
Herald of Dagestan State Technical University. Technical Sciences


Methodical approach to quantitative assessment of the risks of implementation of threats of unauthorized access to the information resource of automated systems of internal affairs bodies

https://doi.org/10.21822/2073-6185-2022-49-3-91-103

Abstract

Objective. A characteristic feature of the current stage of informatization of internal affairs bodies (OVD) is a significant increase in the volume and variety of restricted-distribution service information stored, processed and transmitted in automated systems (AS). This produces a larger number and a wider range of information security threats, above all threats of unauthorized access (UA) to the information resource of OVD AS, and makes it necessary to improve the existing methods of combating this type of crime in order to ensure the information security of OVD informatization objects. To obtain data that allow the degree of these threats to be assessed, a quantitative risk assessment must be carried out.

Method. The method for assessing the risks of implementation of UA threats to the information resource of OVD AS, and for obtaining the results in quantitative form, is based on mathematical modeling. The advantage of a quantitative assessment over a qualitative one is that risks can be compared with the final result expressed in monetary terms, and that result can then be used to estimate the likelihood of information threats and to calculate the damage they cause.

Result. A methodical approach to the quantitative assessment of the risks of implementation of UA threats to the information resource of OVD AS is proposed, which makes it possible to assess the level of security of service information.

Conclusion. The proposed methodical approach to quantitative assessment of the risks of implementation of UA threats to the information resource of OVD AS gives a clear representation of the objects of assessment (damage, costs) in monetary terms. The resulting calculations can be used to justify requirements for the level of security of OVD AS during their development and operation.
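The abstract describes expressing UA risk in monetary terms from threat likelihood and damage, but this page does not give the authors' formulas. The following is an added illustration, not the paper's method: a generic expected-loss model (risk per year = annual probability of the threat being realized times damage per incident) applied to constructed sample threats, showing how such a quantitative result lets a security control's cost be compared with the loss it prevents. All threat names, probabilities, damages and control parameters are constructed for the example.

```python
"""Expected-loss risk scoring (added example; not the method of the cited paper).

risk(threat) = annual_probability * damage_per_incident
A control is justified when the loss it prevents exceeds its annual cost.
All figures below are constructed sample values, not data from the paper.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Threat:
    name: str
    annual_probability: float  # estimated probability of realization per year (0..1)
    damage: float              # estimated damage per incident, in monetary units


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # fraction by which the control reduces each threat's annual probability,
    # keyed by threat name; threats not listed are unaffected
    reduction: dict = field(default_factory=dict)


def expected_annual_loss(threats):
    """Monetary risk per threat: probability * damage."""
    return {t.name: t.annual_probability * t.damage for t in threats}


def rank_threats(threats):
    """Threat names ordered from highest to lowest expected annual loss."""
    losses = expected_annual_loss(threats)
    return sorted(losses, key=losses.get, reverse=True)


def residual_loss(threats, control):
    """Expected annual loss per threat after the control is applied."""
    result = {}
    for t in threats:
        # a reduction of 0.9 leaves 10 % of the original probability
        remaining = 1.0 - control.reduction.get(t.name, 0.0)
        result[t.name] = t.annual_probability * remaining * t.damage
    return result


def net_benefit(threats, control):
    """Prevented loss minus control cost; positive means the control pays for itself."""
    baseline = sum(expected_annual_loss(threats).values())
    residual = sum(residual_loss(threats, control).values())
    return (baseline - residual) - control.annual_cost


# Constructed sample input: three UA threats to an AS and one combined control.
SAMPLE_THREATS = [
    Threat("password guessing against an AS workstation", 0.30, 200_000.0),
    Threat("exfiltration via removable media", 0.10, 1_500_000.0),
    Threat("privilege escalation by an insider", 0.05, 4_000_000.0),
]

SAMPLE_CONTROL = Control(
    "two-factor authentication plus removable-media control",
    annual_cost=150_000.0,
    reduction={
        "password guessing against an AS workstation": 0.9,
        "exfiltration via removable media": 0.7,
        "privilege escalation by an insider": 0.2,
    },
)

if __name__ == "__main__":
    for name in rank_threats(SAMPLE_THREATS):
        print(f"{name}: {expected_annual_loss(SAMPLE_THREATS)[name]:,.0f} per year")
    print(f"net benefit of control: {net_benefit(SAMPLE_THREATS, SAMPLE_CONTROL):,.0f}")
```

With the constructed figures the insider threat ranks first despite its low probability, because the model weights probability by damage; the control's prevented loss of about 199,000 exceeds its cost of 150,000, so the same monetary representation that ranks threats also justifies the expenditure.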

About the Authors

T. V. Meshcheryakova
Voronezh Institute of the Ministry of Internal Affairs of Russia
Russian Federation

 Dr. Sci. (Eng.), Head of the Department of Automated Information Systems of Internal Affairs Bodies 

 53 Patriotov Str., Voronezh 394065, Russia 



E. A. Rogozin
Voronezh Institute of the Ministry of Internal Affairs of Russia
Russian Federation

Dr. Sci. (Eng.), Professor, Department of Automated Information Systems of Internal Affairs Bodies

 53 Patriotov Str., Voronezh 394065, Russia 



A. O. Efimov
Voronezh Institute of the Ministry of Internal Affairs of Russia
Russian Federation

Adjunct

 53 Patriotov Str., Voronezh 394065, Russia 



V. R. Romanova
Voronezh Institute of the Ministry of Internal Affairs of Russia
Russian Federation

Adjunct

 53 Patriotov Str., Voronezh 394065, Russia 



S. A. Konovalenko
General of the Army S.M. Shtemenko Krasnodar Higher Military School
Russian Federation

Cand. Sci. (Eng.), Senior Lecturer, Department of Information Security by Special Methods and Means

4 Krasina Str., Krasnodar 2350063, Russia




For citation:


Meshcheryakova T.V., Rogozin E.A., Efimov A.O., Romanova V.R., Konovalenko S.A. Methodical approach to quantitative assessment of the risks of the implementation of threats unauthorized access to an information resource automated systems of internal affairs bodies. Herald of Dagestan State Technical University. Technical Sciences. 2022;49(3):91-103. (In Russ.) https://doi.org/10.21822/2073-6185-2022-49-3-91-103

This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2073-6185 (Print)
ISSN 2542-095X (Online)