The current trends in the development of information and communication technologies (ICT) caused a phenomenal dependence on social services, which are provided by various sectors of infrastructure. Today, with the cutting-edge technologies, fundamentally new global concepts have emerged, such as information and cyber space, cybersecurity, cyber threat, critical infrastructure (CI), which have nearly unlimited power and a leading role in the economic and social development of each country in the world. However, in addition to its benefits, there are a number of problems caused by the growing vulnerability of the information assets from external cybersecurity impact, which the world’s community has also received.

A number of planned in advance, well-executed attacks in cyberspace increase every year, these are so-called APT attacks (Advanced Persistent Threat). According to that, there is a need to control and further regulate the relevant relationships in cyberspace, and therefore urgently creat a reliable cybersecurity system [ 1 ].

In October 2017, the Parliament of Ukraine has signed the Law “On Basic Principles of Cybersecurity of Ukraine” [ 2 ], in that paper Article 8 clearly describes the definitions, main tasks and stages of the National Cybersecurity System operation. In order to provide the necessary protection (vital interests of the individual, society and state, national interests of Ukraine in cyberspace) of critical information infrastructure (CII) sectors, according to [ 2 ], it is necessary to constantly maintain and improve the National Cybersecurity System of Ukraine, by developing and rapidly adapting the public cybersecurity policie; creating a legal and terminological framework for cybersecurity; establishing the mandatory information security requirements of CII sectors; involing the expert scientific institutions, professional and public associations in the preparation of conceptual documents in the cybersecurity field; conducting drills for emergency situations in cyberspace; developing and improving the technical and cryptographic information protection systems; ensuring compliance with the requirements of the legislation on protection of state’s information resources and public information; periodicaly review the National Cybersecurity System; developing the cybersecurity indicators etc.

1.Identification the state CII objects and forming the list of them 2.Assessment the importance (criticality) of the state CII objects 3.Assessment vulnerabilities and threats of the state CII objects 5.Identification the level of cybersecurity of state CII objects

4.Development and implementation methods and tools of the state CII objects protection

Rather complicated issues are the development of appropriate indicators and determination of the required protection level of cybersecurity, according to which the price of the security system will not be higher than the usefulness of the information to be protected. This problem can be solved, for example, by determining the necessary level of cybersecurity for a certain facility or relevant CII sector, according to basic approach, presented in [ 3 ] and CIIP concept (Fig. 1, Stage 5).

Related research analysis and problem statement In 2016, the International Telecommunication Union (ITU) conducted a complex study of the cybersecurity level of 143 countries.

In 2017 the main results were announced in the report [ 4 ], accroding to which, the method for assessing state’s security in cyberspace was proposed. It has five pillars – Legal Measures, Technical Measures, Organizational Measures, Capacity Building, and Cooperation. There are twenty-five pillars in total of all indicators. Global Cybersecurity Index (GCI) is calculated as the arithmetic mean of all pillars. A representative from an analised state should answer the 157 question to compleate the poll. Having received the answers, ITU has defined a state’s index and a global ranking list was created. State’s security level in cyberspace takes value from “1” (highest) to “0” (smallest). What allows to define a worldwide overwiev of the cybersecurity level, to assess the protection level in some parts of the world and to analyze the cybersecurity level of each state separetly. The main disadvantage of this approach is unjustified used indicators, their assessment is subjective. Thus, obtaining the reliable data is a complicated task.

A flexible method for determining the cybersecurity level is reflected in [ 5 ]. The authors propose to use cybersecurity metrics that can be used for evaluation, revision, and improvement of the research entity cybersecurity level.

The approach is based on the metrics, which companies and organizations are using in their business processes. To determine the new metric or specific measures, which mathematically described, a set of relevant parameters should be identified. They can be used to analyze and continually improve the business of an organization or a state. The matrics usage is widely used nowadays. The disadvantages of this approach are preliminary modeling, mathematical justification for the development and implementation of these metrics, which is a difficult problem, also the result may not be unbiased enough.

A comprehensive method is proposed in [ 6 ].The cybersecurity level can be determined by using completely independent metrics NSCI (National Cyber Security Index) and ISD (Informational Society Score). NSCI consists of some sub-indexes: ISD is divided on the following sub-indexes – IDI (The ICT Development Index) and NRI (Networked Readiness Index) [ 7 ]. The disadvantage of this method is necessity to allocate considerable resources for research due to the large number of indicators in order to collect a reliable data.

Mathematical and statistical approach is described in [ 8 ]. It is a method for assessing the cybersecurity level of CII assets, which allows to calculate a criticality index of the entity. In order to implement the method, it is necessary to identify key indicators, such as Severity level, the Availability of continuous operation systems, Cost, Downtime etc. Thereafter, a weighting factor must be used for each determinant indicator. Each of them must have a value from “0” to “100”, according to the proposed scale of the value calculation. The mportance index of the CII entity can be calculated based on the value of its criticality index. The disadvantage of this method is a difficult adaption to the new systems and complexity of justifying weighting factors and indicators.

In the next paper [ 9 ] was proposed a methodology for assessing ICT security, using the example of automated banking systems, which is based on the concept of a complex security management of those systems. The mentioned concept provides a mutually valid approach to select the most effective ways of achieving the cybersecurity goals. Which also is taking into account the risk value at each level of the management model. It makes it possible to comprehensively select the alternative options for potential cybersecurity strategic decisions. However, the proposed concept is focused exclusively on the banking sector and is not flexible, which means it can not be used for other CII sectors.

According to [ 3 ], the analysis results of the mentioned approaches of determining the cybersecurity level by the following criteria are reflected (Table 1): CS is consideration of cybersecurity means and measures; ICT is consideration of ICT implementation; QP is quantitative parameters; CIIP is CII sector protection; UM is universality [ 10-11 ].

