2 Research Papers and 1 Discussion
978-1-7281-1730-0/19/$31.00 ©2019 IEEE
The Method of Assessing the Level of Compliance of
Divisions of the Complex Network for the Corporate
Information Security Policy Indicators
Aleksandr Kozlov
Complex Networks Lab
V. A. Trapeznikov Institute of Control Sciences of Russian Academy of
Sciences
Moscow, Russia
Nikolai Noga
Complex Networks Lab
V. A. Trapeznikov Institute of Control Sciences of Russian Academy of
Sciences
Moscow, Russia
Abstract—The method of assessment of degree of compliance
of divisions of the complex distributed corporate information
system to a number of information security indicators is offered.
As a result of the methodology implementation a comparative
assessment of compliance level of each of the divisions for the
corporate information security policy requirements may be
given. This assessment may be used for the purpose of further
decision-making by the management of the corporation on
measures to minimize risks as a result of possible implementation
of threats to information security.
Keywords— information security, criteria, ranking of the values
of indicators, comparative assessment, the ratio of Pareto, maximin
and minimax procedures, the accounts of the Board, the Hamming
distance.
I. INTRODUCTION
Recently due to the development of digitalization of economic processes one of the most important tasks of organizations is the protection of information resources. Usually the basic requirements for the security of these resources are defined in the documents on corporate information security policy.
These documents in accordance with accepted standards, prescribes rules for the collection, storage, processing and access to information, both employees and external users. Their responsibility at all stages of information passing is defined. Also there are set the characteristics of the processed information, formulated various organizational, technological and technical requirements for information security.
To ensure the protection of information resources the company should constantly monitor the state of information security, record any illegal attempts to violate the availability, integrity, confidentiality of information. According to the results of monitoring and analysis of vulnerabilities and violations the company's security service should offer the company's management solutions to minimize possible damage from emerging threats to information security.
For organizations (corporations) with a geographically distributed structure the task of making management decisions is significantly complicated since it is difficult to cover all
divisions at the same time. Therefore it is important to identify the most critical divisions. Divisions ranking helps to do this. In the authors paper [1] considered a method of ranking divisions, but there was not given the comparative evaluation of the result obtained with other methods.
In this paper authors propose to consider the methods of ranking and comparative evaluation of divisions on important indicators approved by the corporate information security policy. As a result of the implementation of such methods, a comparative assessment of the degree of satisfaction of the information security requirements of each of the divisions will be provided and the most critical of them will be found for further modeling of various management situations, generation on this basis of decisions on taking measures to protect the corporation information resources.
II. STATEMENT OF THE PROBLEM
We define the security indicators as some criteria that take values in certain intervals, which values boundaries may be defined both in international standards and in various organization methodological and regulatory documents. Depending on the values of these criteria, each division of the Corporation will be assigned a certain rank r. Let's build all ranks, for example, in ascending order. We assume that the higher the rank, the higher the degree of satisfaction of information security requirements.
Let B – the set of considered divisions, and divisions designated as x, y, z,...; I – number of considered indicators, Ki is the i-th indicator, i = 1,...,I; rj = rj (K1, K2, ..., KI) is the rank of the j-th division, j = 1, ..., N, where N is the number of considered divisions. Under the assumption that the larger the rank value, the better the situation with the information security of the division, it is necessary to sort the ranks in ascending order.
Suppose that we estimate the division x on i indicators, that is: K1(x), K2(x), ..., Ki(x).
Next, we will carry out the implementation of the methodology on the example of corporation with an extensive network of 10 divisions by 3 criteria (indicators), which indicate the degree of satisfaction of the information security
requirements of the division for each indicator [1]. Choose, for example, the following indicators:
• F - frequency of occurrence of illegal data requests received from the j-th division in relation to the total number of requests from this division;
• S - frequency of prevented security incidents in the j-th division in relation to the total number of identified incidents in that division;
• D - relative number of users in the j-th division, who meet the requirements of the security policy to change user passwords.
The corresponding estimates are given in Table I, in the first case deducted from the unit, with rounding to two decimal places are given.
