2 Research Papers and 1 Discussion

profileSinners0043
heMethodofAssessingtheLevelofComplianceofDivisionsoftheComplexNetworkfortheCorporateInformationSecurityPolicyIndicators.pdf

978-1-7281-1730-0/19/$31.00 ©2019 IEEE

The Method of Assessing the Level of Compliance of

Divisions of the Complex Network for the Corporate

Information Security Policy Indicators

Aleksandr Kozlov

Complex Networks Lab

V. A. Trapeznikov Institute of Control Sciences of Russian Academy of

Sciences

Moscow, Russia

[email protected]

Nikolai Noga

Complex Networks Lab

V. A. Trapeznikov Institute of Control Sciences of Russian Academy of

Sciences

Moscow, Russia

[email protected]

Abstract—The method of assessment of degree of compliance

of divisions of the complex distributed corporate information

system to a number of information security indicators is offered.

As a result of the methodology implementation a comparative

assessment of compliance level of each of the divisions for the

corporate information security policy requirements may be

given. This assessment may be used for the purpose of further

decision-making by the management of the corporation on

measures to minimize risks as a result of possible implementation

of threats to information security.

Keywords— information security, criteria, ranking of the values

of indicators, comparative assessment, the ratio of Pareto, maximin

and minimax procedures, the accounts of the Board, the Hamming

distance.

I. INTRODUCTION

Recently due to the development of digitalization of economic processes one of the most important tasks of organizations is the protection of information resources. Usually the basic requirements for the security of these resources are defined in the documents on corporate information security policy.

These documents in accordance with accepted standards, prescribes rules for the collection, storage, processing and access to information, both employees and external users. Their responsibility at all stages of information passing is defined. Also there are set the characteristics of the processed information, formulated various organizational, technological and technical requirements for information security.

To ensure the protection of information resources the company should constantly monitor the state of information security, record any illegal attempts to violate the availability, integrity, confidentiality of information. According to the results of monitoring and analysis of vulnerabilities and violations the company's security service should offer the company's management solutions to minimize possible damage from emerging threats to information security.

For organizations (corporations) with a geographically distributed structure the task of making management decisions is significantly complicated since it is difficult to cover all

divisions at the same time. Therefore it is important to identify the most critical divisions. Divisions ranking helps to do this. In the authors paper [1] considered a method of ranking divisions, but there was not given the comparative evaluation of the result obtained with other methods.

In this paper authors propose to consider the methods of ranking and comparative evaluation of divisions on important indicators approved by the corporate information security policy. As a result of the implementation of such methods, a comparative assessment of the degree of satisfaction of the information security requirements of each of the divisions will be provided and the most critical of them will be found for further modeling of various management situations, generation on this basis of decisions on taking measures to protect the corporation information resources.

II. STATEMENT OF THE PROBLEM

We define the security indicators as some criteria that take values in certain intervals, which values boundaries may be defined both in international standards and in various organization methodological and regulatory documents. Depending on the values of these criteria, each division of the Corporation will be assigned a certain rank r. Let's build all ranks, for example, in ascending order. We assume that the higher the rank, the higher the degree of satisfaction of information security requirements.

Let B – the set of considered divisions, and divisions designated as x, y, z,...; I – number of considered indicators, Ki is the i-th indicator, i = 1,...,I; rj = rj (K1, K2, ..., KI) is the rank of the j-th division, j = 1, ..., N, where N is the number of considered divisions. Under the assumption that the larger the rank value, the better the situation with the information security of the division, it is necessary to sort the ranks in ascending order.

Suppose that we estimate the division x on i indicators, that is: K1(x), K2(x), ..., Ki(x).

Next, we will carry out the implementation of the methodology on the example of corporation with an extensive network of 10 divisions by 3 criteria (indicators), which indicate the degree of satisfaction of the information security

requirements of the division for each indicator [1]. Choose, for example, the following indicators:

• F - frequency of occurrence of illegal data requests received from the j-th division in relation to the total number of requests from this division;

• S - frequency of prevented security incidents in the j-th division in relation to the total number of identified incidents in that division;

• D - relative number of users in the j-th division, who meet the requirements of the security policy to change user passwords.

The corresponding estimates are given in Table I, in the first case deducted from the unit, with rounding to two decimal places are given.

