=Paper=
{{Paper
|id=Vol-3035/paper09
|storemode=property
|title=The Estimation of Probabilistic Risks for the Performance of System Human Resource Management Process
|pdfUrl=https://ceur-ws.org/Vol-3035/paper09.pdf
|volume=Vol-3035
|authors=Andrey I. Kostogryzov,Roman Yu. Avdonin,Andrey A. Nistratov
}}
==The Estimation of Probabilistic Risks for the Performance of System Human Resource Management Process ==
https://ceur-ws.org/Vol-3035/paper09.pdf
The Estimation of Probabilistic Risks for the Performance of
System Human Resource Management Process
Andrey I. Kostogryzov1, Roman Yu. Avdonin 1 and Andrey A. Nistratov 1
1
Federal Research Center “Computer Science and Control” of the Russian Academy of Sciences, 44/2 Vavilova
Street., Moscow, 119333, Russia
Abstract
The approach for estimation of probabilistic risks for the performance of system human
resource management process considering information security requirements is proposed.
The recommended models for risks prediction are described. The use of the proposed
approach helps to identify "bottlenecks", reduce risks in system human resource management
process, justify conditions and period, in which guarantees of risks retention within
admissible limits are maintained, taking into account the requirements for system information
security. The usability of the approach is illustrated by examples.
Keywords 1
Analysis, system information security, model, risk, human resource management process
1. Introduction
The main goal of the human resource management process is to equip the system with the
necessary specialists in a timely manner and maintain their competence at a level sufficient to ensure
the required quality of the system being created and the efficiency of its operation. In the conditions
of existing uncertainties, various risks can be associated with objective and subjective factors, with
the uncertainty of responsibility, as well as with deliberate deviation from the established norms and
rules of work. Despite many works on risk management for different application areas (see, for
example, [1-21]) the problems associated with the estimation of predicted risks, taking into account
the requirements for system information security, continue to be relevant. According to ISO Guide 73
risk is understood as effect of uncertainty on objectives considering consequences (an effect is a
deviation from the expected — positive and/or negative).
In this paper an universal approach to do the estimation of probabilistic risks for the performance
of system human resource management process considering information security requirements is
proposed. It includes a description of general propositions, review and recommendations for
probabilistic modeling (considering [1-21]), the approach to the estimation of integral risk, examples
connected with human resource management process in application to IEC 62508 “Guidance on
human aspects of dependability” and interpretation comments about a calculated probabilistic risks.
2. General propositions
In general, the main output of the human resource management process are information and non-
material results. The information results of management include plan for managing system human
resource and personnel selection plans, personnel database, employment contracts, plans and reports
on the implementation of projects. In turn, the non-material results include directly qualified and
motivated personnel assigned to the relevant positions, acquired skills, publicly available knowledge,
staff satisfaction with work, the level of staff turnover that meets the needs of the enterprise in
employees, an acceptable socio-psychological climate at the enterprise, the required level of safety,
BIT-2021: XI International Scientific and Technical Conference on Secure Information Technologies, April 6-7, 2021, Moscow, Russia
EMAIL: akostogr@gmail.com (A.1), ft.99@yandex.ru (A.2), andrey.nistratov@gmail.com (A.3)
ORCID: 0000-0002-0254-5202 (A.1), 0000-0002-5572-2727 (A.2), 0000-0002-0688-4156(A.3)
© 2021 Copyright for this paper by its authors.
Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings (CEUR-WS.org)
76
�quality and efficiency of the system and the innovative potential of the enterprise (connected with
human resource) etc.
In the life cycle of systems, both the reliable performance of the human resource management
process itself and the system information security proper to this process should be ensured.
To predict proper risks the approach for modeling human resource management process is
proposed below.
3. The recommendations for modeling
To predict the risks for a given prognostic time 𝑇𝑇 it is proposed to use the following quantitative
probabilistic measures:
𝑅𝑅human (𝑇𝑇 ) − the probability of failure in reliable perform human resource management process
without consideration of system information security;
𝑅𝑅sec (𝑇𝑇 ) − the probability of violating system information security requirements;
𝑅𝑅int (𝑇𝑇 ) − the integral probability of failure in reliable perform human resource management
process considering system information security.
