DEVELOPMENT OF A MECHANISM FOR INFORMATION SECURITY RISK MANAGEMENT OF TRANSPORT SERVICE PROVISION SYSTEMS

information security risk management was carried out on an example of the taxi company «Taxifay N». Threats and challenges of the company's information system were evaluated by an expert method. Based on the results of the analysis of expert risk assessment, it was found that the concordance coefficient (0.86) confirms the high level of agreement of experts' opinions. As a result, the company's information security risk management program was developed. The effectiveness of the program was assessed by the efficiency ratio, which was 0.64. This testifies to the effectiveness of the implemented program of measures to manage information security risks. The scope of application may be the activity of business entities that provide transport services to the population, aimed at data storage and processing. The prospect of this study is to expand the list of threats and categories of vulnerabilities depending on the characteristics of the economic activity of various enterprises.


Introduction
With the rapid development of information technologies, the goals of storing information in the transportation industry and of protecting it, together with its growing influence on road safety and on the occurrence of accidents and catastrophes, have gained considerable relevance. Virtually all important information is currently not stored in paper form and is not processed using analog (non-digital) systems. Therefore, the methods of its protection should be digital [1].
Measures for information security in the transportation industry have been implemented for more than a dozen years. However, the all-pervasive development of information technologies has led to the need for a significant expansion of the spectrum and purposes of their use. Information systems in the transportation industry are increasingly becoming the object of possible sabotage aimed at disabling them or stealing valuable data. Ignorance of security issues can harm the functioning of transport systems. Ignoring existing threats is naive, so assessing and managing risks and taking protective measures is becoming an increasingly logical response.
Transport systems belong to the critical information infrastructure (CII). In particular, these are information systems, information and telecommunication networks, automated management systems of CII subjects, as well as telecommunication networks used to organize their interaction. In turn, CII subjects are both transport systems and companies working in strategically important domains of transport provision of the state and society [2].
Modern knowledge of risk management in the transportation industry allows skillful forecasting of and response to threats and challenges. After all, transport, especially automobile transport, is one of the sources of an increased level of physical, social, economic, and ecological danger. Thus, deepening the research into information security in the systems of providing transport services is an urgent issue under today's conditions.

Literature review and problem statement
To a large extent, the attention of researchers is focused on the security analysis of business approaches from the point of view of achieving the operational goal of the company [3], in particular in the aspects of dynamic modeling and optimization of the design of transport systems [4], risk management in the field of international forwarding and logistics operations [5], and transportation of dangerous goods [6]. At the same time, the seriousness of the consequences of traffic accidents, routing efficiency, and the need for social risk assessment are taken into account. However, studies [3, 4] are of a review nature and do not offer clear tools for risk management. In studies [5, 6], transportation risks are analyzed, but little mention is made of the problems of ensuring the security of the information environment of the enterprise.
Information risks relate to the rationality of logistics chains [7], the vulnerability of the logistics service provider [8], and the effectiveness of information processing [9]. But paper [7] offers only tools to protect information systems from cyberattacks and does not take into account other risks of enterprise activity. Study [8] is based only on its own static data. In work [9], only risks associated with information processing are taken into account. The problems of taking into account uncertainties in logistics chains, their optimization [10] and substantiation of management strategies [11] were studied. However, studies [10, 11] are more focused on the influence of external factors and the risks they create.
A number of methodological approaches to risk assessment and management belong to [12]; in particular, they relate to the use of a certain scale of probability or confidence and the need to connect security with knowledge of the principles and methods of information transmission. Study [12] adapted Nassim Taleb's concept of anti-fragility, which focuses on the condition that risks are considered according to their importance. The author focuses attention on the need to comply with scientific quality requirements, taking into account social aspects and interdisciplinary approaches. However, study [12] emphasized the bias of risk measurements.
The provisions of the ISO and NIST standards, which establish requirements, specifications, guidelines, characteristics and processes for achieving the goals of risk management, testify in favor of the importance of the conducted analysis. In particular, in the field of information security, they are guarantors of the high quality, reliability and safety of the services of motor transport enterprises. According to [13], these standards are powerful and effective tools for solving information security issues at the enterprise or in the management system under the conditions of the modern market. However, study [13] reports only an analysis of information security standards and does not provide a comprehensive view of risk management.
The above research results based on the review of [3-13] are largely indirectly related to the chosen topic but are important for the formation of approaches to the management of information security risks in the transportation industry. They emphasize the importance of forming and complying with information security requirements in terms of complexity and the need for optimization, the priority of ensuring reliability, taking into account dynamism and social orientation, as well as the complexities of design and operation.
Thus, the scientific problem is defined by the need to improve the risk management methodology of information security of the system of providing transport services by developing an appropriate mechanism for its implementation in practice. These questions are related to the study of vulnerabilities and threats and the choice of methods and criteria for probabilistic assessment of information security components. In addition, the problem is related to the justification of forms, methods, and means of information risk management in the presence of contradictions in existing approaches.

The aim and objectives of the study
The purpose of our study is to develop a mechanism for managing information security risks of transport service provision systems, which could become a new integrated prospect of preventing and countering risks in the information domain. This will provide an opportunity to improve the methodology of risk management, prevention and countermeasures against threats and challenges to information security in the transportation industry. In practice, this will facilitate the process of assessing and managing contingencies based on a toolkit of vulnerability analysis, assessment and risk management strategies.
To achieve the goal, the following tasks were set and completed:
- to carry out a categorization of cause-and-effect relationships between vulnerabilities and threats to the information security of transport service provision systems;
- to systematize the process of risk assessment and devise a methodical risk management approach for information security of transport service provision systems;
- to validate the devised methodical approach to information security risk management.

The study materials and methods
The object of this study is the process of analysis, assessment, and management of information security risks in the systems of providing transport services to the population to prevent and counter threats and challenges.
The main hypothesis of the study assumes that determining the cause-and-effect relationships between vulnerabilities and threats to the information security of transport service delivery systems could lead to an objective assessment of risks.
The basis of the development is the information security management system, which is considered part of the management of technologies for providing transport services to the population. The research methodology is based on the results of the analysis of the literature and provisions of international standards. In particular, ISO 27001 approaches were used to protect and manage confidential information, build a system for responding to information security incidents, and determine the conditions for the operation and development of the information security system. Methodological approaches were used during the risk assessment: identification of risk-prone assets; determination of importance status by magnitude, sensitivity and criticality; detection of potential threats. The study combines safety management tools (ISO 27001) with the organizational structure of the management system of transport services (ISO 27002).
Risk management processes are evaluated in accordance with the ISO 31000 methodology, which includes the following stages: specifying the scope, context, and criteria; risk assessment; risk management; data collection and reporting; monitoring and review; communication and consultation.
The NIST SP 800-30 standard and the NIST FIPS 200 Cybersecurity Framework of the US National Institute of Standards and Technology (NIST) are also included in the methodological support of the research. This approach is based on five functions: identification; protection; detection; response; recovery [14]. Also taken into account are the cyber security rules in force in the European Union, NIS2 [15], which are aimed at improving the management of information risks, including in the field of transport.
Systematization methods with appropriate models were used to determine the location of threats in the information security system, which indicates its properties.
The study of the mechanism of risk management was carried out on the example of a system of providing transport services to the population of a large city. For security reasons, the name of the city is hidden, and the organization that provides transport services to the population, which is the object of the study, is given the conditional name «Taxifay N». The developed IS SNTP risk management mechanism was assessed by an expert method based on the results of its implementation during 2022 in the Taxifay N transport system. Taxifay N uses information technologies to automate and optimize the business processes of providing taxi transport services, which use managed data with the help of appropriate software and related services.

1. Construction of a categorical model of causal relationships between vulnerabilities and threats
The structure of cause-and-effect relationships and the threat modeling methodology are considered at the functional and operational levels and are the basis of risk assessment [16]. Systematic methods have been established for the analysis of information security problems in the service provision systems of the transportation industry; they are not identical and must be applied taking specific conditions into account. They are listed below:
1. For the tasks of information support at the pre-project stage of building a transport system, and of preliminary advertising of services and the enterprise using information and communication technologies, a method based on the OCTAVE model [17] can be used to provide data about the transport system and its components to consumers and to inform consumers about the functioning of transport in real time. At the same time, an understanding and the possibility of categorization of information threats are achieved on the basis of a systemic approach to interrelated processes and the possibility of dividing them into components of activities.
2. For the tasks of formation or operational change of the route system, drawing up traffic schedules and their correction, fare payment and registration of preferential categories of passengers, expert assessment should be based on the principles of project or activity program security at the stages of their development life cycle, with threat modeling according to the OWASP methodology [18]. This allows us to avoid or minimize risks at various stages of development.
3. For the tasks of ensuring unhindered movement of vehicles and safe conditions for the consumption of transport services, logistical management of the transport process, and providing technical assistance to vehicles on the line, a method based on the PASTA model [19] can be used. This model involves the reproduction of threats with a consistent approach to their identification and analysis using a seven-step risk assessment algorithm. It allows us to monitor alignment in business processes and establish appropriate requirements for the decision-making process.
4. For the tasks of managing the provision of accompanying and additional transport services to the population and carriers, and the organization of services for consumers with disabilities, the CORAS method and model [20] can be used. A unified eight-step procedure is applied, which provides the opportunity to achieve a cascading effect in determining the individual vulnerability that caused the incident.
This model is built according to the directions: hardware, personnel, network, software. For its construction, an analysis method based on the OCTAVE model [17] was used.

Table 1 (fragment: hardware direction W_i, continued)
T_w5 Remaining business information and the possibility of its use by competitors
V_w6 Improper maintenance of hardware | T_w6 Low maintainability of hardware
V_w7 Disconnection, susceptibility to changes in power supply | T_w7 Failure of the power source and lack of its replacement

2. Systematization of the risk assessment process and development of a methodical approach to their management
The systematization of the risk assessment process should be based on system-wide risk management provisions that relate to:
- assessment of the stability of the system and solutions [25], differentiation of indicators of importance [26], their variability and inaccuracy, which affects the risk assessment;
- priorities of optimizing reliability [27], taking into account environmental and social factors [28], as well as expanding the basis of statistics for the integration of threats [29];
- clarification of the potential role of the theory of uncertainty in the process of risk analysis [30], the concept of a reliable risk measure [31], especially in the selection of portfolios of infrastructure projects [32];
- the possibility of using a simplified approach to risk management [33], the methodology for determining the main events in their assessment [34], the discussion of legislatively coherent risk prevention measures [35];
- ethical issues related to the acceptability of risk from the standpoint of society or its constituents [36], understanding the impact of risk on business operations [37].
To systematize the process of assessing information security risks of transport service delivery systems, it is important to characterize the relevant consequences for each vulnerability and threat separately for each asset [13]. At the same time, it is necessary to assess the probability of risks. The severity of the risk is an overall assessment of both the level of probability that the event will occur (probability) and the impact of the event if it occurs (impact).
Potential vulnerability and/or threat is described as: almost certain, likely, possible, unlikely, rare (Table 2) with corresponding levels of impact (Table 3).
The consequences of a security incident were defined in terms of loss of confidentiality, integrity, and availability. Exposure quantification and risk level determination are based on NIST SP 800-30, Revision 1 [14].

Table 3 (fragment): descriptions of the impact levels, from highest to lowest:
- The loss of availability, confidentiality, or integrity is significant, critical, and/or immediately affects the organization's cash flows, operations, functionality, legal or contractual obligations, and/or reputation.
- Loss of confidentiality, availability or integrity may result in costs and a moderate or minor impact on legal or contractual obligations and/or reputation.
- Loss of confidentiality, availability or integrity does not lead to monetary losses for the organization and does not affect its legal or contractual obligations and/or reputation.

A scale and a risk level matrix were used to measure the recognized risk [24]. The final measure of risk is obtained by multiplying the rating given to the probability of the threat by the effect of the threat, where G_Ir,i is the rating given to the probability of the i-th threat, G_Ir ∈ [0; 15], and E_Ir,i is the effect (weight) of the i-th threat.
Comprehensive risk ratings can be established based on inputs on probability groups and threat exposures. For this purpose, a risk level matrix (Table 4) of size Y × X is constructed (2), where x is measured from 1 to X relative to the rating given to the threat impact level (high, medium, low), and y is measured from 1 to Y relative to the probability of the threat (almost certain, likely, possible, unlikely, rare).
The matrix shows how the overall risk levels are determined. Determining these risk levels or assessments can be subjective. The basis of this explanation can be expressed in terms of the probability assigned to each level of threat probability and the value assigned to each level of exposure.
The rating scale for the levels of impact is established as a 15-point rating scale for all levels of impact. These criteria were based on ISO 27005. The rating scale for the probability levels is set as a 5-point rating scale: 0.20 for rare, 0.40 for unlikely, 0.60 for possible, 0.80 for likely, 1.00 for assured (almost certain). The risk limit is set at 2.9. The matrix of risk levels with its ratings characterizes the level of risk to which an information system, asset and/or process may be exposed in the presence of a known vulnerability and threat. For a better understanding, the levels of consequences and their descriptions should be used (Tables 5, 6).

The matrix of the consequences of an event according to the level of probability of its occurrence is a 5 × 5 matrix with elements in the form of text values, which can be written using a set-theoretic description:

$B = \{I_{r,1}, \ldots, I_{r,5}\} \times \{N_{r,1}, \ldots, N_{r,5}\}$, (3)

where I_r,1 … I_r,5 are the rows of the matrix, corresponding to the levels of probability of the occurrence of the event; N_r,1 … N_r,5 are the columns of the matrix, corresponding to the degree of severity of the occurrence of the event (consequences).

Thus, the function of applying the methodical risk management approach takes a formalized form (4), where V_kj is the j-th vulnerability category of the k-th direction; T_kj is the j-th threat of the k-th direction; R_i is the i-th risk; N_r,i is the degree of severity of the occurrence of the event (consequences).

Risk management in logistics support extends to the field of transport services [38]. There are four levels of risk management mechanisms: acceptance (low level of consequences), reduction (medium level), transfer (significant level) and removal (high or critical level). The conceptual scheme of risk management of a motor vehicle enterprise according to the proposed approach is shown in Fig. 2.
At the first level, risk acceptance should be reserved for low-priority risks where other options for action would cost more than the potential impact. In order to reduce the risk identified, all risks should include a recommendation for controls and alternative solutions according to NIS2.
At the second level, risk mitigation involves minimizing the probability and/or consequences of risks, threats and vulnerabilities. Preventive measures against a risk are always more effective than repairing the damage caused by an identified risk.
At the third level, risk transfer involves transferring the negative effect of a threat or vulnerability. Transferring risk to third parties (vendors) does not eliminate the threat or vulnerability; the other party will be responsible for handling the relevant risk.
At the last level, risk prevention involves changing aspects of common business processes or system architecture to eliminate threats, that is, preventing the risk by stopping the associated business activity. The provisions of NIS2 can be applied to plan and develop future controls to eliminate the identified risk.
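The scoring rules above (5-point probability ratings, 15-point impact scale, risk measure as their product, risk limit 2.9, and the four management levels keyed on the consequence level) can be run over a small risk register. The following Python code is an added example, not the paper's own computation; the key names of the consequence levels, the Threat record and the sample register values are assumptions made for the illustration, while the threat identifiers follow Table 1.

```python
from dataclasses import dataclass
from typing import Optional

# 5-point probability scale with the ratings given in the paper.
PROBABILITY_RATING = {
    "rare": 0.20,
    "unlikely": 0.40,
    "possible": 0.60,
    "likely": 0.80,
    "almost certain": 1.00,
}
IMPACT_SCALE_MAX = 15  # the paper's 15-point impact (effect) rating scale
RISK_LIMIT = 2.9       # the paper's risk limit

# Expert-assigned consequence level -> management level from the paper
# (acceptance, reduction, transfer, removal). The key spellings are an assumption.
STRATEGY_BY_CONSEQUENCE = {
    "low": "acceptance",
    "medium": "reduction",
    "significant": "transfer",
    "high": "removal",
    "critical": "removal",
}


@dataclass(frozen=True)
class Threat:
    threat_id: str     # identifier in the paper's T_kj notation, e.g. "T_n1"
    probability: str   # one of the PROBABILITY_RATING keys
    impact: int        # 1..IMPACT_SCALE_MAX
    consequence: str   # one of the STRATEGY_BY_CONSEQUENCE keys


def risk_score(probability: str, impact: int) -> float:
    """Risk measure: probability rating multiplied by the impact (effect) rating."""
    if probability not in PROBABILITY_RATING:
        raise ValueError(f"unknown probability level: {probability!r}")
    if not 1 <= impact <= IMPACT_SCALE_MAX:
        raise ValueError(f"impact must be in 1..{IMPACT_SCALE_MAX}, got {impact}")
    return PROBABILITY_RATING[probability] * impact


def exceeds_limit(score: float, limit: float = RISK_LIMIT) -> bool:
    """True when the risk measure lies above the risk limit."""
    return score > limit


def min_impact_to_exceed(probability: str, limit: float = RISK_LIMIT) -> Optional[int]:
    """Smallest impact rating at which a threat of this probability breaches the
    limit, or None if no rating on the 15-point scale does."""
    rating = PROBABILITY_RATING[probability]
    for impact in range(1, IMPACT_SCALE_MAX + 1):
        if rating * impact > limit:
            return impact
    return None


def evaluate_register(threats: list[Threat]) -> list[dict]:
    """Score every threat, flag those above the limit and attach the management
    level implied by its consequence level; most severe first."""
    rows = []
    for t in threats:
        score = risk_score(t.probability, t.impact)
        rows.append({
            "threat": t.threat_id,
            "score": round(score, 2),
            "above_limit": exceeds_limit(score),
            "strategy": STRATEGY_BY_CONSEQUENCE[t.consequence],
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


# Constructed sample register: the identifiers come from Table 1, the probability,
# impact and consequence values are made up for this illustration.
SAMPLE_REGISTER = [
    Threat("T_n6", "rare", 6, "low"),              # remote espionage
    Threat("T_s4", "possible", 9, "significant"),  # access by third-party users
    Threat("T_n1", "likely", 12, "high"),          # abuse of access rights
    Threat("T_p2", "unlikely", 7, "medium"),       # errors in the use of hardware and information
]

if __name__ == "__main__":
    for level in PROBABILITY_RATING:
        print(f"{level:15s} breaches the limit from impact rating {min_impact_to_exceed(level)}")
    for row in evaluate_register(SAMPLE_REGISTER):
        print(row)
```

The min_impact_to_exceed table makes the effect of the 2.9 limit visible: a rare threat only breaches it at the top of the impact scale, while an almost certain one does so from an impact rating of 3.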

3. Verifying the devised methodical approach to information security risk management
Based on the expert method, all possible threats were considered for each asset of the conditional transport company «Taxifay N». The company's income for 2022 was 2 million 713 thousand monetary units; the value of the company's assets was 1 million 150 thousand monetary units. The company «Taxifay N» provides services for searching, ordering, and paying for trips by car, motorcycle, and electric scooter through the mobile application Bolt (Estonia) in Ukraine.
That is, the communication system enables the collection, search, processing and forwarding of information.
Information and communication technologies are used by «Taxifay N» not only in the process of receiving and executing the order but also at the preparatory stage, based on photocopies of the relevant documents. In particular, in the taxi sector, this applies to the admission of candidate drivers (executives) based on age, driving experience, citizenship, and the presence of a smartphone. Cars are checked by brand, term of use, appearance, and availability of insurance documents, with the right to apply Bolt symbols. To connect to the server, the presence of a bank card for non-cash payments is checked.
Later, the risks were specified with the involvement of 10 experts using the example of the taxi service system in the city. To determine the probability of events and risks that can cause potential damage to the company's information systems, an analysis was conducted based on the OCTAVE model (Table 1). The corresponding weighted expert assessment of the level of impact and the level of probability of occurrence of the event was evaluated according to the matrices (Tables 4, 5) and is given in Table 7.

Consistency of experts' opinions regarding the impact of loss of confidentiality, integrity and availability of information was assessed using the concordance method, which is described in detail in study [39]. The value of the concordance coefficient W = 0.86 confirms the reliability of the obtained results.
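The concordance check used above can be reproduced on any expert rating sheet. The following Python code is an added example, not the paper's computation or its expert data: it converts each expert's severity scores into ranks (tied scores share the mean rank), computes Kendall's coefficient of concordance W with the standard tie correction, and the chi-square approximation usually reported with it. The expert scores are constructed for the illustration, so the resulting W is not the paper's 0.86.

```python
from fractions import Fraction
from typing import Sequence


def average_ranks(scores: Sequence[float]) -> list[Fraction]:
    """Rank scores in ascending order (rank 1 = lowest); ties share the mean rank."""
    order = sorted(range(len(scores)), key=lambda i: scores[i])
    ranks: list[Fraction] = [Fraction(0)] * len(scores)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and scores[order[j + 1]] == scores[order[i]]:
            j += 1
        # positions i..j (0-based) are tied and would get ranks i+1..j+1
        mean_rank = Fraction(i + j + 2, 2)
        for k in range(i, j + 1):
            ranks[order[k]] = mean_rank
        i = j + 1
    return ranks


def tie_correction(ranks: Sequence[Fraction]) -> int:
    """Sum of (t^3 - t) over the groups of t tied ranks of one rater."""
    counts: dict[Fraction, int] = {}
    for r in ranks:
        counts[r] = counts.get(r, 0) + 1
    return sum(t ** 3 - t for t in counts.values() if t > 1)


def kendall_w(score_matrix: Sequence[Sequence[float]]) -> Fraction:
    """Kendall's W for m raters (rows) scoring the same n items (columns).

    W = 12 S / (m^2 (n^3 - n) - m * sum of tie corrections), where S is the
    sum of squared deviations of the per-item rank sums from their mean.
    Exact rational arithmetic avoids float round-off in the comparison to 1.
    """
    m = len(score_matrix)
    n = len(score_matrix[0]) if m else 0
    if m < 2 or n < 2 or any(len(row) != n for row in score_matrix):
        raise ValueError("need at least 2 raters, 2 items and a rectangular matrix")
    rank_rows = [average_ranks(row) for row in score_matrix]
    column_sums = [sum(row[j] for row in rank_rows) for j in range(n)]
    mean_sum = Fraction(m * (n + 1), 2)
    s = sum((rj - mean_sum) ** 2 for rj in column_sums)
    denominator = m * m * (n ** 3 - n) - m * sum(tie_correction(r) for r in rank_rows)
    if denominator == 0:
        raise ValueError("every rater tied all items; W is undefined")
    return Fraction(12) * s / denominator


def chi_square_statistic(w: Fraction, m: int, n: int) -> Fraction:
    """Friedman-type approximation: chi^2 = m (n - 1) W on n - 1 degrees of freedom."""
    return m * (n - 1) * w


# Constructed rating sheet: 4 experts score the severity of 5 threats (higher = worse).
# These numbers are made up for the example and are not the paper's expert data.
EXPERT_SCORES = [
    [2, 4, 6, 8, 10],
    [1, 3, 5, 7, 9],
    [3, 2, 5, 7, 9],
    [1, 5, 4, 8, 9],
]

if __name__ == "__main__":
    w = kendall_w(EXPERT_SCORES)
    print(f"W = {float(w):.4f}, chi^2 = {float(chi_square_statistic(w, 4, 5)):.2f} (4 d.f.)")
```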
The risk assessment criteria were established to ensure a common understanding of security measures that would minimize potential exposure to an acceptable level according to ISO 31000.
According to the conducted risk assessment, a risk management and mitigation program was developed in 2023 for the motor vehicle enterprise «Taxifay N» according to the devised methodical approach of information security risk management. According to the proposed «Taxifay N» program, it is recommended at the first level, for threats T_n6, T_s3, T_s6, T_n7, T_s2, to accept the identified risk. At the second level, for threats T_p2, T_n5, T_p3, T_n4, «Taxifay N» is proposed to plan and develop future controls to eliminate the identified risk. At the third level, for the T_s4 threat, «Taxifay N» should consider all options for transferring the identified risk to other organizations (for example, insurance companies). At the last level, risk prevention, for threats T_p2, T_w3, T_w4, T_n1, T_w5, it is recommended to choose the appropriate control objectives in order to reduce the identified risks and minimize the potential impact on the information systems of «Taxifay N» in accordance with the rules of the annex to ISO/IEC 27001.
The results of comparing the economic activity of the enterprise before the introduction of the program in 2022 and according to the results of the program in 2023 were evaluated using economic efficiency analysis (CEA). This approach is based on a comparison of performance indicators for different years of the company's activity, where C is the gross costs of the enterprise; E is the gross revenues of the enterprise; t_1 is the period before the introduction of the information security risk management program; t_2 is the period based on the results of the information security risk management program.
The criterion for the effectiveness of the measures is a value of the F indicator greater than zero. For the company «Taxifay N», this indicator was 0.64, which indicates the effectiveness of the proposed program.

Discussion of results of verifying the devised methodical approach to information security risk management
The devised methodical approach to information security risk management is based on the use of the OCTAVE model with further improvement in accordance with international risk management standards. This makes it possible to implement an effective expert approach to risk assessment and management. At the first stage, a categorical model of causal relationships between vulnerabilities and threats was built (Table 1, Fig. 1). Subsequently, the process of assessing information security risks of transport service provision systems is systematized by using probability levels (Table 2) and event impact levels (Table 3). A matrix of risk levels (2) with its ratings was constructed (Table 4). It is proposed to carry out further risk assessment according to the matrix of consequences of the event (3) by the level of probability of its occurrence (Table 5). The application of the methodological approach to risk management is represented in the form of objective function (4) and a conceptual scheme (Fig. 2). Unlike [12, 13], in which the basis is the determination of cause-and-effect relationships between vulnerabilities and threats to information security, the devised methodical approach includes further risk assessment based on the event's consequences matrix. This makes it possible to develop an effective information security risk management program based on a conceptual scheme (Fig. 2).
The effectiveness of the devised methodical approach was evaluated by the expert method using the example of the taxi company «Taxifay N» (Table 7). After establishing cause-and-effect relationships between vulnerabilities and threats to information security, an assessment of the probability of the occurrence of a potential danger was performed. The threat probability (threat level) was described as the probable occurrence of the event. When determining the likelihood of a threat, «Taxifay N» took into account the causes of the threat, possible susceptibility, and available controls. At the second stage, the analysis of the threat to the information system included the analysis of vulnerabilities related to the «Taxifay N» environment, that is, the assessment of vulnerability levels for the threat scenario. As a result of the assessment, it was established that 5 risks have a high level of consequences, 4 a medium level, 1 a significant level, and 5 a low level. The determined degree of severity of the occurrence of the event (consequences) for «Taxifay N» has a severe form for 2 threats, an increased form for 3 threats, a minor form for 6 threats, and a medium form for 4 threats. For each group of threats with corresponding consequences, measures were developed to manage the information security risks of the enterprise, which were included in the corresponding program.
The results of the expert risk assessment analysis were statistically processed using the concordance method. The calculated concordance coefficient was W = 0.86, which testifies to a high level of consistency of experts' opinions.
The effectiveness of the measures was assessed by the non-negativity of the effectiveness coefficient. For this motor vehicle enterprise, this indicator was 0.64, which indicates the effectiveness of the implemented program of measures to manage information security risks.
A limitation of the devised methodical approach for assessing information risks is that it is focused only on motor vehicle enterprises. A disadvantage of this approach is that certain obstacles associated with the implementation of ISO 27001 may arise in the process of its implementation, since it requires the full support of employees. The further development of this study consists in expanding the list of threats and categories of vulnerabilities, depending on the characteristics of the economic activity of various enterprises.
In the future, it is planned to test the devised methodological approach at enterprises of another type of activity or sector.This will make it possible to expand the list of threats and categories of vulnerabilities, depending on the specificity of the economic activity of various enterprises.

Conclusions
1. Categorization of cause-and-effect relationships between vulnerabilities and threats to information security of transport service provision systems has been carried out. The categorical model built can be considered a form of genetic interconnection of phenomena and processes of their functioning and development, since one phenomenon (cause), in the presence of certain conditions, necessarily generates and determines a positive or negative consequence. It is recommended to use a risk-oriented approach, which involves the process of identifying requirements for information security of service provision systems, that is, identifying vulnerabilities and related threats.
2. We have systematized the process of assessing information security risks in the systems of providing transport services according to the levels of their probability and impact on the means of control and management of operations. At the same time, a list of events that can prevent or delay the achievement of business goals of a specific system of providing transport services to the population has been compiled. A methodical approach to information security risk management of transport service provision systems has been devised, which involves four levels: acceptance, reduction, transfer, and removal of risks. A matrix of risk levels with its subsequent rating has been built. It is proposed to carry out a final risk assessment based on the event consequences matrix. This approach will make it possible to devise risk management measures for information security of transport service provision systems in accordance with groups of consequences.
3. The possibilities of using our methodical approach were assessed by an expert method using the example of the conditional motor vehicle company «Taxifay N». Cause-and-effect relationships between vulnerabilities and threats to information security were established, and the probability of occurrence of potential dangers was assessed. The results of the assessment showed that 5 risks have a high level of consequences, 4 a moderate level, 1 a significant level, and 5 a low level. A risk management program was proposed for «Taxifay N», which included measures for each group of identified threats. The experts' assessments were checked for consistency using the concordance method, with an estimated coefficient of 0.86. The evaluation of the effectiveness of the information security risk management of «Taxifay N» based on the results of the implementation of the program indicates the improvement of the resulting indicators. In particular, the efficiency criterion of the proposed measures has a positive value of 0.64.
Table 1 (continuation)
Personnel (P_i)
V_p1 Legal regulation of personnel activities | T_p1 Violation of contractual relations or legislation
V_p2 Inadequate safety training for staff | T_p2 Errors in the use of hardware and information
V_p3 Lack of mechanisms for monitoring personnel activities | T_p3 Unauthorized modification of information
V_p4 Uncontrolled work of external personnel | T_p4 Theft of media or documents
V_p5 Defects in the distribution of responsibilities for access and use of information | T_p5 Denial of illegal actions
Information network (N_i)
V_n1 Poor password management in the information network | T_n1 Abuse of access rights
V_n2 The presence of running services that are not in use | T_n2 Illegal data processing
V_n3 Imperfect software | T_n3 Software failure
V_n4 Unsecured lines of communication | T_n4 Listening
V_n5 Insecure network architecture | T_n5 Damage to the information network and resources
V_n6 Transmission of passwords in open form | T_n6 Remote espionage
V_n7 Unsecured connection to a public information network | T_n7 Unauthorized use of equipment
Software (S_i)
V_s1 Insufficient software testing | T_s1 Distribution of computer viruses
V_s2 Improper organization of «exit-exit» | T_s2 The possibility of violation of the right of access
V_s3 Insufficient number of checks (revisions) | T_s3 Software and access denials
V_s4 Incorrect definition of access conditions | T_s4 The possibility of access by third-party users
V_s5 Use of unlicensed software | T_s5 Data distortion
V_s6 Incorrect organizational regulation | T_s6 Errors in the use of the software
V_s7 Unsafe rebooting of hardware | T_s7 Loss of information and software
V_s8 Incorrect data | T_s8 Error using the software
Note: index k denotes the direction, k ∈ {W_i, P_i, N_i, S_i}; subscript j denotes the serial number of the vulnerability category and its corresponding threat.

Fig. 1. Categorical model of causal relationships between vulnerabilities and threats in the field of information security

Fig. 2. Conceptual scheme of risk management of a motor transport enterprise

Table 1
Categories of vulnerabilities and threats in the field of information security (fragment: hardware direction W_i)
V_w3 Criminal activities, unprotected storage of hardware | T_w3 Vandalism, theft of media or documents
V_w4 Possibility of uncontrolled copying | T_w4 Illegal transfer of information
V_w5 Carelessness when replacing or destroying hardware | T_w5 (see the continuation of the hardware rows above)

Table 2
Probability levels and their characteristics

Table 4
Risk determination matrix A

Table 5
Matrix of the consequences of an event according to the level of probability of its occurrence B

Table 6
Description of the levels of consequences according to the levels of probability according to the matrix
High: high risk, urgent risk response is required
Considerable: significant risk, requires management attention
Average: medium risk, one needs to carry out the division of responsibility
Low: low risk, consider it an everyday occurrence

Table 7
Assessment of threats, levels of their probability and consequences for «Taxifay N»