METHOD FOR BUILDING A KEY CYBERSECURITY RISK FACTORS PROFILE OF MODERN DISTRIBUTED INFORMATION SYSTEMS
DOI:
https://doi.org/10.18372/2410-7840.26.20014
Keywords:
information security, information security risk, risk factors, risk assessment, risk management, risk evaluation, distributed information system, neural network
Abstract
Assessing and analyzing cybersecurity risks is fundamental to building a reliable and effective information security management system, especially given rapid technological change and the growing complexity of modern distributed information systems (DIS). Traditional risk assessment methods, which rest primarily on conceptual approaches and classical techniques, have several limitations and prove inefficient in large-scale distributed systems: they fail to account for the dynamic nature of the environment and do not effectively analyze the interdependencies among numerous risk factors. This study proposes a method for constructing a profile of key risk factors in modern distributed information systems based on correlation analysis and modeling of their interrelationships. This approach enhances the efficiency of cybersecurity risk assessment in dynamic environments. The proposed method was also used to develop a profile of key risk factors for modern distributed systems, to analyze their statistical significance and correlation, and to identify and structure priority information security measures and controls. These measures and controls demonstrate high efficiency in distributed environments, take both technological and organizational aspects into account, ensure a systematic approach to information security risk management, reduce the impact of threats, and enhance the resilience of distributed systems against potential attacks. The proposed approach to optimizing the selection of input features and identifying the most significant risk factors, based on the developed risk factor profile, produced numerical results comparable to factor analysis using principal component analysis (PCA): the method selected 42 metrics versus 40 for PCA. However, it provided a 4% improvement in overall classification accuracy for the designed cybersecurity risk assessment models in DIS compared to the PCA-based control model. This confirms its effectiveness in the context of adaptive risk analysis in distributed environments.
License
Authors who publish with this journal agree to the following terms:
- Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
- Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).