TABLE I. EVALUATION OF DIVISIONS

Division 1-F S D

1 0.68 0.82 0.59

2 0.82 0.93 0,55

3 0.91 0.87 0.58

4 0.74 0.72 0.53

5 0.70 0.97 0.51

6 0.55 0.56 0.60

7 0.52 0.79 0.60

8 0.68 0.80 0.55

9 0.60 0.65 0.57

10 0.64 0.96 0.53

Before we present the evaluation method, we introduce some concepts that are used below [2-3]. Construct a relation R between x and y, such that

},)()(

& )()( {

0000 iii

iii

yKxKi

yKxKixRy

+

+

(1)

where x and y are the divisions, Ki is the i-th indicator with

respect to which estimated a division, i = 1..., I; i  - the

parameter "sensitivity" is a threshold value that corresponds to each i-th indicator.

The relationship in (1) is the R generalized Pareto relation is interpreted as, "better than", that is, xRy means "x is better than y", or "the degree of satisfaction of the security requirements of division x is higher than of division y" [4]. I.e., a relation xRy is executed if for any indicator division x has higher or equal values than y, taking into account the sensitivity  , and at least for one indicator, the division of x has strictly higher results on the degree of satisfaction of safety requirements than the division of y, given .

The relation R constructed by the indices {Ki (x)}, i= 1..., I, and is a strict partial order, that is, strict and transitive binary relation.

For the above example the relation R, constructed with  = 0.02, is shown in Table II.

TABLE II. RELATION R

1 2 3 4 5 6 7 8 9 10

1 0 0 0 0 0 0 0 0 1 0

2 0 0 0 1 0 0 0 1 0 0

3 0 0 0 1 0 0 0 1 1 0

4 0 0 0 0 0 0 0 0 0 0

5 0 0 0 0 0 0 0 0 0 0

6 0 0 0 0 0 0 0 0 0 0

7 0 0 0 0 0 0 0 0 0 0

8 0 0 0 0 0 0 0 0 0 0

9 0 0 0 0 0 0 0 0 0 0

10 0 0 0 0 0 0 0 0 0 0

From Table I it is easy to see that the division {1} has large values of all indicators than the division {9}, therefore, the intersection row division {1} with a column for division {9} is 1; the same is true for the division {2} in relation to the division {4} and {8}. And the same is true for division {3} in relation to the divisions {4}, {8} and {9}. Divisions {1}, {2} and {3} are in the Pareto frontier, but the division {4} – Pareto dominated by divisions {2} and {3}.

However, it is not possible to compare divisions with each other using the relation R, as may be the situation when you do not satisfy the condition of transitivity. Indeed, in the example above, the division {2} "better" than the division {4}, but the division {1} cannot be compared with these two divisions (see table I).

Usually in this case, proceed as follows. It is necessary to approximate relation R through some weak order in W is irreflexive, transitive and negatively transitive binary relation. Thus, for any two divisions or one better than another or are they both equal in terms of final evaluation operations. In this case, the best group of divisions can be denoted as C1(B). Then, once excluded the best divisions of comparison, using the same procedure, can be found the second best group of divisions. This group of divisions is indicated as C2(B). Continuing this process, we can obtain a sequence of sets of C3(B), C4(B), C5(B), etc., until they are distributed to all divisions.

Next, it is proposed to consider some fairly simple methods of ranking division and compare them in order to select the most optimal method. The first two methods are based on game matrices, the third one is based on the Board accounts method, the fourth one is based on the Board accounts averaging method [5].

III. METHOD OF MAXIMIN PROCEDURE AND MAXIMIZATION OF WINS

To conduct the ranking, we use the method based on the game matrix, for example in the maximin procedure of maximizing winnings.

Build the matrix P, such that  x, yB,

},(y)K)({),(

if &, -"-),( )},,({

ii +=

==

xKlyxl

yxxxlyxlP

i

where the rows and columns of the matrix P correspond to the multiple divisions in B. At the intersection of the x-th row and y-th column is placed the number l(x, y) equal to the number of indicators (criteria) in which the division x has higher values on the degree of satisfaction of safety requirements than division y, given the measurement errors.

Note the minima of the rows (in each row, i.e. for each division) in the penultimate column of Table III. For any

z B the minimum row shows the degree of satisfaction of the safety requirements of z in comparison with the "toughest" opponent. Then select the division that has the maximum of these row minima. It corresponds to the best division, i.e.

)}},({min{max),()(1 nmlyxlBCx BnBm 

= for

some .By

Then exclude x from the set B and repeat the procedure again, getting a C2(B), etc.

