The concept of assessing the risks of cybersecurity of the information system of the critical infrastructure object

Authors

  • I.D. Gorbenko, V.N. Karazin Kharkiv National University; JSC "Institute of Information Technologies", Ukraine, https://orcid.org/0000-0003-4616-3449
  • O.A. Zamula, V.N. Karazin Kharkiv National University, Ukraine, http://orcid.org/0000-0002-8973-6190
  • Yu.S. Osipenko, V.N. Karazin Kharkiv National University, Ukraine

DOI:

https://doi.org/10.30837/rt.2022.2.209.12

Keywords:

cybersecurity, information security, information system, critical infrastructure object, risk assessment, asset value, likelihood of attacks

Abstract

Cyber and information security for critical infrastructure is ensured by implementing an appropriate set of information security management measures, which may take the form of policies, methods, procedures, organizational structures and software functions. Information security requirements are determined, in particular, by systematic information security risk assessment, which can serve as one element of a predictive approach to identifying hazards in the delivery of services to the participants in the information system's information exchange. The paper presents conceptual provisions for assessing and managing cybersecurity risks of a critical infrastructure information system. The proposed concept involves defining the areas of security threats to the information system; identifying the information assets involved and calculating their value; assessing the probability of attacks on the information system; assessing the probability that attacks on the information system succeed; and more. Risk assessment methods are proposed that take into account both the probability that an attack occurs and the probability that it succeeds, which eliminates shortcomings inherent in known approaches and allows more accurate identification of attack methods associated with the attacker's behaviour. The cybersecurity risk assessment concept and the methodology for analysing and assessing security threats presented in the paper are consistent with approaches to building risk-oriented information security management systems and can serve as the basis for developing an information security system for the information system of a critical infrastructure object.
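As an added illustration (this is not the paper's own code, and the paper's formulas are not reproduced on this page), the following Python risk register scores each threat/asset pair as asset value × P(attack) × P(success), and for comparison as asset value × P(attack) alone, which is the kind of likelihood-only scoring the abstract says the proposed method improves on. The independence assumption in the per-asset aggregate, and all asset names, values and probabilities, are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float          # asset value in monetary units (constructed figure)


@dataclass(frozen=True)
class Threat:
    name: str
    p_attack: float                 # probability the attack is attempted in the period
    p_success: Dict[str, float]     # asset name -> probability the attempt succeeds
                                    # against that asset given current controls

    def __post_init__(self) -> None:
        # Reject malformed inputs early: a probability outside [0, 1] silently
        # corrupts every ranking derived from it.
        for p in (self.p_attack, *self.p_success.values()):
            if not 0.0 <= p <= 1.0:
                raise ValueError(f"{self.name}: probability {p} outside [0, 1]")


def expected_loss(asset: Asset, threat: Threat, with_success: bool = True) -> float:
    """Risk of one threat/asset pair: value * P(attack) * P(success).

    with_success=False drops the P(success) factor, i.e. scores the pair the way
    an approach that considers only attack likelihood would.
    """
    p_s = threat.p_success.get(asset.name, 0.0)
    if not with_success and asset.name in threat.p_success:
        p_s = 1.0
    return asset.value * threat.p_attack * p_s


def risk_register(assets: List[Asset], threats: List[Threat],
                  with_success: bool = True) -> List[Tuple[str, str, float]]:
    """Score every applicable threat/asset pair and rank by descending risk."""
    rows = [
        (t.name, a.name, expected_loss(a, t, with_success))
        for t in threats for a in assets if a.name in t.p_success
    ]
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


def asset_risk(asset: Asset, threats: List[Threat]) -> float:
    """Aggregate risk to one asset: value * P(at least one threat succeeds).

    Assumes (constructed simplification) that threats are independent, so
    P(no compromise) is the product of the per-threat 1 - P(attack) * P(success).
    """
    p_safe = 1.0
    for t in threats:
        p_safe *= 1.0 - t.p_attack * t.p_success.get(asset.name, 0.0)
    return asset.value * (1.0 - p_safe)


# Constructed sample register for a small critical-infrastructure IS (not from the paper).
ASSETS = [
    Asset("SCADA historian", 500_000),
    Asset("Operator HMI", 200_000),
    Asset("Public web portal", 50_000),
]
THREATS = [
    Threat("Phishing of operators", 0.8, {"Operator HMI": 0.3, "SCADA historian": 0.1}),
    Threat("Web app exploitation", 0.9, {"Public web portal": 0.5}),
    Threat("Insider data theft", 0.2, {"SCADA historian": 0.6}),
]

if __name__ == "__main__":
    for label, flag in (("value * P(attack) * P(success)", True),
                        ("value * P(attack) only", False)):
        print(f"\nRanking by {label}:")
        for threat, asset, risk in risk_register(ASSETS, THREATS, flag):
            print(f"  {risk:>10,.0f}  {threat} -> {asset}")
    print("\nAggregate risk per asset:")
    for a in ASSETS:
        print(f"  {asset_risk(a, THREATS):>10,.0f}  {a.name}")
```

On the constructed data the two rankings disagree at the top: with P(success) included, insider theft against the historian (0.2 × 0.6 against a high-value asset) is ranked first, whereas likelihood-only scoring ranks operator phishing against the historian first even though only one attempt in ten is assumed to succeed against that asset. That reversal is the practical effect of the distinction the abstract draws between the probability that an attack occurs and the probability that it succeeds.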

Published

2022-06-24

How to Cite

Gorbenko, I., Zamula, O., & Osipenko, Y. (2022). The concept of assessing the risks of cybersecurity of the information system of the critical infrastructure object. Radiotekhnika, 2(209), 118–129. https://doi.org/10.30837/rt.2022.2.209.12

Section

Articles