Risk assessment and analysis for threats and vulnerabilities of the corporate infrastructure information system
DOI: https://doi.org/10.20535/2411-1031.2025.13.2.344595
Keywords: risk assessment, infrastructure, Q-analysis, information system
Abstract
This article presents a methodological approach to assessing risks associated with the threats and vulnerabilities of the information system of a corporate infrastructure object. The relevance of this topic is due to the growing number and complexity of cyber threats and the need for more accurate risk assessment tools that account for the structure of interdependencies between potential vulnerabilities and attacks. The main problem addressed in the study is the insufficient precision of traditional risk assessment methods that do not reflect the composite nature of threats within complex systems. To solve this issue, the authors employ an extended Q-analysis methodology, which considers the structural relationships between threats and vulnerabilities to form a more detailed risk model. The purpose of the study is to apply the theoretical foundations of extended Q-analysis to a practical example using real expert data. As part of this, the authors construct an incidence matrix between threats and vulnerabilities, form a simplex complex, and build a structural tree to visualize interdependencies. Based on these models, calculations are performed to estimate the loss values associated with each threat and their combinations (“gluing”). Using optimization methods, including the Lagrange method, the authors identify conditions for maximum and minimum risk, analyze the behavior of the risk function under different probability distributions, and construct comparative graphs. The results demonstrate that the refined methodology allows a reduction in overall risk by up to 23.3% compared to linear models, depending on the threat distribution. The findings confirm the practical value of the proposed approach, offering more accurate risk estimates and improved decision-making support in cybersecurity management of complex information systems.
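The structural core of the approach, the incidence matrix and the q-connectivity it induces between threats, can be shown on a small constructed case. This is an added illustration, not the paper's data or code: the threat and vulnerability names, the incidence matrix and the "gluing" helper are assumptions, and the loss and Lagrange optimization steps of the paper are not reproduced.

```python
# Q-analysis of a threat/vulnerability incidence matrix (added illustration).
# The matrix, names and values below are constructed, not the paper's data.

THREATS = ["T1", "T2", "T3", "T4"]
VULNS = ["V1", "V2", "V3", "V4", "V5"]
# Constructed incidence matrix: row = threat, column = vulnerability it exploits.
INCIDENCE = [
    [1, 1, 1, 0, 0],  # T1 -> V1, V2, V3 (a 2-simplex)
    [0, 1, 1, 1, 0],  # T2 -> V2, V3, V4
    [0, 0, 0, 1, 1],  # T3 -> V4, V5
    [1, 0, 0, 0, 1],  # T4 -> V1, V5
]

def shared_face_matrix(inc):
    """Entry (i, j) = number of vulnerabilities shared by threats i and j minus 1,
    i.e. the dimension of their shared face; -1 means they share none."""
    return [[sum(a * b for a, b in zip(ri, rj)) - 1 for rj in inc] for ri in inc]

def q_connected_components(inc, q):
    """Threats chained through shared faces of dimension >= q (union-find)."""
    sf = shared_face_matrix(inc)
    parent = list(range(len(inc)))
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    live = [i for i in range(len(inc)) if sf[i][i] >= q]  # simplices present at level q
    for i in live:
        for j in live:
            if j > i and sf[i][j] >= q:
                parent[find(i)] = find(j)
    comps = {}
    for i in live:
        comps.setdefault(find(i), []).append(i)
    return sorted(comps.values())

def structure_vector(inc):
    """Q_q = number of q-connected components, for q = 0 .. top dimension."""
    top = max(shared_face_matrix(inc)[i][i] for i in range(len(inc)))
    return [len(q_connected_components(inc, q)) for q in range(top + 1)]

def glued_vulnerabilities(inc, component):
    """Vulnerabilities covered jointly by a component of threats ('gluing')."""
    return [VULNS[j] for j in range(len(VULNS)) if any(inc[i][j] for i in component)]

if __name__ == "__main__":
    print("structure vector", structure_vector(INCIDENCE))
    for q in range(3):
        comps = q_connected_components(INCIDENCE, q)
        print(q, [[THREATS[i] for i in c] for c in comps])
```

At level q = 1 only T1 and T2 remain chained (they share the face V2, V3), which is the kind of interdependency a linear per-threat model does not see; the glued pair jointly covers V1 to V4.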
License
Copyright (c) 2025 Collection "Information Technology and Security"

This work is licensed under a Creative Commons Attribution 4.0 International License.
Authors published in this collection agree to the following terms:
- The authors retain authorship of their work and grant the collection the right of first publication; the work is licensed under the Creative Commons Attribution License, which allows others to freely distribute the published work with mandatory reference to the authors of the original work and to its first publication in this collection.
- The authors have the right to conclude an agreement on the exclusive distribution of the work in the form in which it was published in this collection (for example, to place the work in an institutional digital repository or to publish it as part of a monograph), provided that reference is made to the first publication of the work in this collection.
- The journal's policy allows and encourages authors to post the manuscript of the work on the Internet (for example, in repositories or on personal websites) before submitting it to the editor and during its editorial processing, since this contributes to productive scientific discussion and positively affects the efficiency and dynamics of citation of the published work (see The Effect of Open Access).