Risk assessment methodology for information systems, based on the user behavior and IT-security incidents analysis

Obtaining trustworthy estimates for the reliability and security of corporate information systems is an urgent problem. It is not enough just to have estimations for security of software and hardware components. Constant monitoring of a user's actions and a comprehensive analysis of his (her) behavior in the system are necessary. The novelty of the proposed approach consists in application of psychological profiling methods, models of neuro-fuzzy inference and mechanisms of multidimensional data analysis. Vulnerabilities of computer information systems are determined on the basis of a retrospective analysis of information security incidents. The user's profile is based on the analysis of his (her) behavior. The patterns of this behavior in a particular computer information system are determined. The work studies the influence of intentional and unintentional user behavior on the probability of information security threats and identifies the threshold values of the number and frequency of the events indicating an information security incident. Such data helped to build a model to search for an intruder during an information security incident. The proposed method was tested in the MatLab software package. The experimental calculations of potential vulnerabilities were performed in the “1C: Enterprise 8.3” system of programs. As the initial data for the calculation, we used the log entries of the actions of more than 100 users with different roles for a period of one year. It is noted that the risk management policy should include a continuous analysis of user actions, as well as the consequences of these actions, in order to identify the goals of such behavior and prevent information security incidents. It is shown that when implementing the proposed methodology, it is necessary to constantly identify users who should not have access to sensitive information from the inside, assuming that a current violator is located within the boundaries of a computer information network. The application of the proposed methodology allows us to increase the level of information security with a constant change in the “working environment” of the information system. It will help to significantly simplify the process of making an objective and reasonable management decision about the most likely implementation of information security incidents. This allows one to take appropriate preventive measures in advance.