METHODOLOGY FOR DEVELOPING INFORMATION SECURITY MANAGEMENT SYSTEMS USING NETWORK ANALYSIS AND GAME THEORY
DOI: https://doi.org/10.35546/kntu2078-4481.2025.3.2.62
Keywords: information security management system, network analysis, critical path, game theory, resource optimization, CISO, managerial decisions
Abstract
In the context of digitalization and the rapid evolution of cyber threats, building a reliable Information Security Management System (ISMS) becomes critically important. Existing international and national ISMS standards do not address how resources should be allocated; they only emphasize that resources must be provided for the creation, implementation, maintenance, and continuous improvement of the ISMS. This points to a gap in mechanisms for making management decisions and optimizing the allocated resources, so the problem of identifying, distributing, and rationally using resources to achieve an adequate level of ISMS efficiency remains relevant. Moreover, whichever methodology an ISMS implementation follows, one of the most challenging steps is the selection and integration of effective information security measures and tools. Here there is a shortage of practical and methodological optimization tools: even with substantial investment and large-scale deployment of information security measures (ISMs), doubts may remain about whether such solutions are justified and effective.

This paper proposes a methodology for building an ISMS that combines the Analytic Hierarchy Process (AHP), network analysis methods, and the mathematical apparatus of game theory to select the optimal baseline methodology and protection tools under limited resources and existing threats. The approach also uses network analysis to model the implementation project, taking into account timelines, costs, resources, and possible implementation scenarios. The methodology includes the construction of a project network model, calculation of the critical path, identification of critical and non-critical activities, analysis of time reserves (float), acceleration (crashing) options, and assessment of the impact of acceleration on total cost.

A method for comparative evaluation of several implementation scenarios is proposed: with normal timelines, with acceleration of only critical activities, and with acceleration of all or only non-critical activities. The result is a set of charts of resource allocation over time, financial cost, and human-resource engagement, which support more informed management decisions. The methodology is a practical tool for the Chief Information Security Officer (CISO) and executives: it allows them to determine the optimal investment amount at each stage of the ISMS project and to substantiate resource requirements while balancing efficiency against cost.
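The network-analysis part of the methodology (critical path, float, crashing, and the four scenario comparison) is standard CPM and can be checked on a small model. The following is an added example, not code or data from the paper: the seven-activity ISMS rollout network, its durations and its normal/crash costs are constructed assumptions chosen only to illustrate the method. It computes the critical path and float of each activity, evaluates the four scenarios named in the abstract, and runs a greedy time-cost trade-off that shortens the cheapest critical activity one day at a time, which is one common way to find the cheapest plan for a given deadline.

```python
"""Critical-path analysis and crashing for an ISMS implementation project.

Added illustration, not code from the paper: the network, durations and
costs below are constructed assumptions, not the paper's data.
"""

# activity -> (description, predecessors, normal_days, normal_cost,
#              crash_days, crash_cost); costs in arbitrary currency units
PROJECT = {
    "A": ("Scope and asset inventory",     [],         10,  4000,  7,  5500),
    "B": ("Risk assessment",               ["A"],      12,  6000,  8,  9000),
    "C": ("Select controls (AHP ranking)", ["B"],       8,  3000,  6,  4200),
    "D": ("Policy and procedure drafting", ["A"],      15,  5000, 12,  6200),
    "E": ("Deploy technical controls",     ["C"],      20, 15000, 14, 21000),
    "F": ("Staff awareness training",      ["D"],       6,  2500,  5,  3000),
    "G": ("Internal audit and sign-off",   ["E", "F"],  5,  4000,  4,  5500),
}


def topo_order(project):
    """Kahn ordering; a cycle in the network raises instead of looping forever."""
    remaining = {a: set(spec[1]) for a, spec in project.items()}
    order = []
    while remaining:
        ready = sorted(a for a, preds in remaining.items() if not preds)
        if not ready:
            raise ValueError("activity network contains a cycle")
        for a in ready:
            order.append(a)
            del remaining[a]
        for preds in remaining.values():
            preds.difference_update(ready)
    return order


def cpm(project, durations):
    """Forward and backward pass. Returns (finish, {act: (ES, EF, LS, LF, float)})."""
    order = topo_order(project)
    es, ef = {}, {}
    for a in order:
        es[a] = max((ef[p] for p in project[a][1]), default=0)
        ef[a] = es[a] + durations[a]
    finish = max(ef.values())
    succ = {a: [s for s in project if a in project[s][1]] for a in project}
    ls, lf = {}, {}
    for a in reversed(order):
        lf[a] = min((ls[s] for s in succ[a]), default=finish)
        ls[a] = lf[a] - durations[a]
    return finish, {a: (es[a], ef[a], ls[a], lf[a], ls[a] - es[a]) for a in project}


def critical_activities(project, durations):
    """Activities with zero total float; together they form the critical path(s)."""
    _, table = cpm(project, durations)
    return sorted(a for a, row in table.items() if row[4] == 0)


def cost_slope(project, a):
    """Extra cost per day saved when crashing a (linear time-cost trade-off)."""
    _, _, nd, nc, cd, cc = project[a]
    return (cc - nc) / (nd - cd) if nd > cd else float("inf")


def scenario(project, mode):
    """(duration, total cost) for one of the four scenarios: 'normal',
    'critical' (crash only activities that are critical under normal
    durations), 'all', or 'noncritical'."""
    normal = {a: spec[2] for a, spec in project.items()}
    crit = set(critical_activities(project, normal))
    chosen = {"normal": set(), "critical": crit, "all": set(project),
              "noncritical": set(project) - crit}[mode]
    durations = {a: (spec[4] if a in chosen else spec[2]) for a, spec in project.items()}
    cost = sum(spec[5] if a in chosen else spec[3] for a, spec in project.items())
    return cpm(project, durations)[0], cost


def crash_to_target(project, target_days):
    """Greedy time-cost trade-off: shorten the cheapest critical activity one
    day at a time, recomputing the critical path after every step. Stops when
    the target is met, no crash room is left, or only parallel critical paths
    remain (a single-activity step then no longer shortens the project)."""
    durations = {a: spec[2] for a, spec in project.items()}
    cost = sum(spec[3] for spec in project.values())
    finish = cpm(project, durations)[0]
    while finish > target_days:
        candidates = sorted(
            (a for a in critical_activities(project, durations) if durations[a] > project[a][4]),
            key=lambda a: cost_slope(project, a))
        for a in candidates:
            durations[a] -= 1
            new_finish = cpm(project, durations)[0]
            if new_finish < finish:
                finish, cost = new_finish, cost + cost_slope(project, a)
                break
            durations[a] += 1        # no gain: undo and try the next candidate
        else:
            break                    # no single step helps any more
    return finish, cost, durations


if __name__ == "__main__":
    for mode in ("normal", "critical", "all", "noncritical"):
        days, cost = scenario(PROJECT, mode)
        print(f"{mode:12s} {days:3d} days  cost {cost:8.0f}")
    days, cost, _ = crash_to_target(PROJECT, 45)
    print(f"cheapest 45-day plan: {days} days, cost {cost:.0f}")
```

On this constructed network the normal plan takes 55 days; crashing only the critical activities (A, B, C, E, G) reaches the same 39 days as crashing everything but at lower cost, and crashing only the non-critical activities D and F spends money without shortening the project at all, because their float absorbs the saving. The greedy routine is exact only while a single critical path exists; once two paths are critical in parallel, both must be crashed together to gain a day, which is the case the abstract's cost-impact assessment has to handle and the reason the routine stops rather than reporting a false saving.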