: Sept. 03, 2020.
Verkhovna Rada of Ukraine, I Convocation. (1994, Jul. 05). Law № 80/94-VR, On information protection in information and telecommunication systems. [Online]. Available: https://zakon.rada.gov.ua/laws/show/80/94-%D0%B2%D1%80#Text. Accessed on: Sept. 03, 2020.
International organization for standardization. (2013, Sept. 25). ISO/IEC 27001, Information technology. Information security management systems. Requirements. [Online]. Available: https://www.iso.org/ru/standard/54534.html. Accessed on: Sept. 03, 2020.
International organization for standardization. (2018, Jul. 09). ISO/IEC 27005, Information technology. Security techniques. Information security risk management. [Online]. Available: https://www.iso.org/ru/standard/75281.html?browse=tc. Accessed on: Sept. 03, 2020.
National Institute of Standards and Technology. (2012, Sept. 18). NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems. [Online]. Available: https://www.ucop.edu/information-technology-services/initiatives/resources-and-tools/sp800-30.pdf. Accessed on: Sept. 03, 2020.
International organization for standardization. (2018, Feb. 14). ISO 31000. Risk management. Guidelines. [Online]. Available: https://www.iso.org/ru/standard/65694.html. Accessed on: Sept. 03, 2020.
International Electrotechnical Commission. (2019, Jun. 17). IEC 31010. Risk management. Risk assessment techniques. [Online]. Available: https://www.iso.org/standard/ 72140.html. Accessed on: Sept. 03, 2020.
Bundestag Standard Institute. (2018, May 07). BSI Standard 200-3: Risk Analysis based on IT-Grundschutz, Version 1.0. [Online]. Available: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi-standard-2003_en_pdf.pdf?__blob= publicationFile&v=2. Accessed on: Sept. 03, 2020.
V. V. Mokhor, and A. M. Bogdanov, “Interpretation ISO GUIDE 73:2009 Risk management – Vocabulary”, Collection of scientific works of the Institute of modeling problems in energy named after G.E. Pukhov of National Academy Sciences of Ukraine, iss. 59, pp. 173-199, 2011.
V. V. Mokhor, and A. M. Bogdanov, “Presentation of standard ISO 31000 Risk Management. Principles and Guidelines in Russian”, Das Management, iss. 3, pp. 5-18, 2011.
V. I. Zavgorodniy, “Information risk paradigm”. [Online]. Available: https://studfile.net/preview/5366710. Accessed on: Sept. 03, 2020.
A. A. Ivanov, S. Y. Oleynikov, and S. A. Bocharov, Risk management. Moscow, Russia: Izd. zentr ЕАОI, 2008.
E. D. Sologentsev, Scenario-based probabilistic risk management in business and technology. Sankt-Peterburg, Russia: Izdatelskiy dom “Biznes-pressa”, 2006.
P. I. Biduyk, B. P. Tkach, and T. Harringon, Mathematical statistics. Kyiv, Ukraine: DP “Vid. dim ”Personal”, 2018.
V. V. Mokhor, A. M. Bohdanov, O. N. Kruk, and V. V. Tsurkan, “Building a risk assessment of information security based on dynamic set of actual threats”, Collection of scientific works of the Institute of modelling problems in energy named after G.E. Pukhov of National Academy Sciences of Ukraine, iss. 56, pp. 87-99, 2010.
How to Cite
Copyright (c) 2020 Information Technology and Security
This work is licensed under a Creative Commons Attribution 4.0 International License.
The authors that are published in this collection, agree to the following terms:
- The authors reserve the right to authorship of their work and pass the collection right of first publication this work is licensed under the Creative Commons Attribution License, which allows others to freely distribute the published work with the obligatory reference to the authors of the original work and the first publication of the work in this collection.
- The authors have the right to conclude an agreement on exclusive distribution of the work in the form in which it was published this anthology (for example, to place the work in a digital repository institution or to publish in the structure of the monograph), provided that references to the first publication of the work in this collection.
- Policy of the journal allows and encourages the placement of authors on the Internet (for example, in storage facilities or on personal web sites) the manuscript of the work, prior to the submission of the manuscript to the editor, and during its editorial processing, as it contributes to productive scientific discussion and positive effect on the efficiency and dynamics of citations of published work (see The Effect of Open Access).