TABLE I. EVALUATION OF DIVISIONS
Division 1-F S D
1 0.68 0.82 0.59
2 0.82 0.93 0,55
3 0.91 0.87 0.58
4 0.74 0.72 0.53
5 0.70 0.97 0.51
6 0.55 0.56 0.60
7 0.52 0.79 0.60
8 0.68 0.80 0.55
9 0.60 0.65 0.57
10 0.64 0.96 0.53
Before we present the evaluation method, we introduce some concepts that are used below [2-3]. Construct a relation R between x and y, such that
},)()(
& )()( {
0000 iii
iii
yKxKi
yKxKixRy
+
+
(1)
where x and y are the divisions, Ki is the i-th indicator with
respect to which estimated a division, i = 1..., I; i - the
parameter "sensitivity" is a threshold value that corresponds to each i-th indicator.
The relationship in (1) is the R generalized Pareto relation is interpreted as, "better than", that is, xRy means "x is better than y", or "the degree of satisfaction of the security requirements of division x is higher than of division y" [4]. I.e., a relation xRy is executed if for any indicator division x has higher or equal values than y, taking into account the sensitivity , and at least for one indicator, the division of x has strictly higher results on the degree of satisfaction of safety requirements than the division of y, given .
The relation R constructed by the indices {Ki (x)}, i= 1..., I, and is a strict partial order, that is, strict and transitive binary relation.
For the above example the relation R, constructed with = 0.02, is shown in Table II.
TABLE II. RELATION R
1 2 3 4 5 6 7 8 9 10
1 0 0 0 0 0 0 0 0 1 0
2 0 0 0 1 0 0 0 1 0 0
3 0 0 0 1 0 0 0 1 1 0
4 0 0 0 0 0 0 0 0 0 0
5 0 0 0 0 0 0 0 0 0 0
6 0 0 0 0 0 0 0 0 0 0
7 0 0 0 0 0 0 0 0 0 0
8 0 0 0 0 0 0 0 0 0 0
9 0 0 0 0 0 0 0 0 0 0
10 0 0 0 0 0 0 0 0 0 0
From Table I it is easy to see that the division {1} has large values of all indicators than the division {9}, therefore, the intersection row division {1} with a column for division {9} is 1; the same is true for the division {2} in relation to the division {4} and {8}. And the same is true for division {3} in relation to the divisions {4}, {8} and {9}. Divisions {1}, {2} and {3} are in the Pareto frontier, but the division {4} – Pareto dominated by divisions {2} and {3}.
However, it is not possible to compare divisions with each other using the relation R, as may be the situation when you do not satisfy the condition of transitivity. Indeed, in the example above, the division {2} "better" than the division {4}, but the division {1} cannot be compared with these two divisions (see table I).
Usually in this case, proceed as follows. It is necessary to approximate relation R through some weak order in W is irreflexive, transitive and negatively transitive binary relation. Thus, for any two divisions or one better than another or are they both equal in terms of final evaluation operations. In this case, the best group of divisions can be denoted as C1(B). Then, once excluded the best divisions of comparison, using the same procedure, can be found the second best group of divisions. This group of divisions is indicated as C2(B). Continuing this process, we can obtain a sequence of sets of C3(B), C4(B), C5(B), etc., until they are distributed to all divisions.
Next, it is proposed to consider some fairly simple methods of ranking division and compare them in order to select the most optimal method. The first two methods are based on game matrices, the third one is based on the Board accounts method, the fourth one is based on the Board accounts averaging method [5].
III. METHOD OF MAXIMIN PROCEDURE AND MAXIMIZATION OF WINS
To conduct the ranking, we use the method based on the game matrix, for example in the maximin procedure of maximizing winnings.
Build the matrix P, such that x, yB,
},(y)K)({),(
if &, -"-),( )},,({
ii +=
==
xKlyxl
yxxxlyxlP
i
where the rows and columns of the matrix P correspond to the multiple divisions in B. At the intersection of the x-th row and y-th column is placed the number l(x, y) equal to the number of indicators (criteria) in which the division x has higher values on the degree of satisfaction of safety requirements than division y, given the measurement errors.
Note the minima of the rows (in each row, i.e. for each division) in the penultimate column of Table III. For any
z B the minimum row shows the degree of satisfaction of the safety requirements of z in comparison with the "toughest" opponent. Then select the division that has the maximum of these row minima. It corresponds to the best division, i.e.
)}},({min{max),()(1 nmlyxlBCx BnBm
= for
some .By
Then exclude x from the set B and repeat the procedure again, getting a C2(B), etc.