To calculate the risk measures, the entities under study can be considered as a system of simple or
complex structure. Models and methods for risks prediction use data obtained "upon the occurrence of
events", according to the identified prerequisites for the occurrence of events, and data collected and
accumulated statistics and possible conditions for their implementation of the process.
A simple structure system for modeling is a system consisting of a single element or a set of
elements logically combined for analysis as a single element. The analysis of a simple structure
system is carried out according to the «Black box" principle, when the inputs and outputs are known,
but the internal details of the system operation are unknown. A system of a complex structure for
modeling is represented as a set of interacting elements, each of which is represented as a «Black
box" operating under conditions of uncertainty.
The modeling is based on using concept of the probabilities of "success" and/or "unsuccess" (risk
of "failure" considering consequences) during the given prognostic time period. There are
recommended some «Black box” models for which probabilistic space (Ω, B, P) is created (see for
example [1, 3, 6, 8, 14, 16] etc.), where: Ω - is a limited space of elementary events; B – a class of all
subspace of Ω-space, satisfied to the properties of σ-algebra; P – is a probability measure on a space
of elementary events Ω. Because, Ω={ωk} is limited, there is enough to establish a reflection ωk→pk
=P(ωk) like that pk≥0 and ∑ p k = 1 . Using these probabilistic models the measures 𝑅𝑅human (𝑇𝑇 ) and
k
𝑅𝑅sec (𝑇𝑇 ) can be estimated considering uncertainty conditions, periodical diagnostics, monitoring
between diagnostics, recovery of the lost integrity for «Black box”.
Applicable models for predicting such different risks, including the ways for generating models for
complex system with parallel or serial structure in the part of system human resource management
process, see in [1, 3, 6, 8, 14, 16]. These models can be used for an estimation of the probabilistic
risks proposed.
4. Estimation of measures
From engineering point of view the modelled system may be presented as “Black box” an as
complex system composed from «Black box” elements. There may be two cases for estimating the
probability of failure in “successful” operation of the j-th composing element (j ≥ 1) during given
prognostic time: the case of observed repeatability and the case of assumed repeatability of random
events [1, 6, 8, 14, 16].
77
�4.1. The observed repeatability
According to observed repeatability the inputs for the calculations of 𝑅𝑅human 𝑗𝑗 (𝑇𝑇 ) and/or
𝑅𝑅sec 𝑗𝑗 (𝑇𝑇 ) (denoted below as 𝑅𝑅fai𝑙𝑙 𝑗𝑗 (𝑇𝑇𝑗𝑗 )) use statistical data. Failure to perform the necessary actions
of the j-th composing system is a threat of possible damage. From the point of view of the
composition of actions and/or the severity of possible damage, all varieties of the actions can be
divided into K groups, K ≥ 1 (if necessary). Based on the statistical data, the probability of failure to
perform the actions of the j-th composing system element for the k-th group for a given time (it also
may be related to 𝑅𝑅human 𝑗𝑗 (𝑇𝑇 ) or 𝑅𝑅sec 𝑗𝑗 (𝑇𝑇 ) ) may be calculated by the formula
𝑅𝑅act 𝑗𝑗𝑗𝑗 (𝑇𝑇 𝑗𝑗𝑗𝑗 ) = 𝐺𝐺failure 𝑗𝑗𝑗𝑗 (𝑇𝑇 𝒋𝒋𝒋𝒋 )/𝐺𝐺𝑗𝑗𝑗𝑗 (𝑇𝑇 𝒋𝒋𝒋𝒋 ), (1)
where 𝐺𝐺failure 𝑗𝑗𝑗𝑗 (𝑇𝑇 𝒋𝒋𝒋𝒋 ) , 𝐺𝐺𝑘𝑘 (𝑇𝑇𝒋𝒋𝒋𝒋 )- are accordingly, the number of cases of failures when performing
the necessary actions of the j-th composing system element and the total number of necessary actions
from the k-th group to be performed in a given time 𝑇𝑇 𝒋𝒋𝒋𝒋 .
