|Article title||MODELING ESTIMATES OF THE EFFECTIVENESS OF INFORMATION SECURITY COMPANY AFFECTED BY RANDOM ENVIRONMENTAL FACTORS|
|Section||SECTION V. CONCEPTUAL AND APPLIED ISSUES OF INFORMATION SECURITY|
|Month, Year||05, 2015|
|Abstract||At every stage of an information security system's life cycle, its properties are inherently uncertain because of the real impact of random factors in the external and internal environment. As the system is designed, this uncertainty decreases, but the system's effectiveness can never be adequately expressed and described by deterministic parameters. Probabilistic methods are therefore best suited to evaluating the effectiveness of implementing and operating information security systems. Under these methods, the levels of the safeguards system are converted into corresponding probabilistic estimates. Under these conditions, the data needed to assess the effectiveness of measures to improve information security can be obtained by simulation. The method for calculating the effect of a company's information security measures is based on modeling estimates of avoided losses. The value of avoided losses can be calculated from the likelihood of an information security incident and the possible economic losses from it, before and after the information security measures are implemented at the protected site. The total value of avoided losses across all information security incidents, obtained by simulation, makes it possible to define and carry out a scenario-based calculation of the possible benefits of these measures. The final calculation of the effectiveness of measures to improve information security can be performed by any known method. In world practice, the standard method of cost-benefit analysis (Cost Benefit Analysis, CBA) is widely used to evaluate the effectiveness of IT projects. The proposed calculation of the effectiveness of measures to improve information security is demonstrated using the CBA method as an example. The main advantage of the proposed method is that it accounts for real-world uncertainty through simulation. This makes it possible, to a certain extent, to increase the validity of the effect estimates.|
|Keywords||Information security; efficiency; modeling; prevented loss; scenario of the calculation.|