The modern concept of cybersecurity management involves its consideration as a process of implementing a set of measures and activities organized into projects. This approach makes it possible to use the mathematical apparatus developed in the theory of cybernetic systems and project management for developing managerial decisions in the cybersecurity field. Based on this concept, a mathematical model is built that allows to create a schedule for performing the cyberprotection measures, aimed at maximizing the profit of the organization in conditions of limited resources. It is shown that in the above statement, the task of planning the process for implementing cyberprotection measures may be transformed to the canonical form of combinatorial optimization problems with a linear structure belonging to the NP-class. For its solution, it is proposed to use an algorithm based on the improved method improved that implements the idea of directed search of variants. The directed search method uses sequential fragmentation of the full set of solutions to the problem, until either the optimal plan is found, or the fact of the incompatibility of the system of restrictions is established. The resulting new subsets of the variants are subjected to formal analysis aimed at minimization of the solution process duration. A further development of the described approach to planning cyberprotection activities can be transition to stochastic models in which all financial and time indicators that relate to the implementation of cyberprotection measures are random variables with predetermined distribution laws. The proposed method is optimization-focused, so its application can provide increased competitiveness, efficiency and financial performance of companies in the context of modern cyber threats.
1.1
Security of information systems and the information that is stored and processed in them from cyber threats requires application of a number of various measures and activities. Among these measures and activities there are the acquisition and deployment of hardware, the acquisition and deployment of operating systems, system and application software, including specialized software (firewalls, anti-rootkits, etc.); installing updates to operating systems and other software, acquiring and updating software licenses, updating anti-virus software databases, backing up information, measures for the physical protection of information infrastructure, measures for examining cables and equipment, conducting internal and/or external audits, testing for penetration, organizational measures, development and implementation of security policies, staff training, etc. For each of these measures, the optimal deadlines and the requirements for the frequency of use can be determined. Also, each of the measures is associated with certain costs and expences in terms of financial, material and labor resources. On the other hand, each of these measures and activities gives some return in terms of achieving and maintaining the necessary level of information security.
The current article is devoted to the description of the mathematical model of the task of planning activities to ensure cybersecurity and proposes a method for its solution, which determines the relevance of the research topic. 1.2
The purpose of the study is to create a mathematical method for the formation of a schedule plan of cyber threats protection measures in the organization’s information system, which is optimal according to the economic criterion, taking into account investments and returns on the implementation of planned measures. 1.3
The research method is based on construction of a mathematical model, which is a formal reflection of the statement of the problem of work planning. The structure of this model includes a criterion function, the values of which characterize the expected return from implementation of the planned measures, and a system of restrictions that reflects the requirement that at each time interval the difference between the organization’s income and expenses for the implementation of information protection measures should not be less than a specified level. It is proven that in the considered mathematical formulation the task of planning cybersecurity maintaining activities is reduced to the canonical form of combinatorial optimization problems. It is proposed to use for its solution the method of directed search of variants, adapted to the structure of the developed mathematical model. 2
Books [1-3] provide a systematic presentation of the current state of general project management methods. Since the end of the twentieth century, in the world of commercial practice, there has been a transition from managing the execution of individual jobs to project management. This approach allows to concentrate the existing potential in order to accelerate the achievement of the set goals, as well as to strengthen control over the expenditure of resources in the conditions of limited funding. In addition to this, structurization of the performed work makes it possible to engage specialists who have relevant and versatile knowledge and skills to create a creative team corresponding to the particular subject area.
The book [4] offers a unified methodology for organizing and managing all types of complex programs and projects in the field of high technologies.
The publication [5] investigates the relationship between efforts invested in project planning and project success. The authors consider the three aspects of planning (definition of requirements, development of technical specifications and processes and procedures for project management), and the three aspects of project success (points of view and interests of the end user, project manager and customer office).
The article [6] considers the features of project management in the activities of a security specialist, with the following objectives: to achieve competitiveness and success of the company, motivate employees, and successfully serve both internal and external clients. At the same time, the requirements of contracts and scheduling are taken into account; methods for managing the core competencies and core values of the organization are considered.
