MANAGING THE RISKS OF INFORMATION AND COMMUNICATION NETWORK IN THE CONTEXT OF PLANNING THE SECURITY OF CRITICAL INFRASTRUCTURE SYSTEMS
Keywords:information and communication network, critical infrastructure systems, information security risk, security measures, modelling
AbstractThe subject matter of the article is information and communication networks of critical infrastructure systems. The goal of the work is to create an approach for strategic managing the security of critical infrastructure systems taking into account the risks of the information and communication network. The article deals with the following tasks: determining the procedure of strategic managing the security of critical infrastructure systems, identifying the risks of the information and communication network, assessing the importance and probability of partial network risks. The following methods are used: a systematic approach, cause-and-effect analysis, statistical methods. The following results are obtained: the diagram of multi-level risk management of critical infrastructure systems is developed; the diagram of the step-by-step method of information risks management is developed for increasing the safety of the system; the complex index is suggested for determining the category of information system security; probable variants of the full-factor environment of a set of values of the complex index elements and the corresponding categories of information systems security are analyzed; the process of adaptation of the system as an integral part of the selection and specification of measures for the risk reduction of the information and communication network is determined; the example of the risk assessment of the information and communication network for a software and hardware complex in the automated control system of technological processes is considered. Taking into account the categories of factors, a list of probable risks of the information and communication network and factors that cause them is given; the cause-and-effect diagram of "cause-risk-effect" interaction is created; the total effect of each factor on the final vertices of the diagram, that is possible effects, is calculated; the factors were grouped as the most important, quite important, of mean importance, and inconsiderable ones. Conclusions: On the basis of the analysis of information and communication network risks, appropriate security measures can be planned. The application of the obtained results contributes to enhancing the operational and informational security of critical infrastructure systems at the strategic planning stage.
Australian Government Critical Infrastructure Resilience Strategy, available at : http://www.tisn.gov.au/
Cichonski P., Millar T., Grance T., Scarfone K. Computer Security Incident Handling Guide. National Institute of Standards and Technology, 2012. 79 p.
Ross R. Guide for Conducting Risk Assessments. National Institute of Standards and Technology, 2012. 95 p.
Paulsen S., Boens J. Summary of the Workshop on information and communication technologies supply chain risk management. National Institute of Standards and Technology. 2012. 21 p.
Karpov É. A., Kosareva Y. N., Kobzeva A. H. Otsenka ynformatsyonnykh ryskov po metodyke SRAMM [Information Risk Assessment by the CAMM methodology]. Visnyk NTU «KHPI». Seriya: Aktual’ni problemy upravlinnya ta finansovo-hospodars’koyi diyal’nosti pidpryyemstva [Bulletin of the NTU "KhPI". Series: actual problems of property management and financial and economic activity of the enterprise ]. 2013, no. 52 (1025), pp. 69-72.
Hornyts‟ka D. A., Zakharova M. V., Kladochnyy A. I. Systema analizu ta otsinky rivnya zakhyshchenosti derzhavnykh informatsiynykh resursiv vid sotsiotekhnichnykh atak [System of analysis and estimation of the level of protection of state information resources from sociotechnical attacks]. National Aviation University. 5 p.
Shatovs‟ka T. B., Kamenyeva I. V. Doslidzhennya efektyvnosti zastosuvannya BDD-freymvorkiv u testuvanni bezpeky web-oriyentovanoho prohramnoho zabezpechennya [The study of the effectiveness of the use of BDD-frameworks in the testing of security of web-based software]. Visnyk NTU «KHPI». Seriya: «Mekhaniko-tekhnolohichni systemy ta kompleksy» [Bulletin of the NTU "KhPI". Series: "Mechanic-technological systems and complexes"]. 2015, no. 21 (1130), pp. 69-75.
Furmanov A. A., Lakhizha I. N., Kharchenko V. S. Modeling of service-oriented service-oriented architectures in attacks using vulnerabilities [Modelirovaniye garantosposobnykh servis-oriyentirovannykh arkhitektur pri atakakh s ispol'zovaniyem uyazvimostey]. Radiotechnical and computer systems. 2009, no. 7 (41), pp. 65-69.
Boyarchuk A. V., Kharchenko, V. S. ed. Bezopasnost' kriticheskikh infrastruktur: matemati-cheskiye i inzhenernyye metody analiza i obespecheniya [Safety of critical infrastructures: mathematical and engineering methods of analysis and provision]. National Aerospace University "Kharkiv Aviation Institute"(KhAI), 2011. 641 p.
