Automation of Information Security Risk Assessment
Abstract
An information security audit method (ISA) for a distributed computer network (DCN) of an informatization object (OBI) has been developed. Proposed method is based on the ISA procedures automation by using Bayesian networks (BN) and artificial neural networks (ANN) to assess the risks. It was shown that such a combination of BN and ANN makes it possible to quickly determine the actual risks for OBI information security (IS). At the same time, data from sensors of various hardware and software information security means (ISM) in the OBI DCS segments are used as the initial information. It was shown that the automation of ISA procedures based on the use of BN and ANN allows the DCN IS administrator to respond dynamically to threats in a real time manner, to promptly select effective countermeasures to protect the DCSReferences
REFERENCES
R. Langner, "Stuxnet: Dissecting a Cyberwarfare Weapon," in IEEE Security & Privacy, vol. 9, no. 3, pp. 49-51, May-June 2011, doi: 10.1109/MSP.2011.67.
Lyubchenko, A. A. (2019). The Information Society and the Threat of Cyberwar. In Derzhavin Readings (pp. 303-305).
Humphreys, E. (2008). Information security management standards: Compliance, governance and risk management. information security technical report, 13(4), 247-255. doi: 10.1016/j.istr.2008.10.010
Kanatov, M., Atymtayeva, L., & Yagaliyeva, B. (2014, December). Expert systems for information security management and audit. Implementation phase issues. In 2014 Joint 7th International Conference on Soft Computing and Intelligent Systems (SCIS) and 15th International Symposium on Advanced Intelligent Systems (ISIS) (pp. 896-900). IEEE. doi: 10.1109/SCIS-ISIS.2014.7044702
Han, D., Dai, Y., Han, T., & Dai, X. (2015). Explore Awareness of Information Security: Insights from Cognitive Neuromechanism. Computational Intelligence and Neuroscience, 2015, 762403-762403. doi: 10.1155/2015/762403
Andrade, R., Torres, J., & Flores, P. (2018, January). Management of information security indicators under a cognitive security model. In 2018 IEEE 8th annual computing and communication workshop and conference (CCWC) (pp. 478-483). IEEE. doi:10.1109/CCWC.2018.8301745
Grediaga, Á., Ibarra, F., García, F., Ledesma, B., & Brotóns, F. (2006, May). Application of neural networks in network control and information security. In International Symposium on Neural Networks (pp. 208-213). Springer, Berlin, Heidelberg. doi: 10.1007/11760191_31
Mukkamala, S., Janoski, G., & Sung, A. (2002, May). Intrusion detection using neural networks and support vector machines. In Proceedings of the 2002 International Joint Conference on Neural Networks. IJCNN'02 (Cat. No. 02CH37290) (Vol. 2, pp. 1702-1707). IEEE. doi:10.1109/IJCNN.2002.1007774
Kirta, T., & Kivimaab, J. (2010). Optimizing it security costs by evolutionary algorithms. In Conference on Cyber Conflict Proceedings (pp. 145-160). https://ccdcoe.org/uploads/2018/10/Kirt-et-al-Optimizing-IT-security-costs-by-evolutionary-algorithms.pdf
S. Lysenko, K. Bobrovnikova, R. Shchuka and O. Savenko, "A Cyberattacks Detection Technique Based on Evolutionary Algorithms," 2020 IEEE 11th International Conference on Dependable Systems, Services and Technologies (DESSERT), 2020, pp. 127-132, doi: 10.1109/DESSERT50317.2020.9125016
Barankova I.I., Mikhailova U.V., Kalugina O.B. (2020) Analysis of the Problems of Industrial Enterprises Information Security Audit. In: Radionov A., Karandaev A. (eds) Advances in Automation. RusAutoCon 2019. Lecture Notes in Electrical Engineering, vol 641. Springer, Cham. doi: 10.1007/978-3-030-39225-3_104
Steinbart, P. J., Raschke, R. L., Gal, G., & Dilla, W. N. (2018). The influence of a good relationship between the internal audit and information security functions on information security outcomes. Accounting, Organizations and Society, 71, 15-29. doi: 10.1016/j.aos.2018.04.005
Mataracioglu, T., & Ozkan, S. (2011). Governing information security in conjunction with COBIT and ISO 27001. arXiv preprint arXiv:1108.2150.
Steinbart, P. J., Raschke, R. L., Gal, G., & Dilla, W. N. (2012). The relationship between internal audit and information security: An exploratory investigation. International Journal of Accounting Information Systems, 13(3), 228-243. doi: 10.1016/j.accinf.2012.06.007
R. Montesino and S. Fenz, "Information Security Automation: How Far Can We Go?," 2011 Sixth International Conference on Availability, Reliability and Security, 2011, pp. 280-285, doi: 10.1109/ARES.2011.48.
