METHOD OF COMPREHENSIVE CYBERSECURITY RISKS ASSESSMENT IN DISTRIBUTED INFORMATION SYSTEMS
DOI:
https://doi.org/10.28925/2663-4023.2024.26.731Keywords:
кібербезпека; інформаційна безпека; ризик інформаційної безпеки; оцінка ризиків; управління ризиками; розподілена інформаційна система; нейронна мережаAbstract
Cybersecurity risk assessment and analysis is an important element for building an effective information security management system. The high complexity and scalability of the architecture of modern distributed systems, the heterogeneity of equipment and infrastructure, as well as constant changes in the configuration and scaling of the environment give rise to a number of problems related to the collection and analysis of information for risk assessment, the need for operational processing of large arrays of complex in structure and heterogeneous in nature data coming from differentiated security and monitoring systems, event logs, audit reports and other sources, as well as the lack of a single format for their presentation. The limitations of existing standards and methodologies in the dynamic conditions of modern DIS, their conceptual nature and the complexity of practical implementation and application require the development of flexible methodological and technological solutions for cyber risk analysis that would integrate the advantages of existing approaches, provide automation of calculations and take into account the dynamic aspects of distributed environment. The article presents a comprehensive adaptive method for quantitative assessment of cybersecurity risks in distributed information systems, which is relevant in dynamic conditions of complex multi-component and scalable DIS. The proposed method, integrating a metric-oriented approach based on the results of a complex of neural network models for assessing DIS infrastructure security indicators and compliance metrics for regulatory frameworks and leading standards, provides an opportunity to create a scalable and dynamic cyber risk management system that effectively responds to modern threats in DIS and open opportunities for the comprehensive implementation of intelligent information security management systems in risk management processes.
Downloads
References
Tanenbaum, A. S., & Van Steen, M. (2007). Distributed systems: Principles and paradigms (2nd ed.). Prentice Hall of India.
Zaslavskyi, V. (2017). System principles, mathematical models and methods to ensure high reliability of safety systems. Proceedings of SPIE, 10418, 1041803.
Norkin, V. I., Gaivoronski, A. A., Zaslavsky, V. A., & Knopov, P. S. (2018). Models of the optimal resource allocation for the critical infrastructure protection. Cybernetics and Systems Analysis, 54, 696–706.
Henry, K. (2017). Risk management and analysis. In H. F. Tipton & M. Krauze (Eds.), Information security management handbook (6th ed., Part 1, Section 1.4, Ch. 28, pp. 321-329). Auerbach Publications.
Palko, D., Vialkova, V., & Babenko, T. (2019). Intellectual models for cyber security risk assessment. In Processing, transmission and security of information: Monografia (Vol. 2, pp. 284–288). Wydawnictwo Naukowe Akademii Techniczno-Humanistycznej w Bielsku-Białej.
Korchenko, A. G., Arkhipov, A. E., & Kazmirchuk, S. V. (2013). Analysis and assessment of information security risks. Lazurit-Poligraf.
Rot, A. (2008). IT risk assessment: Quantitative and qualitative approach. In Proceedings of the World Congress on Engineering and Computer Science (pp. 1073–1078).
Russell, S., & Norvig, P. (2005). Artificial intelligence: A modern approach. Williams.
Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk management guide for information technology systems (NIST Special Publication 800-30 Rev A). National Institute of Standards and Technology.
FIRST. (2021). Common Vulnerability Scoring System (CVSS) v3.1. Official Documentation.
Aksu, M. U., Dilek, M. H., Tatlı, E. İ., Bicakci, K., Dirik, H. I., Demirezen, M. U., & Aykır, T. (2017, October). A quantitative CVSS-based cyber security risk assessment methodology for IT systems. In 2017 International Carnahan Conference on Security Technology (ICCST) (pp. 1-8). IEEE.
Wang, J., Neil, M., & Fenton, N. (2020). A Bayesian network approach for cybersecurity risk assessment implementing and extending the FAIR model. Computers & Security, 89, 101659.
Fagade, T., Maraslis, K., & Tryfonas, T. (2017). Towards effective cybersecurity resource allocation: The Monte Carlo predictive modelling approach. International Journal of Critical Infrastructures, 13(2-3), 152–167.
Alali, M., Almogren, A., Hassan, M. M., Rassan, I. A., & Bhuiyan, M. Z. A. (2018). Improving risk assessment model of cyber security using fuzzy logic inference system. Computers & Security, 74, 323–339.
Krundyshev, V. (2020). Neural network approach to assessing cybersecurity risks in large-scale dynamic networks. In 13th International Conference on Security of Information and Networks.
Ekstedt, M., Afzal, Z., Mukherjee, P., Hacks, S., & Lagerström, R. (2023). Yet another cybersecurity risk assessment framework. International Journal of Information Security, 22(6), 1713–1729.
Gartner Report. (2023). The role of SIEM and SOAR in modern cybersecurity strategies. Gartner Security Insights.
Cebula, J. J., & Young, L. R. (n.d.). A taxonomy of operational cyber security risks. Carnegie Mellon University.
Novykov, A. N., Rodyonov, A. N., & Tymoshenko, A. A. (2015). Models and methods of cybernetic protection of information and communication systems based on the logical-probabilistic approach: Monograph. NTUU KPI.
Palko, D., Hnatienko, H., & Babenko, T. (2021, September 28–30). Determining key risks for modern distributed information systems. In IntSol-2021 Intelligent Solutions, Taras Shevchenko National University of Kyiv, Kyiv, Ukraine.
Palko, D., Babenko, T., Bigdan, A., Kiktev, N., Hutsol, T., Kuboń, M., Hnatiienko, H., Tabor, S., Gorbovy, O., & Borusiewicz, A. (2023). Cyber security risk modeling in distributed information systems. Applied Sciences, 13(4), 2393. https://doi.org/10.3390/app13042393
Palko, D., Babenko, T., Myrutenko, L., & Bigdan, A. (2020). Model of information security critical incident risk assessment. In Proceedings of the 2020 IEEE International Conference «Problems of Infocommunications».
Published
How to Cite
Issue
Section
License
Copyright (c) 2024 Дмитро Палко, Лариса Мирутенко
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