Voropayeva V. Ya., Shcherbov I. L., Khaustova E. D. Upravlinnya informatsiynoyu bezpekoyu infor-matsiyno–telekomunikatsiynykh system na osnovi modeli "PLAN–DO–CHECK–ACT" [Information Security Management of Informational-Telecommunication Systems on the basis of the model "PLAN-DO-CHECK-ACT"]. Scientific works of DonNTU. Series: Computing and Automation. 2013, no. 2 (25). 7 p.
Prikhod'ko T. A. Issledovaniye voprosov bezopasnosti lokal'nykh setey na kanal'nom urov-ne modeli OSI [Investigation of the security of local networks on the channel level of the OSI model]. Scientific publications of DonNTU Computer Engineering Department. 2011. 4 p.
Sklyar V. V., Kharchenko V. S. ed. Metodologiya risk-analiza funktsional'noy bezopasnosti informatsionno-upravlyayushchikh sistem. Bezopasnost' kriticheskikh infrastruktur: matematicheskiye i inzhenernyye metody analiza i obespecheniya [Methodology of risk analysis of functional safety of information-control systems. Security of critical infrastructures: mathematical and engineering methods of analysis and security]. National Aerospace University "Kharkiv Aviation Institute"(KhAI), 2011, section 12, pp. 360-408.
Domarev V. V. Bezopasnost' informatsionnykh tekhnologiy. Metodologiya sozdaniya sistem zashchity [Information Technology Security. Methodology for creating protection systems]. Kyiv: OOO "TID "DS", 2001. 688 p.
Kosenko V. Principles and structure of the methodology of risk-adaptive management of parameters of information and telecommunication networks of critical application systems. Innovative technologies and scientific solutions for industries. Kharkiv. 2017, no. 1 (1), pp. 45-51.
Malyeyeva O. V., Sytnik N. I. Analiz vzaimodeystviya vnutrennikh i vneshnikh riskov na osno-ve prichinno-sledstvennoy diagrammy [Analysis of the interaction of internal and external risks on the basis of the cause-effect diagram]. Radiotechnical and computer systems. 2007, no. 1. pp. 73-76.
Kosenko V. V., Persiyanova E. Yu., Timofyeyev V. O. ed., Chumachenko I. V. ed. Adaptyvne uprav-linnya ryzykamy informatsiynoyi merezhi dlya informatsiynoyi bezpeky system krytychnoyi infrastruktury [Adaptive risk management of the information network for information security of critical infrastructure systems]. Mathematical models and new technologies of management of economic and technical systems: monograph. Kharkiv, KNURE, 2017, pp. 284-301.
Budushcheye informatsionnoy bezopasnosti: integrirovannaya sistema okhrany perimetra [The future of information security: an integrated perimeter security system]. Zashchita informatsii. Konfident [Data protection. Confident]. 2001, no. 2, pp. 56-59.
Il'in V. Ye., Komarovich V. F., Osadchiy A. I. Analiz problemy adaptivnoy zashchity IVS v usloviyakh informatsionnogo protivoborstva [Analysis of the problem of adaptive protection of IVS in the context of information confrontation]. Zashchita informatsii. Konfident [Data protection. Confident]. 2002, no. 4-5, pp. 99-107.
Kheys D. Causal analysis in statistical studies. Moscow: Finance and Statistics. 1981. 255 p.
Kosenko V., Malyeyeva O., Persiyanova E., Rogovyi A. Analysis of information-telecommunication network risk based on cognitive maps and cause-effect diagram. Advanced Information Systems. 2017, vol. 1, no. 1, pp. 49-56. doi: 10.20998/2522-9052.2017.1.09.
Copyright (c) 2018 Roman Artiukh, Viktor Kosenko, Olga Malyeyeva, Eduard Lysenko
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Our journal abides by the Creative Commons copyright rights and permissions for open access journals.
Authors who publish with this journal agree to the following terms:
Authors hold the copyright without restrictions and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0) that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
Authors are able to enter into separate, additional contractual arrangements for the non-commercial and non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
Authors are permitted and encouraged to post their published work online (e.g., in institutional repositories or on their website) as it can lead to productive exchanges, as well as earlier and greater citation of published work.