The articles [7-8] consider the decision making tasks regarding the company's investment in a subset of the security management tools chosen out of the many available ones as a resources distribution problem, taking into account conflicting goals and limitations of the task, in particular, the limited budget allocated for cyber defense. The authors have proposed several formulations of the problem of choosing a subset of security controls as the “portfolio optimization” problem known in financial management. Also, they propose approaches to solving this problem using existing methods of single-criterion and multi-criteria optimization.
The method proposed in this paper is based on a modification of the mathematical method, the development of which was begun in the book [9]. 3
The concept of managing cyber protection measures as projects and their elements allows us to represent the organization's cyberprotection activities as a controlled process that is implemented in a cybernetic system.
In any cybernetic system, the function of planning the development of a controlled process is performed via solving the so-called tasks of making managerial decisions, which, as a rule, are of a multivariate and, therefore, optimization nature. Therefore, when planning cyber protection actions, it is necessary to use special mathematical methods and computer technologies.
One of such methods consists in constructing a mathematical model of a managerial problem with the subsequent application of one or another optimization method to its solution [10].
In this regard, the task of planning activities to support the security of a computer system can be considered as the task of making managerial decisions inherent to organizational-type cybernetic systems. In this case, the task acquires a multivariate and, therefore, optimization character.
To solve the optimization problem, it is necessary to use numerical indicators of the cost and effectiveness of certain actions. The cost indicators for the problem under consideration are quite simple to formulate, for this it is enough to take into account the costs of material resources and human labor (which, as applied to the business environment, can also be easily estimated in monetary terms). When developing the method, it is necessary to take into account the fact that there is a cybersecurity funding item in the organization’s budget, and the amount of that funding can be changed by the management who takes into account the current economic performance of the company [11].
As indicators of the effectiveness of the measures under consideration, the estimated return (profit) from the implementation of specific protective measures, expected by the end of the planned planning period of time, can be used. Such estimated return can be calculated on the basis of an assessment of the probability of realization of a particular threat and the probable cost of the losses that its realization will entail. Generally speaking, this indicator is a fuzzy type value, and the value of its median can be taken as a first approximation.
The proposed concept, based on the presentation of the process of protecting information and information systems as the execution of a given set of activities, allows us to formulate the planning task in the following way.
By the beginning of the planning period, the administrative body making decisions in the field of cybersecurity has at its disposal a “portfolio” of cybersecurity control measures. Each of these measures, from the point of view of the administration, is characterized by the three groups of parameters: the acceptable range of implementation time, the amount of necessary financial investments at the stages of the specific measure implementation, the values of expected financial returns at each stage of the implementation of the measure. The “return” is understood as the part of the company's profit that appears due to the cyber security of the computer system [10-12]. This value is equal to the possible financial loss from unauthorized access to information resources, together with the costs of eliminating its consequences, taken with the opposite sign.
The governing body should choose and distribute in time the measures that are accepted for implementation in such a way that to achieve the best overall financial result of this activity, taking into account the initial and current available financial resources, which dynamically change over time. It is assumed that funding of measures chosen for implementation before the beginning of the current planning period continues until they are completed in the due time. 3.1
Formalization of the problem requires breaking down each period of time during which the cyber security measures can be applied, into equal half-open intervals, which play the role of conditional units of time. The time intervals and all cyberprotection measures are numbered with natural numbers.
Let k be the number of the interval, k 1, n ; i is the measure number, i 1, m ; m – the number of measures that are under consideration with the governing body at the time of making the decision. The length of this planned time period T is chosen in such a way that its upper limit is equal to maxtimax i ; i 1, m, where timax is the latest permissible start date for the implementation of the i -th measure; i is the duration of its performance in calendar units.
Let ni be the number of half-open time intervals during which the i -th project can be completed; i 1, m . This parameter is calculated as the result of rounding the value of the expression i n to the nearest larger integer.
