Module for assessing expected losses in the information security risk management system of a construction company
Keywords: BIM technology, BIM model, corporate information system for building lifecycle management (CIS LM), risk management system, information asset (IA), information security threat, expected losses, aggregated and comprehensive loss assessment, expert assessment
The article examines the problem of effectively assessing the expected losses of a construction company when information security threats materialize, and proposes a way to partially solve it: extending the capabilities of the corresponding module of the risk management system, which gives the user a human-machine toolkit for expert assessment of expected losses. The toolkit works in several stages and selects the most effective evaluation scenario for the current situational decision-making conditions. To support the module's operation, the informational and logical links between the evaluation stages are defined and an apparatus for forming different evaluation scenarios is designed. To improve the accuracy of the results and the flexibility of the proposed algorithm, a user with the appropriate role can select the evaluation scenario. Because the paper deals with multi-criteria evaluation, the hierarchy of criteria is formalized and the weight of each criterion's influence on the calculation results is taken into account. The logical-mathematical apparatus also allows for different types of threats materializing against different information assets (IA) of the enterprise. The consequences of information security threats can be assessed at different levels, general and distributed, using indicators such as violations of the confidentiality, integrity and availability of information. The logical-mathematical apparatus is built using direct expert evaluation, the analytic hierarchy process (AHP), the Delphi method, linear convolution of criteria and probabilistic modeling. A qualitative-quantitative scale is used to formalize expert judgments, and the expert roles needed for effective evaluation are defined.
Experts' assessments are aggregated while checking the logical consistency and the dispersion of each expert's opinions against the established requirements for the degree of agreement within the group of experts. The competence of the experts is also taken into account during the assessment.
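As an added illustration of the assessment pipeline the abstract describes (this is example code written for this page, not the authors' module), the block below derives criterion weights with AHP and checks their consistency ratio, maps qualitative expert judgments on confidentiality, integrity and availability to numbers, aggregates them with competence weights while flagging criteria on which an expert deviates from the group by more than an agreement tolerance (the signal for another Delphi round), and combines the criteria by linear convolution into an expected loss per asset-threat pair. The scale values, the 0.2 agreement tolerance, the asset values, probabilities and expert judgments are all constructed assumptions; the CR limit of 0.1 and the random-index table are the standard AHP figures.

```python
"""Expected-loss assessment: AHP criterion weights, competence-weighted expert
judgments on a qualitative scale, group-agreement check, linear convolution.
Added example; scale, thresholds and sample data are assumptions, not values
taken from the article."""
from math import prod

CRITERIA = ("confidentiality", "integrity", "availability")

# Qualitative-quantitative scale for expert judgments (assumed mapping).
SCALE = {"negligible": 0.1, "low": 0.3, "medium": 0.5, "high": 0.7, "critical": 0.9}

# Saaty's random consistency index for matrix orders 1..5 (standard AHP table).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12}
CR_LIMIT = 0.1          # AHP convention: comparisons acceptable if CR <= 0.1
AGREEMENT_TOL = 0.2     # assumed: one scale step; a larger deviation is a dispute


def ahp_weights(matrix):
    """Criterion weights from a pairwise comparison matrix (geometric-mean
    approximation of the principal eigenvector) and the consistency ratio CR."""
    n = len(matrix)
    geo = [prod(row) ** (1.0 / n) for row in matrix]
    total = sum(geo)
    w = [g / total for g in geo]
    # lambda_max estimated as the mean of (A w)_i / w_i
    lam = sum(sum(a * wj for a, wj in zip(row, w)) / w[i]
              for i, row in enumerate(matrix)) / n
    ci = (lam - n) / (n - 1) if n > 1 else 0.0
    cr = ci / RANDOM_INDEX[n] if RANDOM_INDEX[n] else 0.0
    return w, cr


def aggregate_judgments(judgments, experts, tol=AGREEMENT_TOL):
    """Competence-weighted mean score per criterion. Criteria on which any
    expert deviates from the group mean by more than tol are returned as
    disputed, i.e. candidates for another Delphi round."""
    scores, disputed = {}, []
    comp_sum = sum(experts[name] for name in judgments)
    for c in CRITERIA:
        mean = sum(experts[name] * SCALE[j[c]] for name, j in judgments.items()) / comp_sum
        scores[c] = mean
        if any(abs(SCALE[j[c]] - mean) > tol for j in judgments.values()):
            disputed.append(c)
    return scores, disputed


def assess_pair(pair, weights, experts):
    """Linear convolution of the per-criterion scores into an impact in [0, 1],
    then expected loss = probability * asset value * impact."""
    scores, disputed = aggregate_judgments(pair["judgments"], experts)
    impact = sum(w * scores[c] for w, c in zip(weights, CRITERIA))
    return {"asset": pair["asset"], "threat": pair["threat"], "scores": scores,
            "disputed": disputed, "impact": impact,
            "expected_loss": pair["probability"] * pair["asset_value"] * impact}


def assess_portfolio(pairs, matrix, experts):
    """Aggregated expected loss over all asset-threat pairs; refuses to proceed
    on an inconsistent pairwise comparison matrix."""
    weights, cr = ahp_weights(matrix)
    if cr > CR_LIMIT:
        raise ValueError(f"inconsistent pairwise comparisons (CR={cr:.2f}); revise them")
    results = [assess_pair(p, weights, experts) for p in pairs]
    return {"weights": dict(zip(CRITERIA, weights)), "cr": cr, "results": results,
            "total_expected_loss": sum(r["expected_loss"] for r in results)}


# Constructed sample input. Pairwise matrix: confidentiality judged twice as
# important as integrity and four times as important as availability.
AHP_MATRIX = [[1, 2, 4], [1 / 2, 1, 2], [1 / 4, 1 / 2, 1]]
EXPERTS = {"security officer": 1.0, "BIM manager": 0.8, "project lead": 0.6}  # competence
PAIRS = [
    {"asset": "BIM model of building X", "threat": "unauthorized disclosure",
     "asset_value": 500_000, "probability": 0.2,   # assumed value and annual likelihood
     "judgments": {
         "security officer": {"confidentiality": "critical", "integrity": "low", "availability": "low"},
         "BIM manager": {"confidentiality": "high", "integrity": "low", "availability": "negligible"},
         "project lead": {"confidentiality": "critical", "integrity": "medium", "availability": "low"}}},
    {"asset": "CIS LM server", "threat": "ransomware",
     "asset_value": 300_000, "probability": 0.1,
     "judgments": {
         "security officer": {"confidentiality": "low", "integrity": "high", "availability": "critical"},
         "BIM manager": {"confidentiality": "negligible", "integrity": "high", "availability": "critical"},
         "project lead": {"confidentiality": "critical", "integrity": "medium", "availability": "high"}}},
]

if __name__ == "__main__":
    out = assess_portfolio(PAIRS, AHP_MATRIX, EXPERTS)
    print("weights:", out["weights"], "CR:", round(out["cr"], 3))
    for r in out["results"]:
        print(f"{r['asset']} / {r['threat']}: impact={r['impact']:.3f} "
              f"expected_loss={r['expected_loss']:.2f} disputed={r['disputed']}")
    print("total expected loss:", round(out["total_expected_loss"], 2))
```

On the sample data the second pair is flagged on confidentiality, because the project lead's "critical" sits far from the group's low rating; a module built this way would return that criterion to the experts rather than silently averaging it away.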
This work is licensed under a Creative Commons Attribution 4.0 International License.