REVIEW OF EXISTING METHODS FOR ASSESSING THE EFFECTIVENESS OF THE OPERATION OF E-COMMERCE SERVICE PROTECTION SYSTEMS

Authors

DOI:

https://doi.org/10.35546/kntu2078-4481.2023.3.13

Keywords:

e-commerce, information security, system, performance indicators, modeling

Abstract

Evaluating the effectiveness of the protection systems of information systems, and of e-commerce services in particular, is a crucial task that requires continual advancement and development. This paper provides an overview of existing methods for evaluating the effectiveness of information system protection systems and considers existing approaches to building models of information system security risks. One of the primary requirements for evaluating the effectiveness of information system protection systems is the consistency and continuity of measures aimed at identifying potential threats and vulnerable system elements. This approach ensures a timely response to security incidents and minimizes their consequences. Automation plays a significant role in this process, as it allows faster decision-making on security incidents and excludes or minimizes the influence of the human factor. To extend automation to more of the processes of evaluating the effectiveness of information system protection systems, there is an urgent need to formalize the processes that take place within the information system and to construct appropriate models of these processes, which in turn make it possible to work through various scenarios for decision-making in the event of security incidents. Additionally, this provides an opportunity to identify key performance indicators of information system protection systems, whose values represent the overall state of the system and help to conduct a qualitative assessment of the effectiveness of its work. One of the approaches to evaluating the effectiveness of a security system proposed by researchers is the use of the Cyberspace Security Econometrics System (CSES). A key feature of this system for evaluating the effectiveness of security is its consideration of the economic risks in the event of security incidents, which in turn makes it possible to assess the financial impact on the operation of the information system when the protection systems fail. An important part of evaluating the effectiveness of information system protection systems is the modeling of attacks on the system within a controlled environment. This yields information on the compliance of the protection system with modern threats and identifies the elements that need to be improved or modernized. It should be noted that there are different standards and frameworks for modeling attacks on information systems. This diversity is due to differences in security standards across industries and in the goals pursued in modeling attacks.
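The two evaluation ideas in the abstract, economic risk in the CSES sense and a performance indicator whose value summarizes the state of the protection system, can be illustrated with a small calculation. The following Python is an added example written for this page, not code from the paper or from the CSES authors. It chains constructed stakes, dependency, impact and threat-probability tables in the mean-failure-cost style, computes the expected hourly loss per stakeholder, and expresses a hypothetical control's effect as the fraction of expected loss it removes. Every label, probability and loss figure below is invented, and the control scenario (`apply_control`) is an assumption made for the illustration.

```python
"""Mean-failure-cost style estimate of the financial impact of protection
failures for a small e-commerce service.

Added illustration, not code from the paper. The chain
stakeholders -> requirements -> components -> threats follows the mean
failure cost idea associated with CSES; all labels and numbers are constructed.
"""
from typing import Dict

Matrix = Dict[str, Dict[str, float]]

# Constructed: loss per hour (currency units) a stakeholder suffers when a
# security requirement is violated.
STAKES: Matrix = {
    "merchant":         {"confidentiality": 500.0,  "integrity": 800.0,  "availability": 1200.0},
    "customer":         {"confidentiality": 300.0,  "integrity": 200.0,  "availability": 50.0},
    "payment_provider": {"confidentiality": 1000.0, "integrity": 1500.0, "availability": 400.0},
}

# Constructed: probability that a requirement is violated given a component fails.
DEPENDENCY: Matrix = {
    "confidentiality": {"web_frontend": 0.3, "order_api": 0.7, "payment_gateway": 0.5},
    "integrity":       {"web_frontend": 0.2, "order_api": 0.6, "payment_gateway": 0.6},
    "availability":    {"web_frontend": 0.8, "order_api": 0.5, "payment_gateway": 0.4},
}

# Constructed: probability that a component fails given a threat materialises.
IMPACT: Matrix = {
    "web_frontend":    {"sqli": 0.2, "credential_stuffing": 0.5, "ddos": 0.8},
    "order_api":       {"sqli": 0.6, "credential_stuffing": 0.3, "ddos": 0.4},
    "payment_gateway": {"sqli": 0.1, "credential_stuffing": 0.2, "ddos": 0.2},
}

# Constructed: probability that each threat materialises in a given hour.
THREAT_PROB: Dict[str, float] = {"sqli": 0.1, "credential_stuffing": 0.2, "ddos": 0.05}


def propagate(matrix: Matrix, vector: Dict[str, float]) -> Dict[str, float]:
    """Labelled matrix-vector product: out[row] = sum over col of matrix[row][col] * vector[col]."""
    return {row: sum(w * vector[col] for col, w in cols.items()) for row, cols in matrix.items()}


def mean_failure_cost(threat_prob: Dict[str, float]) -> Dict[str, float]:
    """Expected loss per hour for each stakeholder under the given threat probabilities."""
    component_failure = propagate(IMPACT, threat_prob)          # per component
    requirement_failure = propagate(DEPENDENCY, component_failure)  # per requirement
    return propagate(STAKES, requirement_failure)               # per stakeholder


def apply_control(threat_prob: Dict[str, float], reductions: Dict[str, float]) -> Dict[str, float]:
    """Threat probabilities after a (hypothetical) control that cuts the listed
    threats by the given fraction, e.g. {"sqli": 0.8} removes 80% of sqli events."""
    return {t: p * (1.0 - reductions.get(t, 0.0)) for t, p in threat_prob.items()}


def effectiveness(baseline: Dict[str, float], with_control: Dict[str, float]) -> float:
    """Fraction of total expected loss removed by the control. A single number
    of this kind is one candidate key performance indicator for the protection system."""
    before = sum(mean_failure_cost(baseline).values())
    after = sum(mean_failure_cost(with_control).values())
    return 1.0 - after / before


if __name__ == "__main__":
    hardened = apply_control(THREAT_PROB, {"sqli": 0.8, "ddos": 0.5})
    for name, cost in mean_failure_cost(THREAT_PROB).items():
        print(f"{name:17s} baseline expected loss/hour: {cost:8.2f}")
    for name, cost in mean_failure_cost(hardened).items():
        print(f"{name:17s} with control  loss/hour:    {cost:8.2f}")
    print(f"control effectiveness: {effectiveness(THREAT_PROB, hardened):.1%}")
```

The same four tables can be re-run for each candidate control or attack scenario, which is the kind of scenario-based decision support the abstract describes; the ranking of controls by `effectiveness` is only as trustworthy as the probability estimates feeding it, so those inputs should come from measured incident data rather than guesses wherever possible.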

Published

2023-11-13