MANAGEMENT OF INFORMATION PROTECTION BASED ON THE INTEGRATED IMPLEMENTATION OF DECISION SUPPORT SYSTEMS

The current stage of development of postindustrial society has been accompanied by a rise in the number and complexity of cyberattacks against various informatization objects (IO): information-communication systems (ICS), automated control systems, etc. More and more funds are allocated every year to cybersecurity (CS) and information protection (IP) [1]. Global practice, however, has demonstrated vividly that a simple increase in the number of means and activities for IP does not always produce a tangible effect [2], while in certain situations [3] it only adds to the workload of the staff of companies and organizations. Thus, a new promising alternative direction emerges for providing IO CS, based on employing intelligent information technologies of cyber defense. Such technologies include decision support systems (DSS) for IP and CS [4]. The relevance of the present study is determined, above all, by the state of problems in IP and the management level of CS under conditions of a growing number and complexity of intentional destructive attacks on enterprises' ICS. The research relevance is predetermined by the need for further development of the methodological apparatus that allows implementation of new intelligent DSS into management tasks on information protection and cybersecurity at various objects of informatization.


Introduction
The current stage of development of postindustrial society has been accompanied by a rise in the number and complexity of cyberattacks against various informatization objects (IO): information-communication systems (ICS), automated control systems, etc. More and more funds are allocated every year to cybersecurity (CS) and information protection (IP) [1]. Global practice, however, has demonstrated vividly that a simple increase in the number of means and activities for IP does not always produce a tangible effect [2], while in certain situations [3] it only adds to the workload of the staff of companies and organizations. Thus, a new promising alternative direction emerges for providing IO CS, based on employing intelligent information technologies of cyber defense. Such technologies include decision support systems (DSS) for IP and CS [4]. The relevance of the present study is determined, above all, by the state of problems in IP and the management level of CS under conditions of a growing number and complexity of intentional destructive attacks on enterprises' ICS.
The research relevance is predetermined by the need for further development of the methodological apparatus that allows implementation of new intelligent DSS into management tasks on information protection and cybersecurity at various objects of informatization.
In papers [9,10], the authors analyzed models for estimating CS risks at objects of informatization by using expert systems (ES). The studies have failed to introduce any application software to the market.
Articles [11,12] describe a decision-making procedure for ICS IP situations that are insufficiently structured. The research [12] did not result in any hardware/software implementation.
The practice of employing DSS and ES for the tasks of managing IP and CS at separate enterprises was outlined in [13,14]. As shown in [15,16], the existing commercial DSS and ES for information security (IS) and cybersecurity are of a closed character, and their acquisition by individual enterprises implies significant financial costs. At the same time, the existing non-profit DSS and ES for information protection lack functionality.
As shown in [17], the problem of the integrated implementation of DSS and ES was not systematically addressed in the context of management tasks for IS.
Given the conclusions drawn by the authors of [7,8,12], there is still an unresolved problem of the systemic implementation of intelligent DSS and ES into the management tasks on IP. Support for a decision-making procedure and quality expert assessment allow solving the tasks of IS and CS in the most efficient way. A decision can be based on models that take into account different expert interval estimates of the degree of IO protection. Thus, conceptually innovative approaches can be based on the paradigm of integrated implementation of DSS for the tasks of IP and for providing cybersecurity.

The aim and objectives of the study
The aim of the present work is to develop a method and a model for managing cybersecurity at the objects of informatization based on the automation of a procedure of coordination of expert opinions in a DSS.
To achieve the set aim, the following tasks have to be solved:
- to develop a method and a model for managing IS based on the systemic DSS implementation into tasks on managing cybersecurity of IO;
- to design and test an IO cybersecurity management DSS based on the application of the Delphi method, which would also take into account the IS interval estimates and metrics for different classes of threats, anomalies, and cyber-attacks.

A method and a model for managing protection of an informatization object based on the systemic DSS implementation
In the process of project implementation, a critical part of development as a whole is the correct definition of the problem: management of protection of informatization objects on the basis of integrated implementation of decision support systems on cybersecurity. The approaches analyzed in [1-5], aimed at providing cybersecurity of IO, which imply an extensive build-up of means and activities on IP, do not always guarantee reliable protection. Expert systems, including adaptive ones [4,8,14], and DSS do not eliminate the need for antivirus software, intrusion detection systems, etc. However, in complex situations on IO cybersecurity in which the outcome of the task depends on subjective knowledge, the effect of their implementation into an integrated IPS is sufficiently high.
The proposed method for the IO protection management includes the following stages:
Stage 1. Analysts perform division of the tasks on IO protection. For example, category 1: formation of requirements and a comprehensive information protection system (IPS) and objects of protection, based on the characteristics of IO; category 2: systematization and updating of information arrays on IPS and IO protection objects; category 3: analytics, control and analysis of effectiveness of the mechanisms of IO cybersecurity; category 4: working out (correction) of decisions on IO protection management.
Stage 2. The formalization of requirements to the IS management processes for IO is performed. Logical rules for DSS on IS are created.
Stage 3. Knowledge base (KB) is compiled for DSS with the participation of analysts (experts).
The implementation of a systemic approach to the tasks on managing protection of IO employing a DSS, in particular under on-line mode, is represented by the formalization of a support process in the form of program modules for the situation center (SC) on cybersecurity, Fig. 1. Support of the process of interviewing experts (analysts) in DSS under on-line mode predetermined the choice of an interactive-dialog mode of system operation. Emphasis is placed on the tasks of evaluating parameters of IO protection, as well as a predictive estimate of situation transformation during detection of threats, anomalies or targeted cyber-attacks. External experts who evaluate different parameters of IO protection can, by using their own portal (shown in green in Fig. 1), employing a DSS or independently, give a necessary assessment of the situation.
When registered on the portal related to DSS, the user account is created on the server. This allows the analyst to participate in subsequent surveys and studies, including expert evaluation of the situation.
For example, experts, independently or with the help of a DSS, are encouraged to identify parameters of interaction between the sources of threats and their destructive influences on IO.
Experts, independently or in collaboration with a DSS, fill in questionnaires in the form of a matrix: where N is the number of sources of threats for the analyzed IO; MI is the number of techniques to implement each threat; i is the number of experts working with a DSS.
Processing of experts' opinions in a DSS is based on the Delphi method. A distinctive feature of the designed system is the capability to dynamically generate questionnaire forms using the frames in each round of the survey under on-line mode.
Upon completion of filling the questionnaire forms, the Web page that is connected to the DSS dynamically displays tabular and graphical results.
Stage 4. Systematization of the obtained data is performed by the minimally significant components of the object of protection. A procedure is implemented of assigning a category to the determined classifiers: threats to IO; state of ICS for IO; the recommended methods and tools to protect information, etc. As a result, the metadata for KB are created and the principles of formation of new knowledge or rules for the DSS are synthesized.
Stage 5. Given the dynamics of emergence of new types of destructive influence on IO [18,19], a degree of adjustment of classifiers is determined. The models of their interaction are refined [20,21]. At this stage, the logical rules are formed for a dynamical change in the expert assessments for possible classifiers.
Reaching a consensus among experts in the process of DSS operation under on-line mode is based on the application of the Delphi method [22-24]. The method proposed, taking into account results of [7,14], is supplemented by a model of expert assessments coordination, which considers different interval estimations and metrics of IS [25,26] for the known threats, anomalies and cyber-attacks [14,27,28].
Interval estimates of the situation transformation related to the assessment of IO protection are described as follows: where ER pse is the expert estimate for the w-th level [8,22,23], the e-th expert, relative to the s-th indicator for estimated parameter p.
Interval estimates are correlated with the metrics of IS [14,25,26].
In accordance with [14,25,26], for the interval estimates of IO protection (similarly for other parameters), the IS metrics are assigned: (5) where ; .
Significance of the opinion of the e-th expert was evaluated as follows: 1 , , where C pse is the competence of the expert relative to the analyzed metric of IP. Expression (6) allows us to analyze the results when one group of experts employed DSS while another did not. In this case, the results being compared differ [23,24].
The average interval estimate is calculated as follows: ( ) where T is the time of situation's transformation related to the assessment of IS parameter p.
For the first round of experts' survey using DSS, the resulting confidence interval determines the radius of the set of expert estimates: Thus, the model that enables coordination of expert opinions and takes into account interval estimates and IS metrics, makes it possible to fill DSS KB.Correction of KB is also possible in the case of detecting new knowledge or discrepancies between expert estimates.
Stage 6. The rules are worked out for the evaluation of compliance of the selected comprehensive IPS with IS requirements. Thanks to the developed DSS, there is the possibility of correcting the decisions based on operative assessment of the current state of IO protection.
Stage 7. Basic management concepts are generated, as well as rules and guidelines on response and timely application of preventive, governing, correcting and other influences on events related to IS incidents at IO.
Stage 8. Long-term plans are devised for the development of integrated IPS for IO.
If necessary, stages 1-8 can be repeated with regard to correction of ES and DSS KB.
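The expert-coordination step of Stage 5, sketched as an added Python example that is not code from the paper or from "DMSSCSE". The paper's own formulas did not survive on this page, so the competence-normalized weighting, the weighted average interval and the midpoint-distance radius used here are assumptions, as are all names and the sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Estimate:
    expert: str
    low: float         # lower bound of the protection estimate (0 = protection missing)
    high: float        # upper bound (1 = reference value)
    competence: float  # assumed competence score for this metric, must be > 0

def check(estimates):
    """Reject malformed questionnaire rows before they reach the knowledge base."""
    if not estimates:
        raise ValueError("no estimates submitted")
    if len({e.expert for e in estimates}) != len(estimates):
        raise ValueError("each expert may submit one estimate per round")
    for e in estimates:
        if not (0.0 <= e.low <= e.high <= 1.0):
            raise ValueError(f"{e.expert}: need 0 <= low <= high <= 1")
        if e.competence <= 0:
            raise ValueError(f"{e.expert}: competence must be positive")

def delphi_round(estimates, tolerance):
    """Return the weighted interval, its radius, and the experts to re-survey."""
    check(estimates)
    total = sum(e.competence for e in estimates)
    w = {e.expert: e.competence / total for e in estimates}  # assumed significance
    low = sum(w[e.expert] * e.low for e in estimates)
    high = sum(w[e.expert] * e.high for e in estimates)
    centre = (low + high) / 2
    # Assumed spread measure: distance of each expert's midpoint from the centre.
    dev = {e.expert: abs((e.low + e.high) / 2 - centre) for e in estimates}
    radius = max(dev.values())
    outliers = sorted(name for name, d in dev.items() if d > tolerance)
    return {"interval": (low, high), "radius": radius,
            "outliers": outliers, "consensus": not outliers}

# Constructed sample data: three experts rating one protection parameter.
ROUND_1 = [Estimate("expert_a", 0.6, 0.8, 2.0),
           Estimate("expert_b", 0.5, 0.7, 1.0),
           Estimate("expert_c", 0.2, 0.4, 1.0)]
# expert_c revises the estimate after seeing the round-1 summary (constructed).
ROUND_2 = ROUND_1[:2] + [Estimate("expert_c", 0.45, 0.65, 1.0)]

if __name__ == "__main__":
    for label, data in (("round 1", ROUND_1), ("round 2", ROUND_2)):
        r = delphi_round(data, tolerance=0.2)
        print(label, [round(x, 4) for x in r["interval"]],
              round(r["radius"], 4), r["outliers"], r["consensus"])
```

Experts listed in `outliers` are the ones whose questionnaire would be regenerated for the next round; the round ends in consensus once every midpoint lies within the tolerance.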

Software complex "Decision support system for managing cyber security of an enterprise - DMSSCSE"
In order to implement the DSS in software, we chose MySQL, HTML and CSS, which allowed us to develop an intuitive interface, Fig. 2. To implement modules for the information and graphic representation of results, we used the programming language Python. DSS "DMSSCSE" was tested during modernization of IPS in computer centers at enterprises in Kyiv, Lviv, Chernihiv and others (Ukraine). Fig. 3, 4 show comparative results obtained during interviewing the experts, independently and using the DSS "DMSSCSE". From 7 to 11 experts were involved for the enterprises participating in the testing of DSS. We invited experts with experience in the field of information protection of not less than 5 years. Without the DSS "DMSSCSE", the experts filled in questionnaires evaluating ICS protection parameters of the analyzed enterprises. At the second stage of the study, the experts were asked to perform the evaluation using the DSS "DMSSCSE".
Fig. 3 shows results of the experts' evaluation of the vulnerability of the analyzed enterprise, independently and using the DSS "DMSSCSE" [13,14]. Fig. 4 shows results of the evaluation of the enterprises' web-sites. The reference value of the estimated parameters (p) was accepted equal to 1 [3,14,17]. If the parameter's estimate is equal to 0, protection is missing. Fig. 5 shows results of the experts' evaluation of vulnerability of the enterprises' computing centers [3,14], independently (red bars) and using the DSS "DMSSCSE" (green bars).
The results obtained show that when not using the DSS "DMSSCSE" experts estimate protection of ICS more optimistically.However, the follow-up audit of IS of the analyzed enterprises did not always confirm the assessment of experts and the received estimations were more consistent with the variant that employed the DSS "DMSSCSE".In this case, the IS audit was conducted by analysts with an experience in the field of information protection of not less than 10 years.
Fig. 6 shows a comparison histogram of the time (in minutes) spent by the experts, independently (red bars) and using the interface of "DMSSCSE" (green bars), to evaluate signs of unauthorized access to the information system of an enterprise's computing center. Fig. 7 shows a comparison histogram of the time taken to assess protection of an enterprise's web-site.
Fig. 5. Results of the experts' evaluation, independently and using the interface of "DMSSCSE", of the degree of protection of enterprises' computing centers
Fig. 6. Time spent by the experts, independently and using the interface of "DMSSCSE", to evaluate signs of unauthorized access to the information system of an enterprise
The time spent by experts for data processing using "DMSSCSE" is 35-50 % less compared to an independent analysis by the analysts. In addition, the number of rules involved in the process of logical output of "DMSSCSE" is 1.5 times larger. The result of the use of the interface of DSS "DMSSCSE" in computing centers at the enterprises in Kyiv, Chernihiv, Lviv is a reduction in costs for the organization of cyber protection by 32-35 %. Reducing the time needed for the evaluation (using the DSS) and response to cyber incidents by 11-14 % allows us to argue about improvements in the effectiveness of the IS management system. In the course of testing the DSS, we also verified mechanisms of the interaction between experts and "DMSSCSE" in the synthesis of governing rules for the tasks on managing protection of IO.
Fig. 7. Time spent to estimate protection of an enterprise's web-site

Discussion of results of testing DSS and the prospects for further research
The method and the model proposed form a set of basic rules and establish relations between the subclasses of cyberattacks and IS incident categories. Expert assessment (using the DSS "DMSSCSE") of action against IS of the object of protection, as well as coordination of judgments by experts, make it possible to predict the categories of CS incidents for the existing and new classes of cyberattacks. In the course of testing, the time needed to assess threats to IO was reduced by 11-12 %. The application of DSS "DMSSCSE" decreased the cost of organizing integrated IPS by 12-15 % (compared with alternative techniques [2,6,10,25]).
It was established that the application of DSS "DMSSCSE" makes it possible to reduce expenses for the organization of integrated IPS by 12-15 % compared with alternative methods [2,6,10,25]. The described solutions complement existing studies [4,8,11,17], in the context of solving tasks on managing protection of IO based on the implementation into comprehensive IPS of DSS on cybersecurity. The results obtained allowed us to recommend the DSS "DMSSCSE" for the implementation into integrated IPS at a number of enterprises in the cities of Kyiv and Dnipro.
When compared to similar solutions reviewed in papers [8,11,17], ES and DSS "DMSSCSE" has the following advantages:
- it is possible to integrate the developed software into existing comprehensive IPS;
- the efficiency of decision-making in the tasks on managing information protection of IO improves;
- a flexible adjustment of the DSS is possible with regard to the specificity of IO protection.
The shortcoming of DSS "DMSSCSE", identified in the process of testing, is the need to engage, at an early stage of the formation of knowledge base, independent experts familiar with the characteristics of protection of a particular IO.
A promising direction for development of the present work is to fill the knowledge base and the database of logical rules for DSS taking into account the expansion of test information and the results of approbation of "DMSSCSE".

Fig. 1. Structural diagram of the platform for expert estimation of the informatization object protection using a DSS under on-line mode
module of DSS, confidence interval of the first round of expert estimate of the situation was determined as follows:

Fig. 3. Results of experts' evaluation of the degree of ICS vulnerability, independently and using the interface of "DMSSCSE"

Fig. 2. General view of the software complex "Decision support system for managing cyber security of enterprises - DMSSCSE" (for the work of experts on-line)