Interpretation model of assessments boundary information security risks

Authors

  • Vitalii Bezshtanko, Institute of special communication and information protection of National technical university of Ukraine “Igor Sikorsky Kyiv polytechnic institute”, Kyiv, Ukraine. http://orcid.org/0000-0002-7998-246X
  • Yaroslav Zinchenko, Institute of special communication and information protection of National technical university of Ukraine “Igor Sikorsky Kyiv polytechnic institute”, Kyiv, Ukraine. http://orcid.org/0000-0001-9574-3947

DOI:

https://doi.org/10.20535/2411-1031.2020.8.2.222610

Keywords:

risk analysis, risk assessment, information security, risk limits, interpretive model

Abstract

Amendments to the legislation of Ukraine allow building, implementing, and certifying information protection systems that are owned by the state or whose protection requirements are established by law. It is recommended to use the requirements and/or guidelines of international practice, which provide for a risk-oriented approach. Thus, the international standard ISO/IEC 27001, implemented in Ukraine, recommends choosing or developing a method for assessing information security risks. At the same time, an analysis of open sources revealed the absence of models and methods for quantifying the limit values of these risks. By information risks, we mean the risks associated with the possibility of losses resulting from violations of the confidentiality, integrity, or availability of information. Therefore, the purpose of this article is to develop an interpretive model that provides the limit values of information security risks. Their quantitative values could be used as criteria at the stage of forming requirements for a comprehensive information security system and/or an information security management system. The basis for calculating the risk limit value is the standard deviation of the uncollected profit for the period. If the profit exceeds the planned value, then hypothetically there were no incidents affecting resources during the analysis period. Information risks are a component of the organization's risks. According to the recommendations of ISO/IEC 27005, where risk is the effect of uncertainty on the achievement of goals, and the effect is a positive or negative deviation from the expected, the hypothetically obtained standard deviation can be considered an assessment of the impact of the information uncertainty of additive information resources on economic results, and, in addition, an assessment of the acceptable threshold of the organization's information risk.
Thus, an interpretive model for estimating the marginal risks of information security and the allowable losses on individual components of threats to the information properties is proposed as a formalization of the impact of information uncertainty on financial consequences. This makes it possible to quantify these estimates on the basis of available actual economic/cost indicators of information activity in the organization.
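The abstract states the basis of the model but not its arithmetic; the following is an added illustration, not code from the paper, of that basis: the per-period uncollected profit is zero whenever actual profit meets the plan, the risk limit is the standard deviation of that series (sample standard deviation is an assumption here), and candidate loss estimates for individual information properties are checked against it. The planned/actual figures are constructed.

```python
import statistics
from typing import Sequence


def uncollected_profit(planned: Sequence[float], actual: Sequence[float]) -> list:
    """Per-period shortfall of actual profit against plan.

    Following the abstract: a period whose profit meets or exceeds the plan
    is treated as incident-free, so its uncollected profit is 0.
    """
    if len(planned) != len(actual):
        raise ValueError("planned and actual series must cover the same periods")
    return [max(p - a, 0.0) for p, a in zip(planned, actual)]


def risk_limit(planned: Sequence[float], actual: Sequence[float]) -> float:
    """Risk limit = standard deviation of the uncollected-profit series.

    Assumption (not fixed by the abstract): sample standard deviation with
    n-1 degrees of freedom, which requires at least two periods.
    """
    shortfalls = uncollected_profit(planned, actual)
    if len(shortfalls) < 2:
        raise ValueError("at least two periods are needed for a standard deviation")
    return statistics.stdev(shortfalls)


def within_limit(expected_loss: float, limit: float) -> bool:
    """True if a component's expected loss does not exceed the risk limit."""
    return expected_loss <= limit


# Constructed sample: four periods of planned vs. actual profit (same units).
PLANNED = [100.0, 100.0, 100.0, 100.0]
ACTUAL = [90.0, 105.0, 80.0, 100.0]

if __name__ == "__main__":
    limit = risk_limit(PLANNED, ACTUAL)
    print("shortfalls:", uncollected_profit(PLANNED, ACTUAL))   # [10.0, 0.0, 20.0, 0.0]
    print(f"risk limit (stdev of shortfalls): {limit:.2f}")    # 9.57
    # Hypothetical per-property loss estimates checked against the limit.
    for prop, loss in {"confidentiality": 6.0, "integrity": 12.0}.items():
        print(prop, "acceptable" if within_limit(loss, limit) else "exceeds limit")
```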

Author Biographies

Vitalii Bezshtanko, Institute of special communication and information protection of National technical university of Ukraine “Igor Sikorsky Kyiv polytechnic institute”, Kyiv, Ukraine

candidate of technical sciences, researcher of special research laboratory № 1 at the research center

Yaroslav Zinchenko, Institute of special communication and information protection of National technical university of Ukraine “Igor Sikorsky Kyiv polytechnic institute”, Kyiv, Ukraine

candidate of technical sciences, senior researcher, head of special research laboratory № 1 at the research center

References

Verkhovna Rada of Ukraine, 3rd Session. (2020, Jun. 04). Law № 681-IX, On amendments to the Law of Ukraine “On information protection in information and telecommunication systems” to confirm the compliance of the information system with the requirements for information protection. [Online]. Available: https://zakon.rada.gov.ua/laws/show/681-20#Text. Accessed on: Sept. 03, 2020.

Verkhovna Rada of Ukraine, I Convocation. (1994, Jul. 05). Law № 80/94-VR, On information protection in information and telecommunication systems. [Online]. Available: https://zakon.rada.gov.ua/laws/show/80/94-%D0%B2%D1%80#Text. Accessed on: Sept. 03, 2020.

International organization for standardization. (2013, Sept. 25). ISO/IEC 27001, Information technology. Information security management systems. Requirements. [Online]. Available: https://www.iso.org/ru/standard/54534.html. Accessed on: Sept. 03, 2020.

International organization for standardization. (2018, Jul. 09). ISO/IEC 27005, Information technology. Security techniques. Information security risk management. [Online]. Available: https://www.iso.org/ru/standard/75281.html?browse=tc. Accessed on: Sept. 03, 2020.

National Institute of Standards and Technology. (2012, Sept. 18). NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems. [Online]. Available: https://www.ucop.edu/information-technology-services/initiatives/resources-and-tools/sp800-30.pdf. Accessed on: Sept. 03, 2020.

International organization for standardization. (2018, Feb. 14). ISO 31000. Risk management. Guidelines. [Online]. Available: https://www.iso.org/ru/standard/65694.html. Accessed on: Sept. 03, 2020.

International Electrotechnical Commission. (2019, Jun. 17). IEC 31010. Risk management. Risk assessment techniques. [Online]. Available: https://www.iso.org/standard/72140.html. Accessed on: Sept. 03, 2020.

Bundestag Standard Institute. (2018, May 07). BSI Standard 200-3: Risk Analysis based on IT-Grundschutz, Version 1.0. [Online]. Available: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi-standard-2003_en_pdf.pdf?__blob=publicationFile&v=2. Accessed on: Sept. 03, 2020.

V. V. Mokhor, and A. M. Bogdanov, “Interpretation ISO GUIDE 73:2009 Risk management – Vocabulary”, Collection of scientific works of the Institute of modeling problems in energy named after G.E. Pukhov of National Academy Sciences of Ukraine, iss. 59, pp. 173-199, 2011.

V. V. Mokhor, and A. M. Bogdanov, “Presentation of standard ISO 31000 Risk Management. Principles and Guidelines in Russian”, Das Management, iss. 3, pp. 5-18, 2011.

V. I. Zavgorodniy, “Information risk paradigm”. [Online]. Available: https://studfile.net/preview/5366710. Accessed on: Sept. 03, 2020.

A. A. Ivanov, S. Y. Oleynikov, and S. A. Bocharov, Risk management. Moscow, Russia: Izd. zentr ЕАОI, 2008.

E. D. Sologentsev, Scenario-based probabilistic risk management in business and technology. Sankt-Peterburg, Russia: Izdatelskiy dom “Biznes-pressa”, 2006.

P. I. Biduyk, B. P. Tkach, and T. Harringon, Mathematical statistics. Kyiv, Ukraine: DP “Vid. dim ‘Personal’”, 2018.

V. V. Mokhor, A. M. Bohdanov, O. N. Kruk, and V. V. Tsurkan, “Building a risk assessment of information security based on dynamic set of actual threats”, Collection of scientific works of the Institute of modelling problems in energy named after G.E. Pukhov of National Academy Sciences of Ukraine, iss. 56, pp. 87-99, 2010.

Published

2020-12-30

How to Cite

Bezshtanko, V., & Zinchenko, Y. (2020). Interpretation model of assessments boundary information security risks. Information Technology and Security, 8(2), 224–231. https://doi.org/10.20535/2411-1031.2020.8.2.222610

Section

INFORMATION SECURITY RISK MANAGEMENT