A METHOD FOR IT THREAT MANAGEMENT AT CRITICAL INFORMATION INFRASTRUCTURE FACILITIES

Authors

  • Viktoriia Sydorenko, National Aviation University, Kiev, Ukraine
  • Artem Polozhentsev, National Aviation University, Kiev, Ukraine

DOI:

https://doi.org/10.18372/2310-5461.62.18687

Keywords:

critical infrastructure, critical information infrastructure, IT threats, threat management, STRIDE, classification of threats, TODIM

Abstract

In today's digital world, protecting critical information infrastructure (CII) is one of the most important tasks for organisations and the state. The growing number of threat categories increases the need for reliable security measures. In this article, the authors develop and propose their own method for managing IT threats at CII facilities. The method combines the multi-criteria decision-making method TODIM with the STRIDE threat model, which makes it possible to identify, assess and prioritise threats effectively, taking into account their probability, potential damage and complexity of implementation. The IT threat management method consists of seven stages: identifying threats, defining assessment criteria, normalising data, determining criteria weights, making pairwise comparisons of alternative threats, obtaining an integrative assessment, and prioritising threats. An experimental study of the method, conducted for the Electronic Communications sub-sector of CII, showed its effectiveness in prioritising threats and improving the security of critical information systems. The results of the study indicate the need for priority measures to neutralise the Denial of Service threat, which has the highest level of criticality for the Electronic Communications sub-sector. Further research will be aimed at optimising the method, expanding the recommendations for IT threat management and improving the assessment of combined threats.
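The seven stages listed in the abstract, as an added sketch that is not the authors' code: it applies the standard TODIM dominance function to the six STRIDE categories. The scores, weights, attenuation factor and the treatment of implementation complexity as a cost criterion are all assumptions, so the resulting ranking follows from this constructed data and does not reproduce the article's experiment.

```python
import math

# Stages 1-2: STRIDE threats scored against three criteria.
# Constructed 1-5 expert scores (NOT data from the article).
# Columns: probability, potential damage, complexity of implementation.
SCORES = {
    "Spoofing":               (3, 3, 3),
    "Tampering":              (2, 4, 4),
    "Repudiation":            (2, 2, 3),
    "Information Disclosure": (3, 4, 3),
    "Denial of Service":      (5, 5, 2),
    "Elevation of Privilege": (2, 5, 5),
}
WEIGHTS = (0.4, 0.4, 0.2)       # stage 4: assumed criteria weights
IS_COST = (False, False, True)  # assumption: harder to carry out = lower priority
THETA = 1.0                     # assumed loss attenuation factor

def normalise(scores, is_cost):
    """Stage 3: sum-normalise each column; cost criteria are inverted first."""
    out = []
    for col, cost in zip(zip(*scores.values()), is_cost):
        vals = [1.0 / v for v in col] if cost else [float(v) for v in col]
        total = sum(vals)
        out.append([v / total for v in vals])
    return dict(zip(scores, zip(*out)))

def todim(scores=SCORES, weights=WEIGHTS, is_cost=IS_COST, theta=THETA):
    p = normalise(scores, is_cost)
    w_rel = [w / max(weights) for w in weights]  # weights relative to the reference criterion
    w_sum = sum(w_rel)

    def phi(d, wr):
        # Stage 5: gains are concave, losses are amplified by 1/theta.
        if d > 0:
            return math.sqrt(wr * d / w_sum)
        if d < 0:
            return -math.sqrt(w_sum * -d / wr) / theta
        return 0.0

    # Stage 6: overall dominance of each threat over all others, scaled to [0, 1].
    delta = {a: sum(phi(p[a][c] - p[b][c], w_rel[c])
                    for b in p if b != a for c in range(len(weights)))
             for a in p}
    lo, hi = min(delta.values()), max(delta.values())
    xi = {a: (d - lo) / (hi - lo) for a, d in delta.items()}
    # Stage 7: highest integrative score first.
    return sorted(xi.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for threat, score in todim():
        print(f"{threat:24s} {score:.3f}")
```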

Author Biography

Viktoriia Sydorenko, National Aviation University, Kiev, Ukraine

Candidate of Technical Sciences, Associate Professor

Published

2024-07-29

Section

Information technology, cybersecurity