Comparative Risk Assessment of Cyber Threats Based on Average and Fuzzy Sets Theory

Full Text (PDF, 779KB), PP.24-34

Views: 0 Downloads: 0

Author(s)

Oleksandr Evgeniyovych Korystin 1,2,* Oleksandr Korchenko 3,4 Svitlana Kazmirchuk 4 Serhii Demediuk 2,5 Oleksandr Oleksandrovych Korystin 4,6

1. State Scientifically Research Institute of the MIA of Ukraine, Kyiv, Ukraine

2. National Academy of the Security Service of Ukraine, Kyiv, Ukraine

3. University of the National Education Commission, Cracow, Poland

4. National Aviation University, Kyiv, Ukraine

5. National Security and Defense Council of Ukraine, Kyiv, Ukraine

6. National Technical University of Ukraine “Igor Sikorsky Kyiv Polytechnic Institute”, Kyiv, Ukraine

* Corresponding author.

DOI: https://doi.org/10.5815/ijcnis.2024.01.02

Received: 19 Jan. 2023 / Revised: 18 Mar. 2023 / Accepted: 27 Apr. 2023 / Published: 8 Feb. 2024

Index Terms

Cybersecurity, Cyber Threats, Risk Assessment, Information Security, Fuzzy Logic, Fuzzy Set, Critical Infrastructures

Abstract

Applied results of scientific analysis should be the key focus of modern security research. A comparative analysis of research results obtained using different methods, as an applied task, forms a broader basis for interpreting the results and substantiating the conclusions. A social survey and expert opinion research were conducted to implement the general concept of strategic analysis of cybersecurity in Ukraine. Using the method based on determining the average value in a certain set of estimates, as well as the method based on the theory of fuzzy sets, the risks of spreading certain cyber threats in Ukraine were assessed. The results were compared. Although the use of different measurement methods led to some differences in quantitative risk indicators, the comparative analysis of the ratio of the level of different cyber threats did not change significantly. At the same time, the fuzzy set method provided more flexible interpretation of the results to characterize cyber threats in terms of their upward or downward trend. In general, the combined approach to cyber threat risk assessment can become an important risk management tool, as it takes advantage of different methods and allows for a deeper understanding of the current situation and the formation of more informed management decisions.

Cite This Paper

Oleksandr Evgeniyovych Korystin, Oleksandr Korchenko, Svitlana Kazmirchuk, Serhii Demediuk, Oleksandr Oleksandrovych Korystin, "Comparative Risk Assessment of Cyber Threats Based on Average and Fuzzy Sets Theory", International Journal of Computer Network and Information Security(IJCNIS), Vol.16, No.1, pp.24-34, 2024. DOI:10.5815/ijcnis.2024.01.02

