of information security are becoming more and more important for the state and business. Particular attention is beginning to be paid to the analysis of information security risks as a necessary component of an integrated approach to information security. As a result, a large number of standards and approaches, the basic concepts and definitions in this field are characterized by plurality.

threat to the detriment of the organization.” As follows from this definition, risk is a complex quantity defined as a function (or functional) of a number of other quantities. Difficulties in conducting risk analysis are directly related to difficulties and errors in the analysis of risk components.

 Obvious lack of information about the components of risk and their ambiguous properties.  Creating a model of information system.  The duration of the process and the rapid loss of relevance of the evaluation results.  Aggregation of data from various sources including statistics and expert assessments.  The need to involve specialists in risk analysis.

In this regard, the methods of continuous audit and analysis of information security risks, which are actively being developed, have acquired special relevance. Together with modern models of management of information systems, information security management systems, monitoring and security analysis, these methodologies allow to quickly and efficiently build and develop the organization’s information security system. The main types of audit of security in the preparation of terms of reference for the design and development of information protection system and - after its implementation - assessing the level of its effectiveness and the main stages of the audit are discussed in detail in the work [9].

The system of continuous dynamic audit and risk analysis allows specialists to conduct iterative risk assessment taking into account the available data on the business landscape, relevant information on technologies that are used or intended for implementation. A special role in the continuous risk analysis should be played by the function of forecasting information security risks. By automating the process of accounting for threats associated with the emergence of new vulnerabilities in the standard software, formalizing changes in the business landscape and information system, aggregation of data from different sources, an environment can ве created that allows professionals to make reports on the level of security of a particular information system, based on a series of consecutive reports compiled in a short period of time.

Processing the data using the methods of statistical forecasting will determine the optimal set of countermeasures taking into account “future risks” and thus increasing the efficiency of their implementation. Therefore, it is necessary to synthesize an approach to obtaining a quantitative estimate and information security risk management in an automated system, taking into account:  Possibility of aggregation of heterogeneous data.  The opportunity to learn in the process of work and refine the assessments obtained at previous stages.  The ability to work with deliberately inaccurate data.  The ability to automate most decision-making processes.

Analysis of recent research and publications. The issue of applying Bayesian approach to information security risk analysis is affected in a number of works by Ukrainian and foreign authors, among which we can highlight [ 4–6 ]. For example, in [ 4 ] an algorithm in decision - making in operational management of information security tools based on Bayesian networks of trust and the method of analysis of hierarchies are proposed, which allows to predict the state of protected resource and prevent the development of dangerous situations in a timely manner.

calculation of conditional probabilities the approach on the basis of trees of attack as Bayesian special networks is proposed . Bayesian networks provide an efficient way to combine historical quantitative data with qualitative ones. It is possible to use conditional probabilities to take into account the interdependence of vulnerabilities. Also the model of using Bayesian networks to assess the damage from information security events is suggested.

problem. The most common approach is to train neural network so that it implements the nonlinear function of discrimination, which provides a direct division of the observed input vectors into classes.

system were the posterior probabilities of belonging of input data to the set classes.

directly obtain estimates of the conditional probability p (| y). It is also possible to define methods of training of such networks and methods of evaluating the results obtained.

approach and the apparatus of Bayesian networks for the analysis of information security risks in the implementation of security breaches by exploitation of the greatest vulnerability.

= ∙ (1) where P is the probability of realization of the threat and S is the magnitude of the consequences.

of vulnerability to the probability of exploitation of this vulnerability. In this interpretation of the probability of a random event, the realization of the threat can be considered as a random variable.

need to assess the probability P for risk analysis tasks expertly or based on statistics on the frequency of implementation of this class of threats for a given type of automated systems at a given time interval.

methods of analysis of the statistical data used. In this regard it is expedient to study ways of solving this problem in terms of mathematical statistics.The tasks similar to information security risk analysis arise in different areas. Among them are risk analysis in the field of finance and management of software projects.

described in the works of Newman, Pearson, Fisher and others. A number of works offer alternative methods of analysis. Methods based on Bayesian approach are of particular interest.

mplementation implementation of threats that may be changed after receiving new expert assessments or as the result of observing relevant events related to assets that confirm or refute a prior information.

is based on Bayes’ theorem. Bayesian approach in the science of management is formulated in [1] as a scientific discipline, which is based on the principle of maximum use of available prior information, its regular review and revaluation taking into account the obtained sample data on the phenomenon or process being investigated. Such a review is interpreted as learning, and the process of management itself in the Bayesian approach is understood as a process of learning (adaptation).

The essence of Bayesian approach is that it considers the degrees of trust in the possible probabilistic models to obtain data. Degrees of trust are presented in the form of probabilities. After obtaining the information using Bayes’ theorem, probabilities are revalued, i.e. new values of probabilities are calculated, reflecting degrees of confidence in probabilistic models taking into account the newly obtained data. Probabilistic models are used in the analysis of information security risks of the studied systems.

