Information Security Risk Assessment for Personnel During Access Segregation to Company Resources
DOI: https://doi.org/10.30837/rt.2024.4.219.01
Keywords: information security, risks, personnel, access segregation, personnel profiling, restricting access to corporate resources
Abstract
The article addresses the problem of information security risk assessment in the context of the human factor and the specifics of restricting employees' access to corporate resources. The aim of the study is to improve approaches to assessing information security risks for company personnel during the segregation of access to corporate information resources by developing and implementing a modified sequence of processes that accounts for the human factor and helps minimize threats arising from employees' mistakes and malicious actions. The object of the research is the process of ensuring information security while managing personnel access to corporate resources. The subject of the research is the methods and procedures for assessing information security risks related to personnel activities, together with the technological sequence in which they are applied to minimize threats. The authors emphasize that company personnel are, on the one hand, among its most valuable assets and, on the other hand, a potential source of information security threats. Modern approaches to risk assessment are analyzed, including international standards that can serve as a foundation for implementing a comprehensive protection system. It is shown that the key task in protecting information resources is the appropriate definition of personnel roles and categories, taking into account their responsibilities and level of accountability. A nine-step sequence is proposed to optimize access segregation, encompassing resource identification and classification, auditing the current security system, proactive risk assessment, formulating recommendations, and implementing new measures. Methods of profiling employees are described that take into account their competencies, behavioral characteristics, and opportunities to access confidential data.
Special attention is paid to Role-Based Access Control policies and authentication methods, including password systems and more advanced technologies. The importance of regular auditing and monitoring for timely detection of new threats and vulnerabilities is highlighted. Applying the developed risk assessment model makes it possible to reduce the number of human errors, raise the level of business process security, and optimize the management of access to critical resources. The results obtained can be integrated into the company's information security system to ensure continuous improvement of protective mechanisms, which positively affects the enterprise's reputation and minimizes potential financial losses.
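The abstract names three building blocks of access segregation: classifying resources, assigning personnel to roles under RBAC, and assessing the risk an individual employee's access represents. The following example, added here and not taken from the article, shows how those pieces fit together in code: a deny-by-default RBAC check, a segregation-of-duties (SoD) rule that flags employees holding conflicting roles, and a simple per-employee exposure score that sums the classification levels of every resource the employee can reach. The classification scale, resources, roles, users and conflict pairs are constructed sample data, and the exposure score is an illustrative metric, not the authors' model.

```python
"""RBAC access segregation with SoD conflict detection and an exposure score.

Added illustration of the concepts in the abstract; all data below is
constructed sample data and the scoring rule is an assumption, not the
article's method.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed classification scale: higher means more sensitive.
CLASSIFICATION: Dict[str, int] = {
    "public": 0, "internal": 1, "confidential": 2, "restricted": 3,
}


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str


@dataclass(frozen=True)
class Role:
    name: str
    permissions: FrozenSet[Tuple[str, str]]  # (resource, action) pairs


# Sample resources with their classification (constructed).
RESOURCES: Dict[str, Resource] = {r.name: r for r in [
    Resource("wiki", "internal"),
    Resource("payroll_db", "restricted"),
    Resource("bank_api", "confidential"),
    Resource("prod_cluster", "confidential"),
]}

# Sample roles and the (resource, action) permissions they grant (constructed).
ROLES: Dict[str, Role] = {r.name: r for r in [
    Role("employee", frozenset({("wiki", "read")})),
    Role("payments_initiator", frozenset({("bank_api", "create_transfer")})),
    Role("payments_approver", frozenset({("bank_api", "approve_transfer")})),
    Role("developer", frozenset({("prod_cluster", "read_logs")})),
    Role("prod_deployer", frozenset({("prod_cluster", "deploy")})),
    Role("hr_admin", frozenset({("payroll_db", "read"), ("payroll_db", "write")})),
]}

# Role pairs that a single person must never hold at once (sample SoD rules).
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"payments_initiator", "payments_approver"}),
    frozenset({"developer", "prod_deployer"}),
}

# Sample user-to-role assignments (constructed). "bob" deliberately violates SoD.
USERS: Dict[str, Set[str]] = {
    "alice": {"employee", "payments_initiator"},
    "bob": {"employee", "payments_initiator", "payments_approver"},
    "carol": {"employee", "hr_admin"},
}


def is_allowed(user: str, resource: str, action: str) -> bool:
    """Deny by default: unknown users and unknown roles grant nothing."""
    for role_name in USERS.get(user, set()):
        role = ROLES.get(role_name)
        if role is not None and (resource, action) in role.permissions:
            return True
    return False


def sod_violations(user: str) -> List[FrozenSet[str]]:
    """Return every SoD conflict pair fully contained in the user's roles."""
    roles = USERS.get(user, set())
    return sorted((c for c in SOD_CONFLICTS if c <= roles), key=sorted)


def exposure_score(user: str) -> int:
    """Sum of classification levels over the distinct resources the user can touch.

    Illustrative metric: counts each reachable resource once regardless of
    how many actions or roles grant access to it.
    """
    reachable = {
        res
        for role_name in USERS.get(user, set())
        if role_name in ROLES
        for (res, _action) in ROLES[role_name].permissions
    }
    return sum(CLASSIFICATION[RESOURCES[res].classification] for res in reachable)


def users_needing_review(threshold: int) -> List[str]:
    """Users with any SoD violation or an exposure score at or above threshold."""
    return sorted(
        u for u in USERS if sod_violations(u) or exposure_score(u) >= threshold
    )


if __name__ == "__main__":
    for u in USERS:
        print(u, "exposure:", exposure_score(u), "SoD:", [sorted(c) for c in sod_violations(u)])
    print("review:", users_needing_review(4))
```

In a real deployment the role and user tables would come from the identity provider, and the review list would feed the periodic audit the abstract calls for; the SoD pairs and the exposure threshold are the policy inputs an organization tunes to its own classification scheme.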
License
Authors who publish with this journal agree to the following terms:
1. Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
2. Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
3. Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).