Analysis of information security risk assessment representation methods
DOI: https://doi.org/10.20535/2411-1031.2018.6.1.153189
Keywords: Information security risk, information security risk assessment, tree of risks, rose (star), helix of risks, risk map, acceptability risk corridor
Abstract
Methods of presenting information security risk assessments are considered. The methods are divided into a tree of risks, a rose (star) and a helix (spiral) of risks, a risk map, and an acceptability risk corridor. The classic tree-construction method is used to represent risk assessments as a tree; its elements show individual risks or groups of risks. The rose (star) and the helix are constructed using circular diagrams as a basis. These diagrams reflect the sequence in which information security risks are considered, so their ranking is carried out by comparative analysis. A rose (star) displays only one parameter of information security risk from the selected set, with the ability to overlay roses with different parameters on one another. Therefore, using this presentation method amounts to building a family of roses (stars) of information security risk assessments. At the same time, information security risk maps are found to be the most widely used of the known presentation methods. The risk map represents estimates based on the probability of threat realization and the amount of loss. Because this way of representation is versatile, information security risk maps can be combined, compared, overlaid and integrated. Among them, general and applied risk maps are distinguished. A characteristic feature of risk maps of the general type is the presence or absence of an evaluation scale. When a scale is present, the risk value is evaluated qualitatively or quantitatively; when it is absent, the assessment is reduced to selecting areas of information security risk assessment. For each of the identified areas, interval values of the probability of threat realization and of the size of the risk are established. The corridor of acceptability of information security risks is set individually for each organization using the most probable estimates.
These estimates determine the areas of acceptability of information security risks. Thus, analyzing the methods of presenting information security risk assessments by tree, rose (star), helix, map and corridor of acceptability made it possible to define their advantages and disadvantages, and to choose the direction of further research on presenting information security risk assessments with a risk map.
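The general-type risk map with a scale, the qualitative and quantitative evaluation of a risk, ranking by comparative analysis, overlaying of two maps and the acceptability corridor described in the abstract, as an added Python example (this is not code from the paper or its authors). The interval boundaries of the scale, the corridor cells, the sample risks and the "keep the more severe cell" rule used for overlaying maps are constructed assumptions for this example, not values or rules taken from the paper.

```python
from dataclasses import dataclass

# Constructed qualitative scale for a general-type risk map (assumption of this
# example): each axis is split into labelled intervals [lo, hi).
PROB_INTERVALS = [("low", 0.0, 0.2), ("medium", 0.2, 0.6), ("high", 0.6, 1.0)]
LOSS_INTERVALS = [("minor", 0.0, 10_000.0),
                  ("moderate", 10_000.0, 100_000.0),
                  ("major", 100_000.0, float("inf"))]

# Corridor of acceptability: the cells an organization accepts. Set per
# organization in the paper; these cells are a constructed assumption.
CORRIDOR = {("low", "minor"), ("low", "moderate"), ("medium", "minor")}


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # probability of threat realization, 0..1
    loss: float         # size of loss if the threat is realized, money units


def interval_index(value, intervals):
    """Index of the interval [lo, hi) holding value; the last upper bound is inclusive."""
    last = len(intervals) - 1
    for i, (_, lo, hi) in enumerate(intervals):
        if lo <= value < hi or (i == last and value == hi):
            return i
    raise ValueError(f"{value} lies outside the scale")


def cell_of(risk):
    """Qualitative estimate: the (probability label, loss label) cell on the map."""
    p = interval_index(risk.probability, PROB_INTERVALS)
    l = interval_index(risk.loss, LOSS_INTERVALS)
    return (PROB_INTERVALS[p][0], LOSS_INTERVALS[l][0])


def quantitative_value(risk):
    """Quantitative estimate: expected loss = probability * loss."""
    return risk.probability * risk.loss


def rank(risks):
    """Comparative ranking: risk names from highest to lowest quantitative value."""
    return [r.name for r in sorted(risks, key=quantitative_value, reverse=True)]


def build_map(risks):
    """A risk map as a dict: risk name -> cell."""
    return {r.name: cell_of(r) for r in risks}


def severity(cell):
    """Severity score of a cell: sum of its interval indices (constructed rule)."""
    prob_labels = [lbl for lbl, _, _ in PROB_INTERVALS]
    loss_labels = [lbl for lbl, _, _ in LOSS_INTERVALS]
    return prob_labels.index(cell[0]) + loss_labels.index(cell[1])


def overlay(map_a, map_b):
    """Overlay two maps: a risk present in both keeps its more severe cell."""
    merged = dict(map_a)
    for name, cell in map_b.items():
        if name not in merged or severity(cell) > severity(merged[name]):
            merged[name] = cell
    return merged


def is_acceptable(risk, corridor=CORRIDOR):
    """A risk is acceptable when its cell lies inside the acceptability corridor."""
    return cell_of(risk) in corridor


# Constructed sample risks (assumed values, not data from the paper).
SAMPLE_RISKS = [
    Risk("phishing", 0.7, 50_000.0),
    Risk("datacenter_fire", 0.05, 500_000.0),
    Risk("lost_laptop", 0.3, 5_000.0),
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(r.name, cell_of(r), quantitative_value(r), is_acceptable(r))
    print("ranking:", rank(SAMPLE_RISKS))
    second = build_map([Risk("phishing", 0.5, 50_000.0), Risk("insider", 0.1, 20_000.0)])
    print("overlay:", overlay(build_map(SAMPLE_RISKS), second))
```

Running the block prints each sample risk's cell, expected loss and acceptability, the comparative ranking, and the result of overlaying a second, differently assessed map on the first; the helix and rose (star) views reorder or project the same cells and are not implemented here.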
Copyright (c) 2020 Collection "Information technology and security"
This work is licensed under a Creative Commons Attribution 4.0 International License.
The authors published in this collection agree to the following terms:
- The authors retain the right of authorship of their work and grant the collection the right of first publication; the work is licensed under the Creative Commons Attribution License, which allows others to freely distribute the published work with obligatory reference to the authors of the original work and to its first publication in this collection.
- The authors have the right to conclude an agreement on the exclusive distribution of the work in the form in which it was published in this collection (for example, to place the work in an institutional digital repository or to publish it as part of a monograph), provided that reference is made to the first publication of the work in this collection.
- The policy of the journal allows and encourages authors to place the manuscript of the work on the Internet (for example, in repositories or on personal web sites) prior to submission of the manuscript to the editor and during its editorial processing, as this contributes to productive scientific discussion and has a positive effect on the efficiency and dynamics of citation of the published work (see The Effect of Open Access).