Analysis of computer network security risk assessment methods

Authors

  • Vasyl Tsurkan, Institute of Special Communication and Information Protection of the National Technical University of Ukraine “Igor Sikorsky Kyiv Polytechnic Institute”, Kyiv, Ukraine, https://orcid.org/0000-0003-1352-042X
  • Oleksandr Shapoval, Institute of Special Communication and Information Protection of the National Technical University of Ukraine “Igor Sikorsky Kyiv Polytechnic Institute”, Kyiv, Ukraine, https://orcid.org/0000-0002-4960-2235

DOI:

https://doi.org/10.20535/2411-1031.2022.10.2.270437

Keywords:

information assets, computer network, computer network security, computer network security risk, risk assessment

Abstract

The implementation of information security management systems in organizations has been studied. Computer networks have been identified as essential information assets. The preservation of their properties is achieved by selecting appropriate measures and tools. For this purpose, the security risk of the computer network is assessed, and a decision is made on whether it requires treatment. The latest research and publications, which focus on the generalized evaluation of information and cyber security risks, have been analyzed. They often overlook the peculiarities of preserving the properties of assets such as computer networks. Therefore, a typical example of their structural representation has been considered, and the characteristic zones and the security features within each of them have been identified. The consequences of realizing threats to the confidentiality, integrity, and availability properties have been demonstrated through examples. This has made it possible to identify the potential areas in which computer network security risk manifests itself at the layers of the open systems interconnection model. The methods for evaluating the magnitude of the risk have been analyzed, and the peculiarities of using each of them have been established. These involve determining the communication and exploitation levels, access, and asset control, and considering the combination of subjective and objective factors under uncertainty. In addition, the correlation of nodes with their operating environment is considered. The possible directions of threat realization through network vulnerabilities are displayed in an attack graph. The problem of insufficient information about them is overcome by considering fuzziness and uncertainty. Furthermore, aspects of assessing the security risk of the computer network have been highlighted. However, the analysis of existing risk assessment methods has shown that they mainly focus on performing partial tasks, particularly identifying and estimating risks. Comparing the assessment results with an acceptable level remains to be addressed, which limits decision-making and the justification of the need for risk treatment. Moreover, the properties of information and the layers of the open systems interconnection model involved in its transmission and protection in the computer network have been considered.

Author Biographies

Vasyl Tsurkan, Institute of Special Communication and Information Protection of the National Technical University of Ukraine “Igor Sikorsky Kyiv Polytechnic Institute”, Kyiv

Candidate of technical sciences, associate professor; associate professor at the Cybersecurity and Application of Information Systems and Technologies academic department

Oleksandr Shapoval, Institute of Special Communication and Information Protection of the National Technical University of Ukraine “Igor Sikorsky Kyiv Polytechnic Institute”, Kyiv

Senior lecturer at the Cybersecurity and Application of Information Systems and Technologies academic department

Published

2022-12-29

How to Cite

Tsurkan, V., & Shapoval, O. (2022). Analysis of computer network security risk assessment methods. Collection "Information Technology and Security", 10(2), 204–215. https://doi.org/10.20535/2411-1031.2022.10.2.270437

Section

INFORMATION SECURITY RISK MANAGEMENT