The probability 𝑅𝑅fai𝑙𝑙 𝑗𝑗 (𝑇𝑇𝑗𝑗 ) of failure in “successful” operation of the j-th composing system
element during a given prognostic period 𝑇𝑇𝑗𝑗 is proposed to be estimated for the option when only
those cases are taken into account for which the actions were not performed properly (they are the real
cause of the damage):
𝑅𝑅fai𝑙𝑙 𝑗𝑗 (𝑇𝑇𝑗𝑗 ) = 1 − ∑𝐾𝐾𝑘𝑘=1 𝑊𝑊𝑗𝑗𝑗𝑗 [1 − 𝑅𝑅𝑓𝑓𝑓𝑓𝑓𝑓𝑓𝑓 𝑗𝑗𝑗𝑗 (𝑇𝑇 𝑗𝑗𝑗𝑗 )] 𝐼𝐼 (α𝑘𝑘 )⁄∑𝐾𝐾𝑘𝑘=1 𝑊𝑊𝑗𝑗𝑗𝑗 , (2)
where 𝑇𝑇𝑗𝑗 is the maximum time for the j-th composing system element operation, including all
particular values 𝑇𝑇 𝑗𝑗𝑗𝑗 for the entire set of actions from different groups, taking into account their
overlaps;
𝑊𝑊𝑗𝑗𝑗𝑗 − is the quantity of actions for the j-th composing system element from the k-th group taken
into account for multiple performances of the actions.
For the k-th group the requirement to perform the actions using the indicator function 𝐼𝐼 (α𝑘𝑘 ) is
taken into account:
1, if condition α is peformed,
𝐼𝐼(α) = �
0, if condition α isn′ t peformed.
The condition α used in the indicator function is formed by the analysis of different specific
conditions, proper to the j-th composing system element operation (defined in terms of system quality,
safety, effectiveness etc.). It allows to take into account the consequences associated with the failure
to perform the necessary actions – see (1), (2). Condition α𝑘𝑘 means a set of conditions for all process
actions, subject to quality, safety, effectiveness etc. and time constraints within the given time 𝑇𝑇𝒌𝒌 for
performing the necessary actions from the k-th group.
4.2. The «Black box» formalization
As modelled system (concerning a formalization of human resource management process) there
are considered as «Black box” with virtual random events affecting system operation – for estimating
𝑹𝑹𝐡𝐡𝐡𝐡𝐡𝐡𝐡𝐡𝐡𝐡 (𝑻𝑻 ) and/or 𝑹𝑹𝐬𝐬𝐬𝐬𝐬𝐬 (𝑻𝑻 ) in modelled system, presented as one element.
In general case “successful” modelled system operation is connected with counteraction against
various dangerous influences on system integrity - these may be counteractions against human
failures or “human factors” events in actions on time line.
There are proposed the formalization for the general technology of counteraction against various
dangerous influences on system integrity. The technology is based on periodical diagnostics of system
integrity, that is carried out to detect danger sources penetration into a system or consequences of
negative influences (see Figure 1). The lost system integrity can be detected only as a result of
diagnostics, after which the system recovery is started. Dangerous influence on system is acted step-
by step: at first a danger source penetrates into the system and then after its activation begins to
influence. The system integrity can’t be lost before penetrated danger source is activated. A danger
78
�for “successful” operation is considered to be realized only after a danger source has influenced on the
modelled system.
Figure 1. Some accident events in modelled system (left – correct operation, right – a lose of integrity
during prognostic period Tgiven )
It is supposed that used diagnostic tools allow to provide necessary integrity recovery after
revealing danger sources penetration into modelled system or the consequences of influences. Using
the probabilistic models (described in details in [1, 6, 8, 14, 16] the measures can be estimated in
terms “success” or “failure” considering uncertainty conditions, periodical diagnostics, monitoring
between diagnostics, recovery of the lost integrity for «Black box”. The next universal input data for
probabilistic modeling are:
σ - frequency of the occurrences of potential threats (or mean time between the moments of the
occurrences of potential threats which equals to 1/frequency);
β - mean activation time of threats;
Tbetw - time between the end of diagnostics and the beginning of the next diagnostics;
Tdiag - diagnostics time;
Trecov - recovery time
T - given prognostic period.
