Risk assessment and analysis for threats and vulnerabilities of the corporate infrastructure information system


Date

2025


Publisher

Institute of Special Communication and Information Protection of National Technical University of Ukraine “Igor Sikorsky Kyiv Polytechnic Institute”

Abstract

This article presents a methodological approach to assessing risks associated with the threats and vulnerabilities of the information system of a corporate infrastructure object (ISCIO). The relevance of this topic is due to the growing number and complexity of cyber threats and the need for more accurate risk assessment tools that account for the structure of interdependencies between potential vulnerabilities and attacks.

The main problem addressed in the study is the insufficient precision of traditional risk assessment methods that do not reflect the composite nature of threats within complex systems. To solve this issue, the authors employ an extended Q-analysis methodology, which considers the structural relationships between threats and vulnerabilities to form a more detailed risk model.

The purpose of the study is to apply the theoretical foundations of extended Q-analysis to a practical example using real expert data. As part of this, the authors construct an incidence matrix between threats and vulnerabilities, form a simplex complex, and build a structural tree to visualize interdependencies. Based on these models, calculations are performed to estimate the loss values associated with each threat and their combinations (“gluing”). Using optimization methods, including the Lagrange method, the authors identify conditions for maximum and minimum risk, analyze the behavior of the risk function under different probability distributions, and construct comparative graphs.

The results demonstrate that the refined methodology allows a reduction in overall risk by up to 23.3% compared to linear models, depending on the threat distribution. The findings confirm the practical value of the proposed approach, offering more accurate risk estimates and improved decision-making support in cybersecurity management of complex information systems.
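The abstract describes building a threat-by-vulnerability incidence matrix and deriving a simplicial complex from it. The following added example (not code from the article or its authors) shows the standard Q-analysis step that underlies that construction: from a constructed incidence matrix it computes the shared-face matrix, the q-connected components of the threat simplices, and the structure vector, and repeats the analysis on the conjugate (vulnerability-side) complex. The threat and vulnerability labels, the incidence values and the names of the helper functions are assumptions made for illustration; the article's loss calculation, "gluing" and Lagrange optimization are not reproduced here.

```python
"""Standard Q-analysis over a constructed threat x vulnerability incidence matrix.

Threats are treated as simplices whose vertices are the vulnerabilities they rely on.
Two threats share a face when they rely on common vulnerabilities; the dimension of
that shared face is (number of common vulnerabilities) - 1. Two threats are
q-connected when a chain of threats links them with every adjacent pair sharing a
face of dimension >= q. All data below is constructed for illustration.
"""

# Constructed labels (assumptions, not taken from the article).
THREATS = ["T1", "T2", "T3", "T4"]
VULNS = ["V1", "V2", "V3", "V4", "V5"]

# Constructed incidence matrix: row i = threat i, column j = vulnerability j,
# entry 1 means the threat requires that vulnerability.
INCIDENCE = [
    [1, 1, 1, 0, 0],  # T1 relies on V1, V2, V3
    [0, 1, 1, 1, 0],  # T2 relies on V2, V3, V4
    [0, 0, 0, 1, 1],  # T3 relies on V4, V5
    [1, 0, 0, 0, 1],  # T4 relies on V1, V5
]


def transpose(matrix):
    """Conjugate complex: vulnerabilities become simplices over the threats."""
    return [list(col) for col in zip(*matrix)]


def shared_face_matrix(inc):
    """S = inc * inc^T - 1. S[i][j] is the dimension of the face shared by
    simplices i and j; -1 means they share no vertex. S[i][i] is dim(simplex i)."""
    n = len(inc)
    return [
        [sum(a * b for a, b in zip(inc[i], inc[j])) - 1 for j in range(n)]
        for i in range(n)
    ]


def q_components(inc, q):
    """q-connected components: only simplices of dimension >= q take part, and two
    of them are adjacent when their shared face has dimension >= q."""
    s = shared_face_matrix(inc)
    nodes = [i for i in range(len(inc)) if s[i][i] >= q]
    seen, components = set(), []
    for start in nodes:
        if start in seen:
            continue
        component, stack = [], [start]
        seen.add(start)
        while stack:  # depth-first walk over the q-adjacency relation
            i = stack.pop()
            component.append(i)
            for j in nodes:
                if j not in seen and s[i][j] >= q:
                    seen.add(j)
                    stack.append(j)
        components.append(sorted(component))
    return components


def structure_vector(inc):
    """Q_q = number of q-connected components, for q from the top dimension to 0.
    A large Q_q at high q means threats are isolated at that level; Q_q = 1 means
    every simplex of that dimension is reachable through shared vulnerabilities."""
    s = shared_face_matrix(inc)
    top = max(s[i][i] for i in range(len(inc)))
    return {q: len(q_components(inc, q)) for q in range(top, -1, -1)}


def describe(inc, labels, q):
    """Human-readable listing of the q-components using the given labels."""
    return [[labels[i] for i in comp] for comp in q_components(inc, q)]


if __name__ == "__main__":
    print("shared-face matrix:", shared_face_matrix(INCIDENCE))
    print("threat structure vector:", structure_vector(INCIDENCE))
    print("threats linked by >= 2 common vulnerabilities:", describe(INCIDENCE, THREATS, 1))
    print("vulnerability structure vector:", structure_vector(transpose(INCIDENCE)))
```

Reading the output: on the constructed data T1 and T2 form the only 1-connected component (they share two vulnerabilities), while every threat is 0-connected to every other through single shared vulnerabilities. On the conjugate complex, V2 and V3 are 1-connected because both appear in the same two threats; fixing either one therefore weakens two threats at once, which is the kind of structural interdependency the article's incidence-matrix model is meant to surface.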


Keywords

risk assessment, infrastructure, Q-analysis, information system (Ukrainian: оцінювання ризику, інфраструктура, Q-аналіз, інформаційна система)

Bibliographic description

Smirnov, S. Risk assessment and analysis for threats and vulnerabilities of the corporate infrastructure information system / Serhii Smirnov, Viktoriia Polutsyhanova // Information Technology and Security. – 2025. – Vol. 13, Iss. 2 (25). – P. 192-203. – Bibliogr.: 8 ref.
