The qualitative and quantitative method of information security risk assessment

Authors

  • Александр Григорьевич Корченко National Aviation University
  • Светлана Владимировна Казмирчук National Aviation University

DOI:

https://doi.org/10.18372/2410-7840.18.10595

Keywords:

risk, risk assessment, system analysis and risk assessment, risk parameters, fuzzy variable, fuzzy numbers, conversion of fuzzy numbers standards, qualita-tive-quantitative method of risk assessment, database vulnerabilities

Abstract

The basis of information security management system (ISMS) is the processes of analysis and risk assessment. The known methods of analysis and risk assessment based on expert assessments are applied for their imple-mentation. Often in the process of assessment there are situations when the expert cannot always clearly deter-mine a particular vulnerability of Information Systems Resources (ISR). Therefore, it is advisable to use the cor-responding database vulnerabilities. The existing ap-proaches do not solve the task effectively. For this pur-pose, the qualitative and quantitative method of risk as-sessment is offered. It, in contrast to the known methods, through the use of assessments that are available in exist-ing databases, automates the process of risk assessment not involving the experts for this related subject area.

Author Biographies

Александр Григорьевич Корченко, National Aviation University

Dr Eng (Information security), professor, laureate of the State Prize of Ukraine in Science and Technology, Head of IT-Security Academic Department, National Aviation University

Светлана Владимировна Казмирчук, National Aviation University

PhD in Eng., Associate Professor of IT-Security Academic Department, National AviationUniversity.

References

Information technology. Security techniques. Infor-mation security management systems. Requirements: ISO/IEC 27001:2013, International Organization for Standardization (ISO) and the International Electro-technical Commission (IEC), 2013, 34 р.

Казмирчук С.В. Интегрированный метод анализа и оценивания рисков информационной безопас-ности / С.В. Казмирчук, А.Ю. Гололобов // За-щита информации – 2014. – №3. – С. 252-261.

Корченко А.Г. Анализ и оценивание рисков ин-формационной безопасности / А.Г. Корченко, А.Е. Архипов, С.В. Казмирчук // Монография. – К.: ООО «Лазурит-Полиграф», 2013. – 275 с.

Корченко А.Г. Построение систем защиты ин-формации на нечетких множествах. Теория и практические решения / А.Г. Корченко – К. : «МК-Пресс», 2006. – 320с.

National Vulnerability Database [Electronic resource] / National Institute of Standards and Technology – Gaithersburg, 2016 – Access mode: World Wide Web. – URL: https:// nvd.nist.gov / home.cfm.

Банк данных угроз безопасности информации [Электронный ресурс] / Федеральной службой по техническому и экспортному контролю России – Москва, 2016 – Режим доступа: World Wide Web. – URL: http://bdu.fstec.ru/.

Open Sourced Vulnerability Database [Electronic resource] / Open Security Foundation – Lafayette, 2016 – Access mode: World Wide Web. – URL: https:// http://osvdb.org/.

IBM X-Force Exchange [Electronic resource] / IBM Corporation – New York, 2016 – Access mode: World Wide Web. – URL: https:// ex-change.xforce.ibmcloud.com/vulnerabilities/109429.

Vulnerability Notes Database [Electronic resource] / United States Computer Emergency Readiness Team Murray Lane, 2016 Access mode: World Wide Web. – URL: https:// www. kb.cert.org /vuls/#.

Vulnerabilities [Electronic resource] / SecurityFocus - Mountain View, 2016 - Access mode: World Wide Web. – URL: http:// www. securityfocus.com /.

A Complete Guide to the Common Vulnerability Scoring System. Version 2.0 [Electronic resource] / Forum of Incident Response and Security Teams – Morrisville, 2016 – Access mode: World Wide Web. – URL: http:// www.first.org /cvss/ v2/guide.

Корченко А.Г. Метод n-кратного понижения чис-ла термов лингвистических переменных в задачах анализа и оценивания рисков / А.Г. Корченко, Б.С. Ахметов, С.В. Казмирчук, А.Ю. Гололобов, Н. А. Сейлова // Защита информации – 2014. – Том 16 №4 (65), жовтень-грудень. – С. 284-291.

Корченко А.Г. Метод n-кратного инкрементирования числа термов лингвистических переменных в задачах анализа и оценивания рисков / А.Г. Корченко, Б.С. Ахметов, С.В. Казмирчук, М.Н. Жекамбаева // Безпека інформації. – 2015. – Т.21. –№2. – С. 191-200.

Корченко А.Г. Метод преобразования интервалов в нечеткие числа для систем анализа и оценивания рисков / А.Г. Корченко, С.В. Казмирчук // Правовое, нормативное и метрологическое обес-печение системы защиты информации в Украине – 2016. - № 1(31). - С. 57-64.

Downloads

Published

2016-05-30

How to Cite

Корченко, А. Г., & Казмирчук, С. В. (2016). The qualitative and quantitative method of information security risk assessment. Ukrainian Information Security Research Journal, 18(2), 157–170. https://doi.org/10.18372/2410-7840.18.10595

Issue

Vol. 18 No. 2 (2016)

Section

Articles

License

The scientific journal adheres to the principles of Open Access and provides free, immediate, and permanent access to all published materials without financial, technical, or legal barriers for readers.

All articles are published in Open Access under the Creative Commons Attribution 4.0 International (CC BY 4.0) license.

Copyright

Authors who publish their works in the journal:

  • retain the copyright to their publications;

  • grant the journal the right of first publication of the article;

  • agree to the distribution of their materials under the CC BY 4.0 license;

  • have the right to reuse, archive, and distribute their works (including in institutional and subject repositories), provided that proper reference is made to the original publication in the journal.