INFORMATION PROTECTION MODEL BASED ON INFORMATION SECURITY RISK ASSESSMENT FOR SMALL AND MEDIUM-SIZED BUSINESS

Authors

DOI:

https://doi.org/10.28925/2663-4023.2021.14.158175

Keywords:

information security (IS) risks; SWOT analysis; statistical methods; method of expert assessments; Monte Carlo method; threats; vulnerabilities; information protection model.

Abstract

This study focuses on protecting the information resources of small and medium-sized businesses using a risk-oriented approach, with an emphasis on information security (IS) risk assessment. An analysis of scientific sources made it possible to characterize the essence of the risk-oriented approach and to formulate the main provisions for creating an information protection model based on it. The content of the model centers on qualitative and quantitative IS risk assessment, namely SWOT analysis, the statistical method, the expert assessment method and the Monte Carlo method. The step-by-step procedure for carrying out the stages of analysis and applying these methods to IS risk assessment is described. To obtain a comprehensive map of IS risks at the initial stage, it is proposed to conduct a SWOT analysis, in particular to identify business weaknesses and external and internal threats. A statistical method is used to quantify IS risk if sufficient analytical reports are available; otherwise, the method of expert assessments is applied. The final step is to generate a script using the Monte Carlo method. To describe the context of each information resource effectively, the technique of forming multiple "threat - vulnerability" pairs is used.

The relevance and possibilities of using this model as a methodology of information for small and medium businesses are substantiated.

Published

2021-12-30

How to Cite

Shevchenko, S., Zhdanova, Y., & Kravchuk, K. (2021). INFORMATION PROTECTION MODEL BASED ON INFORMATION SECURITY RISK ASSESSMENT FOR SMALL AND MEDIUM-SIZED BUSINESS. Electronic Professional Scientific Journal «Cybersecurity: Education, Science, Technique», 2(14), 158–175. https://doi.org/10.28925/2663-4023.2021.14.158175
