The concept of assessing the risks of cybersecurity of the information system of the critical infrastructure object

Authors

  • I.D. Gorbenko Харківський національний університет імені В.Н. Каразіна, АТ «Інститут інформаційних технологій», Ukraine https://orcid.org/0000-0003-4616-3449
  • О.A. Zamula Харківський національний університет імені В.Н. Каразіна, Ukraine http://orcid.org/0000-0002-8973-6190
  • Yu.S. Osipenko Харківський національний університет імені В.Н. Каразіна, Ukraine

DOI:

https://doi.org/10.30837/rt.2022.2.209.12

Keywords:

cybersecurity, informational security, information system, critical infrastructure object, risk assessment, asset value, the likelihood of attacks

Abstract

Ensuring cyber and information security for critical infrastructure is achieved through the implementation of an appropriate set of information security management measures, which can be provided in the form of software policies, methods, procedures, organizational structures and functions. Information security requirements are determined, in particular, by systematic risk assessment of information security, which can be one of the elements of the predicted approach to identifying hazards in the provision of services to service participants in the information interaction of the information system. The paper presents conceptual provisions for assessing and managing cybersecurity risks of the critical infrastructure information system. The proposed concept involves the definition of: areas of security threats to the information system; involved information assets and calculation of their value; assessment of the probability of attacks on the information system; assessment of the probability of success of attacks on the information system and more. Risk assessment methods are proposed that take into account the probability of success of an attack and the probability of an attack occurring, which makes it possible to eliminate the shortcomings inherent in known approaches and provide more accurate identification of attack methods associated with the attacker's behavior. The concept of cybersecurity risk assessment and the methodology for analyzing and assessing security threats that are presented in the work correspond to approaches to building risk-oriented information security management systems and can become the basis for developing an information security system in the information system of a critical infrastructure object.

References

Schneier B. Attack trees. Dr Dobbs J. 1999;24:21–29. doi: 10.1002/9781119183631.ch21. [CrossRef] [Google Scholar]

NIST SP800–37 Rev. 2. Risk Management Framework for Information Systems and Organizations, 2018.

Потій О.В., Горбенко І.Д., Замула О.А., Ісірова К.В. Аналіз методів оцінки і управління ризиками кібер і інформаційної безпеки // Радіотехніка. 2021. Вип. 206. С. 5-23.

Maji A, Mukhoty A, Majumdar A, Mukhopadhyay J, Sural S, Paul S, et al. Security analysis and implementation of web-based telemedicine services with a four-tier architecture // Proceedings of the Second International Conference on Pervasive Computing Technologies for Healthcare. Tampere; 2008. p. 46–54. 10.4108/icst.pervasivehealth2008.2518.

She H, Lu Z, Jantsch A, Zheng LR, Zhou D. A network-based system architecture for remote medical applications. Asia-Pac Adv Netw. 2007;1:27–31. [Google Scholar].

International Organization for Standardization. Information security risk management. (second edition). ISO/IEC 27005:2011. 2011. [Google Scholar].

International Organization for Standardization . Health informatics – Information security management in health using ISO/IEC 27002. ISO/DIS 27799:2014(E) 2015. [Google Scholar].

Camara C., Peris-Lopez P., Tapiador JE. Security and privacy issues in implantable medical devices: a comprehensive survey. J Biomed Inf. 2015;55:272–289. doi: 10.1016/j.jbi.2015.04.007. [PubMed] [CrossRef] [Google Scholar].

Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J, Gulick J. Guide for mapping types of information and information systems to security categories. NIST SP800–64 Rev. 4. 2008. [Google Scholar].

International Organization for Standardization. Risk management. ISO 31000:2018. 2018. [Google Scholar].

International Organization for Standardization. Information technology – Security techniques – Evaluation criteria for IT security Part 1: Introduction and general model. ISO/IEC 15408–1:2009. 2009. [Google Scholar].

International Organization for Standardization. Refining software vulnerability analysis under ISO/IEC 15408 and ISO/IEC 18045. ISO/IEC 18045. 2015. [Google Scholar].

Published

2022-06-24

How to Cite

Gorbenko, I. ., Zamula О. ., & Osipenko, Y. . (2022). The concept of assessing the risks of cybersecurity of the information system of the critical infrastructure object. Radiotekhnika, 2(209), 118–129. https://doi.org/10.30837/rt.2022.2.209.12

Issue

Section

Articles

Most read articles by the same author(s)

1 2 3 4 > >>