Development of an Information Security Risk Assessment Model Through the Calculation of the Vulnerability Danger Factor

Abstract

The relevance and necessity of research in the field of information security risk assessment are justified against the backdrop of the trend towards digitalization and as part of the national projects “Digital Economy” and its successor “Data Economy and Digital Transformation of the State”. The existing standards for information security risk management have been analyzed. A description has been given of the classic statistical risk assessment model and a dynamic model that takes into account a parameter responsible for the intensity of destructive effects accumulation. The disadvantages of the classic risk assessment model have been identified, which relate to problems with expert assessments that affect the quality of the assessment: the lack of accumulated statistics over the years or lack of qualified experts. An analysis has been conducted of the open standard for vulnerability danger quantification, CVSS. A risk assessment model has been developed based on an evaluation of the risk associated with CVSS vulnerabilities. The possibility of defining risk as a combination of two linguistic variables has also been considered. The model is described using linguistic fuzzy logic, and the levels of danger for each parameter in the revised model are determined. Additionally, the option of modifying the model to include the cost of addressing the vulnerability has been explored. Prospects for further development of this approach are discussed.