A TECHNIQUE FOR EVALUATION OF INFORMATION PROTECTION LEVEL 
Автор Administrator  
26.06.2014 г.  
Author: Valeriy I. Sorokovikov
A TECHNIQUE FOR EVALUATION OF INFORMATION PROTECTION LEVEL IN INFORMATION TECHNOLOGY SYSTEMS
Moscow 2001
1 IntroductionThis work is devoted to a problem of the information protection efficiency evaluation in a system with the help of the model of information protection efficiency evaluation in the system in conditions of effect on it of threats implementation means. Usage of such model in practice will help to define a set of methods and information protection means, which are most expedient by criterion the efficiency  cost for a specific system. Difference of the method for evaluation of information protection efficiency in IT systems, shown in the given work, and the most known methods as well as approaches is that here process of an evaluation of IT systems is considered not only as a certain logical sequence of operations necessary for obtaining the justified evaluation, but also the confidence of the evaluation is based on stringent mathematical model. Besides, the given model allows to provide the justified conclusion under the simulation of various versions of construction and usage of a system about necessity and sufficiency both means and information protection methods, which are used for information protection in a system. 2 Posedness of Information Technologies System Protection Level Evaluation2.1 BackgroundsIn a general the task of information protection in a IT system relate with providing of reliable access of the system authorized subject to object and reliable information protection connected to process of such access. One of major task is the definition of the basic purposes of protected IT system at various levels of expedient expenses of the threat agent and at various modes of operations of these systems for the further decision of the following tasks:
As in work the security of the information in IT systems is considered, when the purposes of IT systems and their information protection systems in many respects coincide. Really, the information protection system is generally necessary for protection of confidentiality, integrity and availability of the information, but any IT system generally should give on an output the necessary or authentic information in time (otherwise we speak, that the IT system does not achieve the purposes). Thus, for achieving the purposes of system in principles of work, architecture and the topology of any IT system must be incorporated mechanisms preventing deny in service of the information, which is processed in system, and mechanisms preventing nonauthorized information modification. There is other question  as far as in those or other conditions are these mechanisms sufficient and whether are necessary for the given IT system to use the appropriate additional protection means of this IT system information? For the decision of the above mentioned posedness it is necessary to us to develop mathematical model of IT system information protection efficiency evaluation in dynamics of influence on system of threats implementation means. For the given model, generally, it is expedient as the basic criterion of system information protection efficiency evaluation to accept probability function of reception on an exit of IT system of the authentic information without infringement of its security for the given time. The important subtask of the task connected to development of mathematical model, is the task of rational distribution of threats implementation means of a threat agent on elements information of IT system. The following important task of an information protection evaluation in IT systems is the choice of rational variant of IT system construction for its functioning in necessary modes or scenarios of its using and at most probable for IT system influences of threats implementation means. The mathematical model is necessary for an IT system chosen variants evaluation by the proved criterion for evaluation. Thus, the received evaluation of the most rational variant of IT system construction we shall call as an security functions sufficiency evaluation level (SFSEL) of IT system. We consider the basic tasks which are necessary for an processed information importance evaluation, information protection evaluation and for definition of necessary expenses for maintenance of required security. Let's determine further restrictions and initial data given for the decision of these tasks with use of mathematical model. 2.2 The common assamption and limitationsAt the decision of the above mentioned tasks we shall establish the following assumptions and restrictions: 1. In work don’t consider any special purposes of IT systems and processed information protection systems. We consider only two kinds of these systems purposes which are related with next questions: whether a authentic information reception in time or a authentic information reception in time without its confidentiality infringement. 2. Not always it is possible precisely to divide the specific purposes of IT system and purpose of information protection systems. Also as in many respects these purposes coincide, when instead of word collocations – “IT system and their information protection system” we shall use more simple word collocation “protected system” or simply word "system", assuming, that generally any IT system should be protected 3. To take into consideration the purposes of protected systems, which determined in the work, it is expediently to accept as the basic system functioning efficiency evaluation criterion a probability function of reception on an exit of system of the authentic information for the given time, or probability function of reception on an exit of system of the authentic information without infringement of its confidentiality for the given time. 4. The systems can have set of entrances and set of exits, however in work the system is considered with one generalized entrance and with one generalized exit for the given mode of system functioning. Thus, the given mode of functioning of system is considered as a certain access of the object to object in system, characteristic for the given mode. 5. From statistic we known probability of not infringements of information confidentiality, integrity and availability on each system element at influence on it of any known threat implementation means, or in other case (when we have not statistic) we can use for definition of these parameters the linguistic variable. We also know from statistics of information processing reliability on each of system elements, or in other case (when we have not statistic) we can use for definition of these parameters the linguistic variable. 1  absolute chances, ( 0.95  1)  it is exclusively(extreme) big chances, ( 0.9  0.95)  rather big chances, ( 0.7  0.9)  big chances, ( 0.5 0.7)  average chances, ( 0.25  0.5)  low chances, ( 0.10  0.25)  rather low chances, ( 0.05  0.10)  extremely low chances, ( 0.01  0.05)  practically chances are not present, 0  is absolute of any chances is not present. The Harrington scale can be used for an object quality evaluation, if there is no opportunity to evaluate by analytical way. 6. The necessary times (temporary delays) for processing the information on system elements are known for us and the system elements costs are known as well. 7. The expenses of the threat agent at influence on information security in an system element are incorporated in cost of a threat implementation means on this element. 8. The throughputs of system elements are taken into consideration by temporary delays at processing the information on these elements. 9. The importance (value) of the information, which is being processed in an element, is probability that if the information security in this system element will be broken, the information value of the on the exit of system will be lost (this information is needn’t). 10. The threat agent knows the characteristics, structure and work principles of system, on which an attack is directed, and can rationally distribute the means of an attack for system elements. 11. All meanings initial data given for model are known with accuracy appropriate accuracy of methods, used in model. 12. The influence by vth threats implementation means on ith system element does not influence on any other element of system. 15. We have the most complete knowledge base about threats and about means of their implementation on elements of system. The assumption about system bipolarity is not absolutely necessary for development of mathematical model of system when we consider the given functioning mode of system. Given restrictions only simplify the decision of our tasks and in the subsequent works we may to reconsider these restrictions.
