Development of the concept for determining the level of critical business processes security
DOI:
https://doi.org/10.15587/1729-4061.2023.274301Keywords:
security concept, critical business process, multi-loop protection systemsAbstract
The development of technologies and computing resources not only expanded the spectrum of digital services in all areas of human activity, but also defined the spectrum of targeted cyber attacks. The object of the study is the process of ensuring the safety of critical business processes that ensure the continuity of production and/or functioning of the company/organization/enterprise as a whole. Targeted attacks are aimed at destroying not only the business structure, but also its individual components that determine critical business processes. Continuity of such business processes is a critical component of any company, organization or enterprise of any form of government, which critically affects the earning of profits or the organization of production processes. The proposed concept of determining the security level of critical business processes is based on the need to use multi-loop information protection systems. This allows to ensure the continuity of critical business processes through a timely objective assessment of the level of security and the timely formation of preventive measures. This approach is based on the proposed rules for determining the achievement of a given level of security, which are based on assessments of the integrity, availability and confidentiality of information arrays, as well as computer equipment in relation to various points of the organization's business processes. The use of threat integration on the internal and external contours of the protection system allows to ensure the necessary level of security and continuity of the production/technological process of critical business processes. The proposed practical implementation of the system security level assessment system in the declarative programming language Prolog, which allows to form requirements regarding the achievement of a given system security level depending on the state assessments of individual system components
References
- Fenz, S., Ekelhart, A. (2011). Verification, Validation, and Evaluation in Information Security Risk Management. IEEE Security & Privacy Magazine, 9 (2), 58–65. doi: https://doi.org/10.1109/msp.2010.117
- IEC 31010:2019. Risk management – Risk assessment techniques. ISO. Available at: https://www.iso.org/standard/72140.html
- Shaikh, F. A., Siponen, M. (2023). Information security risk assessments following cybersecurity breaches: The mediating role of top management attention to cybersecurity. Computers & Security, 124, 102974. doi: https://doi.org/10.1016/j.cose.2022.102974
- Haag, S., Siponen, M., Liu, F. (2021). Protection Motivation Theory in Information Systems Security Research. ACM SIGMIS Database: The DATABASE for Advances in Information Systems, 52 (2), 25–67. doi: https://doi.org/10.1145/3462766.3462770
- Li, Y., Xin, T., Siponen, M. (2022). Citizens’ Cybersecurity Behavior: Some Major Challenges. IEEE Security & Privacy, 20 (1), 54–61. doi: https://doi.org/10.1109/msec.2021.3117371
- Chen, S., Xiao, H., He, W., Mou, J., Siponen, M., Qiu, H., Xu, F. (2021). Determinants of Individual Knowledge Innovation Behavior. Journal of Organizational and End User Computing, 33 (6), 1–24. doi: https://doi.org/10.4018/joeuc.20211101.oa27
- ISO/IEC 15408-1:2009. Information technology – Security techniques – Evaluation criteria for IT security – Part 1: Introduction and general model. ISO. Available at: https://www.iso.org/standard/50341.html
- ISO/IEC 15408-2:2008. Information technology – Security techniques – Evaluation criteria for IT security – Part 2: Security functional components. ISO. Available at: http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=46414
- ISO/IEC 15408-3:2008. Information technology – Security techniques – Evaluation criteria for IT security – Part 3: Security assurance components. ISO. Available at: http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=46413
- ISO/IEC 13335-1:2004. Information technology – Security techniques – Management of information and communications technology security – Part 1: Concepts and models for information and communications technology security management. ISO. Available at: https://www.iso.org/ru/standard/39066.html
- ISO/IEC 27005:2008. Information technology – Security techniques – Information security risk management. ISO. Available at: https://www.iso.org/ru/standard/42107.html