4.3. The formalization for complex structure
For a complex system estimation with parallel or serial structure existing models can be developed
by usual methods of probability theory. For this purpose in analogy with reliability it is necessary to
know a mean time between losses of integrity for each element. Let's consider the elementary
structure from two independent series elements this means logic connection “AND” and for two
parallel elements this means logic connection “OR”. Let’s probability distribution function (PDF) of
time between losses of j-th element integrity is Вj(t) =Р (τj≤ t), and random values τ1, τ2 are
independent, then:
1) time between losses of integrity for system combined from series connected independent
elements is equal to a minimum from two times τj: failure of 1st or 2nd elements (i.e. the system goes
into a state of lost integrity when either 1st, or 2nd element integrity will be lost). For this case the
PDF of time between losses of system integrity is defined as
В(t) = Р(min (τ1,τ2)≤t)=1-Р(min (τ1,τ2)>t)= 1-Р(τ1>t)Р(τ2 > t)= 1 – [1-В1(t)] [1- В2(t)]. (3)
2) time between losses of integrity for system combined from parallel connected independent
elements (hot reservation) is equal to a maximum from two times τj: failure of 1st or 2nd elements
(i.e. the system goes into a state of lost integrity when both 1st and 2nd element integrity will be lost).
For this case the PDF of time between losses of system integrity is defined as
В(t)=Р(max (τ1,τ2)≤t)=Р(τ1 ≤ t)Р(τ2 ≤t)=В1(t)В2(t). (4)
Note. The same approach is developed also by Prof. E.Ventcel in 80th and by others researchers, see [1, 3, 6, 7, 8, 16] .
Thus, an adequacy of probabilistic models is reached by the consideration of real processes of
control, monitoring, element recovery for complex structure. Applying recurrently expressions (3) –
79
�(4), it is possible to receive PDF of time between losses of integrity for any complex modelled system
with series and/or parallel structure.
4.4. The integral measure
The integral probability of failure in reliable perform human resource management process
considering system information security 𝑅𝑅int (𝑇𝑇 ) for the period T is proposed to be calculated by the
formula:
𝑅𝑅int (𝑇𝑇) = 1 − [1 − 𝑅𝑅human (𝑇𝑇 )] · [1 − 𝑅𝑅sec (𝑇𝑇 )]. (5)
Here the probabilistic measure 𝑅𝑅human (𝑇𝑇 ) is probability of failure in reliable perform human
resource management process without consideration of system information security and 𝑅𝑅sec (𝑇𝑇 ) is
probability of violating system information security requirements. They are estimated according to
recommendations of section 3 and subsections 4.1-4.3 considering the possible damage.
Note. The condition of independence between the random time before failure in performing the human resource management process
and the random time before violating system information security requirements is supposed.
5. Examples
5.1. General
Without deviation from the general understanding of the proposed approach, the examples are
given with reference to the human resource management process in application to standard IEC 62508
“Guidance on human aspects of dependability”.
Let some enterprise implement a set of actions for human resource management. According to the
recommendations of IEC 62508, devoted to the analysis of the influence of the human factor on the
system dependability, the main actions of the enterprise should be: the formation of human resources;
the use of human resources; the development of human resources; the evaluation of efficiency related
to human resource management.
Without going into the details of the considered aspects, the structure of actions set for receiving
results of human resource management process is presented by Figure 2. For example 1 the actions set
of system human resource management process is considered as complex modelled system. The
approach of 4.3 is applied (because the approaches of 4.1, 4.2 are more simple, for them many aspects
of system human resource management process are not considered).
Figure 2. The formal structure of actions set for example 1
The elements of the modelled system are:
80
� 1st element (subsystem) - the actions of the formation of human resources;
2nd subsystem (elements 2.1 and 2.2) - the actions to use of human resources;
3rd element - the actions to the development of human resources;
4th element - the actions to the evaluation of efficiency related to human resource management.
Subsystem 2 is designated in the modelled system as two duplicate elements of the system -
elements 21 and 22. Duplication in practice means that actions are performed by more than one
performer, one of whom is a person, the functions of another performer can be performed either by
another person (for example, a boss) and/or supported by a robot and/or some artificial intelligence
system. From the point of view of elementary events, such interaction essentially means that actions
will be performed by subsystem 2 if " OR " element 2.1 "OR" element 2.2 will be in the elementary
state "The integrity of the element of the modeled system is retained".
By definition, the reliable performance of human resource management process in the modelled
system is considered to be ensured during a given prognostic period, if during this period the "AND"
actions of the process for the formation of human resources (according to element 1), "AND" for the
use of human resources (according to element 2.1 "AND"/"OR" element 2.2), "AND" for the
development of human resources (according to element 4), "AND" for the evaluation of efficiency
(according to element 4) are reliably performed. The prognostic period itself for an individual element
can be interpreted as referring to the stage of creation (for threats inherent in this stage), and to the
stage of operation in the future (for potentially possible threats), modeling the acceptability of
solutions and confirming guarantees that acceptable risks are not exceeded.