2.3 Initial dataLet's present IT system as some a graph, which is consisted of set of nodes (system objects) and arches (communications between objects), which are connecting nodes. Let's name units and arches of the graph as the graph elements (which are appropriated to elements of system). The graph can be submitted as G(D, B), where D  set of the G graph nodes, B  set of the G graph arches. At the given mode of system functioning we consider the system as a certain bipolar graph, where is a entrance node in system (set uniting of all information inputs in system at the given mode of system functioning) and there is an exit node (set uniting of all information outputs from system at the given mode of system functioning). As one of our major task is the development of protected IT system model were criterion function of system is maximization of probability not infringement of information security, where the information is the access purpose of an object to another. Let’s consider, what initial data are necessary for definition of this criterion function. The set E = {D, B} = {e_{i}}_{L} is set of the graph G elements (appropriate to system elements). For each system element are known: We know the importance values of processed information: 2.4 That it is required to determineThus, as we known initial data, which is describing system, when we need to define the most rational distribution of threats on the system elements. The rationality is determined by minimization of criterion function, which estimates efficiency of the information protection in system at minimization of a threat agent expenses for implementation of threats. Further, in view of rational distribution of threats on elements of system it is necessary to determine probability of duly and authentic one object to another access implementation in system, without infringement of its confidentiality. As was told above, it is necessary to consider two kinds of tasks:
However in work only last variant will be considered, as most complex. Further it is necessary to define the most rational variant of system construction by criterion efficiencycost, estimating system at the various scripts and modes of its functioning and at various threats models. It is necessary to define, whether the system security level is sufficient for the given value (importance) of the information is processed in system.
3 The protection evaluation model of information technologies systems
3.1 Information importance evaluationThe information importance, is processed in system, depends on the purposes of protected system. The system can be intended for processing the limited access information and can be intended for the information was given to the user in time and was nonauthorized modified. Any of qualities of the information: confidentiality, integrity and availability can have in system the large or smaller importance. 3.1.1 Information confidentiality importanceThe importance of information confidentiality is defined by information owner. The information of limited access has strict hierarchical classification and at each level of classification this information can be divided into an belonging to the various users, various themes and various areas of knowledge. The basis of information confidentiality importance is made by its classification. However not only the classification determines importance of the information. The information can not have a classification level, but belong to some category and to be important on its confidentiality. This information can be commercial, personal, medical etc. In any case, importance of this information, obviously, can not be higher than importance of the information at the lowermost level of classification hierarchy. As well at each level of classification hierarchy of the information importance, the information can not be equally important. At each level of classification the information can be divided into a parts, correspond to various levels of the clearance and have various priorities. However the common information importance at the given classification level with its priority at this level can not exceed importance of the following more high level of information classification. It is obvious, that if classification level of the information, is processed in system, will higher, when the probability A_{c} is higher as well. For development of our system security evaluation model we shall define that the processed information can have three levels of classification of its importance. Let's assume, that we have the following levels of information classification:
Let's assume also, that A_{c} = 0, if the infringement of the information confidentiality in system does not result in loss of the information value. In this case we speak, that the confidentiality of the information in system is not importance. As was considered earlier, the confidentiality of the information is determined not only by level of the information classification, but also categories, to which this information belongs. Let's consider a case, when 0 < A_{c} < 0.25. In this case information does not fall under any level of classification, i.e. at a global point of view the information confidentiality level hasn’t any value, but, for example, at a level of the person it can be valuable. Besides this information can be devided on a category and each category in system can have own importance. Let’s consider an example. Let for a system, where the 3rd classification level information (is divided into a category) is being processed, we can to define A_{c} for each kind of a category. So, for example, if in our system the information can either not belong to any theme, or belong to a theme №1 (category 1), or to a theme №2 (category 2), when the information which is not belonging to any theme has importance A_{c} = 0.25. If the theme 2 more important, than theme 1,when we can to define, that for a theme №1 – A_{c} = 0.3, and for a theme №2 – A_{c} = 0.4. The above mentioned examples evidently show, that it is quite possible to express importance of the information confidentiality in view of its classification and category through probability of its value loss when the information is disclosed in system. 3.1.2 Information integrity importanceThe importance of information integrity is defined by information owner as well. Let's accept as criterion of the information integrity importance evaluation in system – probability A_{i} that on the system exit the information will be presented without the nonauthorized infringement of integrity and at condition if we know, that the information will be send from the system entrance and will be arrived on the system exit in time. Thus, A_{i}(t_{d}) determines the risk level connected to nonauthorized modification of the information in system. These levels are necessary for rational distribution of threats implementation means of a threats agent on elements of system, as well as for definition of a level of a threats agent potential for modification of the given information.
3.1.3 Information availability importance Thus, A_{a}(t_{d}) determine the risk level connected to denial in access service to the information in system. These levels are necessary for rational distribution of threats implementation means of a threats agent on elements of system, as well as for definition of a level of a threats agent potential for denial implementation in access service to the given information. 

Последнее обновление ( 15.07.2014 г. ) 