T
The input data necessary to solve the problem of optimal planning of cyberprotection activities is formally defined in the form of quantities and sets that satisfy the requirement of the minimum amount of information that is entered into the computer system (it is assumed that all financial indicators are measured in the same units):
Ni is a set of numbers of time intervals in which the implementation of the i -th project can be started; Ni 1, ..., n ni 1; i 1, m ;
M ic , M is are sets of sequence numbers of time intervals in which funding is required and return is expected for the i -th project, provided that its implementation begins in the first interval; M ic 1, ..., ni ; M is 1, ..., ni ; i 1, m ; cik is the volume of financial investments, planned for the i -th project in the k th time interval of the period of its implementation; i 1, m ; k M ic ; sik is the amount of return from the i - th project on the k th account of the time interval of the period of its implementation; i 1, m ; k M ic ;
ck is the total amount of financial investments made in the cyberprotection actions accepted for implementation prior to the beginning of considered planning period, at the k -th time interval; k M c ;
sk is the total amount of financial return from the implementation of the measures accepted for implementation prior to the beginning of this planning period, during the k -th time interval; k M s ;
ak is the minimum allowable difference between the incomes that accumulate over time, and the costs of performing the measures in the k -th interval; k 1, n ;
D is the value that characterizes the available financial resource of the research management system at the initial moment of the given period of planning time.
Taking into account the presence of initial capital D 0 , the constants ak , 1 k n , that are related to the initial values of the parameter k , may be negative, but the absolute value of the sum of such constants should not exceed the value of D .
The positive values of the constants ak , 1 k n , characterize the volume of the part of the accumulated profit, which is withdrawn from turnover in the k -th time interval and is spent for covering current expenses not directly related to the financing of cyberprotection.
To build a mathematical model of the problem of optimal planning of cyberprotection activities, based on the given input data, the sets that describe the linking of measures to the considered time periods are sequentially formed according to the procedure described in [9]. 3.2
A cybersecurity maintenance activity plan for a given period of time is determined by a vector of bivalent independent variable values x xik i 1, m; k Ni . Its components define the truthiness ( xik 1) or falseness ( xik 0 ) of the following statement: “The i -th project is accepted for implementation starting from the k -th time interval”.
For an information system functioning in an environment containing cyberthreats, the results of cybersecurity maintenance measures have a cost estimate of financial return based on an estimate of the cost of possible losses that could have occurred if cyberthreats were implemented in an unprotected system, and that the company avoided as a result of applying the measures of cybersecurity maintenance. Therefore, the criterion for the effectiveness of activities to ensure cybersecurity should be the estimated return from the implementation of these activities obtained during a given planned period of time:
m
f (x) bi xik ,
i1 kNi
(
Another approach allows existence of projects that are repeated more than once. In
such a case, the formula (
The system of restrictions for this problem is formed by two groups of inequalities. The first group of constraints them consists of expressions of a combinatorial nature, which reflect a restriction on the multiplicity of application of certain measures in given periods. There are two approaches to their formulation. These approaches differ in the way they describe the repeated jobs like doing information backups.
One approach is based on consideration of each instance of such a job as another
project. Thus, the constraints of the first group will be formulated as
xik 1 ; i 1, m .
kNi
xik i ; i 1, m ,
kNi
where is the vector of the corresponding constants specifying these constraints.
(
Each of the two approaches has its advantages and disadvantages. The second
approach allows to automate the task of input data description for repeated jobs; on the
other hands, the constraints (
The restrictions of the second group express the requirement that, at each time interval, the cumulative difference between returns and expenses should not be less than a given level:
S(x, k) C(x, k) A(k) D , k 1, n ,
(
In the given formal statement, the problem is reduced to the problem of finding a
vector of values of bivalent variables xik 0, 1; i 1, m ; k Ni , which provides
the maximum of the objective function (
The presented model (
If necessary, the initial system of restrictions (
i1 kNi
Another specific feature of the statement of the problem of optimal planning of
cybersecurity maintenance activities is that the volumes of the costs of implementing
cyberprotection measures and the amounts of returns generated from them can
parametrically depend on the moment when their implementation has started. In such a
case, the objective function (
m
f (x) bi (k) xik ,
i1 kNi
(
sik (k ) kMis (k )
cik (k ) ; i 1, m ; k Ni .
kMic (k)
The constraints (
The constraint (
The considered variants of the optimal planning of cybersecurity maintenance
activities, which are represented by mathematical models (
In the canonical form, an extreme combinatorial problem with a linear structure is
formulated as the problem of maximization of the criterial function
f (z) c j z j (
jJ0 subject to restrictions aij z j bi ; i 1, m , jJ j where z is the vector of the desired variables: z (z j j 1, n) ; z j 0, 1; j 1, n ; J0 and J j are the sets of numbers of independent variables included in the criterion function and the i -th constraint of the problem, respectively; aij , bi , c j are real numbers.
