Integrated information security risk management model based on AHP and Bayesian networks
DOI: https://doi.org/10.30837/2522-9818.2025.3.166
Keywords: CRAMM methodology, SIEM systems, Analytic Hierarchy Process (AHP), Bayesian Networks (BN), Expert evaluation, Threat and vulnerability analysis.
Abstract
The subject of the study is information security risk management in a modern digital environment, where the integration of strategic and tactical approaches is necessary to ensure adaptive protection. The purpose of the work is to develop a hybrid model of cyber risk management by combining methodological analysis, expert assessments, probabilistic modeling and technical monitoring. The objectives of the study are: (1) analysis of the complementarity of the CRAMM methodology and SIEM systems; (2) construction of a procedure for quantitative prioritization of threats and vulnerabilities based on the Analytic Hierarchy Process (AHP); (3) integration of the obtained estimates into Bayesian networks (BN) for probabilistic risk forecasting; (4) implementation of the proposed approach using modern automation tools. The methods used in the work include: the CRAMM methodology for identifying assets, threats and vulnerabilities; Thomas Saaty's AHP for quantitative assessment of priorities based on expert judgments, with the consistency of those judgments measured by the Kendall coefficient of concordance; mathematical modeling of causal relationships using Bayesian networks (BN); and the use of SIEM-class systems for operational monitoring of security events. The practical implementation of the approach was carried out in Python, in particular with the NumPy, SciPy and pgmpy libraries and a Streamlit web interface. Results. An integrated approach was developed that combines CRAMM, AHP, BN, and SIEM into a single adaptive risk management system. It is shown that AHP makes it possible to transform subjective expert assessments into objective weighting factors, which increases the reliability of the analysis. Based on these data, a Bayesian network was built to assess the risk of financial losses, which takes into account the presence of a threat, a vulnerability, and a possible incident. The model is implemented programmatically, demonstrating the process of factoring the joint distribution and marginalizing latent variables to obtain posterior probabilities. The Streamlit-based web interface makes the tool usable by non-specialists. Conclusions. The proposed hybrid approach allows for the effective combination of strategic planning (CRAMM), expert assessments (AHP), probabilistic modeling (BN) and operational monitoring (SIEM), forming a proactive, scientifically sound risk management system. Such integration provides a high level of adaptability and accuracy in a dynamic threat landscape, which makes the model practically applicable for organizations of various levels.
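The two computational steps the abstract describes, AHP priority weights with a Kendall concordance check on the expert rankings, and a Bayesian network whose factorised joint distribution is marginalised over latent variables to obtain posteriors, are illustrated below in one added example. This is not code from the paper or its Streamlit tool (which relies on NumPy, SciPy and pgmpy); it uses only the Python standard library so it runs offline. The four threat names, the pairwise comparison matrix, the three expert rankings and the conditional probability tables are constructed illustrative values, not figures from the study.

```python
"""AHP priority vector + Kendall's W, then exact inference in a small BN.

Added example; constructed data throughout (see the lead-in)."""
from itertools import product

# --- AHP -------------------------------------------------------------------
# Constructed: four threats compared pairwise on Saaty's 1..9 scale.
# PAIRWISE[i][j] = how much more important threat i is judged than threat j;
# the matrix is reciprocal (PAIRWISE[j][i] = 1 / PAIRWISE[i][j]).
THREATS = ["malware", "phishing", "insider", "ddos"]        # assumed names
PAIRWISE = [
    [1,     3,     5,     7],
    [1 / 3, 1,     3,     5],
    [1 / 5, 1 / 3, 1,     3],
    [1 / 7, 1 / 5, 1 / 3, 1],
]


def ahp_weights(matrix, iterations=200):
    """Saaty's priority vector: the principal eigenvector of the reciprocal
    matrix, obtained here by power iteration and normalised to sum to 1."""
    n = len(matrix)
    w = [1.0 / n] * n
    for _ in range(iterations):
        v = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(v)
        w = [x / total for x in v]
    return w


def kendall_w(rankings):
    """Kendall's coefficient of concordance for m experts ranking n items.

    rankings[k][i] is the rank expert k gave item i (1 = most important).
    W = 12*S / (m^2 * (n^3 - n)), where S is the sum of squared deviations
    of the per-item rank sums from their mean. W = 1 means full agreement.
    """
    m, n = len(rankings), len(rankings[0])
    rank_sums = [sum(r[i] for r in rankings) for i in range(n)]
    mean = sum(rank_sums) / n
    s = sum((rs - mean) ** 2 for rs in rank_sums)
    return 12 * s / (m * m * (n ** 3 - n))


# Constructed: three experts rank the four threats (1 = most severe).
EXPERT_RANKINGS = [[1, 2, 3, 4], [1, 3, 2, 4], [2, 1, 3, 4]]

# --- Bayesian network --------------------------------------------------------
# Structure: Threat (T) and Vulnerability (V) -> Incident (I) -> Loss (L).
# Constructed CPTs giving P(node = 1 | parents); 1 = present / occurred.
P_T = 0.3
P_V = 0.4
P_I_GIVEN_TV = {(0, 0): 0.01, (0, 1): 0.05, (1, 0): 0.10, (1, 1): 0.80}
P_L_GIVEN_I = {0: 0.02, 1: 0.70}
VARS = ("T", "V", "I", "L")


def bernoulli(p_one, x):
    return p_one if x == 1 else 1.0 - p_one


def joint(t, v, i, l):
    """Factorised joint: P(T,V,I,L) = P(T) * P(V) * P(I|T,V) * P(L|I)."""
    return (bernoulli(P_T, t) * bernoulli(P_V, v)
            * bernoulli(P_I_GIVEN_TV[(t, v)], i)
            * bernoulli(P_L_GIVEN_I[i], l))


def marginal(evidence):
    """P(evidence): sum the joint over every assignment of the remaining
    (latent) variables that agrees with the evidence."""
    total = 0.0
    for assignment in product((0, 1), repeat=len(VARS)):
        state = dict(zip(VARS, assignment))
        if all(state[k] == val for k, val in evidence.items()):
            total += joint(*assignment)
    return total


def posterior(query, evidence):
    """P(query | evidence) = P(query, evidence) / P(evidence)."""
    return marginal({**evidence, **query}) / marginal(evidence)


if __name__ == "__main__":
    for name, w in zip(THREATS, ahp_weights(PAIRWISE)):
        print(f"{name:10s} weight {w:.3f}")
    print(f"Kendall's W over expert rankings: {kendall_w(EXPERT_RANKINGS):.3f}")
    print(f"P(loss)                 = {marginal({'L': 1}):.4f}")
    print(f"P(loss | threat)        = {posterior({'L': 1}, {'T': 1}):.4f}")
    print(f"P(loss | threat, vuln)  = {posterior({'L': 1}, {'T': 1, 'V': 1}):.4f}")
    print(f"P(threat | loss seen)   = {posterior({'T': 1}, {'L': 1}):.4f}")
```

The last query runs the network "backwards": given that a financial loss has been observed (the kind of fact a SIEM alert would supply), it returns the posterior that a threat was present, which is the diagnostic use the abstract's SIEM integration points at. With these constructed tables the prior P(loss) is about 0.11, conditioning on an observed threat raises it to about 0.28, and on threat plus vulnerability to about 0.56.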
License

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Our journal abides by the Creative Commons copyright rights and permissions for open access journals.
Authors who publish with this journal agree to the following terms:
Authors hold the copyright without restrictions and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0) that allows others to share the work with an acknowledgment of the work's authorship and initial publication in this journal.
Authors are able to enter into separate, additional contractual arrangements for the non-commercial and non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgment of its initial publication in this journal.
Authors are permitted and encouraged to post their published work online (e.g., in institutional repositories or on their website) as it can lead to productive exchanges, as well as earlier and greater citation of published work.