Development of the concept for determining the level of critical business processes security

Authors

DOI:

https://doi.org/10.15587/1729-4061.2023.274301

Keywords:

security concept, critical business process, multi-loop protection systems

Abstract

The development of technologies and computing resources has not only expanded the spectrum of digital services in all areas of human activity, but has also defined the spectrum of targeted cyber attacks. The object of the study is the process of ensuring the security of critical business processes, that is, the processes that ensure the continuity of production and/or the functioning of the company/organization/enterprise as a whole. Targeted attacks are aimed at destroying not only the business structure, but also its individual components that determine critical business processes. Continuity of such business processes is a critical component of any company, organization or enterprise of any form of government, which critically affects the earning of profits or the organization of production processes. The proposed concept of determining the security level of critical business processes is based on the need to use multi-loop information protection systems. This makes it possible to ensure the continuity of critical business processes through a timely objective assessment of the level of security and the timely formation of preventive measures. This approach is based on the proposed rules for determining the achievement of a given level of security, which rest on assessments of the integrity, availability and confidentiality of information arrays, as well as of computer equipment, in relation to various points of the organization's business processes. The use of threat integration on the internal and external contours of the protection system makes it possible to ensure the necessary level of security and continuity of the production/technological process of critical business processes. A practical implementation of the security level assessment system is proposed in the declarative programming language Prolog; it makes it possible to form requirements regarding the achievement of a given system security level depending on the state assessments of individual system components.

Author Biographies

Serhii Yevseiev, National Technical University “Kharkiv Polytechnic Institute”

Doctor of Technical Sciences, Professor, Head of Department

Department of Cyber Security

Oleksandr Milov, National Technical University “Kharkiv Polytechnic Institute”

Doctor of Technical Sciences, Professor

Department of Cyber Security

Nataliia Zviertseva, National Technical University “Kharkiv Polytechnic Institute”

Postgraduate Student

Department of Software Engineering and Management Intelligent Technologies

Oleksandr Lezik, Ivan Kozhedub Kharkiv National Air Force University

PhD, Associate Professor

Department of Tactics of the Air Defense Troops

Olena Komisarenko, National Transport University

PhD, Associate Professor

Department of Information Systems and Technologies

Andrii Nalyvaiko, The National Defence University of Ukraine named after Ivan Cherniakhovskyi

PhD, Associate Professor, Leading Researcher

Centre of Military and Strategic Research

Volodymyr Pogorelov, National Aviation University

PhD, Associate Professor

Department of Information Technology Security

Vitaliy Katsalap, The National Defence University of Ukraine named after Ivan Cherniakhovskyi

PhD, Associate Professor

Department of Information Technology and Information Security

Yurii Pribyliev, The National Defence University of Ukraine named after Ivan Cherniakhovskyi

Doctor of Technical Sciences, Associate Professor

Department of Information Technology and Information Security

Iryna Husarova, Kharkiv National University of Radio Electronics

PhD, Associate Professor

Department of Applied Mathematics

Published

2023-02-28

How to Cite

Yevseiev, S., Milov, O., Zviertseva, N., Lezik, O., Komisarenko, O., Nalyvaiko, A., Pogorelov, V., Katsalap, V., Pribyliev, Y., & Husarova, I. (2023). Development of the concept for determining the level of critical business processes security. Eastern-European Journal of Enterprise Technologies, 1 (9 (121)), 21–40. https://doi.org/10.15587/1729-4061.2023.274301

Section

Information and controlling system