METHOD FOR CALCULATING THE LEVEL OF CYBERSECURITY OF CRITICAL INFORMATION INFRASTRUCTURE FACILITIES
DOI:
https://doi.org/10.28925/2663-4023.2025.30.986
Keywords:
cybersecurity, critical infrastructure, critical infrastructure facilities, critical information infrastructure facilities, model for calculation, method for calculation, weighting factors
Abstract
In today's world, where the number and complexity of cyber threats, especially those targeting strategic state assets, are growing rapidly, there is an urgent need to develop effective, flexible, and adaptive mechanisms for assessing the current level of cyber security. In view of this need, an analysis of existing approaches to assessing the level of cyber security was conducted. Among them are models based on maturity, risk, and compliance. The results of the analysis showed that none of these approaches is completely universal or sufficient for a comprehensive assessment of critical information infrastructure objects in the context of the national legislative field. In particular, approaches based solely on compliance may not take into account real risks, while approaches based on maturity are often too subjective. To address these systemic shortcomings, a hybrid approach was proposed. This approach integrates the best features of previous models, combining the objectivity of compliance testing, the flexibility and process orientation of maturity assessment, and risk-based prioritization. Based on the hybrid approach, a method for calculating the level of cyber protection of critical information infrastructure objects was developed. A component of this method is the introduction of weighting coefficients for different criteria systems. To determine these weighting coefficients, which should ensure an objective reflection of expert knowledge, the hierarchy analysis method (the Analytic Hierarchy Process, AHP) was chosen. The proposed method allows qualitative characteristics (e.g., binary “yes/no” answers) to be transformed into a single quantitative indicator. This indicator is calculated in a standardized range from 0 to 1, which facilitates comparison and monitoring. The resulting numerical value is further interpreted on a five-level maturity scale (from “Initial” to “Optimized”), which provides a clear idea of the steps needed for improvement.
Thus, the developed method is hierarchical, multi-criteria, and adaptable to current Ukrainian legislation in the field of cyber protection and cyber security.
In further research, it is planned to conduct an experimental study and verify the method on three critical infrastructure objects in the fuel and energy sector, as well as to compare the results obtained using the author's software and two other tools.
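The pipeline the abstract describes (AHP-derived weights, yes/no answers folded into one 0 to 1 indicator, then a five-level scale), as an added example that is not the author's software. The criteria-system names, the pairwise judgments, the per-system averaging of answers and the equal-width level bands are assumptions, since the abstract gives none of them; the "hierarchy analysis method" is taken to be Saaty's Analytic Hierarchy Process.

```python
import math

# Saaty's random consistency index, keyed by matrix order n
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}

def ahp_weights(matrix):
    """Return (weights, consistency_ratio) for a reciprocal pairwise matrix."""
    n = len(matrix)
    if n not in RANDOM_INDEX or any(len(row) != n for row in matrix):
        raise ValueError("need a square matrix of order 1..9")
    for i in range(n):
        for j in range(n):
            if matrix[i][j] <= 0 or not math.isclose(matrix[i][j] * matrix[j][i], 1.0):
                raise ValueError(f"judgments {i},{j} are not reciprocal")
    # Row geometric means approximate the principal eigenvector.
    gm = [math.prod(row) ** (1.0 / n) for row in matrix]
    weights = [g / sum(gm) for g in gm]
    # lambda_max estimate: average of (A w)_i / w_i
    lam = sum(sum(a * w for a, w in zip(row, weights)) / weights[i]
              for i, row in enumerate(matrix)) / n
    ci = (lam - n) / (n - 1) if n > 2 else 0.0
    return weights, (ci / RANDOM_INDEX[n] if n > 2 else 0.0)

def protection_level(answers, weights):
    """Fold yes/no answers per criteria system into one indicator in [0, 1]."""
    if set(answers) != set(weights) or not math.isclose(sum(weights.values()), 1.0):
        raise ValueError("weights must cover every criteria system and sum to 1")
    if any(not items for items in answers.values()):
        raise ValueError("every criteria system needs at least one answer")
    return sum(weights[k] * sum(map(bool, v)) / len(v) for k, v in answers.items())

def maturity_level(score, levels=5):
    """Map the indicator to level 1 ('Initial') .. 5 ('Optimized'); bands assumed equal."""
    if not 0.0 <= score <= 1.0:
        raise ValueError("score outside [0, 1]")
    return min(int(score * levels) + 1, levels)

# Constructed sample: three hypothetical criteria systems and expert judgments.
SYSTEMS = ["regulatory_compliance", "process_maturity", "risk_treatment"]
JUDGMENTS = [[1, 3, 5], [1 / 3, 1, 3], [1 / 5, 1 / 3, 1]]
ANSWERS = {"regulatory_compliance": [True, True, True, False],
           "process_maturity": [True, False],
           "risk_treatment": [False, False, True, False]}

def assess(judgments=JUDGMENTS, answers=ANSWERS, max_cr=0.10):
    weights, cr = ahp_weights(judgments)
    if cr > max_cr:  # Saaty's usual acceptance threshold for expert judgments
        raise ValueError(f"inconsistent judgments, CR={cr:.3f}")
    score = protection_level(answers, dict(zip(SYSTEMS, weights)))
    return score, maturity_level(score), cr
```

Rejecting a judgment matrix whose consistency ratio exceeds 0.10 keeps contradictory expert comparisons from silently skewing the weights and therefore the reported level.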
License
Copyright (c) 2025 Діана Юдіна

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.