Let us demonstrate this rule on the data from Table I. The augmented matrix of the game in this case takes the form

specified in Table III ( i  = 0.01 for all i = 1, 2, 3):

TABLE III. AUGMENTED MATRIX

1 2 3 4 5 6 7 8 9 10 min w(x)

1 -“- 1 0 2 1 2 2 2 3 2 0 15

2 2 -“- 1 3 2 2 2 2 2 2 1 18

3 2 2 -“- 3 2 2 2 3 2 2 2 20

4 1 0 0 -“- 2 2 1 1 2 1 0 10

5 2 1 1 1 -“- 2 2 2 2 1 1 14

6 0 1 1 1 1 -“- 1 1 1 1 0 8

7 0 1 1 2 1 1 -“- 1 2 1 0 10

8 0 0 0 2 1 2 1 -“- 2 2 0 10

9 0 1 0 1 1 2 1 1 -“- 1 0 8

10 1 1 1 1 1 2 2 1 2 -“- 1 12

2 3 1 3 2 2 2 3 3 2 max 8 8 5 16 12 17 14 14 18 13 w(y)

Thus, C1(B) = {3}. Eliminating the division {3} from consideration, we obtain the C2(B) = {2}, then C3(B) = {1, 4, 5, 10}, C4(B) = {8}, C5(B) = {6, 7, 9}. To order divisions in C3(B) and C5(B) use the procedure of maximizing winnings.

Let l(x, y), as above, is equal to the number of indicators in which division x has higher values than division y, then the sum

,

( ) ( , ) y y x

w x l x y 

= 

will express the total number of wins division x over other divisions [3]. The function w(x) defines a natural order with respect to a set B, while w(x) takes the values listed in the last column of augmented matrix (Table III). Now the set {1, 4, 5, 10} is ordered as follows: {1}, {5}, {10}, {4} in descending order. And the set {6, 7, 9} is ordered thus: {7}, {6, 9}. This last set arrange, returning to the previous maximin procedure

by eliminating all divisions, except {6} and {9}. Then we obtain the following ordering: {9}, {6} in descending order. Finally (Table IV):

TABLE IV. RESULTS OF THE FIRST METHOD

Division 1 2 3 4 5 6 7 8 9 10

Rank1 3 2 1 6 4 10 8 7 9 5

IV. METHOD OF MINIMAX PROCEDURE AND MINIMIZATION OF LOSSES

Consider the matrix P from the previous section, where the rows and columns of the matrix P correspond to the set of divisions in B. at the intersection of the x-th row and the y-th column is placed l(x, y) equal to the number of indicators (criteria) in which the division x has higher values of the degree of satisfaction of security requirements than the division y, taking into account the measurement error. Note the column maximums (in each column) (for each division) in

the penultimate row of Table III. For anyone z B , this number (maximum column) shows the worst degree of satisfaction with the security requirements of z compared to the "worst" division. Next, select the division that corresponds to the minimum of the column maxima, that is, select the division that has indicators of the degree of satisfaction of security requirements better than other divisions, that is

1 ( ) ( , )x C B l x y  = min

n B { max

m B { ( , )l m n }} for

some y B .

Then exclude x from the set B and repeat the procedure again, getting a C2(B), etc.

Let us demonstrate this rule on the data from Table I. The augmented matrix of the game in this case is the same as in

Table III ( i  = 0.01 for all i = 1, 2, 3). Thus C1(B) = {3}.

Eliminating the division {3} from consideration, we obtain the C2(B) = {2}, then C3(B) = {1, 4, 5, 6, 7, 8, 10}, C4(B) = {9}. To order divisions in C3(B) use the procedure of minimizing losses. Let l(x, y) be the same as in the previous section, then the sum

 

= xyx

yxlyw ,

),()(

will express the total number of losses division y over other divisions. The function w(y) defines a natural order with respect to a set B, while w(y) takes the values listed in the last row of augmented matrix (Table III). Now the set {1, 4, 5, 6, 7, 8, 10} is ordered as follows: {1}, {5}, {8, 10}, {4, 7}, {6}. The sets {8, 10}, {4, 7} is ordered as follows: {8}, {10}, {7}, {4}. Finally (Table V):

TABLE V. RESULTS OF THE SECOND METHOD

Division 1 2 3 4 5 6 7 8 9 10

Rank2 3 2 1 8 4 9 7 5 10 6

V. METHOD OF BORDA COUNTS

Now let's carry out the ranking using the method of Borda counts [5]. Define the lower boundary of the set W(x) for the division x as the set of divisions that are worse than x with respect to R, i.e., W(x) = {y| xRy}. The number of divisions in

the set W(x) is denoted by )(xW . Consider the division xB

and assign to x the score ti(x), which is the number of elements of the lower boundary of the set x in Ki(x), i.e.

