The qualitative and quantitative method of information security risk assessment

Authors

  • Александр Григорьевич Корченко National Aviation University
  • Светлана Владимировна Казмирчук National Aviation University

DOI:

https://doi.org/10.18372/2410-7840.18.10595

Keywords:

risk, risk assessment, system analysis and risk assessment, risk parameters, fuzzy variable, fuzzy numbers, conversion of fuzzy numbers standards, qualita-tive-quantitative method of risk assessment, database vulnerabilities

Abstract

The basis of information security management system (ISMS) is the processes of analysis and risk assessment. The known methods of analysis and risk assessment based on expert assessments are applied for their imple-mentation. Often in the process of assessment there are situations when the expert cannot always clearly deter-mine a particular vulnerability of Information Systems Resources (ISR). Therefore, it is advisable to use the cor-responding database vulnerabilities. The existing ap-proaches do not solve the task effectively. For this pur-pose, the qualitative and quantitative method of risk as-sessment is offered. It, in contrast to the known methods, through the use of assessments that are available in exist-ing databases, automates the process of risk assessment not involving the experts for this related subject area.

Author Biographies

Александр Григорьевич Корченко, National Aviation University

Dr Eng (Information security), professor, laureate of the State Prize of Ukraine in Science and Technology, Head of IT-Security Academic Department, National Aviation University

Светлана Владимировна Казмирчук, National Aviation University

PhD in Eng., Associate Professor of IT-Security Academic Department, National AviationUniversity.

References

Information technology. Security techniques. Infor-mation security management systems. Requirements: ISO/IEC 27001:2013, International Organization for Standardization (ISO) and the International Electro-technical Commission (IEC), 2013, 34 р.

Казмирчук С.В. Интегрированный метод анализа и оценивания рисков информационной безопас-ности / С.В. Казмирчук, А.Ю. Гололобов // За-щита информации – 2014. – №3. – С. 252-261.

Корченко А.Г. Анализ и оценивание рисков ин-формационной безопасности / А.Г. Корченко, А.Е. Архипов, С.В. Казмирчук // Монография. – К.: ООО «Лазурит-Полиграф», 2013. – 275 с.

Корченко А.Г. Построение систем защиты ин-формации на нечетких множествах. Теория и практические решения / А.Г. Корченко – К. : «МК-Пресс», 2006. – 320с.

National Vulnerability Database [Electronic resource] / National Institute of Standards and Technology – Gaithersburg, 2016 – Access mode: World Wide Web. – URL: https:// nvd.nist.gov / home.cfm.

Банк данных угроз безопасности информации [Электронный ресурс] / Федеральной службой по техническому и экспортному контролю России – Москва, 2016 – Режим доступа: World Wide Web. – URL: http://bdu.fstec.ru/.

Open Sourced Vulnerability Database [Electronic resource] / Open Security Foundation – Lafayette, 2016 – Access mode: World Wide Web. – URL: https:// http://osvdb.org/.

IBM X-Force Exchange [Electronic resource] / IBM Corporation – New York, 2016 – Access mode: World Wide Web. – URL: https:// ex-change.xforce.ibmcloud.com/vulnerabilities/109429.

Vulnerability Notes Database [Electronic resource] / United States Computer Emergency Readiness Team Murray Lane, 2016 Access mode: World Wide Web. – URL: https:// www. kb.cert.org /vuls/#.

Vulnerabilities [Electronic resource] / SecurityFocus - Mountain View, 2016 - Access mode: World Wide Web. – URL: http:// www. securityfocus.com /.

A Complete Guide to the Common Vulnerability Scoring System. Version 2.0 [Electronic resource] / Forum of Incident Response and Security Teams – Morrisville, 2016 – Access mode: World Wide Web. – URL: http:// www.first.org /cvss/ v2/guide.

Корченко А.Г. Метод n-кратного понижения чис-ла термов лингвистических переменных в задачах анализа и оценивания рисков / А.Г. Корченко, Б.С. Ахметов, С.В. Казмирчук, А.Ю. Гололобов, Н. А. Сейлова // Защита информации – 2014. – Том 16 №4 (65), жовтень-грудень. – С. 284-291.

Корченко А.Г. Метод n-кратного инкрементирования числа термов лингвистических переменных в задачах анализа и оценивания рисков / А.Г. Корченко, Б.С. Ахметов, С.В. Казмирчук, М.Н. Жекамбаева // Безпека інформації. – 2015. – Т.21. –№2. – С. 191-200.

Корченко А.Г. Метод преобразования интервалов в нечеткие числа для систем анализа и оценивания рисков / А.Г. Корченко, С.В. Казмирчук // Правовое, нормативное и метрологическое обес-печение системы защиты информации в Украине – 2016. - № 1(31). - С. 57-64.

Downloads

Published

2016-05-30

Issue

Vol. 18 No. 2 (2016)

Section

Articles

License

Authors who publish with this journal agree to the following terms:

  1. Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.

  2. Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.

  3. Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).