Let us demonstrate this rule on the data from Table I. The augmented matrix of the game in this case takes the form
specified in Table III ( i = 0.01 for all i = 1, 2, 3):
TABLE III. AUGMENTED MATRIX
1 2 3 4 5 6 7 8 9 10 min w(x)
1 -“- 1 0 2 1 2 2 2 3 2 0 15
2 2 -“- 1 3 2 2 2 2 2 2 1 18
3 2 2 -“- 3 2 2 2 3 2 2 2 20
4 1 0 0 -“- 2 2 1 1 2 1 0 10
5 2 1 1 1 -“- 2 2 2 2 1 1 14
6 0 1 1 1 1 -“- 1 1 1 1 0 8
7 0 1 1 2 1 1 -“- 1 2 1 0 10
8 0 0 0 2 1 2 1 -“- 2 2 0 10
9 0 1 0 1 1 2 1 1 -“- 1 0 8
10 1 1 1 1 1 2 2 1 2 -“- 1 12
2 3 1 3 2 2 2 3 3 2 max 8 8 5 16 12 17 14 14 18 13 w(y)
Thus, C1(B) = {3}. Eliminating the division {3} from consideration, we obtain the C2(B) = {2}, then C3(B) = {1, 4, 5, 10}, C4(B) = {8}, C5(B) = {6, 7, 9}. To order divisions in C3(B) and C5(B) use the procedure of maximizing winnings.
Let l(x, y), as above, is equal to the number of indicators in which division x has higher values than division y, then the sum
,
( ) ( , ) y y x
w x l x y
=
will express the total number of wins division x over other divisions [3]. The function w(x) defines a natural order with respect to a set B, while w(x) takes the values listed in the last column of augmented matrix (Table III). Now the set {1, 4, 5, 10} is ordered as follows: {1}, {5}, {10}, {4} in descending order. And the set {6, 7, 9} is ordered thus: {7}, {6, 9}. This last set arrange, returning to the previous maximin procedure
by eliminating all divisions, except {6} and {9}. Then we obtain the following ordering: {9}, {6} in descending order. Finally (Table IV):
TABLE IV. RESULTS OF THE FIRST METHOD
Division 1 2 3 4 5 6 7 8 9 10
Rank1 3 2 1 6 4 10 8 7 9 5
IV. METHOD OF MINIMAX PROCEDURE AND MINIMIZATION OF LOSSES
Consider the matrix P from the previous section, where the rows and columns of the matrix P correspond to the set of divisions in B. at the intersection of the x-th row and the y-th column is placed l(x, y) equal to the number of indicators (criteria) in which the division x has higher values of the degree of satisfaction of security requirements than the division y, taking into account the measurement error. Note the column maximums (in each column) (for each division) in
the penultimate row of Table III. For anyone z B , this number (maximum column) shows the worst degree of satisfaction with the security requirements of z compared to the "worst" division. Next, select the division that corresponds to the minimum of the column maxima, that is, select the division that has indicators of the degree of satisfaction of security requirements better than other divisions, that is
1 ( ) ( , )x C B l x y = min
n B { max
m B { ( , )l m n }} for
some y B .
Then exclude x from the set B and repeat the procedure again, getting a C2(B), etc.
Let us demonstrate this rule on the data from Table I. The augmented matrix of the game in this case is the same as in
Table III ( i = 0.01 for all i = 1, 2, 3). Thus C1(B) = {3}.
Eliminating the division {3} from consideration, we obtain the C2(B) = {2}, then C3(B) = {1, 4, 5, 6, 7, 8, 10}, C4(B) = {9}. To order divisions in C3(B) use the procedure of minimizing losses. Let l(x, y) be the same as in the previous section, then the sum
= xyx
yxlyw ,
),()(
will express the total number of losses division y over other divisions. The function w(y) defines a natural order with respect to a set B, while w(y) takes the values listed in the last row of augmented matrix (Table III). Now the set {1, 4, 5, 6, 7, 8, 10} is ordered as follows: {1}, {5}, {8, 10}, {4, 7}, {6}. The sets {8, 10}, {4, 7} is ordered as follows: {8}, {10}, {7}, {4}. Finally (Table V):
TABLE V. RESULTS OF THE SECOND METHOD
Division 1 2 3 4 5 6 7 8 9 10
Rank2 3 2 1 8 4 9 7 5 10 6
V. METHOD OF BORDA COUNTS
Now let's carry out the ranking using the method of Borda counts [5]. Define the lower boundary of the set W(x) for the division x as the set of divisions that are worse than x with respect to R, i.e., W(x) = {y| xRy}. The number of divisions in
the set W(x) is denoted by )(xW . Consider the division xB
and assign to x the score ti(x), which is the number of elements of the lower boundary of the set x in Ki(x), i.e.