For conversion of the mathematical models (
а) associate with each variable xik , i 1, m , k Ni the variable z j , j 1, n , where z is the vector of the searched variables;
b) replace the designation of constants in expressions (
The directed search method uses sequential fragmentation of the full set G of solutions to the problem, until either the optimal plan is found, or the fact of the incompatibility of the system of restrictions is established. The resulting new subsets of the variants are subjected to formal analysis in order to reduce the amount of processed information, to reduce the number of algorithm steps leading to the desired result, and, therefore, to minimize the duration of the solution process.
Let us suppose that at the beginning of a certain stage of solving the problem (
The properties of the k -th ( k 1, ) subset of the variants of solutions to the
problem (
Statement 1. The subset Gk does not contain admissible plans, if, for some constraint i Ik the condition i(k2) bik is satisfied.
Statement 2. The constraint i Ik is not active with respect to the plans of the subset Gk , if for it the condition i(k3) bik is satisfied.
If
Ji2k and for some
2 j J jk the condition i(k2) bik i(k2) aij holds, then of the complementary plans of the subset Gk only those ones can be admissible in which [j Ji2k ( j)](z j 1) .
If
J i3k and for some
3 j Jik the i(k2) bik i(k2) aij holds, then of the complementary plans of the subset Gk only those ones can be admissible in which [j Ji3k ( j)](z j 0) .
Here i(k2) is the sum of the negative coefficients of the i -th constraint of the combinatorial optimization problem; i(k3) is the sum of the positive coefficients of the i -th constraint of the combinatorial optimization problem.
J i2k and Ji3k are the sets of numbers of independent variables that are present in
the i -th constraint of the system (
Ji2k j Jik : aij 0 ; Ji3k j Jik : aij 0 ;
Ji2k ( j) are the sets of numbers of independent variables that are present in the
i -th constraint of the system (
Ji2k ( j) j j Ji2k : aij aij;
Ji3k ( j) are the sets of numbers of independent variables that are present in the
i -th constraint of the system (
Ji3k ( j) j j Ji3k : aij aij .
The algorithm of directed search of variants provides for the performance of the
following sequence of actions at each stage of solving the problem (
For further partitioning, a subset is selected that corresponds to the maximum estimate of the criterion function: where (G * ) max{ (Gk ); k 1, } ,
k (Gk ) jJ01k c j jJo3k c j . 2) Selection of a variable the values of which are to be fixed.
The variable, which is included in the criterion function with the maximum coefficient, should be selected for this purpose.
3) Partitioning a subset of options into two disjoint subsets.
f (z*) max { (Gk ), k 1, } .
It is advisable to start the solution with an analysis of the full set of options G . In
certain cases, this allows us to establish a priori the fact of incompatibility of the
system of restrictions (
The modern concept of cybersecurity management involves its consideration as a process of performing a set of cyberprotection activities organized into projects. This approach makes it possible to use the mathematical apparatus for making managerial decisions developed in the theory of cybernetic systems and project management.
Based on this concept, a mathematical model is built that allows you to create a calendar plan for cyberprotection measures aimed at maximizing the profit of a company in conditions of limited resources.
It is shown that in the above statement, the task of planning the process for implementing cyberprotection measures may be transformed into the canonical form of combinatorial optimization problems with a linear structure related to the NP-class. For its solution, it is proposed to use an algorithm based on the improved method that implements the idea of directional search of variants.
Despite the completeness of the proposed algorithm, the solutions that are developed on the basis of the above models are approximate in nature due to the artificial transition from continuous to discrete time. However, one has to put up with this, since a constructive formalization of a given problem in continuous time, which could make it possible to find its exact optimal solution taking into account all the real limitations, is not possible.
A further development of the described approach to cyberprotection activities planning can be the transition to stochastic models in which all financial and time indicators that relate to the implementation of cyberprotection measures are presented with random variables with predetermined distribution laws.
The optimization focus of the proposed method can provide increased competitiveness, efficiency and financial performance of companies in the context of contemporary cyber threats.