.})()({)()( iiiii aKxKBaxWxt +==

The sum of these scores for each Nj is called the Borda count of the j-th division

 =

= I

i

ij xtxt 1

)()( .

We find the Borda counts for the divisions in our example with the divisions from Table I. The relevant counts are shown

in Table VI with assumption j

 = 0.01 for all considered

indicators.

TABLE VI. THE BORDA COUNTS FOR THE DIVISIONS

Division t1 (1-F) t2 (S) t3 (D) tj 1 4 5 6 15

2 8 7 3 18

3 9 6 5 20

4 7 2 1 10

5 6 8 0 14

6 1 0 7 8

7 0 3 7 10

8 4 3 3 10

9 2 1 5 8

10 3 8 1 12

Then

. )),()(),(\( ),(

)),()(,( ),(

12

1

etcytxtBCByifBCx

ytxtByifBCx



 (2)

In our example, we get from Table VI: C1(B) = {3}, C2(B) = {2}, C3(B) = {1}, C4(B) = {5}, C5(B) = {10}, C6(B) = {4, 7, 8}, C7(B) = {6, 9}. To order C6(B) we build a shortened Table VII of Board accounts only for divisions {4}, {7} and {8}. Similarly, we proceed for ordering C7(B) = {6, 9}.

TABLE VII. THE BORDA COUNTS FOR THREE DIVISIONS

Division t1 (1-F) t2 (S) t3 (D) tj 4 2 0 0 2

7 0 1 2 3

8 1 2 1 4

Finally we build (Table VIII):

TABLE VIII. RESULTS OF THE THIRD METHOD

Division 1 2 3 4 5 6 7 8 9 10

Rank3 3 2 1 8 4 9 7 6 10 5

VI. METHOD AVERAGES OF BORDA COUNTS

We now construct the ranking array by using the procedure of averaging of Borda counts. The Borda counts for each division in the B obtained from Table VI. Then we find the average of these counts. Eliminate those divisions that have lower scores than the obtained average value. Calculate again counts Borda in a reduced number of divisions. We find the average in this set of divisions. Then eliminate the similar divisions, whose have lower scores than the last average value. Continue on like this until there is no division to eliminate from our reduced set. So, first one should compute

( ( )) a B

t t a B 

=  .

Then exclude b B , if t(b) < t and

build { ( ) }X a B t a t=   . Next apply the same

procedure to X. Continue the procedure of reduction of the set to obtain a C1(B). Then exclude C1(B) of B and apply the entire procedure again to obtain C2(B), etc. We now apply this

procedure to the data from Table VI. In this case, t = 125/10 = 12,5. Then it is easy to obtain that C1(B) = {3}. After exclusion of the office from the set B will result in the following Table IX:

TABLE IX. BOARD ACCOUNTS WITHOUT THIRD DIVISION

Division t1 (1-F ) t2 (S) t3 (D) t

1 4 5 6 15

2 8 6 3 17

4 7 2 1 10

5 6 7 0 13

6 1 0 6 7

7 0 3 6 9

8 4 3 3 10

9 2 1 5 8

10 3 7 1 11

Acting on the above-mentioned methods, again calculated

from Table IX t = 100/9  11,1. Hence, X = {1, 2, 5} and then immediately one can obtain that C2(B) = {2}. Further, similarly, the C3(B) = {1}, C4(B) = {5}, C5(B) = {8}, C6(B) = {10}, C7(B) = {7}, C8(B) = {4}, C9(B) = {9}, C10(B) = {6}. The result of the ranking presented in Table X:

TABLE X. RESULTS OF THE FOURTH METHOD

Division 1 2 3 4 5 6 7 8 9 10

Rank4 3 2 1 8 4 10 7 5 9 6

VII. RESULTS COMPARISON

In Table XI provides the results of the four methods from Tables IV, V, VIII, X:

TABLE XI. RANKINGS OF DIVISIONS

Division 1 2 3 4 5 6 7 8 9 10

Rank1 3 2 1 6 4 10 8 7 9 5

Rank2 3 2 1 8 4 9 7 5 10 6

Rank3 3 2 1 8 4 9 7 6 10 5

Rank4 3 2 1 8 4 10 7 5 9 6

As we can see from Table XI the ranking results are

different. To make ranking result comparison let R1 and R2 two

ranking and 1

ij  ,

2

ij  are their adjacent matrices, where the

adjacent matrix ij

 of a ranking R is constructed as follows:

1 ij

 =  when i preferable to j in R, otherwise 0.

