A multicriterial analysis of the efficiency of conservative information security systems

DOI:

https://doi.org/10.15587/1729-4061.2019.166349

Keywords:

information security systems, risk, efficiency, multicriterial analysis, Gordon-Loeb model.

Abstract

The paper addresses the multicriteria analysis of the effectiveness of conservative information security systems, that is, systems whose structure and components do not change over a given period of time. The basic scheme of such a system comprises a protected object, vulnerabilities (the channels through which attacks are delivered), threats, and protection tools.

Assuming that attacks and protection tools are mutually independent, we develop a discrete probabilistic model of damage to the protected object. The random variable describing the amount of damage over a fixed period is represented as a sum of binomially distributed random variables whose parameters depend on the characteristics of the attacks and of the protection. The random variables for economic losses, recovery time and recovery costs are described in the same way, and their mathematical expectations and variances are obtained in closed form. To ensure high statistical confidence, the risk indicators are determined using Cantelli's inequality, which bounds the upper tail of a random variable from its mean and variance alone, without assuming a particular distribution. On this basis we define performance indicators for a protection system that characterize the probability that the protected object remains safe, the residual losses, the conditionally saved costs, survivability, and the cost of recovery.

Using Pareto optimality theory, we devise a procedure for the multicriteria analysis and rational design of conservative information protection systems. The procedure is verified on audio information protection systems: the Pareto frontier under the criteria of economic benefit and investment cost is investigated for 66 protection variants, and we examine how the level of protection affects the Cantelli measure of conditional savings, as well as the contribution of the various types of protection devices to it.

The results confirm the Gordon-Loeb saturation effect: beyond a certain level of investment, additional protection no longer improves the effectiveness of the protection system.
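As an added illustration, not code from the paper (whose own formulas and 66 audio-protection variants are not reproduced on this page), the following Python builds a toy version of the model the abstract sketches: per-channel binomial damage, analytic mean and variance under channel independence, a Cantelli-based risk bound, conditionally saved costs against an unprotected baseline, and the Pareto frontier over investment cost and economic benefit. All channel parameters, device names, costs and blocking probabilities are constructed for the example.

```python
"""Toy version of the abstract's damage model (added example, not the paper's
code).  All numbers are constructed for illustration."""
from dataclasses import dataclass
from itertools import combinations
from math import sqrt


@dataclass(frozen=True)
class Channel:
    """One vulnerability, i.e. one attack channel, over the fixed period.

    attempts: number of attack attempts in the period
    p_attack: probability that an attempt is actually launched (threat)
    p_block:  probability that the installed protection stops an attempt
    loss:     economic loss caused by one successful attack (money units)
    """
    attempts: int
    p_attack: float
    p_block: float
    loss: float


def damage_moments(channels):
    """Mean and variance of the total loss D = sum_i loss_i * X_i, where
    X_i ~ Binomial(attempts_i, p_attack_i * (1 - p_block_i)).
    Channels are assumed independent, so the variances add."""
    mean = var = 0.0
    for ch in channels:
        p = ch.p_attack * (1.0 - ch.p_block)          # attempt gets through
        mean += ch.loss * ch.attempts * p
        var += ch.loss ** 2 * ch.attempts * p * (1.0 - p)
    return mean, var


def cantelli_bound(mean, var, eps):
    """Loss level L with P(D >= L) <= eps by Cantelli's one-sided inequality
    P(D - mean >= t) <= var / (var + t^2): setting the right-hand side to eps
    gives t = sigma * sqrt((1 - eps) / eps).  Only two moments are needed,
    not the full distribution of D."""
    return mean + sqrt(var) * sqrt((1.0 - eps) / eps)


# Constructed protected object: three channels of speech-information leakage.
BASE_CHANNELS = (
    Channel(attempts=20, p_attack=0.30, p_block=0.0, loss=50.0),   # acoustic
    Channel(attempts=10, p_attack=0.20, p_block=0.0, loss=120.0),  # radio bug
    Channel(attempts=5,  p_attack=0.10, p_block=0.0, loss=300.0),  # line tap
)

# Constructed protection devices (hypothetical names): investment cost and the
# blocking probability each contributes on the three channels.
DEVICES = {
    "noise_generator": (250.0, (0.8, 0.0, 0.0)),
    "rf_detector":     (500.0, (0.0, 0.7, 0.0)),
    "line_analyzer":   (350.0, (0.0, 0.0, 0.9)),
}


def apply_devices(devices):
    """Channels after installing `devices`.  Devices act independently, so an
    attempt passes a channel only if every device covering it misses."""
    protected = []
    for i, ch in enumerate(BASE_CHANNELS):
        p_pass = 1.0
        for name in devices:
            p_pass *= 1.0 - DEVICES[name][1][i]
        protected.append(Channel(ch.attempts, ch.p_attack, 1.0 - p_pass, ch.loss))
    return protected, sum(DEVICES[name][0] for name in devices)


def evaluate_variants(eps=0.05):
    """Every subset of devices with its cost, Cantelli residual loss,
    conditionally saved costs (baseline risk minus residual) and economic
    benefit (savings minus investment)."""
    base_risk = cantelli_bound(*damage_moments(BASE_CHANNELS), eps)
    rows = []
    for k in range(len(DEVICES) + 1):
        for combo in combinations(DEVICES, k):
            chans, cost = apply_devices(combo)
            residual = cantelli_bound(*damage_moments(chans), eps)
            rows.append({"devices": combo, "cost": cost, "residual": residual,
                         "saved": base_risk - residual,
                         "benefit": base_risk - residual - cost})
    return rows


def pareto_frontier(rows):
    """Variants not dominated under (minimise cost, maximise benefit): no other
    variant is at least as good on both criteria and strictly better on one."""
    def dominates(o, r):
        return (o["cost"] <= r["cost"] and o["benefit"] >= r["benefit"]
                and (o["cost"] < r["cost"] or o["benefit"] > r["benefit"]))
    front = [r for r in rows if not any(dominates(o, r) for o in rows)]
    return sorted(front, key=lambda r: r["cost"])


if __name__ == "__main__":
    rows = evaluate_variants()
    for r in rows:
        print(f"{'+'.join(r['devices']) or 'none':40s} cost={r['cost']:7.1f} "
              f"residual={r['residual']:8.1f} benefit={r['benefit']:8.1f}")
    print("Pareto frontier:", [r["devices"] for r in pareto_frontier(rows)])
```

With these constructed numbers the frontier stops at two devices: installing the third lowers the Cantelli bound further, but its cost exceeds the extra savings, so the fully protected variant is dominated. That is the saturation effect the abstract attributes to the Gordon-Loeb model, obtained here from nothing more than the two moments of the damage distribution and the investment costs.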

Author Biographies

Valeriy Dudykevych, Lviv Polytechnic National University, S. Bandery str., 12, Lviv, Ukraine, 79013

Doctor of Technical Sciences, Professor

Department of Information Security

Ivan Prokopyshyn, Ivan Franko National University of Lviv, Universitetska str., 1, Lviv, Ukraine, 79000

PhD, Associate Professor

Department of Mathematical Modeling

Vasyl Chekurin, Pidstryhach Institute for Applied Problems of Mechanics and Mathematics of the National Academy of Sciences of Ukraine, Naukova str., 3-b, Lviv, Ukraine, 79060; Kujawy and Pomorze University in Bydgoszcz, Torunska str., 55-57, Bydgoszcz, Poland, 85-023

Doctor of Physical and Mathematical Sciences, Professor

Department for Mathematical Problems of Mechanics of Heterogeneous Solids

Technical Department

Ivan Opirskyy, Lviv Polytechnic National University, S. Bandery str., 12, Lviv, Ukraine, 79013

Doctor of Technical Sciences

Department of Information Security

Yuriy Lakh, Lviv Polytechnic National University, S. Bandery str., 12, Lviv, Ukraine, 79013

PhD

Department of Information Security

Taras Kret, Lviv Polytechnic National University, S. Bandery str., 12, Lviv, Ukraine, 79013

Assistant

Department of Information Security

Yevheniia Ivanchenko, National Aviation University, Kosmonavta Komarova ave., 1, Kyiv, Ukraine, 03058

PhD, Associate Professor

Department of Information Technology Security

Ihor Ivanchenko, National Aviation University, Kosmonavta Komarova ave., 1, Kyiv, Ukraine, 03058

PhD

Department of Information Technology Security

References

  1. Allianz Risk Barometer: Top Business Risks for 2018. Available at: https://www.agcs.allianz.com/content/dam/onemarketing/agcs/agcs/reports/Allianz-Risk-Barometer-2018.pdf
  2. Regional Risks for Doing Business 2018: Insight Report (2018). Geneva, 40. Available at: http://www3.weforum.org/docs/WEF_Regional_Risks_Doing_Business_report_2018.pdf
  3. Brotby, W. K. (2009). Information Security Management Metrics: A Definitive Guide to Effective Security Monitoring and Measurement. Taylor & Francis, 200. doi: https://doi.org/10.1201/9781420052862
  4. Sahinoglu, M. (2016). Cyber-Risk Informatics: Engineering Evaluation with Data Science. John Wiley & Sons, 560. doi: https://doi.org/10.1002/9781119087540
  5. Korchenko, O. H., Kazmirchuk, S. V., Akhmetov, B. B. (2017). Prykladni systemy otsiniuvannia ryzykiv informatsiynoi bezpeky [Applied systems for information security risk assessment]. Kyiv, 435.
  6. Yudin, A., Buchyk, S. (2016). Technology of construction and defence of the Ukrainian segment of the identifiers' tree of state informative resources on the basis of risk management. Zakhyst informatsiyi [Information Protection], 18 (2), 107–114. Available at: http://nbuv.gov.ua/UJRN/Zi_2016_18_2_5
  7. Fielder, A., Panaousis, E., Malacaria, P., Hankin, C., Smeraldi, F. (2016). Decision support approaches for cyber security investment. Decision Support Systems, 86, 13–23. doi: https://doi.org/10.1016/j.dss.2016.02.012
  8. Hu, Z., Khokhlachova, Y., Sydorenko, V., Opirskyy, I. (2017). Method for Optimization of Information Security Systems Behavior under Conditions of Influences. International Journal of Intelligent Systems and Applications, 9 (12), 46–58. doi: https://doi.org/10.5815/ijisa.2017.12.05
  9. Gordon, L. A., Loeb, M. P. (2002). The economics of information security investment. ACM Transactions on Information and System Security, 5 (4), 438–457. doi: https://doi.org/10.1145/581271.581274
  10. Gordon, L. A., Loeb, M. P., Zhou, L. (2016). Investing in Cybersecurity: Insights from the Gordon-Loeb Model. Journal of Information Security, 7 (2), 49–59. doi: https://doi.org/10.4236/jis.2016.72004
  11. Artzner, P., Delbaen, F., Eber, J.-M., Heath, D. (1999). Coherent Measures of Risk. Mathematical Finance, 9 (3), 203–228. doi: https://doi.org/10.1111/1467-9965.00068
  12. McNeil, A. J., Frey, R., Embrechts, P. (2005). Quantitative Risk Management: Concepts, Techniques and Tools. Princeton University Press, Princeton and Oxford, 538.
  13. Wang, J., Chaudhury, A., Rao, H. R. (2008). Research Note – A Value-at-Risk Approach to Information Security Investment. Information Systems Research, 19 (1), 106–120. doi: https://doi.org/10.1287/isre.1070.0143
  14. Raugas, M., Ulrich, J., Faux, R., Finkelstein, S., Cabot, C. (2013). CyberV@R: A Cyber Security Model for Value at Risk. Technical report. Baltimore, MD, 45. Available at: https://www.cyberpointllc.com/docs/CyberVaR.pdf
  15. Dudykevych, V. B., Lakh, Yu. V., Prokopyshyn, I. A. (2011). Otsinka vartosti ryzyku dlia system zakhystu informatsiyi [Assessment of the cost of risk for information security systems]. Informatsiyna bezpeka [Information Security], 1 (5), 44–49.
  16. Sawik, T. (2013). Selection of optimal countermeasure portfolio in IT security planning. Decision Support Systems, 55 (1), 156–164. doi: https://doi.org/10.1016/j.dss.2013.01.001
  17. Ross, S. M. (2002). Probability Models for Computer Science. Elsevier Science, 288.
  18. Dudykevych, V. B., Ivaniuk, V. M., Prokopyshyn, I. A. (2014). Efektyvnist investytsiy u systemy zakhystu prymishchen vid vytoku movnoi informatsiyi [Efficiency of investment in systems protecting premises against speech information leakage]. Kompiuterni tekhnolohiyi drukarstva [Computer Technologies of Printing], 32, 20–28. Available at: http://nbuv.gov.ua/UJRN/Ktd_2014_32_4
  19. Ganin, A. A., Quach, P., Panwar, M., Collier, Z. A., Keisler, J. M., Marchese, D., Linkov, I. (2017). Multicriteria Decision Framework for Cybersecurity Risk Assessment and Management. Risk Analysis. doi: https://doi.org/10.1111/risa.12891
  20. Motzek, A., Gonzalez-Granadillo, G., Debar, H., Garcia-Alfaro, J., Möller, R. (2017). Selection of Pareto-efficient response plans based on financial and operational assessments. EURASIP Journal on Information Security, 2017 (1). doi: https://doi.org/10.1186/s13635-017-0063-6
  21. Dudykevych, V. B., Prokopyshyn, I. A., Chekurin, V. F. (2012). Problems of efficiency estimation of security systems. Visnyk NU "Lvivska politekhnika". Avtomatyka, vymiriuvannia ta keruvannia [Bulletin of Lviv Polytechnic National University: Automation, Measurement and Control], 741, 118–122. Available at: http://science.lpnu.ua/uk/node/3718
  22. Ehrgott, M. (2005). Multicriteria Optimization. Springer, Berlin Heidelberg, 323. doi: https://doi.org/10.1007/3-540-27659-9
  23. Lakhno, V., Kozlovskii, V., Boiko, Y., Mishchenko, A., Opirskyy, I. (2017). Management of information protection based on the integrated implementation of decision support systems. Eastern-European Journal of Enterprise Technologies, 5 (9 (89)), 36–42. doi: https://doi.org/10.15587/1729-4061.2017.111081

Published

2019-05-08

How to Cite

Dudykevych, V., Prokopyshyn, I., Chekurin, V., Opirskyy, I., Lakh, Y., Kret, T., Ivanchenko, Y., & Ivanchenko, I. (2019). A multicriterial analysis of the efficiency of conservative information security systems. Eastern-European Journal of Enterprise Technologies, 3 (9 (99)), 6–13. https://doi.org/10.15587/1729-4061.2019.166349

Section

Information and controlling system