- ISO/IEC 18028-1:2006. Information technology – Security techniques – IT network security – Part 1: Network security management. ISO. Available at: https://www.iso.org/ru/standard/40008.html
- ISO/IEC 27001:2013. Information technology – Security techniques – Information security management systems – Requirements. ISO. Available at: https://www.iso.org/standard/54534.html
- ISO/IEC 27002:2013. Information technology – Security techniques – Code of practice for information security controls. ISO. Available at: https://www.iso.org/standard/54533.html
- ISO/IEC 27003:2017. Information technology – Security techniques – Information security management systems – Guidance. ISO. Available at: https://www.iso.org/ru/standard/63417.html
- ISO/IEC 27006:2015. Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems. ISO. Available at: https://www.iso.org/standard/62313.html
- ISO/IEC 27032:2012. Information technology – Security techniques – Guidelines for cybersecurity. ISO. Available at: https://www.iso.org/ru/standard/44375.html
- ISO/IEC 27035-1:2023. Information technology – Information security incident management – Part 1: Principles and process. ISO. Available at: https://www.iso.org/ru/standard/78973.html
- ISO/IEC 27035-2:2023. Information technology – Information security incident management – Part 2: Guidelines to plan and prepare for incident response. ISO. Available at: https://www.iso.org/ru/standard/78974.html
- ISO/IEC 27035-3:2020. Information technology – Information security incident management – Part 3: Guidelines for ICT incident response operations. ISO. Available at: https://www.iso.org/ru/standard/74033.html
- ISO/IEC 27000:2018. Information technology – Security techniques – Information security management systems – Overview and vocabulary. ISO. Available at: https://www.iso.org/standard/73906.html
- Große, C. (2023). A review of the foundations of systems, infrastructure and governance. Safety Science, 160, 106060. doi: https://doi.org/10.1016/j.ssci.2023.106060
- Gorbenko, I. D., Potiy, A. V., Tereschenko, P. I. (2000). Kriterii i metodologiya otsenki bezopasnosti informatsionnykh tekhnologiy. Radiotekhnika, 114, 25–38. Available at: https://openarchive.nure.ua/items/409b6535-c863-4544-b651-801fc67b239a/full
- The ISO/IEC Directives are published in two parts. Part 1: Procedures for the technical work. Part 2: Principles and rules for the structure and drafting of ISO and IEC documents. Available at: https://www.iso.org/sites/directives/current/part1/index.xhtml
- Scarfone, K., Jansen, W., Tracy, M. (2008). Guide to general server security. National Institute of Standards and Technology (NIST). Available at: https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-123.pdf
- Stoneburner, G., Goguen, A., Feringa, A. (2002). Risk management guide for information technology systems. National Institute of Standards and Technology (NIST). doi: https://doi.org/10.6028/nist.sp.800-30
- Khanmohammadi, K., Houmb, S. H. (2010). Business Process-Based Information Security Risk Assessment. 2010 Fourth International Conference on Network and System Security. doi: https://doi.org/10.1109/nss.2010.37
- Kuzminykh, I., Ghita, B., Sokolov, V., Bakhshi, T. (2021). Information Security Risk Assessment. Encyclopedia, 1 (3), 602–617. doi: https://doi.org/10.3390/encyclopedia1030050
- Liu, C., Tan, C.-K., Fang, Y.-S., Lok, T.-S. (2012). The Security Risk Assessment Methodology. Procedia Engineering, 43, 600–609. doi: https://doi.org/10.1016/j.proeng.2012.08.106
- Identifying Information Assets and Business Requirements. The National Archives. Available at: https://cdn.nationalarchives.gov.uk/documents/identify-information-assets.pdf
- Martin, C., Kadry, A., Abu-Shady, G. (2014). Quantifying the financial impact of it security breaches on business processes. 2014 Twelfth Annual International Conference on Privacy, Security and Trust. doi: https://doi.org/10.1109/pst.2014.6890934
- Lund, M. S., Solhaug, B., Stølen, K. (2011). Model-Driven Risk Analysis. Springer, 460. doi: https://doi.org/10.1007/978-3-642-12323-8
- Matulevičius, R. (2017). Domain Model for Information Systems Security Risk Management. Fundamentals of Secure System Modelling, 17–30. doi: https://doi.org/10.1007/978-3-319-61717-6_2
- Innerhofer-Oberperfler, F., Mitterer, M., Hafner, M., Breu, R. (2010). Security Analysis of Service Oriented Systems. Web Services Security Development and Architecture, 33–56. doi: https://doi.org/10.4018/978-1-60566-950-2.ch002
- Innerhofer-Oberperfler, F., Breu, R. (2010). Potential Rating Indicators for Cyberinsurance: An Exploratory Qualitative Study. Economics of Information Security and Privacy, 249–278. doi: https://doi.org/10.1007/978-1-4419-6967-5_13