5.2. Example 1
The risk of violating the reliability of the process performance without taking into account the
requirements for system information security is estimated for modelled structure of Figure 1. Many
possible threats affecting the each of the structural elements of the modelled system have been
identified. At the same time, not only health threats and the possibility of human errors are taken into
account, but also hypothetical threats associated with the possible consequences of these errors at the
stage of enterprise operation. The generated input data for modeling, which cover each of the
composite elements, are presented in Table 1.
Table 1
Example 1 input for modeling complex structure (see models in [1, 6, 8, 14, 16])
Input
Elements Values and comments
for the model
σ - frequency of the occurrences of 1st element 1 time in 5 years (because of lost qualifications or
potential threats knowledge for solving problems)
Element 2.1 2 times in a year (because of insufficient
qualifications or knowledge to solve problems or
due to health problems of the staff)
Element 2.2 The same as for element 2.1
3rd element 1 time in 5 years (because of the violation of the
necessary terms of professional training and
advanced training)
4th element 1 time in a year (because of the violation of the
necessary deadlines or the quality of the periodic
evaluation of the effectiveness of the process
performance)
β - mean activation time of threats 1st element 3 months up to possible damage
Element 2.1 2 months up to possible damage
Element 2.2 2 months up to possible damage
3rd element 6 months up to possible damage
4th element 6 months up to possible damage
81
�Tbetw - time between the end of For all elements 1 time in a week
diagnostics and the beginning of
the next diagnostics
Tdiag - diagnostics time 1st element 1 hour - this average time is required to monitor
the performance of functions related to
determining the requirements for the recruited
staff and drawing up plans
Element 2.1 15 minutes (a time of medical examination before
work)
Element 2.2 The same as for element 2.1
3rd element 8 hours
4th element 8 hours
Trecov - recovery time 1st element 1 day
Element 2.1 1 hour (this is the mean time to replace a person
with a stand-in)
Element 2.2 The same as for element 2.1
3rd element 1 week - this is the time to correct mistakes in
providing professional development, organizing
mentoring and consulting staff
4th element 3 days - this is the time to correct mistakes in
ensuring a timely and qualitative estimation of the
effectiveness of the process performance and the
organization operation
T - given prognostic period For all elements From 1 to 4 years
(to estimate such a period during which the
guarantees of retaining risks within admissible
limits are maintained)
The analysis of the calculation results showed that in probabilistic terms, the risk of failure in reliable
perform human resource management process without consideration of system information security
for 2 years will be about 0.02 for the entire set of actions (see Figure 2). With an increase in the
prognostic period from 1 year to 4 years (see Figure 3), the risk increases from 0.043 to 0.241. For an
acceptable risk at the level of 0.05, a period of up to 14 months is justified, in which guarantees are
maintained that the acceptable risk is not exceeded in the conditions of the example from Table 1.
Figure 2. The probability of failure in reliable Figure 3. Dependence 𝑅𝑅human (𝑇𝑇 ) on the
perform human resource management process prognostic period 𝑇𝑇 lasting from 1 to 4 years
during 2 years without consideration of system
information security - 𝑅𝑅human 𝑖𝑖 (𝑇𝑇 = 2 years )
82
� The" bottleneck", the characteristics of which it makes sense to analyze for risk reduction, is only
subsystem 2 – this is a set of actions for the use of human resources related to functional support,
estimation and control. The identification of this "bottleneck" forces an additional analysis to identify
ways to reduce the risk. The simplest option is to combine efforts in the use of human resources.
These efforts imply mutual assistance, including mutual control of activities, and from the point of
view of modeling in the structure, instead of element 2.2 with characteristics identical to element 2.1,
the use of element 2.2, for which the frequency of occurrence of sources of threats associated with
ineffective functional support, evaluation and control of actions (σ) will not be 2 times a year (as in
Table 1 for medium-qualified personnel), but 1 time every 2 years, i.e. 4 times less often. This is quite
achievable due to the performance of functions by a more highly qualified human performer and/or a
robot and/or with the support of some kind of artificial intelligence system. All other input for
modeling are the same as shown in Table 1.