Au, C. H., & Fung, W. S. (2019). Integrating Knowledge Management into Information Security: From Audit to Practice. International Journal of Knowledge Management (IJKM), 15(1), 37-52. doi: 10.4018/IJKM.2019010103
Stafford, T., Deitz, G., & Li, Y. (2018). The role of internal audit and user training in information security policy compliance. Managerial Auditing Journal, 33(4), 410-424. doi: 10.1108/MAJ-07-2017-1596
T. S. M. Pereira and H. Santos, "A Security Framework for Audit and Manage Information System Security," 2010 IEEE/WIC/ACM International Conference on Web Intelligence and Intelligent Agent Technology, 2010, pp. 29-32, doi: 10.1109/WI-IAT.2010.244.
Mashkina I. V., Sentsova A. U. The methodology of expert audit in the cloud computing system // Information technology security, 2013. № 4. P. 63–70.
Guzairov M. B., Mashkina, I. V., Stepanova E. S. The treats model development by fuzzy cognitive maps formation on the bases of security policy // Information technology security, 2011. № 2. P. 37–49.
Sentsova, A.Yu., Mashkina, I.V. Automation of an expert audit of information security based on the use of an artificial neural network. Information technology security. National Research Nuclear University "MEPhI" VNIIPVTI, No2, 2014. p. 118-126.
Makarevich, O., Mashkina, I., & Sentsova, A. (2013, November). The method of the information security risk assessment in cloud computing systems. In Proceedings of the 6th International Conference on Security of Information and Networks (pp. 446-447).
Mashkina, I. V., & Sentsova, A. U. (2014). The Method of the Information Security Risk Assessment in Cloud Computing Systems. In Computer Science and Information Technologies (CSIT'2014). (pp. 86-91).
Akhmetov, B., Lakhno, V., Akhmetov, B., & Alimseitova, Z. (2018, September). Development of sectoral intellectualized expert systems and decision making support systems in cybersecurity. In Proceedings of the Computational Methods in Systems and Software (pp. 162-171). Springer, Cham.
Lois, P., Drogalas, G., Karagiorgos, A., Thrassou, A., & Vrontis, D. (2021). Internal auditing and cyber security: audit role and procedural contribution. International Journal of Managerial and Financial Accounting, 13(1), 25-47.
Roldán-Molina, G., Almache-Cueva, M., Silva-Rabadão, C., Yevseyeva, I., & Basto-Fernandes, V. (2017, June). A decision support system for corporations cybersecurity management. In 2017 12th Iberian Conference on Information Systems and Technologies (CISTI) (pp. 1-6). IEEE. doi: 10.23919/CISTI.2017.7975826
Calderon, T. G., & Cheh, J. J. (2002). A roadmap for future neural networks research in auditing and risk assessment. International Journal of Accounting Information Systems, 3(4), 203-236. doi: 10.1016/S1467-0895(02)00068-4
Gaganis, C., Pasiouras, F., & Doumpos, M. (2007). Probabilistic neural networks for the identification of qualified audit opinions. Expert Systems with Applications, 32(1), 114-124. doi: 10.1016/j.eswa.2005.11.003
Atamanov, A.N. (2012). Methodology for dynamic iterative assessment of information security risks in automated systems. Global Science Potential, (3), 30-34.
Markowski, A. S., & Mannan, M. S. (2009). Fuzzy logic for piping risk assessment (pfLOPA). Journal of loss prevention in the process industries, 22(6), 921-927. doi: 10.1016/j.jlp.2009.06.011
Grace, A. M., & Williams, S. O. (2016). Comparative analysis of neural network and fuzzy logic techniques in credit risk evaluation. International Journal of Intelligent Information Technologies (IJIIT), 12(1), 47-62. doi: 10.4018/IJIIT.2016010103
Mokhor, V., & Honchar, S. F. (2018). The Idea of the Construction of the Algebra of Risks on the Basis of the Theory of Complex Numbers. Electronic modeling, 40(4), 107-111. doi: 10.15407/emodel.40.04.107
Mokhor, V., Honchar, S., & Onyskova, A. (2020). Cybersecurity Risk Assessment of Information Systems of Critical Infrastructure Objects. In 2020 IEEE International Conference on Problems of Infocommunications. Science and Technology (PIC S&T). (pp. 19-22). IEEE. doi: 10.1109/PICST51311.2020.9467957
Akhmetov, B.S., Lakhno, V.A., Ydyryshbayeva, M.B., Yagaliyeva, B.E., Baiganova, A.V., Akhanova, M.B., Tashimova, A.K. Application of bayesian networks in the decision support system during the analysis of cyber threats (2021) Journal of Theoretical and Applied Information Technology, 99 (4), pp. 884-893.