- Alkubaisy, D., Piras, L., Al-Obeidallah, M. G., Cox, K., Mouratidis, H. (2022). A Framework for Privacy and Security Requirements Analysis and Conflict Resolution for Supporting GDPR Compliance Through Privacy-by-Design. Evaluation of Novel Approaches to Software Engineering, 67–87. doi: https://doi.org/10.1007/978-3-030-96648-5_4
- Pullonen, P., Tom, J., Matulevičius, R., Toots, A. (2019). Privacy-enhanced BPMN: enabling data privacy analysis in business processes models. Software and Systems Modeling, 18 (6), 3235–3264. doi: https://doi.org/10.1007/s10270-019-00718-z
- Malina, L., Dzurenda, P., Ricci, S., Hajny, J., Srivastava, G., Matulevicius, R. et al. (2021). Post-Quantum Era Privacy Protection for Intelligent Infrastructures. IEEE Access, 9, 36038–36077. doi: https://doi.org/10.1109/access.2021.3062201
- Rikhardsson, P., Rohde, C., Christensen, L., Batt, C. E. (2021). Management controls and crisis: evidence from the banking sector. Accounting, Auditing & Accountability Journal, 34 (4), 757–785. doi: https://doi.org/10.1108/aaaj-01-2020-4400
- Koeze, R. (2017). Designing a Cyber Risk Assessment Tool for Small to Medium Enterprises. TUDelft. Available at: https://repository.tudelft.nl/islandora/object/uuid:8ffae35d-0695-4eb9-b488-471bd1c9e10d/datastream/OBJ/download
- Milov, O., Khvostenko, V., Natalia, V., Korol, O., Zviertseva, N. (2022). Situational Control of Cyber Security in Socio-Cyber-Physical Systems. 2022 International Congress on Human-Computer Interaction, Optimization and Robotic Applications (HORA). doi: https://doi.org/10.1109/hora55278.2022.9800049
- Milov, O., Yevseiev, S., Zviertseva, N., Zviertsev, H., Motalyhin, Y. (2022). Pseudo-Physical Logics in Control of Cyber Security Systems. 2022 International Symposium on Multidisciplinary Studies and Innovative Technologies (ISMSIT). doi: https://doi.org/10.1109/ismsit56059.2022.9932711
- SWI-Prolog. Available at: https://www.swi-prolog.org/
- Pohasii, S., Yevseiev, S., Zhuchenko, O., Milov, O., Lysechko, V., Kovalenko, O. et al. (2022). Development of crypto-code constructs based on LDPC codes. Eastern-European Journal of Enterprise Technologies, 2 (9 (116)), 44–59. doi: https://doi.org/10.15587/1729-4061.2022.254545
- Yevseiev, S., Ponomarenko, V., Laptiev, O., Milov, O., Korol, O., Milevskyi, S. et. al.; Yevseiev, S., Ponomarenko, V., Laptiev, O., Milov, O. (Eds.) (2021). Synergy of building cybersecurity systems. Kharkiv: РС ТЕСHNOLOGY СЕNTЕR, 188. doi: https://doi.org/10.15587/978-617-7319-31-2
Downloads
Published
How to Cite
Issue
Section
License
Copyright (c) 2023 Serhii Yevseiev, Oleksandr Milov, Nataliia Zviertseva, Oleksandr Lezik, Olena Komisarenko, Andrii Nalyvaiko, Volodymyr Pogorelov, Vitaliy Katsalap, Yurii Pribyliev, Iryna Husarova
This work is licensed under a Creative Commons Attribution 4.0 International License.
The consolidation and conditions for the transfer of copyright (identification of authorship) is carried out in the License Agreement. In particular, the authors reserve the right to the authorship of their manuscript and transfer the first publication of this work to the journal under the terms of the Creative Commons CC BY license. At the same time, they have the right to conclude on their own additional agreements concerning the non-exclusive distribution of the work in the form in which it was published by this journal, but provided that the link to the first publication of the article in this journal is preserved.
A license agreement is a document in which the author warrants that he/she owns all copyright for the work (manuscript, article, etc.).
The authors, signing the License Agreement with TECHNOLOGY CENTER PC, have all rights to the further use of their work, provided that they link to our edition in which the work was published.
According to the terms of the License Agreement, the Publisher TECHNOLOGY CENTER PC does not take away your copyrights and receives permission from the authors to use and dissemination of the publication through the world's scientific resources (own electronic resources, scientometric databases, repositories, libraries, etc.).
In the absence of a signed License Agreement or in the absence of this agreement of identifiers allowing to identify the identity of the author, the editors have no right to work with the manuscript.
It is important to remember that there is another type of agreement between authors and publishers – when copyright is transferred from the authors to the publisher. In this case, the authors lose ownership of their work and may not use it in any way.