.})()({)()( iiiii aKxKBaxWxt +==
The sum of these scores for each Nj is called the Borda count of the j-th division
=
= I
i
ij xtxt 1
)()( .
We find the Borda counts for the divisions in our example with the divisions from Table I. The relevant counts are shown
in Table VI with assumption j
= 0.01 for all considered
indicators.
TABLE VI. THE BORDA COUNTS FOR THE DIVISIONS
Division t1 (1-F) t2 (S) t3 (D) tj 1 4 5 6 15
2 8 7 3 18
3 9 6 5 20
4 7 2 1 10
5 6 8 0 14
6 1 0 7 8
7 0 3 7 10
8 4 3 3 10
9 2 1 5 8
10 3 8 1 12
Then
. )),()(),(\( ),(
)),()(,( ),(
12
1
etcytxtBCByifBCx
ytxtByifBCx
(2)
In our example, we get from Table VI: C1(B) = {3}, C2(B) = {2}, C3(B) = {1}, C4(B) = {5}, C5(B) = {10}, C6(B) = {4, 7, 8}, C7(B) = {6, 9}. To order C6(B) we build a shortened Table VII of Board accounts only for divisions {4}, {7} and {8}. Similarly, we proceed for ordering C7(B) = {6, 9}.
TABLE VII. THE BORDA COUNTS FOR THREE DIVISIONS
Division t1 (1-F) t2 (S) t3 (D) tj 4 2 0 0 2
7 0 1 2 3
8 1 2 1 4
Finally we build (Table VIII):
TABLE VIII. RESULTS OF THE THIRD METHOD
Division 1 2 3 4 5 6 7 8 9 10
Rank3 3 2 1 8 4 9 7 6 10 5
VI. METHOD AVERAGES OF BORDA COUNTS
We now construct the ranking array by using the procedure of averaging of Borda counts. The Borda counts for each division in the B obtained from Table VI. Then we find the average of these counts. Eliminate those divisions that have lower scores than the obtained average value. Calculate again counts Borda in a reduced number of divisions. We find the average in this set of divisions. Then eliminate the similar divisions, whose have lower scores than the last average value. Continue on like this until there is no division to eliminate from our reduced set. So, first one should compute
( ( )) a B
t t a B
= .
Then exclude b B , if t(b) < t and
build { ( ) }X a B t a t= . Next apply the same
procedure to X. Continue the procedure of reduction of the set to obtain a C1(B). Then exclude C1(B) of B and apply the entire procedure again to obtain C2(B), etc. We now apply this
procedure to the data from Table VI. In this case, t = 125/10 = 12,5. Then it is easy to obtain that C1(B) = {3}. After exclusion of the office from the set B will result in the following Table IX:
TABLE IX. BOARD ACCOUNTS WITHOUT THIRD DIVISION
Division t1 (1-F ) t2 (S) t3 (D) t
1 4 5 6 15
2 8 6 3 17
4 7 2 1 10
5 6 7 0 13
6 1 0 6 7
7 0 3 6 9
8 4 3 3 10
9 2 1 5 8
10 3 7 1 11
Acting on the above-mentioned methods, again calculated
from Table IX t = 100/9 11,1. Hence, X = {1, 2, 5} and then immediately one can obtain that C2(B) = {2}. Further, similarly, the C3(B) = {1}, C4(B) = {5}, C5(B) = {8}, C6(B) = {10}, C7(B) = {7}, C8(B) = {4}, C9(B) = {9}, C10(B) = {6}. The result of the ranking presented in Table X:
TABLE X. RESULTS OF THE FOURTH METHOD
Division 1 2 3 4 5 6 7 8 9 10
Rank4 3 2 1 8 4 10 7 5 9 6
VII. RESULTS COMPARISON
In Table XI provides the results of the four methods from Tables IV, V, VIII, X:
TABLE XI. RANKINGS OF DIVISIONS
Division 1 2 3 4 5 6 7 8 9 10
Rank1 3 2 1 6 4 10 8 7 9 5
Rank2 3 2 1 8 4 9 7 5 10 6
Rank3 3 2 1 8 4 9 7 6 10 5
Rank4 3 2 1 8 4 10 7 5 9 6
As we can see from Table XI the ranking results are
different. To make ranking result comparison let R1 and R2 two
ranking and 1
ij ,
2
ij are their adjacent matrices, where the
adjacent matrix ij
of a ranking R is constructed as follows:
1 ij
= when i preferable to j in R, otherwise 0.
