Abstract

The paper addresses the problem of multicriterial analysis of the effectiveness of conservative information security systems, whose structure and components do not change over a certain period of time. The principal scheme of such systems includes a protected object, vulnerabilities (channels for attacks), threats, and protection tools. Assuming that attacks and protection tools are independent, we have developed a discrete probabilistic model of damage to a protected object. For the random variable describing the amount of damage over a fixed period of time, we have derived a representation as a sum of binomially distributed random variables that depend on the parameters of attacks and protection. We have described the random variables for economic losses, recovery time, and recovery costs in a similar manner, and obtained their mathematical expectations and variances in analytical form. To ensure high statistical confidence, we propose determining the risk indicators using Cantelli's inequality. On this basis, we have defined performance indicators for a protection system, which characterize the probability of the protected object's safety, residual losses, conditionally saved costs, survivability, and the cost of recovery. Using Pareto optimality theory, we have devised a procedure for multicriterial analysis and rational design of conservative information protection systems. Verification has been carried out for audio information protection systems. A Pareto frontier has been investigated according to the criteria of economic benefit and investment costs for 66 variants of protection. We have examined the influence of the protection level on Cantelli's measure for conditional savings, as well as the contribution of various types of protection devices to it. The research results have confirmed the Gordon-Loeb saturation law for the case when over-protection does not improve the effectiveness of protection systems.
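The abstract's two building blocks, a loss written as a sum of binomial variables and a risk level taken from Cantelli's inequality, can be illustrated with the added sketch below; it is not code or formulas from the paper. The channel parameters, the function names, and the rule that damage occurs only when an attack succeeds and every protection tool independently misses it are assumptions made for the illustration.

```python
import math
import random

# Constructed sample channels (not from the paper): n attacks per period,
# success probability against the bare object, per-tool blocking
# probabilities, and loss per successful attack.
CHANNELS = [
    {"n": 20, "p_attack": 0.5, "p_block": [0.8], "cost": 100.0},
    {"n": 10, "p_attack": 0.4, "p_block": [0.5, 0.5], "cost": 1000.0},
]

def hit_probability(ch):
    """Assumed independence: damage needs a successful attack that every tool misses."""
    q = ch["p_attack"]
    for block in ch["p_block"]:
        q *= 1.0 - block
    return q

def loss_moments(channels):
    """Mean and variance of L = sum_i cost_i * X_i with X_i ~ Binomial(n_i, q_i)."""
    mean = var = 0.0
    for ch in channels:
        q = hit_probability(ch)
        mean += ch["n"] * q * ch["cost"]
        var += ch["n"] * q * (1.0 - q) * ch["cost"] ** 2
    return mean, var

def cantelli_level(mean, var, alpha):
    """Loss level r with P(L >= r) <= alpha, from P(L - mean >= t) <= var / (var + t^2)."""
    return mean + math.sqrt(var * (1.0 - alpha) / alpha)

def exceedance_rate(channels, level, trials=5000, seed=1):
    """Monte Carlo check: fraction of simulated periods whose loss reaches `level`."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        loss = 0.0
        for ch in channels:
            q = hit_probability(ch)
            loss += ch["cost"] * sum(rng.random() < q for _ in range(ch["n"]))
        hits += loss >= level
    return hits / trials

if __name__ == "__main__":
    mean, var = loss_moments(CHANNELS)
    level = cantelli_level(mean, var, alpha=0.05)
    print(f"mean={mean:.0f} variance={var:.0f} 95% Cantelli level={level:.0f}")
    print("simulated exceedance rate:", exceedance_rate(CHANNELS, level))
```

Because Cantelli's bound holds for any distribution with the given mean and variance, the simulated exceedance rate sits well below the chosen alpha; the bound is conservative by design.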

Highlights

  • The three main resources used by humans in their life activities are information, matter, and energy

  • Our analysis shows that it is expedient to devise a procedure for multicriterial estimation of the effectiveness of information security systems, using an adequate and simple model of the damage caused by attacks that takes into consideration the structure of protection as well as the stochastic character of the effect of threats

  • For a conservative system of information security, under a series of simplifying assumptions on attacks and protection, we have defined a series of indicators, averaged over a period, which variously characterize a system of protection


Summary

A MULTICRITERIAL

Technical Department Kujawy and Pomorze University in Bydgoszcz Torunska str., 55-57, Bydgoszcz, Poland, 85-023

Introduction
Literature review and problem statement
The aim and objectives of the study
Defining effectiveness indicators for a security system
Procedure for a multicriterial assessment of security systems
Results of studying the effectiveness of audio information security system
11. Nonlinear locators
Conclusions
Findings
Regional Risks for Doing Business 2018