Use of entropy approach for information security risks assessment

Abstract

The risk of information security as an influence of uncertainty on the achievement of goals is considered. In achieving the goals meant to ensure the confidentiality, integrity and availability of information. Estimation of such influence is carried out by the elimination of entropy as a measure of uncertainty. The state of uncertainty is described by the final scheme. The variety of threats for information security and loss resulting from their implementation is set for its definition. It takes into account the existence of different threats that lead to the same losses, and threats, due to the implementation of which there are no losses. At the same time, the distribution of likelihood of damage as a result of the implementation of threats for information security is considered as known. The correctness of that approach is confirmed by the implementation of the entropy characteristics. Therefore, the use of an entropy approach allows to construct an intuitively more correct basis for quantitative risk assessment of information security. It is associated with a fact of operating the form of the distribution of a random variable but not its specific values. In this case, the advantages and disadvantages of the entropy approach are established. The using of fuzzy set theory and likelihood is offered to overcome the identified shortcomings in prospect.