Their essence is that the probabilistic space of events is determined in the field of information security and in probabilistic space a probabilistic measure is set by one or other method. In the conditions of probabilistic models the observed parameter of information security system can be considered as a random variable Yc with the density of probability P (y |). Based on these observations, a conclusion is made about the probability distribution of random variable. Then according to Bayesian formula: or ( | )= ( | ()∙)( ) ( | )= (

)∙ ( ) ( ) (2) (3)

Bayesian approach has found application in many areas, including cryptographic analysis, in the field of risk analysis in various modern systems of artificial intelligence designed to work in conditions of uncertainty. The most obvious is the use of this approach when using the apparatus of Bayesian networks. The probabilistic model, called Bayesian network, is built using many variables and their probability dependences, which are presented in the form of directional acyclic graph. The vertices of the graph are variables or hypotheses, and the edges represent conditional dependence of variables or hypotheses. There are effective methods [ 2, 3 ] of creation (calculation) and Bayesian network training.

detail. In [ 10 ] it is shown that the model of security violator, which is constantly adjusted on the basis of new knowledge gained about the capabilities of the violator, and changes in the protection system based on the analysis of the causes of violations that have occurred, will influence these causes and more precisely determine the requirements for the information security system.

security threat an attacker develops an attack script that uses one vulnerability. In this case, the security breach occurs through the exploitation of the largest vulnerability. If several vulnerabilities are equivalent, one of them is chosen arbitrarily. Let’s consider the following Bayesian network. Its interpretation in terms of risk analysis can be next.

successful implementation of the threat—as p(T), the existing vulnerabilities—as U1, ..., Un, and the probability of successful exploitation of vulnerabilities—p(U1), ..., p(Un) respectively. The conditional “attack potential” value is denoted by A. The variable A[0,1] is a random variable with distribution f(A).

p(Ui). For ease of writing, we denote as Ui the fact of exploitation of the vulnerability, and Ui is the absence of the fact of exploitation of the vulnerability. As part of the analysis of risks it is important to consider the likelihood of threats being realized through the exploitation of the relevant vulnerabilities.

( , ( 1, … , ), )= ( |( 1, … , )) ( )∏ =1 ( | )

( )= ∫ ( |( 1, … , )) [∫∏ =1 ( | ) ( ) )] ( 1, … , ) From the dichotomous nature of variables and conditions (6) it follows that

≤ ( )⇒ ( )= 0 and > ( )⇒ ( )= 1 ( )= 0 if ≤ ( )and ( )= 1 if > ( ) ( )= 0 if ≤ ( )and ( )= 1 if > ( )

=1 ∫ ∏ ( | ) ( ) = min(1 − 1, … , 1 − )(8) ∫ (¬ )∏ (

) ( ) = (0, − ∑ ) (9) ≠ ≠ (4) (5) (6) (7)

Substituting these expressions in (6) we obtain an estimate of the probability of implementation of threats to information security. This conclusion can be applied to practical tasks of information security risk assessment. Let’s consider the solution of this expression in the case of uniform distribution of f(A) for two threats.

∫ ( 1| ) ( 2| ) ( )

= min(1 − 1, 1 − 2 ) (10) ∫ ( 1| ) (¬ 2| ) ( )

= max(0, 2 − 1 )= = max(0, (1 − 1)+ (1 − (1 − 2))− 1)(11) ∫ (¬ 1| ) ( 2| ) ( )

= max(0, 2 − 1 )= = max(0, (1 − (1 − 1))+ (1 − 2)− 1)(12)

( )= ( | 1, 2)min(1 − 1, 1 − 2)+ + ( | 1, ¬ 2)max(0, 2 − 1)+ ( |¬ 1, 2)max(0, 1 − 2)(13)

( )= ( | 1, ¬ 2)(1 − 1)+ ( |¬ 1, 2)(1 − 2)+ +( ( | 1, 2)− ( |¬ 1, 2)− ( | 1, ¬ 2))× × (1 − 1, 1 − 2). (14)

the prior values that can take risk parameters of information security. An important feature is that in the presence of a large volume of statistics, the wrong choice of prior probability distribution will not essentially affect the posterior probability. However, what is especially true for solving problems of analysis of information security risks, in the absence of such data it is advisable to choose distribution that minimally affects the posterior distribution (so-called non-informative distribution).

be very useful for solving the problem of their iterative dynamic analysis.

The use of artificial neural networks to solve the assigned problem allows us to provide a number of important properties of the system as well, including provision of the ability to teach the system in the process of functioning and its adaptation to different conditions of functioning. When using them, there is also no need for the previous detailed modeling of the automated system. The direction of further research is aimed at the use of approximate estimates of a posterior probability of realization of events.