Моделювання роботи групи реагування на інциденти інформаційної безпеки в умовах зростання інтенсивності кібератак

Abstract

Modeling of the Information Security Incident Response Team (ISIRT) functioning and decision-making in the process cyberattacks requires the simultaneous use of parameters and characteristics at, on the one hand, directly characterize cyberattacks and their deployment over time, and, on the other hand, require taking into account the parameters and indicators that characterize the activities of specialists in a stressful situation. ISIRT’s activities are to counter cyberattacks aimed at destabilizing the social state of society by disseminating harmful information. The paper builds a model to describe the features of the ISIRT, taking into account the impact of the parameter of increasing the intensity of information security incidents on the quality of analysis of the system in real time, using the functions of responding to information security violations. The peculiarity of the constructed model is that for the first time the overload mode is taken into account, i.e. the influence of the introduced parameter of increasing the intensity of information security event identification is taken into account. The conditions under which the ISIRT is transitioning to a regime that does not meet the sufficient criterion of ergodicity, when the group will not be able to effectively cope with the deployment of cyber attacks in time. Simulation modeling of ISIRT activity is carried out and the presence of transition to the mode, which is caused by the lack of ergodic property of the system functioning, when changing the parameter of increasing the intensity of information security event identification, is shown. The obtained results allow predicting the appearance of the overload mode caused by the lack of ergodic properties of the system operation, in the conditions of which the activity of this ISIRT ceases to be effective. This allows you to set certain thresholds for the time of effective operation of this ISIRT during a cyber attack. As a result, the existing set of ISIRT can be characterized by certain quantitative indicators that characterize the time of effective operation of this ISIRT, depending on the identified characteristics of the cyber attack. Based on the developed model, new methods of countering cyberattacks can be developed, which will be based on identifying the required characteristics of the temporal deployment of cybersecurity incidents and on their basis redirecting control from one ISIRT to another during the incident. This will require the creation of a database with the necessary characteristics for those ISIRTs that may be involved in the process of countering cyberattacks.