To compare rankings R1 and R2 are encouraged to use well-known measure: the Hemming distance. The Hemming distance d(x, y) between two binary sequences (vectors) x and y of length n is the number of positions in which they are different [6-7]. The Hemming distance between R1 and R2 in our case we define as follows:
1 2
1 2
,
1 ( , ) .
( 1) ij ij
i j
d R R N N
= − −
The data from Table XII shows the assessment of how far away the ranking obtained from each other after the counting of Hemming distances. You can see that the two closest ranking is obtained according to the methods of game matrices and the Borda counts.
TABLE XII. HEMMING DISTANCE BETWEEN RANKINGS
Method 1 2 3 4
1 - 0,067 0,056 0,044
2 - 0,022 0,022
3 - 0,044
4 -
Since the Hemming distance as the measure is symmetric, filled only half the table. Be aware that these methods can give a ranking very different from each other. However, in our case, all the ranking are rather close to each other in terms of Hemming distance.
VIII. CONCLUSION
The task of assessing the degree of satisfaction of the information security requirements of each of the divisions of a geographically distributed organization with a complex structure is a necessary, although quite difficult task that the information security service of the organization has to deal with. In this situation, you can go in different ways.
One way is to propose the information security service to define a target function for a large set of variables related to threats, vulnerabilities and damage, in order to be able to manage the provision of various information services depending on a variety of both economic and organizational conditions. At the same time, the staff of this service should have outstanding ability to process such information.
Another way is suggested in this report. It allows you to significantly reduce the information requirements for the organization's information security staff by suggesting that the service form a selection function based on the ranking methods proposed above. Depending on the task set by the management, for example, to impose penalties for errors in the process of ensuring information security divisions. Or to solve the following problem: optimally distribute the resources of the organization between divisions according to the results of ranking. Management is encouraged to use one or another method (for example, the method of Board accounts in case of punishment). Once the information security service of the organization has made an assessment of the information security state in the divisions, it is possible to make appropriate organizational and technical decisions approved by the organization management.
It should be noted that the proposed methods can be applied to any complex network structure, both public authorities and private corporations, which allows to take into account the regional characteristics of the divisions (the number and qualifications of employees in the division, distance, etc.).
REFERENCES
[1] A.D. Kozlov, N.L. Noga “Methods of ranking the divisions of the distributed corporate system according to the degree of compliance with the information security policy,” / Proceedings of the XIII all-Russian meeting on management problems (VSPU-2019). M.: IPU RAS, 2019. (in print)
[2] A.D. Kozlov, V.N. Lebedev “The methods of ranking and comparative assessment of branches of a distributed corporate system,” Proceedings of the 10th International Conference "Management of Large-Scale System Development" (MLSD-2017), IEEE, ieeexplore.ieee.org/document/8109647.
[3] F. Aleskerov, H. Ersel, R. Yolalan, “Multicriterial ranking approach for evaluating bank branch performance,” International Journal of Information Technology & Decision Making, Vol. 3, No. 2 (2004), pp.321–335, World Scientific Publishing Company.
[4] V.V. Podinovski, V.D. Nogin, “Pareto optimal solutions of multicriteria problems,” – 2nd ed. – M.: FIZMATLIT, 2007, – 256 p.
[5] O.F. Bystrov, V.I. Pozdnyakov, V.M. Prudnikov, V.V. Pertsov, S.V. Kazakov, “Management of investment activities in the regions of the Russian Federation,” - M.: INFRA-M, 2008, – 358 p.
[6] Hamming distance: The number of digit positions in which the corresponding digits of two binary words of the same length are different (Federal Standard 1037C)
[7] X. Alex, Liu, Ke Shen, Eric Torng, “Large Scale Hamming Distance Query Processing,” ICDE Conference, - pp. 553 — 564, 2011.