To compare rankings R1 and R2 are encouraged to use well-known measure: the Hemming distance. The Hemming distance d(x, y) between two binary sequences (vectors) x and y of length n is the number of positions in which they are different [6-7]. The Hemming distance between R1 and R2 in our case we define as follows:

1 2

1 2

,

1 ( , ) .

( 1) ij ij

i j

d R R N N

 =  −  −

The data from Table XII shows the assessment of how far away the ranking obtained from each other after the counting of Hemming distances. You can see that the two closest ranking is obtained according to the methods of game matrices and the Borda counts.

TABLE XII. HEMMING DISTANCE BETWEEN RANKINGS

Method 1 2 3 4

1 - 0,067 0,056 0,044

2 - 0,022 0,022

3 - 0,044

4 -

Since the Hemming distance as the measure is symmetric, filled only half the table. Be aware that these methods can give a ranking very different from each other. However, in our case, all the ranking are rather close to each other in terms of Hemming distance.

VIII. CONCLUSION

The task of assessing the degree of satisfaction of the information security requirements of each of the divisions of a geographically distributed organization with a complex structure is a necessary, although quite difficult task that the information security service of the organization has to deal with. In this situation, you can go in different ways.

One way is to propose the information security service to define a target function for a large set of variables related to threats, vulnerabilities and damage, in order to be able to manage the provision of various information services depending on a variety of both economic and organizational conditions. At the same time, the staff of this service should have outstanding ability to process such information.

Another way is suggested in this report. It allows you to significantly reduce the information requirements for the organization's information security staff by suggesting that the service form a selection function based on the ranking methods proposed above. Depending on the task set by the management, for example, to impose penalties for errors in the process of ensuring information security divisions. Or to solve the following problem: optimally distribute the resources of the organization between divisions according to the results of ranking. Management is encouraged to use one or another method (for example, the method of Board accounts in case of punishment). Once the information security service of the organization has made an assessment of the information security state in the divisions, it is possible to make appropriate organizational and technical decisions approved by the organization management.

It should be noted that the proposed methods can be applied to any complex network structure, both public authorities and private corporations, which allows to take into account the regional characteristics of the divisions (the number and qualifications of employees in the division, distance, etc.).

REFERENCES

[1] A.D. Kozlov, N.L. Noga “Methods of ranking the divisions of the distributed corporate system according to the degree of compliance with the information security policy,” / Proceedings of the XIII all-Russian meeting on management problems (VSPU-2019). M.: IPU RAS, 2019. (in print)

[2] A.D. Kozlov, V.N. Lebedev “The methods of ranking and comparative assessment of branches of a distributed corporate system,” Proceedings of the 10th International Conference "Management of Large-Scale System Development" (MLSD-2017), IEEE, ieeexplore.ieee.org/document/8109647.

[3] F. Aleskerov, H. Ersel, R. Yolalan, “Multicriterial ranking approach for evaluating bank branch performance,” International Journal of Information Technology & Decision Making, Vol. 3, No. 2 (2004), pp.321–335, World Scientific Publishing Company.

[4] V.V. Podinovski, V.D. Nogin, “Pareto optimal solutions of multicriteria problems,” – 2nd ed. – M.: FIZMATLIT, 2007, – 256 p.

[5] O.F. Bystrov, V.I. Pozdnyakov, V.M. Prudnikov, V.V. Pertsov, S.V. Kazakov, “Management of investment activities in the regions of the Russian Federation,” - M.: INFRA-M, 2008, – 358 p.

[6] Hamming distance: The number of digit positions in which the corresponding digits of two binary words of the same length are different (Federal Standard 1037C)

[7] X. Alex, Liu, Ke Shen, Eric Torng, “Large Scale Hamming Distance Query Processing,” ICDE Conference, - pp. 553 — 564, 2011.