Reference

[1]Bek U. Obshhestvo riska. Na puti k drugomu modernu. Per. s nem. V. Sedel'niku i N.Fѐdorovoj. Moskva: Progress-Tradicija, 2000. 384 s.
[2]Oleksandr Korystin, Nataliia Svyrydiuk. “Activities of Illegal Weapons Criminal Component of Hybrid Threats”. Proceedings of the International Conference on Economics, Law and Education Research (ELER 2021). Series: Advances in Social Science, Education and Humanities Research, vol. 170, 22 March 2021, pp. 86-91.
[3]Nazareth, Derek L., and Jae Choi (2015). A system dynamics model for information security management, Information & Management. Vol. 52 (1). Pp. 123-134.
[4]Joshi, Chanchala, and Umesh Kumar Singh (2017). “Information security risks management framework–A step towards mitigating security risks in university network”. Journal of Information Security and Applications. Vol. 35. Pp. 128-137.
[5]Soomro, Zahoor Ahmed, Mahmood Hussain Shah, and Javed Ahmed (2016). Information securi ty management needs more holistic approach: A literature review. International Journal of Information Management. Vol. 36 (2). Pp. 215-225.
[6]Nitin Deepak, Shishir Kumar, "Flexible Self-Managing Pipe-line Framework Reducing Development Risk to Improve Software Quality", International Journal of Information Technology and Computer Science, vol.7, no.7, pp.35-47, 2015.
[7]Adil Bashir, Sahil Sholla, "Resource Efficient Security Mechanism for Cloud of Things", International Journal of Wireless and Microwave Technologies, Vol.11, No.4, pp. 41-45, 2021.
[8]Shuaiqi Zhang, "Some Results on Optimal Dividend Problem in Two Risk Models", International Journal of Information Engineering and Electronic Business, Vol. 2, No.2, pp.24-30, 2010.
[9]Peltier, Thomas R. (2016). Information Security Policies, Procedures, and Standards: guidelines for effective information security management. Auerbach Publications.
[10]Layton, Timothy P. (2016). Information Security: Design, implementation, measurement, and compliance. Auerbach Publications.
[11]Yoon, Junseob, and Kyungho Lee (2016). Advanced assessment model for improving effective ness of information security measurement. International Journal of Advanced Media and Communication. Vol. 6 (1). Pp. 4-19.
[12]Hakan Kekül, Burhan Ergen, Halil Arslan (2022). Estimating Missing Security Vectors in NVD Database Security Reports. International Journal of Engineering and Manufacturing, Vol. 12. No. 3. Pp. 1-13.
[13]P. Mell, K. Scarfone, and S. Romanosky (2007). A Complete Guide to the Common Vulnerability Scoring System Version 2.0. FIRSTForum of Incident Response and Security Teams.
[14]G. Spanos, A. Sioziou, and L. Angelis (2013). WIVSS: A New Methodology for Scoring Information Systems Vulnerabilities, Proceedings of the 17th Panhellenic Conference on Informatics. Pp. 83–90.
[15]Hakan Kekül, Burhan Ergen, Halil Arslan (2021). A New Vulnerability Reporting Framework for Software Vulnerability Databases, International Journal of Education and Management Engineering. Vol. 11. No. 3. Pp. 11-19.
[16]M. M. A. Muhammad Noman Khalid, Muhammad iqbal, Kamran Rasheed (2020). Web Vulnerability Finder (WVF): Automated Black- Box Web Vulnerability Scanner, International Journal of Information Technology and Computer Science, Vol. 12. No. 4. Pp. 38–46.
[17]Abhinandan H. Patil, Neena Goveas, Krishnan Rangarajan,"Regression Test Suite Prioritization using Residual Test Coverage Algorithm and Statistical Techniques", International Journal of Education and Management Engineering, Vol.6, No.5, pp.32-39, 2016.
[18]R. Ranjan, G. Sahoo (2014). A new clustering approach for anomaly intrusion detection. International Journal of Data Mining & Knowledge Management Process (IJDKP). Vol. 4. No. 2. Pp. 29–38.
[19]Serhii Zybin, Yana Bielozorova, "Risk-based Decision-making System for Information Processing Systems", International Journal of Information Technology and Computer Science, Vol.13, No.5, pp.1-18, 2021.
[20]I. Parkhomey, S. Gnatyuk, R. Odarchenko, T. Zhmurko et al, “Method for UAV Trajectory Parameters Estimation Using Additional Radar Data”, Proceedings of the 2016 4th International Conference on Methods and Systems of Navigation and Motion Control, Kyiv, Ukraine, October 18-20, 2016, рр.39-42.
[21]F. Adeyinka, E. S. Oluyemi, A. N. Victor, U. C. Uchenna, O. Ogedengbe, S. Ale (2017). Parametric Equation for Capturing Dynamics of Cyber Attack Malware Transmission with Mitigation on Computer Network, International Journal of Mathematical Sciences and Computing, Vol. 3. No. 4. Pp. 37-51.
[22]Y. Ghaderipour, H. Dinari (2020). A Flow-Based Technique to Detect Network Intrusions Using Support Vector Regression (SVR) over Some Distinguished Graph Features, International Journal of Mathematical Sciences and Computing. Vol. 6. No. 4. Pp.1-11.
[23]Pyskun Igor, Tkach Yuliia, Khoroshko Volodymyr, Khokhlachova Yulia, Ayasrah Ahmad Rasmi Ali, Al-Dalvash Ablullah Fowad, Quantitative assessment and determination of the level of cyber security of state information systems, Ukrainian Scientific Journal of Information Security, Vol. 26 No. 3, Pp. 31-138, 2020.
[24]Korchenko Anna, Shcherbina Vladimir, Vishnevskaya Natalia A methodology for building cyberattack-generated anomaly detection systems, Ukrainian Information Security Research Journal, Vol. 18 No.1, Pp.312-324, 2016.
