Development of the Space-Time Structure of the Methodology for Modeling the Behavior of Antagonistic Agents of the Security System

The rapid development of computer technology, the emergence of modern cyber threats with signs of hybridity and synergy put forward strict requirements for the economic component of national security and especially the processes of ensuring the economy cybersecurity. The cybersecurity industry is trying to meet today's requirements by introducing new and more advanced security technologies and methods, but it is believed that such a universal approach is not enough. The study is devoted to resolving the objective contradiction between the growing practical requirements for an appropriate level of cybersecurity of business process contours while increasing the number and technological complexity of cybersecurity threats. Also the fact that threats acquire hybrid features on the one hand, and imperfection, and sometimes the lack of methodology for modeling the behavior of interacting agents of security systems should be taken into account. However, this does not allow timely prediction of future actions of attackers, and as a result, determining the required level of investment in security, which will provide the required level of cybersecurity.

The paper proposes the Concept of modeling the behavior of interacting agents, the basis of which is a three-level structure of modeling the subjects and business processes of the contours of the organization and security system, based on modeling the behavior of antagonistic agents. The proposed methodology for modeling the behavior of interacting agents, which is based on the Concept of behavior of antagonistic agents, allows assessing and increasing the current level of security by reducing the number of hybrid threats by 1.76 times, which reduces losses by 1.65 times and increases the time for choosing threat counteraction means by reducing the time to identify threats online by 38%.


Keywords: cybersecurity, antagonistic agents, modeling methodology, reflexive agent, multiagent systems, business process contour
nesses and potential attacks that can be implemented. But this does not provide any information about what attacks can be carried out by attackers, based on their point of view. Because each person is individual, the process by which an attacker will attack the network will be different for each attacker. Understanding differences between attackers and their behavior can be used to analyze the consequences of attacks, and then for early detection and prediction.
By simulating cyber attacks, focusing on how a real cyber attacker will make decisions based on skills, rules, and knowledge, it is possible to synthesize data about an attacker's behavior that would otherwise be difficult to obtain. The combination of rule-based and knowledge-based attack generation provides reliable and diverse attack trajectories, while providing realistic results because rules and knowledge are constantly coordinated with each other. This means that rules cannot be applied if knowledge is underdeveloped, and knowledge flexibility cannot be used if the rules are too limited. Applying this scheme to simulation allows a better understanding of the effect that different types of attackers have, by analyzing the types of attacks performed and learning what the attacker needed to know to perform them. Finally, you should turn to potential end users trying to protect their networks from attacks that intrusion testers didn't think of, or other tools that don't have security tools. This provides a deeper understanding of how vulnerabilities are exploited and how they can affect the network before an attack can occur, and then something can be done about it. The cybersecurity industry is trying to meet today's requirements by introducing new and more advanced security technologies and methods. Modern methods of studying cyber threats are usually performed using static analysis of network and system vulnerabilities. But only a few address the most volatile and most important part of the problem - the attackers themselves. The human factor underlying cybersecurity provides a better understanding of this issue and highlights the behavior of individuals as a key factor of greatest concern. The human element at the heart of cybersecurity is what makes cyberspace a complex, adaptive system. A comprehensive, interdisciplinary approach that combines technical and behavioral elements is needed to increase cybersecurity.
Therefore, the creation of a scientifically sound methodology for modeling the processes of agent behavior in security systems is an urgent scientific and applied problem of theoretical and practical significance.

Literature review and problem statement
In recent years, research has been conducted on the dynamics and implementation of cyber attacks to better analyze the impact of those attackers. Studies have been conducted on the use of network vulnerabilities to identify possible and realistic ways to attack [1−6]. Thus, [1] provides specific examples of large-scale cyber attacks. The paper [2] analyzes the trend of using third-party service providers to gain access to victim organizations. A new paradigm of attack graph analysis, which complements the traditional graph-centric representation based on graph adjacency matrices, is presented in [3]. The work [4] is devoted to the issue of forecasting potential attacks on the basis of observed attacks. [5] gives an example of a Bayesian network based on the current model of the security graph. The variable-length Markov model, which captures the features of attack tracks, which allows predicting the probable subsequent actions in current attacks, is analyzed in [6]. It should be noted that the disadvantage of these works is that these methods take into account only vulnerabilities in the network, but do not reveal real differences between the types of attackers. In other works, this issue was considered by modeling the capabilities of opponents [7] or applying the methodology of game theory [8] to simulate the attacker and defender. None of these methods simulate an attacker based on the information that an attacker receives during an attack, although it plays an important role in making decisions about the attack. This concept is well implemented in agent modeling methods in the NeSSi2 (NeSSi - Network Security Simulator) [9] and in the attacker's behavior model in multistage attack scenario simulation (MASS) [10]. However, agent modeling techniques do not provide a structure in which an attacker obtains specific details about targets and can dynamically change targets and strategies during an attack.
This type of knowledge-based design for attacker modeling makes it possible to flexibly describe cyber attacks, which allows modeling the proactive and reactive behavior of participants in cyber conflict.
In [10,11], simulations were performed to analyze possible cyber attacks that may occur in the network. The paper focuses on modeling the behavior of a cyber attacker so that it is possible to flexibly describe many different types of attackers, while maintaining reasonable realism in the types of attacks that can be performed. Modeling attacker's decision-making processes in terms of reflexive control is more like how an attacker actually thinks. This allows understanding the features that different attackers have in the same network, or how one attacker can affect different types of networks. This flexibility can help to ease the skills and to reduce the time to perform this type of analysis. The main goal is to develop a structure for modeling the attacker's decision-making process, based on both deterministic factors, such as network and knowledge, as well as probabilistic factors. This structure takes into account randomness in the simulation. Although the goal is not to be able to comprehensively model each type of attacker's behavior, but to determine what exactly needs to be modeled to describe the attacker.
Cyber threat analytics is a relatively young industry and is diverse in the types of approaches used to perform predictive cyber attack analysis. These approaches consist of vulnerability assessment and mitigation, analytical approaches such as the use of attack graphs and game theory, and mathematical and simulation modeling of cyber attacks. Each approach has its advantages and disadvantages, and one approach is not necessarily better than another because of the complexity of predicting, primarily human behavior. Currently, mathematical models such as attack graphs, attack ontologies or simulation, game theory models, or multi-agent models are used to analyze the enemy.
The purpose of a network intrusion test is to identify potential vulnerabilities in a network accessible to a potential attacker. Knowing the vulnerabilities of the network, the tester/attacker can use them to further penetrate the network for more information. The intrusion tester will use this information to detect more vulnerabilities until the attackers have exhausted all their options. To do this, a so-called attack graph is developed, which is a set of all possible ways that an attacker can follow in the network. This process has traditionally been performed manually by an attacker or a group of analysts and can be a grueling process. In [12], the process is formalized to automatically generate a comprehensive set of possible attack graphs for a given network. Attack graphs are generated using a description of the network and the attacker's knowledge of that network, followed by a description of a set of states that describe the actual attacks that may occur. In [12], a network of two hosts with an IDS (IDS -Intrusion detection system) and a firewall was modeled. The result was an attack graph of 5,948 nodes with 68,364 edges, which is extremely large for very few types of attacks and unrealistically small network. This method of analysis is not flexible, scalable or easy to use, which is necessary to successfully assess network weaknesses.
Given the size of the network, it should be noted that the number of possible ways of attack can be extremely large. In [13], two methods were proposed to determine which attack graphs are the most critical and which are the most effective. Automatic attack graph generation requires modeling of all possible types of attacks. The paper [13] considered only 4 possible types of attacks. [14] describes the use of attack graphs to generate IDS alert templates to help predict future and ongoing attacks. Using these attack graphs and knowledge of the area of cyber attacks, the probability of achieving attack goals to predict future attacks can be estimated. This method requires that each attack graph be converted to a network, and a cybersecurity expert analyze it to determine the likelihood of a successful cyber attack. This approach has two problems: the first attacks that do not strictly follow the attack plan cannot be modeled, and the probability is based solely on the expert's experience. [13,14] define only the different ways that an attacker can follow, and not whether the attacker will actually implement this attack or not.
In [15], the authors eliminated the uncertainty of attack variation, success and accuracy of sensory warning data by combining attack graphs with Bayesian networks. This has led to the creation of real vulnerability databases, such as the National Vulnerability Database (NVD) and the Common Vulnerability Scoring System (CVSS). Using real data from these databases provides a basis for calculating the probability without the need for expertise for each function.
In [16,17], the generation of a real-time attack graph is estimated to predict the probability of an attacker's next steps based on various security breaches. Based on security breaches, the basic level of attacker's skills can be determined, which can then be used with CVSS to determine the possibility of further steps based on the attacker's position in the network. A common problem of the above works is the development of a base attack graph that describes the attacker's scenario and targets. Using common attack pattern enumeration and classification (CAPEC) from MITRE, attack graphs based on real scenarios are generated in [18,19]. These scenarios are used to obtain more realistic predictions and other attack graphs.
In [12−19], network security is analyzed on the basis of possible attacks that can be implemented in the network in one or more scenarios. In these cases, the scenarios are clearly defined, and different attackers may pursue the same goal, regardless of whether they are successful or not. Understanding the attacker's impact on a network is very important, because in practice not all vulnerabilities can be closed, and it helps to prioritize which vulnerabilities need to be addressed over time. Suppose there is an exploit that can be performed by anyone and that can have a harmful effect on the network. In this case, it should have a higher priority than the exploit, which only 1 % of attackers can perform on a non-critical machine. Publications [15, 17−19] show the use of publicly available data from cyber attack scenarios to create attack paths that were identified as realistic but did not take into account the skills or behavior of the attacker.

Modern cyber attack predicting methods have become more focused on the behavior and decision-making of the attacker during the attack. Publications in scientific periodicals can be divided into two categories. The first category includes publications focused on methods of modeling the behavior of interacting agents. The second includes publications focused on the behavioral aspects of security agents, and more specifically on decision-making processes. Attention to the use of game theory is due to the fact that this theory is the basis for agent modeling in conflict.

Fig. 1 demonstrates the results of the analysis of modern approaches to agent behavior modeling, the main advantages of which are the following: − reflection of the purposefulness of agents' behavior, as well as the agents' ability to formulate their goals in the model; − ability to simulate both the behavior of an individual agent and the interaction between different agents that make up the model; − learning ability of agents.
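The prioritization argument above (an exploit anyone can perform outranks one that only 1 % of attackers can perform on a non-critical machine) can be made concrete by enumerating attack paths per attacker skill level instead of once for the whole network. The following Python sketch is an added example, not code from the paper; the hosts, exploit labels, criticality values and skill shares are all constructed assumptions.

```python
"""Added example: attacker-aware attack-path enumeration and patch ranking.
The network, exploit labels, criticality and skill shares are constructed."""
from collections import defaultdict

# Constructed exploit edges: (from_host, to_host, exploit_label, min_skill 1..3)
EDGES = [
    ("internet", "web", "E1-weak-web-auth", 1),
    ("internet", "vpn", "E2-vpn-bug", 3),
    ("web", "app", "E3-app-deserialisation", 2),
    ("web", "files", "E4-open-share", 1),
    ("vpn", "lab", "E5-lab-service-bug", 3),
    ("app", "db", "E6-db-default-creds", 1),
]
# Constructed business criticality of each asset (1 = low, 10 = crown jewels)
CRITICALITY = {"web": 2, "vpn": 3, "app": 4, "files": 1, "lab": 1, "db": 10}
# Constructed share of the attacker population at each skill level
SKILL_SHARE = {1: 0.80, 2: 0.19, 3: 0.01}


def attack_paths(skill, start="internet"):
    """All simple exploit paths an attacker with the given skill can follow."""
    out = defaultdict(list)
    for src, dst, exploit, need in EDGES:
        if need <= skill:                      # attacker must be able to use it
            out[src].append((dst, exploit))
    paths, stack = [], [(start, [], {start})]
    while stack:
        host, used, seen = stack.pop()
        for dst, exploit in out[host]:
            if dst not in seen:                # simple paths only, no revisits
                step = used + [(exploit, dst)]
                paths.append(step)
                stack.append((dst, step, seen | {dst}))
    return paths


def prioritise():
    """Rank exploits by expected impact: for each skill level, the share of
    attackers at that level times the most critical asset they can reach on
    a path that passes through the exploit."""
    score = defaultdict(float)
    for skill, share in SKILL_SHARE.items():
        worst = defaultdict(int)               # exploit -> worst asset reached
        for path in attack_paths(skill):
            for i, (exploit, _) in enumerate(path):
                reached = max(CRITICALITY[host] for _, host in path[i:])
                worst[exploit] = max(worst[exploit], reached)
        for exploit, impact in worst.items():
            score[exploit] += share * impact
    return sorted(((e, round(s, 3)) for e, s in score.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for skill in SKILL_SHARE:
        print(f"skill {skill}: {len(attack_paths(skill))} attack paths")
    for exploit, value in prioritise():
        print(f"{value:5.2f}  {exploit}")
```

In this constructed network the default-credential flaw on the database needs no skill, yet it ranks below the web flaw because it only becomes reachable after a step that 80 % of the modeled attackers cannot perform; a static graph that ignores attacker type would not show this.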
In [22−24], the authors propose approaches to assess the quality of service based on multifactor analysis and the current state of information security of the organization. However, possible preventive actions based on modeling and evaluating the capabilities of both the attacker and the defense side are not taken into account.
Thus, the analysis of the possibilities of ensuring both the security of the business process contour and the tasks of modeling the behavior of antagonistic agents, showed the following. Along with a large number of works on the security of organization's business processes, the problem of creating a holistic modeling methodology remains unresolved. The implementation of such a methodology in practice will contribute to the sustainable development of security systems of any level, based on modeling the behavioral characteristics of security system agents.
The lack of an appropriate methodology today is due to the contradiction, which is defined as follows. Practice requires the theory to find new approaches to cybersecurity and information security of the business process contour in terms of increasing the number of threats while increasing their technological complexity.

The aim and objectives of the study
The aim of the work is to develop a space-time structure of the methodology for modeling the behavior of antagonistic agents of the security system based on the proposed models, methods and algorithms to determine the critical point of effective investment in security, to effectively resist modern hybrid threats to the elements of the business process contour structure, to increase the organization security level through an effective level of investment in the security system.
To achieve the aim, the following objectives are set: − to identify the features of modeling the behavior of interacting agents of security systems in cyberconflict; − to develop a concept for modeling the behavior of interacting agents; − to develop a space-time structure of the methodology for modeling the behavior of interacting agents; − to verify the proposed methodology by simulation.

Identifying the features of modeling the behavior of interacting agents of security systems in cyberconflict
When developing programs to simulate agent behavior, it is necessary to answer the question of how to model the decision-making processes of agents in the security system.
In computational social science in general and in the field of agent-based social modeling (ABSM), in particular, there is a constant discussion about the best way to simulate human decision-making. The reason for this is that most computational models of the decision-making process are quite simple [25]. As with any good scientific model, when modeling human behavior, the objects being modeled should be analyzed in terms of only those properties that are relevant to the given behavior scenario. Therefore, the question arises: "What is a good (computational) human (and decision-making) model for a particular research issue?" A large number of architectures and models have been developed for ABSM that attempt to represent the human decision-making process. Despite the common goal, each architecture has slightly different goals and, as a result, includes different assumptions and simplifications. Therefore, knowledge of these differences is important when choosing an agent's decision model in ABSM.
To be able to discuss the suitability of different agent architectures for different types of ABSM, it is necessary to answer the questions of which types of ABSM exist and which ones are of interest to the ABSM community.
One of the previous attempts to classify ABSM was made in [26]. The paper identifies five high-level aspects by which ABSM as a whole can be classified, including the extent to which ABSM attempts to include details of specific objectives. The last of these measurements concerns agents (and decision making), comparing ABSM by the complexity of the agents they model. According to Gilbert, this complexity of agents can vary from "product system architectures" (i.e. agents that follow simple IF-THEN rules) to agents with complex cognitive architectures such as SOAR (Security Orchestration, Automation and Response (symbolic cognitive architecture)) or ACT-R (Adaptive Control of Thought - Rational). Considering the suitability of different architectures for different research issues, [27] concludes that simpler agent models come in handy when the goal is to predict the behavior of the organization as a whole, whereas accurate representations require complex and more cognitively accurate architectures to predict behavior at the level of individuals or small groups.
In [28], three categories of models are proposed: − physical models that assume that people respond mutually to current (and/or past) interactions; − economic models that assume that people respond to their future expectations and make decisions in a selfish way; − sociological models that assume that people respond to their own and others' expectations (as well as to their past experiences).
In the classification [28], simple agent architectures, such as rule-based production systems, are best suited for physical models, and the complexity and capabilities of agents will need to increase in the transition to sociological models. In these sociological models, the emphasis on modeling social (human) interaction may require the agent to perceive the social network he or she is embedded in, or even the requirements for more complex social concepts.
Summing up, two main dimensions should be identified that are useful for distinguishing between agent architectures: − cognitive level of agents, i.e. they are purely reactive or inspired psychologically or neurologically (to model person's decision-making as accurately as possible); − social level of agents, i.e. the degree to which they are able to distinguish between social network relationships (and status), what levels of communication they are capable of, whether they have a theory of thinking or to what extent they are able to perceive complex social concepts.
Another way to classify ABSM in terms of applications is given in [29]. Examples of application areas include: emergence and collective behavior, development, learning, norms, markets, institutional design and (social) networks.
Other candidates for distinguishing agent architectures are: − agents' ability to think about (social) norms, institutions and organizational structures; what impact norms, policies, institutions and organizational structures have on system performance at the macro level; and how to design regulatory structures that support the goals of the system developer (or other stakeholders); − agents' ability to learn and, if so, at what level they can learn; for example, whether agents are able to learn only the best values of their decision-making functions and whether they can learn new decision-making rules.
So, two more dimensions should be added: norm and learning.
The last dimension proposed by researchers is the affective level that the agent is able to express. Most of the categories found are similar [29]. They also include emotions as an area of research.
Summing up, five main dimensions can be identified to classify the operation of ABSM in general and, therefore, to determine the agents architecture, which are shown in Fig. 2. Fig. 3 shows the basic ABSM architectures, relevant models and application levels.

Fig. 2. Main dimensions of ABSM classification (surviving panel text, norm dimension: "To what extent do architectures allow the modeling of agents who are able to reason explicitly about formal and social norms, as well as about the emergence and spread of the latter?")
Production rule systems are symbolic systems [31], which consist of a set of behavioral "IF-THEN rules" [30], and are an information processing architecture based on pattern matching.
The main components that make up production rule systems and determine which actions are selected by the agent on the basis of input data (the so-called direct recognition cycle [32]) are shown in Fig. 3.
Advantages: − simplicity in terms of understanding the relationship between rules and their results; − availability of convenient graphical tools for presenting decision-making processes (for example, decision trees). Disadvantages: − incomplete adequacy for modeling human behavior; − agents of production rule systems are generally incapable of affective behavior, understanding and responding to norms, considering social structures (including communication), or learning new rules or updating existing ones; − ability to model the agent's behavior only due to the great complexity and use of many rules; − increase the likelihood of conflicts between the rules as their number increases; − long computing time under a large number of decision-making rules.
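The recognition cycle and the rule-conflict disadvantage listed above can be seen in a few lines of Python. This is an added example, not code from the paper: a defender agent with a rule set Ci → Ai, a working memory of facts and a rule interpreter; the rule names, facts, actions and the conflict-resolution strategy (most specific condition first, then priority) are constructed assumptions.

```python
"""Added example: a minimal production-rule (IF-THEN) defender agent with a
recognise-act cycle and explicit conflict detection. Rules, facts and actions
are constructed for illustration."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Rule:
    name: str
    condition: frozenset   # Ci: facts that must all be in working memory
    action: str            # Ai: action proposed when Ci matches
    priority: int = 0


# Constructed pairs of actions that cannot both be applied in one cycle
EXCLUSIVE = {
    frozenset({"isolate_host", "keep_online_and_monitor"}),
    frozenset({"isolate_host", "snapshot_then_reboot"}),
}

RULES = [
    Rule("R1", frozenset({"malware_alert"}), "isolate_host", 5),
    Rule("R2", frozenset({"host_is_critical"}), "keep_online_and_monitor", 3),
    Rule("R3", frozenset({"malware_alert", "host_is_critical"}),
         "snapshot_then_reboot", 4),
    Rule("R4", frozenset({"failed_logins"}), "lock_account", 2),
]


def match(rules, memory):
    """Recognise phase: every rule whose condition is satisfied by memory."""
    return [r for r in rules if r.condition <= memory]


def conflicts(fired):
    """Pairs of matched rules that propose mutually exclusive actions."""
    return [(a.name, b.name) for a, b in combinations(fired, 2)
            if frozenset({a.action, b.action}) in EXCLUSIVE]


def resolve(fired):
    """Conflict resolution: most specific condition first, then priority;
    a rule is dropped if its action excludes one already chosen."""
    chosen = []
    ordered = sorted(fired, key=lambda r: (-len(r.condition), -r.priority))
    for rule in ordered:
        if all(frozenset({rule.action, c.action}) not in EXCLUSIVE
               for c in chosen):
            chosen.append(rule)
    return [r.action for r in chosen]


def cycle(memory, rules=RULES):
    """One recognise-act cycle: returns (actions taken, conflicts detected)."""
    fired = match(rules, frozenset(memory))
    return resolve(fired), conflicts(fired)


def potential_conflicts(rules):
    """Conditions here are positive facts only, so any two rules can fire
    together; every exclusive-action pair is therefore a latent conflict."""
    return len(conflicts(rules))


if __name__ == "__main__":
    print(cycle({"malware_alert"}))
    print(cycle({"malware_alert", "host_is_critical", "failed_logins"}))
    for n in range(2, len(RULES) + 1):
        print(n, "rules ->", potential_conflicts(RULES[:n]), "latent conflicts")
```

The agent's behaviour on the second input depends entirely on the resolution strategy chosen by the modeler, which is the adequacy problem the list of disadvantages points to.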
[Fig. 3. Basic levels of ABSM models. Panels: systems of production rules (direct recognition architecture: set of rules Ci → Ai, knowledge databases, rule interpreter); "Belief-Desire-Intention" (BDI) model, where belief is the assimilated information the agent has about the operating environment, desire is every state of affairs the agent would like to bring about, and intention is a commitment to certain courses of action to achieve a specific goal; emotional BDI (eBDI); architecture of procedural thinking (PRS); normative models (architecture of an intentional regulatory agent); application levels: cognitive, affective, social, regulatory, and training.]

The Belief-Desire-Intention (BDI) and emotional BDI (eBDI) models are among the most popular models for agent decision-making in the agent environment. The model is especially popular for building reasoning systems for complex problems in dynamic environments [34]. In contrast to the production rule system, the basic idea of BDI (Belief-Desire-Intention) is that agents' mental state is the basis for their reasoning. As the name implies, the BDI model is centered around three mental attitudes, namely beliefs, desires, and especially intentions [35,36]. Table 1 shows the advantages and disadvantages of the BDI model depending on the purpose (modeling) [37−40].

Table 1
Advantages and disadvantages of the BDI model depending on the purpose

Normative models [41]. In BDI, agents act by changing a set of beliefs and establishing a desire to achieve a certain state of affairs (for which agents then choose specific intentions in the form of plans they want to carry out). Agents' behavior is driven solely by their intrinsic motivators, such as beliefs and desires. The advantage of normative models was the use of an additional element that influenced the agent's reasoning. Unlike beliefs and desires, this element was external to the agent, and it took into account the behavioral norms established in the environment in which the agent was. Therefore, such elements were considered as external motivators, and agents in the system were called agents regulated by the relevant norms.
Intentional normative agents focus on the idea that social norms should be involved in the agent's decision-making process [42]. That is, autonomous agents should be able to reason, communicate, and negotiate norms, including deciding whether to violate social norms if they are unfavorable to commercial agents.
The advantages of this model are: − ability to represent social norms not just as constraints and external fixed rules in the agent architecture [43], but also as mental objects. These objects have their own mental representation and interact with other mental objects (i.e. beliefs and desires) and the agent's plans [44]; − allocation of separate levels of the agent architecture. The first level is the interaction management level, which controls the agent's interaction with other agents (through communication), as well as the overall environment. The second level is the information service level, which stores the agent's information about the environment (information about the world), about other agents and about the agent society as a whole. The third level includes the process management level, where information is processed and decisions are justified.
This allows, on the one hand, considering the relevant processes as relatively independent, and on the other, as different manifestations of one general process of agent behavior; − ability to display semantic differences between different types of information (three levels of information: one object level and two metalevels). The object level includes information that the agent believes in. The first metalevel contains information on how to process input information based on its context. Meta-information determines how an agent's internal processes can be changed and under what circumstances.
The disadvantages are as follows: − emergence of an additional level of complexity due to the fact that the norms learned by the agent can affect both the generation and the choice of intentions.
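The difference between a plain BDI agent and an intentional normative agent, including the decision to violate a norm and the extra complexity this adds to intention selection, is shown in the following Python sketch. It is an added example, not code from the paper: the plans, beliefs, the norm and all utility and penalty values are constructed assumptions, and the deliberation step is deliberately reduced to one choice per desire.

```python
"""Added example: one deliberation step of a BDI defender agent whose options
are weighed against an external norm. All names and numbers are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Plan:
    name: str
    achieves: str          # desire this plan serves
    utility: float         # agent's own (internal) estimate of benefit
    breaks: tuple = ()     # names of norms the plan would violate


@dataclass(frozen=True)
class Norm:
    name: str
    applies_if: str        # belief that activates the norm
    penalty: float         # cost the environment imposes for a violation


PLANS = [
    Plan("isolate_db_server", "contain_intrusion", 9.0,
         breaks=("no_unapproved_outage",)),
    Plan("block_source_ip", "contain_intrusion", 5.0),
    Plan("collect_memory_image", "preserve_evidence", 4.0),
]
NORMS = [Norm("no_unapproved_outage", "business_hours", 6.0)]


@dataclass
class Agent:
    norms: list = field(default_factory=list)   # external motivators
    beliefs: set = field(default_factory=set)
    intentions: list = field(default_factory=list)

    def perceive(self, percepts):
        """Belief revision, reduced here to adding new facts."""
        self.beliefs |= set(percepts)

    def desires(self):
        """Desires follow from beliefs (internal motivators)."""
        if "intrusion_detected" in self.beliefs:
            return ["contain_intrusion", "preserve_evidence"]
        return []

    def net_value(self, plan):
        """Utility minus penalties of the active norms the plan would break."""
        active = [n for n in self.norms
                  if n.name in plan.breaks and n.applies_if in self.beliefs]
        return plan.utility - sum(n.penalty for n in active), \
            [n.name for n in active]

    def deliberate(self):
        """Commit to the best plan per desire; keep a record of any norm
        the agent knowingly decides to violate."""
        self.intentions = []
        for desire in self.desires():
            options = [p for p in PLANS if p.achieves == desire]
            best = max(options, key=lambda p: self.net_value(p)[0])
            self.intentions.append((best.name, self.net_value(best)[1]))
        return self.intentions


def decide(percepts, norms):
    agent = Agent(norms=list(norms))
    agent.perceive(percepts)
    return agent.deliberate()


if __name__ == "__main__":
    seen = {"intrusion_detected", "business_hours"}
    print("plain BDI      :", decide(seen, []))
    print("norm, penalty 6:", decide(seen, NORMS))
    weak = [Norm("no_unapproved_outage", "business_hours", 2.0)]
    print("norm, penalty 2:", decide(seen, weak))
```

With the same beliefs and desires, the chosen intention changes only because of the external norm, and with a weak penalty the agent violates the norm knowingly and the violation is recorded alongside the intention.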
Cognitive models [45] and social modeling models, although they often pursue the same goal (represent the behavior of decision-makers), tend to have a different idea of what is a good model for human decision-making.
As a disadvantage, it is noted that social modeling researchers often focus only on agent models specially adapted to the task, which limits the realism and applicability of social modeling.
The advantages of this class of models are clearly manifested in the form of the results of cognitive processes, namely the construction of so-called cognitive maps: − clarity of factors influencing the decision-making process; − clarity of connections between factors (not only qualitative, but also quantitative); − ability to conduct so-called cognitive modeling, changing the weight of a factor that affects the final decision.
Psychological and neurological models are often referred to as cognitive architectures. However, because they have a different focus than the "cognitive architectures" that were mentioned, they are allocated to a separate group. The main difference and advantage is that their architectures take into account the expected structural properties of the human brain.
Model human processor (MHP) [46,47] is based on the synthesis of cognitive science and human-computer interaction. The advantage of the Model Human Processor is that it includes detailed specifications of the duration of actions and cognitive processing and breaks down complex actions into detailed small steps that can be analyzed. This allows system developers to predict the time it takes for a person to complete a task, avoiding the need to experiment with the people involved.
The advantages of the CLARION [48] architecture are as follows: − use of hybrid neural networks for modeling problems in cognitive and social psychology, as well as for implementing intelligent artificial intelligence systems. This makes it relatively easy to implement architectures of this class on any artificial neural network platforms; − presence of a built-in motivational structure and metacognitive structures; − presence of two dichotomies: explicit and implicit representation, focused on action rather than representation; − combining training from top to bottom and from bottom to top; − inclusion of a number of functional subsystems that significantly expand both the scope of the architecture and the set of processes to be modeled. The main of these subsystems are as follows. The action-oriented subsystem that controls all actions. The action base subsystem supports knowledge, both explicit and implicit. The motivational subsystem provides the main motivation for perception, action and cognition. The metacognitive subsystem dynamically monitors and manages the operations of all subsystems.
Thus, the CLARION architecture combines reactive procedures, general rules, training and decision-making to develop universal agents that learn under specific conditions and summarize the knowledge gained in different environments.
SOAR [49] is a symbolic cognitive architecture that implements decision-making as purposeful behavior, which includes searching in the problem space and studying the results.
The advantages of this architecture are: − consideration of decision-making processes as a combination of search in the problem space and study of the obtained results (i.e. feedback systems); − combination of results of studying human behavior (descriptive models) and results of artificial intelligence (prescriptive models); − use of two memory types in the system architecture: symbolic long-term memory (production rules) and short-term (working) memory (graph structure to allow the representation of objects with properties and relationships); − ability to apply the rules in parallel, extracting several pieces of knowledge simultaneously; − availability of additional context-sensitive knowledge for the decision-making process; − distribution of operators according to several rules, which allows flexible presentation of knowledge about operators, as well as constant updating of knowledge structures for operators, allowing operators to be redefined if required by circumstances [50,51].
These models can be used at different levels of application, as shown in Fig. 3. For a more detailed description of the application levels of the models, see [52][53][54][55].

Development of the concept of modeling the interacting agents behavior
To predict the possible behavior of the attacker, justify the choice of countermeasures for cyber threats at the systemic level and calculate the required amount of investment in cybersecurity with an appropriate distribution of areas and time of investment, a concept of modeling the behavior of security agents is proposed, which is implemented at three levels (level of security system, level of individual agents, level of agents group) and is aimed at ensuring the security of organization's business processes, which allows creating a business process contour of the security system (Fig. 4).
The following notation was used to formally describe the model basis of the concept of modeling the behavior of security agents.
For the ontology model: $C$ - set, the elements of which are called concepts; $H^C$ - hierarchy of concepts; $R$ - set, the elements of which are called relations; $\mathrm{rel}: R \to C \times C$ - function that correlates concepts not taxonomically; $\mathrm{dom}: R \to C$ - function that specifies the subject area R, and
For the decision-making and training model: $w$ - specific situation; $W$ - set of all possible situations; $DM_i$ - decision made by the i-th agent.
For the self-organization model: $\Sigma$ - system structure; $\Phi$ - system function; $R_w$ - emergence relations; $G$ - set of goals; $A$ - adaptability relations; $P$ - set of memory elements; $\Theta$ - set of time points.
The following definitions are introduced:
- definition 1. Critical business processes - processes whose improper organization or non-compliance with the requirements for their implementation may pose an actual or potential threat to product quality and, consequently, to business efficiency;
- definition 2. Organization's business process contour - a set of information resources and related business processes, the implementation of which in a given sequence ensures the achievement of the organization's goal where $S_{BP}$ - business process contour as a set of business processes, each of which represents: $S_{BP_i}$ - i-th business process, defined by the structure of the links of individual business operations performed in a certain sequence; $IR_{BP_i}$ - set of information resources of the i-th business process; $T_{BP_i}$ - set of threats affecting the i-th business process;
- definition 3. Business process contour of the security system - a set of business processes and the resources necessary for them, the implementation of which ensures the proper functioning of the organization's business process contour: where $S_{BP}$ - business process contour of the security system as a set of business processes, each of which represents: $S_{BS_i}$ - i-th business process, defined by the structure of the links of individual business operations performed in a certain sequence in the security system; $IR_{BS_i}$ - set of information resources protected by the i-th business process of the security system; $T_{BS_i}$ - set of threats, protection from which provides the i-th business process of the security system.
The business process contour of the security system combines business processes: security management, security assurance, implementation, planning, testing and improvement.
At the first level of the Concept, the proposed ontological model is used as a carrier of knowledge about conflict-cooperative interactions of security system agents. The formalized ontology model is proposed as follows: where $C$ - set, the elements of which are called concepts; $H^C$ - hierarchy of concepts, at ; $R$ - set, the elements of which are called relations, $C$ and $R$ do not intersect; $\mathrm{rel}: R \to C \times C$ - function that correlates concepts not taxonomically; $A^O$ - set of ontology axioms, expressed in the corresponding logical language.
The analysis of the classifier of existing threats, which is proposed in [56], allowed us to formulate the relationship between hybridity and synergy of threats depending on their type and direction. The threat classifier introduces a platform of cost indicators of attacks, which allows assessing threats in terms of their economic efficiency and counteraction. The scale of measuring the cost of losses for expert evaluation is proposed in the form: {insignificant, low, medium, high, critical}. Let us mark: i - current threat number
The average experts' estimate of the cost of losses for all threats for a certain business process contour for defenders, and the cost of the whole set of attacks for attackers can be written as follows:
At the third level of the Concept, the previous level models are used to build group behavior models, namely coordination, adaptation and self-organization models:
Thus, the concept of modeling the behavior of interacting agents is developed, the basis of which is a three-level structure of modeling subjects and business processes of the organization and security system contours. The proposed concept differs from the existing ones by using a synergistic threat model in the formation of areas for protecting information resources of the business process contour.

Development of space-time structure of the methodology for modeling the behavior of interacting agents
Based on the purpose of the methodology, it should reflect behavioral processes from two sides. On the one hand, it should display the processes related to the behavior and characteristics of an individual security agent; on the other hand, the behaviors and processes that arise as a result of the joint functioning of agents. It is necessary to pay attention to modeling the environment of agents, because such an environment is a carrier of system-forming functions that significantly affect the behavior of a party to the conflict and their characteristics.
Within the framework of the proposed concept, a sequence of developing models, methods and algorithms that make it up is formed. The process of building the methodology consists of 5 stages.
where $K_i^A$ - rating coefficient (importance) of implementing the threat to the i-th information resource; $K_j^D$ - rating coefficient (importance) of building protection of the j-th information resource.
Below are the corresponding sets of models, methods and algorithms that form a particular level of methodology, with a brief description of the content of this level. It is clear that all the processes that take place in the business process contours, the security of which is provided by security agents, are significantly affected by threats aimed at disrupting the normal functioning of business processes. Threats are implemented through attacks on all components of security, namely, cybersecurity, information security and security of information. As a result, the analysis of business process contours as the main target of the threats directed at them should begin with the analysis of threats, the set of which is reflected by the classifier with the relevant indicators. The compliance of the threat classifier with all models, methods and algorithms of the methodology determines and guarantees the effectiveness of the methodology for modeling the behavior of security agents in general. Thus, the analysis of the business process contour should begin with the analysis and improvement of the threat classifier. In addition to the existing platforms 1-4, a new platform has been added to the threat classifier - a platform of attack cost indicators. This allows assessing threats in terms of their economic efficiency and counteraction. The improved classifier of threats to the security of information resources, in contrast to the existing ones, contains cost indicators of threat implementation and counteraction. The improved classifier also allows assessing the likelihood of a threat and developing an effective defense strategy (Fig. 5).
Marks in Fig. 5 have the following meaning: - for the ontology model: $C$ - set, the elements of which are called concepts; $H^C$ - hierarchy of concepts; $R$ - set, the elements of which are called relations; $\mathrm{rel}: R \to C \times C$ - function that correlates concepts not taxonomically; $\mathrm{dom}: R \to C$ - function that specifies the subject area R, and
The resulting model of the first level of the methodology is a model of the ontology of relationships between the agents of the parties to the cyber conflict, which can be considered as a carrier of knowledge about the subject area. To build the model, the approach of automated ontology construction based on various scientific sources (planar texts) TextToOnto was used. The ontology model of agent behavior in the conflict conditions contains basic concepts of interaction processes of security system agents, and also concepts reflecting the interaction of counteraction agents, instead of technical parties of a cyber conflict. This orientation of the ontology model allows justifying the choice of a behavior model of antagonistic agents in the conditions of hybrid threats.
At the level of individual agents, the basic model is a model of a reflexive agent (Fig. 6). The main assumption of building a model is the assumption that the decision maker is considered as an information channel. In this case, the main indicators of its functioning can be obtained using information theory. These include bandwidth, generation, blocking and coordination of information. These indicators can be used for both an individual agent and a group of agents. The basic function of a security agent is the decision function. These decisions can concern both the process of assessing the situation and determining the type of threats, and determining countermeasures. The basic decision-making model proposed at this level by an individual agent implements the decision-making process in two stages. Each of these stages (assessment of the situation and choice of countermeasures) involves the coordination of the formed estimate with the estimates of other decision-makers. The presence of the processes of information exchange at all stages of decision-making with other cooperating agents in the dynamic behavior model of an individual agent, in contrast to existing models, is a significant difference. Taking into account this feature of decision-making behavior significantly affects the effectiveness of business process contour protection from cyber attacks in the conditions of hybrid threats. Such an exchange can be considered as a basis for forming group behavior scenarios.
The second feature of the model is the ability to assign a level of reflection, which allows the counteraction party to build a model of possible behavior of the counteraction party to the conflict. Thus, a zero level of reflection indicates that the security agent has no information about the agent environment of counteraction. Whereas the first level of reflection indicates that the agent has an idea of functioning in the environment of other agents. The second level indicates that the opposite side of the conflict is also reflexive, i.e. has a model of behavior of the opposite side, and so on. The recursive model of the reflexive agent contains models of the attacker behavior and allows modeling the probable actions of attackers, and thus predicting the consequences of decisions made by the defense. Analysis of the reflexive abilities of agents shows that it is impractical to implement reflection above the 2nd level.
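The recursion of reflection levels described above can be written as a level-k best-response model; the following is an added example, not code from the paper. It assumes that the defender guards exactly one resource, that the attacker's payoff is resource value minus attack cost, and that the resource table (names, values, costs) is constructed sample data.

```python
"""Level-k ("reflexive") attacker/defender model over a small resource table."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    name: str
    value: int        # defender's loss and attacker's gain if breached (assumed)
    attack_cost: int  # attacker's cost of attacking this resource (assumed)


# Constructed sample data, not taken from the paper.
RESOURCES = (
    Resource("payments", value=100, attack_cost=70),
    Resource("crm", value=60, attack_cost=10),
    Resource("hr", value=40, attack_cost=5),
)


def _check(level):
    if not isinstance(level, int) or level < 0:
        raise ValueError("reflection level must be a non-negative integer")


def attacker_choice(level, resources=RESOURCES):
    """Target of an attacker with the given reflection level.

    Level 0 has no model of the defender and maximises value - cost.
    Level k assumes a level k-1 defender and avoids the guarded resource.
    """
    _check(level)
    if level == 0:
        candidates = list(resources)
    else:
        guarded = defender_choice(level - 1, resources)
        # Fall back to all resources if the only resource is the guarded one.
        candidates = [r for r in resources if r != guarded] or list(resources)
    return max(candidates, key=lambda r: r.value - r.attack_cost)


def defender_choice(level, resources=RESOURCES):
    """Resource guarded by a defender with the given reflection level.

    Level 0 has no model of the attacker and guards the most valuable
    resource. Level k guards whatever a level k-1 attacker would target.
    """
    _check(level)
    if level == 0:
        return max(resources, key=lambda r: r.value)
    return attacker_choice(level - 1, resources)


def defender_loss(def_level, att_level, resources=RESOURCES):
    """Loss when a level-def_level defender meets a level-att_level attacker."""
    guarded = defender_choice(def_level, resources)
    target = attacker_choice(att_level, resources)
    return 0 if guarded == target else target.value


def loss_table(max_level=2, resources=RESOURCES):
    """Loss for every (defender level, attacker level) pair up to max_level."""
    levels = range(max_level + 1)
    return {(d, a): defender_loss(d, a, resources) for d in levels for a in levels}


def best_defender_level(beliefs, resources=RESOURCES, max_level=2):
    """Reflection level with the lowest expected loss.

    beliefs maps an attacker reflection level to a non-negative weight,
    i.e. the defender's estimate of how the opponent reasons.
    Returns (level, expected_loss); ties go to the lower level.
    """
    total = sum(beliefs.values())
    if total <= 0:
        raise ValueError("beliefs must carry positive total weight")

    def expected(d):
        return sum(w * defender_loss(d, a, resources)
                   for a, w in beliefs.items()) / total

    level = min(range(max_level + 1), key=expected)
    return level, expected(level)


if __name__ == "__main__":
    for (d, a), loss in sorted(loss_table(3).items()):
        print(f"defender level {d} vs attacker level {a}: loss {loss}")
    print(best_defender_level({0: 5, 1: 3, 2: 2}, max_level=3))
```

With this table a level-3 defender guards a resource that a level-0 attacker never targets, so reflecting deeper than the opponent actually does misplaces the protection.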
The second feature of the model of an individual security agent is the ability to take into account learning processes when countering cyber threats. The learning processes also reflect the reflexive properties of agents. In traditional learning models, it is possible to accumulate information about changes in the behavior of the opposite side of the conflict and to make predictions about the actions of the opposite side of the conflict. That is, one's own behavior is carried out within the framework of formal decision-making theory as a game against passive nature. And training in the face of the active side of the conflict takes into account that the enemy is an active agent, has its own goals and responds based on their own goals and taking into account the previous actions of the enemy. That is, the opposite side is active and also implements the learning process, i.e. the choice of reaction should be analyzed on the basis of game theory and taking into account the reflexive abilities of the agent.
Thus, at the level of individual agents, models of training of reflexive agents are proposed, which differ from traditional training models in that they take into account changes in the behavior of agents of the environment. To assess the quality of training and the dynamics of processes, the following indicators are proposed: the rate of changes in agent decisions, the rate of changes, the retention rate, and the generalized volatility ratio. The proposed coefficients show how long the agent will adhere to the decision, the agent's willingness to review the previous decision and his ability to respond quickly to changes in the environment of counteraction.
In contrast to the existing ones, the proposed model of agent training takes into account the multi-agent operating environment, which allows adapting agent behavior in a dynamic environment. In other words, when training, the agent takes into account the fact that he is in the process of counteraction with an active opponent. An active opponent may have his own goals, is characterized by an appropriate level of rationality, and has the ability to learn.
To develop models of the third level of methodology, the behavior model of an individual agent is modified to take into account the dynamics of processes and interactions of individual agents. That is, the agent's reaction is formed not only under the influence of the obtained results of the situation analysis, but also taking into account similar decisions made by agents of the dynamic environment (Fig. 7).
In Fig. 7, the following notation is used: $W=\{w_i\}$ - set of counteraction states (information about cyber attacks); $A=\{a_i\}$ - set of actions that an agent can perform; $Z=\{z_j\}$ - set of states in which the agent may be; ( ) - local output function.
The level of the agent group should include various methods of coordination in the groups of security agents. Different methods of coordinating agent behavior are explained by the fact that the method takes into account the level of agent reflexivity. Thus, the method of coordination without communication reflects the fact that the agent has the 0th level of reflexivity, i.e. it is an agent that in no way takes into account the functioning of such agents. The method of coordination with abstraction, on the contrary, is used in the case when the agent builds a model of the opponent's behavior, which in turn also has a model of the opponent's behavior. The use of different methods of coordination allows organizing cooperation between security agents to ensure cybersecurity in a fairly wide range of operating conditions.
The application of the proposed characteristics to assess the effectiveness of the agent functioning can be demonstrated by the example of two structures of agent interaction. The first structure is parallel, when agents work together, possibly independently, coordinating their actions independently.
In the second structure, one of the agents coordinates the work of the other two agents. Knowledge of the specific characteristics of agents, in particular their effectiveness in making decisions and coordinating work, will allow concluding which of the structures is more effective in terms of productivity of a group of agents.
The method of assessing the effectiveness of the structure of interaction of a group of security agents allows justifying the choice of the interaction structure, as well as distributing the functions of protection of business process resources, which provides increased security of the business process contour. In contrast to the existing ones, the proposed method considers the agent as a processor of information with appropriate characteristics and is based on information processing processes and relevant characteristics of the effectiveness of the security system.
The final self-organization model combines models of the structure and functions of the security system, the relationship of emergence and adaptability, as well as sets of goals, memory elements, time points and input influences. The self-organization model provides the construction of a robust security system in the conditions of synergetic and hybrid threats, is based on the synergy of advanced models, and provides emergent properties of business processes in the security loop. The ability to aggregate models that focus on hybrid and synergistic threats significantly distinguishes it from known similar models (Fig. 8).
In Fig. 8, the following notation was used for the self-organization model: $\Sigma$ - system structure; $\Phi$ - system function; $R_w$ - emergence relations; $G$ - set of goals; $A$ - adaptive relations; $P$ - set of memory elements; $\Theta$ - set of time points.
The main purpose of developing a methodology for modeling agent behavior is to increase the level of security of the organization's business process contour. This is done by obtaining an estimate of the likelihood of an attack on business processes and information resources that ensure their functioning. The proposed algorithm for assessing the economic effectiveness of threats and countering them allows identifying the most likely threats aimed at violating the security of information resources. As a result, it is necessary to economically justify the distribution of limited funds between different information resources and business processes that require protection. The proposed algorithm for determining the most likely threat allows organizing an effective allocation of limited funds to protect the resources of the business process contour. This is done on the basis of using the results of modeling the behavior of cooperative-antagonistic agents, to determine and assess the likelihood of a threat. The model of determining the most probable threat allows organizing an effective allocation of limited funds to protect the resources of the business process contour based on the results of modeling the behavior of cooperative-antagonistic agents to determine and calculate the probability of threats. The proposed evaluation algorithm takes into account possible decisions on the attack and countering it, made by all parties to the cyber conflict in conditions of synergistic and hybrid threats. That is, taking into account the decisions of all parties to the conflict, which have reflexive properties and reflect the cost of resources to be protected, and the cost of the attack, is a significant feature of the proposed algorithm. As a result, the algorithm allows identifying the range of resources against which cyber attacks are most likely to be carried out (Fig. 9). The security assessment method is based on the assumption that the security assessment is described by Gaussian law.

[Figure: Modification of the model of a single agent]
[Figure panels: Parallel structure of agents' functioning; Hierarchical structure of agents' functioning]

The proposed methodology is based on the combined use of all the above set of models, methods and algorithms. It can be argued that the combined use of models, methods and algorithms leads to a synergistic effect in the modeling process. The methodology allows predicting the possible behavior of the attacker, justifying the choice of cyber threat countermeasures at the system level and calculating the required amount of investment in cybersecurity with an appropriate distribution of security components and investment time. A graphical representation of the levels of representation of models, methods and algorithms as components of the methodology for modeling agent behavior is shown in Fig. 10.
Thus, the proposed methodology for modeling the behavior of interacting agents, the basis of which is a three-level structure of modeling subjects and business processes of security systems and organizations, increases the level of security of business processes by reducing the number of hybrid threats by 1.76 times, which reduces losses by 1.65 times and increases the time to choose counteraction means by reducing the time to identify the threat online by 38%.

Verification of the proposed methodology by simulation
To verify the behavior models developed within the proposed modeling methodology, different conditions were used to conduct and counter attacks on the business process contour. Simulation was performed for business processes of banking, as one of the systems that, on the one hand, is the most attractive for attacks, and on the other hand, has detailed business processes for the main functions of the system.

 
The conditions that determine the so-called basic run were considered as the basis for simulation. These conditions imply, first of all, equal capabilities of attackers and defenders and a certain basic value of the time to switch to another attack vector. The conditions for each scenario were formed on the basis of the basic run, information asymmetry of the defender/attacker's capabilities and the values of the security vector. These three conditions were chosen for the following reasons.
First, the baseline scenario shows the behavior of the system when the capabilities of the parties and the values of the attack vectors are equal. This allows for the implementation of "weakest link" (WL), as well as "wait and see" (WAS) strategies in both conditions of certainty and uncertainty in decision-making.
Second, the capabilities of defenders and attackers determine how likely attackers are to use attack vectors as part of the WL strategy, and how likely defenders are to respond to violations based on the WAS strategy. If the attacker has higher resources than the defender, he will be able to implement attacks using different vectors. On the other hand, higher capabilities of defenders mean that defenders will be able to block all incoming attacks. This means no response to violations (since they are never implemented) and, consequently, no use of the WAS strategy.
Finally, the asymmetry in the value of attack vectors makes the analysis more realistic, because in reality security vectors have different values of weights that determine the value of the resource that the attack is aimed at. Therefore, violations on a vector with a large weight can lead to greater or lesser damage to the defender's performance, depending on the value of such a vector.
The scenario space is a set of alternative conditions in relation to the conditions of the baseline run. This space includes baseline scenario conditions, asymmetric possibilities and values of the asymmetric vector relative to the baseline scenario with an uncertainty equal to zero and three levels of uncertainty classified as low, medium and high uncertainty.
The business process contours of the bank's strategic management system, the bank's business process management system, the bank's personnel management system and organizational structure, the bank's quality management system, the project management system, the risk management system and the marketing management system were considered as objects of bank system protection.
The description of the main variables used in simulation models of behavior scenarios of agents of business process contours and restrictions of the proposed models are given in [60]. A detailed description of the set of scenarios that were modeled within the proposed methodology is given in [61].
The financial costs of organizing the protection of critical infrastructure from both conventional and hybrid attacks can be significantly reduced as follows. First, in preventing errors in organizing cyber attack countermeasures, and secondly, in detecting errors when choosing the inadequate attack counteraction method and the behavior of the counteraction party in the stages preceding the implementation of the attack. The resulting goal setting should focus on finding adequate patterns of behavior of conflicting agents in the face of a possible cyber conflict, without waiting for its implementation.
Simulation of a set of scenarios of security agents' behavior was performed using the PowerSim visual system modeling environment.
The run of the baseline scenario shows that the attacks are successful, starting with vector A, as shown by the initial period (Fig. 11). However, attackers switch to the next weakest link, when the defender corrects security flaws, and the attacker receives information about the most successful attacks.
The purpose of the asymmetric capability scenario is to show the behavior of agents when one of the opponents has more resources than the other, and what is the impact of this behavior on successful attacks and financial results of both parties. The following assumptions are considered in the asymmetric capability scenario: − defenders' capabilities − 1,000 units; − attackers' capabilities − 100±20; − values of the security vectors are the same and equal to one.
In further modeling and analysis of the behavior of interacting agents, we take into account that successfully repelling an attack requires much more capabilities than organizing and conducting it. For the parameters used in the behavior scenario modeling process, this ratio is approximately 10 to 1.
In the case of successful attacks, if the capabilities of defenders far exceed the capabilities of attackers, successful attacks do not occur. On the contrary, when the capabilities of attackers exceed a certain level corresponding to the limit level of possible reflection by defenders, attackers will constantly use all attack vectors.
Of particular interest is the behavior of interacting agents when crossing the specified ratio of attackers' and defenders' means.
When the ratio of attackers-defenders' capabilities is 125:1,000, the attackers' capabilities are enough to carry out successful attacks on all vectors. At the same time, switching between attack vectors is quite intense, which does not allow the defense to react in a timely manner, identify and ensure protection of the weakest link (Fig. 12). The point of intersection of financial indicators of defenders and attackers can be interpreted as the critical point of the breakdown of the security system. It corresponds to a state of counteraction, when the financial performance of defenders begins to decline sharply at a time when the profit of the attacking party, although slowly, increases. In other words, the capabilities of defenders are not enough to protect any resource of the business process contour.
With increased defense capabilities, it becomes possible to protect more and more resources. Fig. 13 demonstrates the emergence of a critical point of recovery of the protection system, when the financial performance of the security system begins to exceed the performance of the attacker and show a steady upward trend. Fig. 14-16 clearly demonstrate the dynamics of the ratio of financial indicators of counteraction parties. As the defense's capabilities increase, the period of time when successful attacks are carried out becomes smaller. And at a certain ratio there comes a turning point, when defenders are able to repel more and more attacks, and this moment comes earlier (Fig. 14-16).
The obtained ratios allow estimating the required level of investment in cyber defense to partially or completely block attacks on the system. It can be assumed that the obtained ratios (when adjusting the model to the specific conditions of cyber attacks) can be used to assess the capabilities of the attacker, based on the available means of protection and the dynamics of repelling attacks.
The proposed methodology with the given space-time structure allows increasing the level of security of the business process contour by reducing the number of hybrid threats. Defenders make investment decisions based on evidence of successful attacks. This means that attacks must be stopped after a while, either because they have been repelled, or attempts are being made to find another vulnerability in the security system (Fig. 17).
The main purpose of the scenario of increasing the time of switching between attacks is to increase the time of switching to another attack vector. Therefore, the defender "stores" reports of successful attacks for a longer time to extract more information from them and, as a result, reduce the uncertainty associated with future attacks (Fig. 18). Fig. 19 shows the data demonstrating that when increasing the interval for switching from one threat vector to another by 2 times, the number of successful attacks decreases by 1.76 times. A further increase in switching time has almost no effect on reducing the number of successful attacks.
With an increased security level of the business process contour due to additional funding, the switching time can be increased up to 3 times (Fig. 20).
The main purpose of the scenario of increasing the time of switching between attacks is to increase the time of switching to another attack vector. Therefore, the defender "stores" reports of successful attacks for a longer time to extract more information from them and, as a result, reduce the uncertainty associated with future attacks. This is achieved by reducing the time to identify the threat online using a variety of models and methods of the methodology to predict the most likely threats. As a result, this reduces losses and increases the time to choose counteraction means.
The proposed methodology allows finding the minimum level of investment in protection, which provides a critical point for the recovery of the security system (Fig. 9). The implementation of scenario modeling demonstrates the relationship between the ratio of funds of counteraction sides and the dynamics of critical points of breakdown and recovery of the security system (Fig. 14-16).
The proposed model allows determining the critical point of the level of effective investment in the security system, provides effective counteraction to modern hybrid threats to the elements of the business process contour, increases the security level of the organization due to the effective level of investment in the security system. The dependence of the security level of the business process contour of the security system on the time of switching from the protection of one security vector to another was revealed. The identified dependence exists in the range of the ratio of resources of the defense and counteraction parties, in which attacks can be carried out and countermeasures can be used. This is most evident in the small range of balance between the defenders' and attackers' capabilities. Fig. 17 shows the dynamics of successful attacks in the case of reactive response to attacks, and Fig. 18 - in proactive response, when the interval of switching from one attack vector to another increases. Fig. 19 shows the data demonstrating that when the interval for switching from one threat vector to another increases by 2 times, the number of successful attacks decreases by 1.76 times (from 3,485 to 1,975). A further increase in switching time has almost no effect on reducing the number of successful attacks.
Thus, the proposed methodology allows predicting the possible behavior of the attacker, justifying the choice of cyber threat countermeasures at the system level and calculating the required amount of investment in cybersecurity with an appropriate distribution of security components and investment time.
However, using it requires not only mathematical modeling, but also simulation skills. Agent behavior scenarios are built into these models, so to implement new behavior scenarios it is necessary to develop new or modify existing models, which is not always possible.
As a follow-up to this study, a situational management approach can be suggested. In contrast to the existing business process security management system, which is based on models of both business processes and models of attacks, agent behavior, etc., situational management can be considered as precedent management. The central object is the concept of the situation that combines the current state of the system, available resources and possible actions of one or another party. The situation model is the basis for building a database of situations, for which it is necessary to develop appropriate methods to supplement the description of situations, generalization and classification of situations, as well as develop a language for describing situations. The concept of scenario and its description are an integral part of precedent management. The issues of decision-making procedures, planning in the space of tasks and situations need to be implemented in security systems. It should be noted that the methods of situational management are focused on use in conditions where the construction of a mathematical model of the object or subject of management is impossible or extremely time-consuming. From the very beginning, these methods take into account the presence of a person in the control circuit and his subjectivity of perception of the processes that take place, and his characteristics in decision-making and behavior in security systems.
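A minimal sketch of precedent management as outlined in the paragraph above, added here as an illustration and not taken from the paper: a situation combines state, resources of both sides and possible actions, and the defender's action is chosen from the nearest stored precedents. The class and function names, the distance measure and the sample precedents are all assumptions constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Situation:
    state: frozenset        # observed facts, e.g. {"vector:phishing", "contour:billing"}
    defender_funds: float   # resources available to the defender (must be > 0)
    attacker_funds: float   # estimated resources of the attacker (must be > 0)
    actions: tuple          # countermeasures open to the defender right now

@dataclass(frozen=True)
class Precedent:
    situation: Situation
    action: str             # countermeasure that was actually applied
    loss: float             # loss recorded afterwards (lower is better)

def distance(a, b):
    """Jaccard distance on state facts plus relative gap in the resource ratio."""
    union = a.state | b.state
    jaccard = 1 - len(a.state & b.state) / len(union) if union else 0.0
    ratio_a = a.defender_funds / a.attacker_funds
    ratio_b = b.defender_funds / b.attacker_funds
    return jaccard + abs(ratio_a - ratio_b) / max(ratio_a, ratio_b)

def recommend(current, base, k=3):
    """Pick the applicable action with the lowest mean loss among the k nearest precedents."""
    nearest = sorted(base, key=lambda p: distance(current, p.situation))[:k]
    losses = {}
    for p in nearest:
        if p.action in current.actions:      # ignore actions not possible now
            losses.setdefault(p.action, []).append(p.loss)
    if not losses:
        return None                          # no usable precedent: hand over to the operator
    return min(losses, key=lambda a: sum(losses[a]) / len(losses[a]))

# Constructed sample database of situations (not data from the study).
PHISH = frozenset({"vector:phishing", "contour:billing"})
BASE = [
    Precedent(Situation(PHISH, 100, 80, ("isolate", "monitor")), "isolate", 5.0),
    Precedent(Situation(PHISH, 90, 80, ("isolate", "monitor")), "monitor", 20.0),
    Precedent(Situation(frozenset({"vector:ddos", "contour:portal"}), 100, 300,
                        ("rate_limit", "monitor")), "rate_limit", 8.0),
    Precedent(Situation(frozenset({"vector:ddos", "contour:billing"}), 50, 200,
                        ("rate_limit",)), "rate_limit", 12.0),
]
```

Returning `None` when no stored precedent offers an action that is possible in the current situation keeps the human operator in the control loop, as the paragraph requires.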
In the post-quantum period, with the emergence of a full-scale quantum computer, the question of what mechanisms will be able to provide preventive measures becomes acute. One of the promising areas, according to the US NIST experts, is the use of McEliece and Niederreiter crypto-code structures. Practical algorithms for providing basic security services (confidentiality, integrity and authenticity) are proposed in [57][58][59]. This approach, taking into account their commercial implementation, does not contain cryptocurrencies and provides not only the required level of cryptographic security, but also the reliability and efficiency of the transmitted data. Thus, the synthesis of the proposed methodology with promising algorithms for providing security services will significantly reduce the possibility of threats to the security of the organization's business processes.

Conclusions
1. Features of modeling the behavior of interacting agents of security systems in cyberconflict are revealed, which allowed determining the minimum required set of models, methods and algorithms that provide effective modeling to assess the necessary means of ensuring the appropriate level of security of business processes. Sets of models, methods and algorithms allow predicting the possible behavior of the attacker and the required amount of investment to justify the choice of countermeasures for modern threats.
2. The concept of modeling the behavior of interacting agents is developed, the basis of which is a three-level structure of modeling the subjects and business processes of the contours of the organization and security system, based on modeling the behavior of antagonistic agents. The concept can be used to predict the possible behavior of the attacker, justify the choice of cyber threat countermeasures at the system level and calculate the required amount of investment in cybersecurity with an appropriate distribution of areas and time of investment.
3. A methodology for modeling the behavior of antagonistic agents of security systems is developed, which allows predicting the possible behavior of the attacker, justifying the choice of cyber threat countermeasures at the system level and calculating the required amount of investment in cybersecurity. The space-time structure of the methodology for modeling the behavior of antagonistic agents of the security system determines the appropriate models, methods and algorithms.
4. The proposed methodology is verified on the basis of simulation modeling of three scenarios of security agents' behavior: the baseline scenario, the scenario of asymmetric capabilities and the scenario of changing the time of switching from one threat vector to another. The verification demonstrated the practical possibility of applying the developed methodology to ensure the required level of protection of the business process contour with limited funds for investment in security.