The analysis shows that the existing methods have a list of disadvantages, including unsubstantiated indicators, which are needed to develop metrics, complex modeling of the given systems, the need to use a complex mathematical tools, statistical resources involvement, which is needed for further analysis and creation of the cybersecurity metrics. Given the need to assess the cybersecurity level of a CII sector, a method for determining the cybersecurity level of the state’s CII sector needs to be developed. This issue will be a main target of this work.

The main part of the study

Proposed method descryption According to [ 3 ] the method of determining the cybersecurity level of the CII sector is implemented in the following 3 stages: 1. Determination of metrics and cybersecurity index of a CII sector; 2. Determination of the ICT development and implementation metrics of a CII sector;

3. Calculation of quantitative parameters, that describe the cybersecurity level of a CII sector.

Input data: information regarding critical infrastructure, cybersecurity methods and tools, ICT implementation.

Output data: quantitative parameters, that describe the security of a particular industry or the state’s CII in general. Namely, cybersecurity metrics, ICT development and implementation metrics, also a relevant cybersecurity index.

Consider in details each of the stage of the proposed method by itself. Stage 1. Determination of the metrics and the cybersecurity index of a CII sector Step 1.1. Formalization of the cybersecurity metrics i1 mi j1 Pi  {

Pij }  {Pi.1, Pi.2 ,, Pi.mi }, P1

P2 ...

Pn /

The set Pi can be represented as a subset system: where Pij (i = 1, n, j = 1, mi ) is metrics list of the i parameter (the metric’s range value is determined according to appropriate standards and recommended practices for each CII sector), mi is a number of metrics in i parameter.

Taking into account (2), the set (1) can be represented as follows:

n n mi P  {

Pi }  { i1

{ i1 j1

Pij }}  {{P1.1, P1.2 ,..., P1.m1 }, {P2.1, P2.2 , ..., P2.m2 },...,{Pn.1, Pn.2 ,..., Pn.mn }}, (i  1, n, j  1, mi ). head

tail where  mPijax is the sum of the maximum possible values of Pij metric.

Stage 2. Determination of the ICT development and implementation metrics of a CII sector

Step 2.1. Formalization of the ICT development and implementation metrics, that describe the ICT readiness and availability

Step 1.2. The value calculation of the index, that describes the CII sector cybersecurity level

The index of the CII sector cybersecurity level is calculated according to (1-3) considering (4): n mi   Pij ×100% ICS = i=1 j=1  mPijax ,  mPijax  0, M set.

head tail

M1

M2 ...

Mn / The set Mk can be represented as a subset system:

Mk  {

M kr }  {M k.1, M k.2 ,, M k. pi }, where Mkr (k = 1, q, r = 1, pi ) are metrics of the set k , pi is metric’s number of the k M  {

Mk }  {M1, M2 ,, Mq }, where Mk  M (k = 1, q) is the subset of the ICT development and implementation metrics, q is a number of the metric’s subsets. Similarly, taking into account [ 12-13 ], the set (5) was represented as a linked list as it shown in Fig. 3.

implementation: metrics set

q (5) (6) (7) (8) Similarly, taking into account (6), the set (5) can be represented as:

q q pi M  { ,  mPijax  0, mMakxr  0, q  0. (9) According to [3. 10, 11], an example of the developed method usage for the civil aviation (CA) is showed below (Fig. 4). This sector includes to transportation and it is a part of CI for most of states (Table 2). {PBASS ,PESEV ,PEIDN ,PCIIP},{PCIRC ,PCRIS ,PCRIM ,PMIL },{PINT }} , (i = 1,n, j = 1,mi ).

Step 1.2. The value calculation of index, that describes the CII sector cybersecurity level

According to (4): ICS = (PPLC + PTHR + PEDU + PBASS + PESEV + PEIDN + PCIIP + PCIRC + PCRIS + PCRIM + PMIL + PINT )100  35%.

PPmLaCx + PTmHaRx + PEmDaUx + PBmAaSxS + PEmSaExV + PEmIDaxN + PCmIIaPx + PCmIRaCx + PCmRaISx + PCmRaIMx + PMmIaLx + PINmTax + + + + + + + + + .i n m d a c i l b u P + + + + + + + + + + + + + +

Stage 3. Calculation of the quantitative parameters, that describe the cybersecurity level of CA

Based on the results in Step 1.2, Step 2.2 and considering (9), quantitate parameters, that describe the cybersecurity level of CA can be calculated as follows:

Iratio = ICS - IDDL  35 %  62, 5 %  27, 5 %.

The difference between ICS and IDDL indicators shows the correlation between the cybersecurity level and ICT development and implementation index. A positive result shows that cybersecurity level meets a sufficient level of ICT index for CA (or even overcame it), on the other hand, a negative result shows that cybersecurity level is not sufficient for current ICT index. The obtained result Iratio = 27, 5 % for CA shows that cybersecurity level should be improved. 4

Conclusion and future research study Consequently, in this paper the modern methods, tools for assessing the cybersecurity level and their supporting instruments were analyzed. The research found that currently there are no comprehensive, flexible methods that can quantify the cybersecurity level of the CII sector. A method for determining the cybersecurity level has been developed. This method provides the sets of cybersecurity level and ICT development and implementation metrics in a linked lists view, also helps to calculate its relevant metrics. It allows to determine quantitative parameters, that describe the cybersecurity level of a particular industry or the state’s CII in general. The developed method can be used to analyze a particular state’s CII, determine the cybersecurity level, identify critical systems, which need to be protected from external and internal threats. For example, the proposed method can be applied for comparing the cybersecurity level before and after the implementation of certain ICT security measures.