Herald of Dagestan State Technical University. Technical Sciences

Basic approaches to assessing the Security of Information Systems and prospects for their application in the internal affairs agencies of the Russian Federation

https://doi.org/10.21822/2073-6185-2025-52-3-183-190

Abstract

Objective. The article analyzes the main approaches to assessing the security of information systems, highlights their advantages and disadvantages, and considers their applicability to the internal affairs bodies of the Russian Federation. The aim of the study is to determine the prospects for the development of methodological approaches to assessing the security of internal affairs bodies of the Russian Federation.

Method. The study is based on a review of various methods for assessing the security of information systems, together with an analysis of the scientific literature and publications on this topic.

Result. The authors propose an approach to the further development of methods for assessing the security of information systems, taking into account the specifics of the internal affairs bodies of the Russian Federation.

Conclusion. The authors note the promise of research aimed at creating specialized software that combines expert knowledge and quantitative algorithms. Such software could simplify the assessment of the security of information systems of law enforcement agencies while ensuring accuracy, accessibility and adaptability to the specifics of law enforcement activities. It would be a valuable tool for improving the data security of law enforcement agencies, minimizing risks and optimizing resources, and it would open up new opportunities to protect critical information systems.

About the Authors

A. I. Yangirov
FSI «SRC «Okhrana» of the Federal Service of National Guard of Russia
Russian Federation

Adil I. Yangirov - Head of the Laboratory Research and Testing.

12 B Reutovskaya Str., Moscow 111539



A. S. Cherkasova
FSI «SRC «Okhrana» of the Federal Service of National Guard of Russia
Russian Federation

Anastasia S. Cherkasova - full-time Adjunct Student.

53 Patriotov Ave., Voronezh 394065



A. O. Efimov
FSI «SRC «Okhrana» of the Federal Service of National Guard of Russia
Russian Federation

Aleksey O. Efimov - Lecturer, Department of Automated Information Systems of Internal Affairs Bodies.

53 Patriotov Ave., Voronezh 394065



E. A. Rogozin
FSI «SRC «Okhrana» of the Federal Service of National Guard of Russia
Russian Federation

Evgeny A. Rogozin - Dr. Sci. (Eng.), Assoc. Prof., Prof., Department of Automated Information Systems of Internal Affairs Bodies.

53 Patriotov Ave., Voronezh 394065



S. B. Akhlyustin
FSI «SRC «Okhrana» of the Federal Service of National Guard of Russia
Russian Federation

Sergey B. Akhlyustin - Cand. Sci. (Eng.), Head of the Department of Tactical and Special Training.

53 Patriotov Ave., Voronezh 394065




For citations:


Yangirov A.I., Cherkasova A.S., Efimov A.O., Rogozin E.A., Akhlyustin S.B. Basic approaches to assessing the Security of Information Systems and prospects for their application in the internal affairs agencies of the Russian Federation. Herald of Dagestan State Technical University. Technical Sciences. 2025;52(3):183-190. (In Russ.) https://doi.org/10.21822/2073-6185-2025-52-3-183-190


This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2073-6185 (Print)
ISSN 2542-095X (Online)