METHODOLOGY FOR ASSESSING COMPREHENSIVE DAMAGES FROM AN INFORMATION SECURITY INCIDENT
DOI: https://doi.org/10.28925/2663-4023.2023.21.99120

Keywords: cyber security; information protection; vulnerability; risk; security incident

Abstract
Security incidents can have significant economic consequences for public authorities. To mitigate the economic impact of cybersecurity incidents, public authorities must invest in robust countermeasures; collaboration with other government agencies, private-sector partners, and international organizations can further increase resilience and the capacity to respond to cyber attacks. The article analyzes various vulnerabilities and the mechanism by which they turn into security incidents, and reviews approaches to monitoring existing threats and methods of countering them. International and national organizations and associations can serve as data sources; results from their reports are aggregated according to the organization's field of work and its form of ownership. Examining the mechanics of the transition from vulnerability to security incident makes it possible to build formalized models for audit systems, for the analysis of detected incidents, and for real-time monitoring. One of the main criteria is the assessment of cyber security risks. The publication proposes a method that takes into account the interrelationships between system components and the sequence in which these components are engaged. International and national experience is considered as a source of operational and reporting information on security incidents. As a result, measures are proposed to reduce the risk that existing vulnerabilities in state information networks and systems will be exploited. Since the only way to achieve a qualitative reduction in losses from cyber incidents is to improve the quality of cyber security specialists, the article proposes a new retraining program for specialists from related fields: information technology, telecommunications, electronics, radio engineering, programming, etc.
This study shows that the security policy of state institutions should also take into account the economic impact and probable losses from cyber attacks. Further research will aim to validate the proposed recommendations for forming security policy for state and commercial institutions and organizations.
Copyright (c) 2023 Володимир Соколов, Павло Складанний
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.