[25]Nikolay Karpinsky, Anna Korchenko, Sanzira Akhmetova The method of development of basic detection rules for intrusion detection systems, Ukrainian Information Security Research Journal, Vol.17, No.4, Pp.30-38, 2015.
[26]Оleksandr Korystin, Svyrydiuk Nataliia, Olena Mitina, "Risk Forecasting of Data Confidentiality Breach Using Linear Regression Algorithm", International Journal of Computer Network and Information Security, Vol.14, No.4, pp.1-13, 2022.
[27]Serhii Zybin, Yana Bielozorova, "Risk-based Decision-making System for Information Processing Systems", International Journal of Information Technology and Computer Science, Vol.13, No.5, pp.1-18, 2021.
[28]Gulzhanat Beketova, Berik Akhmetov, Alexander Korchenko, Valery Lakhno Design of a model for intellectual detection of cyber-attacks, based on the logical procedures and the coverage matrices of features, Ukrainian Scientific Journal of Information Security, Vol. 22, No.3, Pp.242-254, 2016.
[29]O.G. Korchenko, S.V. Kazmirchuk, B.B. Akhmetov, Applied information security risk assessment systems. Monograph, Kyiv, CP "Comprint", 435 p., 2017.
[30]L. -Y. Chang and Z. -J. Lee, "Applying fuzzy expert system to information security risk Assessment - A case study on an attendance system", 2013 International Conference on Fuzzy Theory and Its Applications (iFUZZY), Taipei, Taiwan, 2013, pp. 346-351.
[31]S. A. Abdymanapov, M. Muratbekov, S. Altynbek and A. Barlybayev, "Fuzzy Expert System of Information Security Risk Assessment on the Example of Analysis Learning Management Systems," in IEEE Access, vol. 9, pp. 156556-156565, 2021.
[32]F. Z. Gozon, D. Vaczi and E. Toth-Laufer, "Fuzzy-based Human Factor Centered Cybersecurity Risk Assessment," 2021 IEEE 19th International Symposium on Intelligent Systems and Informatics (SISY), Subotica, Serbia, 2021, pp. 83-88.
[33]K. S. Duisebekova and T. Duisebekov, "Utilization of Fuzzy Mathematics for Security Model of a System," 2018 IEEE 12th International Conference on Application of Information and Communication Technologies (AICT), Almaty, Kazakhstan, 2018, pp.1-6.
[34]W. Shang, T. Gong, J. Hou, J. Lu and Z. Cao, "Quantitative Evaluation Method for Industrial Control System Vulnerability Based on Improved Expert Elicitation and Fuzzy Set Method", in IEEE Access, vol. 11, pp. 101007-101019, 2023.
[35]Higgins, J. et al., 2019. Cochrane Handbook for Systematic Reviews of Interventions, 2nd Edition ed. Chichester (UK): John Wiley & Sons.
[36]Weidt, F. & Silva, R., 2016. Systematic Literature Review in Computer Science-A Practical Guide, Relatórios Técnicos do DCC/UFJF, 1(0), pp.1-7.
[37]Ralph Eckmaier, Walter Fumy, Stéfane Mouille, Jean-Pierre Quemard, Nineta Polemi, Rainer Rumpel. (2022) Risk Management Standards. Analysis of standardisation requirements in support of cybersecurity policy. ENISA.
[38]Stouffer, K. et al., 2015. Guide to Industrial Control Systems (ICS) Security.
[39]Alberts, C., Behrens, S., Pethia, R. & Wilson, W., 1999. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Framework, Version 1.0.
[40]Costas Lambrinoudakis, Stefanos Gritzalis, Christos Xenakis, Sokratis Katsikas, Maria Karyda, Aggeliki Tsochou European Union Agency for Cybersecurity (2022). Compendium of Risk Management Frameworks with Potential Interoperability.
[41]Korystin, O.Ye. & Korystin, O.O. (2022), “Threats in the sphere of cyber security in Ukraine”, Nauka i pravookhoronna, vol. 1, pp. 127–131.
[42]Goldammer, P., Annen, H., Stöckli, P. L., & Jonas, K. (2020). Careless responding in questionnaire measures: Detection, impact, and remedies. The Leadership Quarterly, 31(4), 101384.
[43]Oleksandr Korystin, Nataliia Svyrydiuk, Alexander Vinogradov. “The Use of Sociological Methods in Criminological Research”, Proceedings of the International Conference on Social Science, Psychology and Legal Regulation (SPL 2021). Series: Advances in Social Science, Education and Humanities Research, vol. 617, 18 December 2021, pp.1-6.
[44]ISO 31000:2018 - Risk Management, URL: https://www.iso.org/ru/publication/PUB100464.html
[45]Korystin О., Svyrydiuk N. Methodological principles of risk assessment in law enforcement activity. Nauka i pravooxoronna. No. 3, Р.191-197, 2020.
[46]Oleksandr Korystin, Nataliia Svyrydiuk, Volodymyr Tkachenko, “Fiscal Security of the State Considering Threats of Macroeconomic Nature”. Proceedings of the International Conference on Business, Accounting, Management, Banking, Economic Security and Legal Regulation Research (BAMBEL2021). Series: Advances in Social Science, Education and Humanities Research, vol. 188, 27 August 2021, pp. 65-691.
[47]Morklyanik B., Korchenko O., Kubiv S., Kazmirchuk S., Teliushchenko V. The method of phasification of intervals for solving cybersecurity assessment tasks at critical infrastructure facilities, Ukrainian Scientific Journal of Information Security, Tom. 29, Vol.3, Pp.103-113, 2023.
[48]А. Korchenko, V. Breslavskyi, S. Yevseiev, N. Zhumangalieva, A. Zvarych, S. Kazmirchuk, O. Kurchenko, О. Laptiev, О. Sievierinov, S. Tkachuk, Development of a method for constructing linguistic standards for multi-criteria assessment of honeypot efficiency, Eastern-European Journal of Enterprise Technologies, Vol.111. No.3/9, Pp. 63-83, 2021.