US National Vulnerability Database - https://nvd.nist.gov/
Bebeshko, B., Khorolska, K., Kotenko, N., Kharchenko, O., & Zhyrova, T. (2021). Use of neural networks for predicting cyberattacks. Paper presented at the CEUR Workshop Proceedings, 2923 13-223. http://ceur-ws.org/Vol-2923/paper23.pdf
Khorolska K., Lazorenko V., Bebeshko B., Desiatko A., Kharchenko O., Yaremych V. (2022) Usage of Clustering in Decision Support System. In: Raj J.S., Palanisamy R., Perikos I., Shi Y. (eds) Intelligent Sustainable Systems. Lecture Notes in Networks and Systems, vol 213. Springer, Singapore. https://doi.org/10.1007/978-981-16-2422-3_49
Lakhno V., Akhmetov B., Ydyryshbayeva M., Bebeshko B., Desiatko A., Khorolska K. (2021) Models for Forming Knowledge Databases for Decision Support Systems for Recognizing Cyberattacks. In: Vasant P., Zelinka I., Weber GW. (eds) Intelligent Computing and Optimization. ICO 2020. Advances in Intelligent Systems and Computing, vol 1324. Springer, Cham. https://doi.org/10.1007/978-3-030-68154-8_42.
Downloads
Published
Issue
Section
License
Copyright (c) 2022 International Journal of Electronics and Telecommunications
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.
1. License
The non-commercial use of the article will be governed by the Creative Commons Attribution license as currently displayed on https://creativecommons.org/licenses/by/4.0/.
2. Author’s Warranties
The author warrants that the article is original, written by stated author/s, has not been published before, contains no unlawful statements, does not infringe the rights of others, is subject to copyright that is vested exclusively in the author and free of any third party rights, and that any necessary written permissions to quote from other sources have been obtained by the author/s. The undersigned also warrants that the manuscript (or its essential substance) has not been published other than as an abstract or doctorate thesis and has not been submitted for consideration elsewhere, for print, electronic or digital publication.
3. User Rights
Under the Creative Commons Attribution license, the author(s) and users are free to share (copy, distribute and transmit the contribution) under the following conditions: 1. they must attribute the contribution in the manner specified by the author or licensor, 2. they may alter, transform, or build upon this work, 3. they may use this contribution for commercial purposes.
4. Rights of Authors
Authors retain the following rights:
- copyright, and other proprietary rights relating to the article, such as patent rights,
- the right to use the substance of the article in own future works, including lectures and books,
- the right to reproduce the article for own purposes, provided the copies are not offered for sale,
- the right to self-archive the article
- the right to supervision over the integrity of the content of the work and its fair use.
5. Co-Authorship
If the article was prepared jointly with other authors, the signatory of this form warrants that he/she has been authorized by all co-authors to sign this agreement on their behalf, and agrees to inform his/her co-authors of the terms of this agreement.
6. Termination
This agreement can be terminated by the author or the Journal Owner upon two months’ notice where the other party has materially breached this agreement and failed to remedy such breach within a month of being given the terminating party’s notice requesting such breach to be remedied. No breach or violation of this agreement will cause this agreement or any license granted in it to terminate automatically or affect the definition of the Journal Owner. The author and the Journal Owner may agree to terminate this agreement at any time. This agreement or any license granted in it cannot be terminated otherwise than in accordance with this section 6. This License shall remain in effect throughout the term of copyright in the Work and may not be revoked without the express written consent of both parties.
7. Royalties
This agreement entitles the author to no royalties or other fees. To such extent as legally permissible, the author waives his or her right to collect royalties relative to the article in respect of any use of the article by the Journal Owner or its sublicensee.
8. Miscellaneous
The Journal Owner will publish the article (or have it published) in the Journal if the article’s editorial process is successfully completed and the Journal Owner or its sublicensee has become obligated to have the article published. Where such obligation depends on the payment of a fee, it shall not be deemed to exist until such time as that fee is paid. The Journal Owner may conform the article to a style of punctuation, spelling, capitalization and usage that it deems appropriate. The Journal Owner will be allowed to sublicense the rights that are licensed to it under this agreement. This agreement will be governed by the laws of Poland.
By signing this License, Author(s) warrant(s) that they have the full power to enter into this agreement. This License shall remain in effect throughout the term of copyright in the Work and may not be revoked without the express written consent of both parties.