Abstract

A qualitative risk assessment of information security threats makes it possible to solve the problem of information security most effectively. The paper analyzes existing approaches to assessing the security risks of information systems based on existing techniques. The stages and methods of compiling a threat model of an information system are considered, along with methodological approaches to improving the methods of assessing information security risks. Existing software solutions for compiling threat models based on building attack trees have been analyzed, and their capabilities have been tested. A conceptual approach is proposed to optimize the process of analyzing information security threats. The paper explains the feasibility of using software modeling approaches to optimize threat assessment procedures. For this purpose, an attack graph is used, which is compiled automatically, taking into account the current information assets of an enterprise. The assessment of information security threats takes into account a study of the initial state of the information system's security and the probabilistic characteristics of a violator's actions. To automate the modeling of information security threats, a method for calculating the probability of threat implementation based on a fuzzy logic algorithm is proposed. The proposed software solution uses the threat database of FSTEC of Russia. The program database is updated offline.
