Models and methods for assessing the security of an informatization object
https://doi.org/10.55648/1998-6920-2022-16-3-14-28
Abstract
The paper substantiates the need to create an information decision support system for use in developing systems that protect informatization objects. It considers analyses of existing systems in various fields of activity, the requirements for the system's functionality in relation to the field of information protection, and methods, based on Bayesian networks, for developing models of how protected information systems function under destructive environmental impact. The paper describes a typical functioning module of this model. It considers the structures of probabilistic models of the relationships among vulnerabilities, information security threats, and the methods and scenarios for their implementation, as well as the formation of measures to protect informatization objects and the formation and assessment of the risks of incidents and their damage. Clusters of typical information security events are determined, along with a methodological apparatus for calculating the joint probability distribution of protective and destructive events. Finally, typical chains of interconnections between such events are identified. The paper presents a mathematical apparatus for calculating their probabilities, a verbal description of the patterns of their mutual influence, and a method for converting quantitative probabilistic values of informatization object security indicators into qualitative ones, and summarizes the results of the study.
About the Author
V. V. Baranov
Russian Federation
Vladimir V. Baranov.
Novocherkassk, st. Troickaya 132, 346428.
For citations:
Baranov V.V. Models and methods for assessing the security of an informatization object. The Herald of the Siberian State University of Telecommunications and Information Science. 2022;(3):14-28. (In Russ.) https://doi.org/10.55648/1998-6920-2022-16-3-14-28