As a result of additional modeling, it was found that due to the measures taken, the risk of failure
in reliable perform human resource management process without consideration of system information
security was reduced to the level of 0.076 (i.e. by 34.2%) and an increase from 14 to 16 months of the
period for which guarantees of non-excess of acceptable risks are retained (see Figure 4). In practice,
it is these measures (combining the efforts of several persons in the parallel solution of one task with
mutual control of the prepared solutions) that lead to success. The example shows only a quantitative
estimation of the results of applying such measures.
Figure 4. The risk of failure in reliable perform human resource management process (without
consideration of system information security) is decreased (left), and guarantees of risk retention
within admissible limits (≤0.05) are increased (right)
5.3. Example 2
Continuing Example 1, the prediction of the risk of violation of information security requirements
is illustrated for a set of actions according to the recommendations of ISO/IEC 27002 (Section 8) in
terms of ensuring the safety of personnel (see Figure 5). The actions set is considered as complex
modelled system. Still the approach of 4.3 is applied (because the approaches of 4.1, 4.2 are more
simple for modeling in the example).
83
� Figure 5. The formal structure of actions set for example 2
The input for each of the 3 constituent elements are presented in Table 2.
Table 2
Example 2 input for modeling complex structure by the model (see models in [1, 6, 8, 14, 16])
Input Values and comments
for the model for 1st element for 2nd element for 3rd element
σ - frequency of the 1 time in 5 years 1 time in a year 2 times in a year (these are
occurrences of (these are threats related (these are threats of threats of damage caused
potential threats to to subjective factors damage during the by previous mistakes or
information security before employment) employment of personnel) due to dissatisfaction of
dismissed personnel)
β - mean activation 2 weeks (this is 1 day (it is assumed that 1 day (it is assumed that
time of threats up to commensurate with the due to masking, the due to masking, the
violation of time of using sources of threats are not sources of threats are not
information security vulnerabilities in the part activated immediately, but activated immediately, but
of information security) with a certain delay of at with a certain delay of at
least 1 day) least 1 day)
Tbetw - time between 1 week 1 hour 1 hour
the end of (this time is determined by (this time is determined by (this time is determined by
diagnostics and the the regulations for the regulations for the regulations for
beginning of the next monitoring assets related monitoring assets related monitoring assets related
diagnostics, to recruited staff) to staff) to staff)
connected with
information security
Tdiag - diagnostics 30 seconds/30 seconds 30 seconds/30 seconds 30 seconds/30 seconds
time (automatic control (automatic control (automatic control
information security information security information security
conditions) conditions) conditions)
Trecov - recovery time 5 minutes / 5 minutes 5 minutes / 5 minutes 5 minutes / 5 minutes
after information (including system (including system (including system
security violation reinstallation) reinstallation) reinstallation)
T - given prognostic From 1 to 4 years (to estimate such a period during which the guarantees of retaining
period risks within admissible limits are maintained)
84
� Analysis of the calculation results showed that in probabilistic terms, the risk of violating the
requirements for information security within two years will be about 0.130 for the entire set of
actions, amounting to 0.014 for the 1st element, 0.041 for the 2nd element, 0.080 for the 3rd element
("bottleneck"). With an increase in the prognostic period from a year to 4 years, the risk increases
from 0.067 to 0.243. For an acceptable risk at the level of 0.050, a period of up to 8 months is
justified, in which guarantees are maintained that the acceptable risk is not exceeded in the selected
set of actions characterized by the conditions of the example from Table 2.
A "bottleneck" has been identified – it is the preservation of the ability of a person who has
stopped or changed his duties to use the information received (element 3). At the same time, the cause
of the "bottleneck" is a violator who is able (according to the accepted information security model) to
use this hypothetical vulnerability during a day - see Table 2, the value for β - mean activation time
of threats up to violation of information security.
5.4. Example 3
In continuation of Examples 1 and 2, the integral probability 𝑹𝑹𝐢𝐢𝐢𝐢𝐢𝐢 (𝑻𝑻 ) of failure in reliable perform
human resource management process considering system information security is calculated using the
recommendations of section 4. Considering that 𝑹𝑹𝐡𝐡𝐡𝐡𝐡𝐡𝐡𝐡𝐡𝐡 (𝑻𝑻 = 𝟐𝟐 𝐲𝐲𝐲𝐲𝐲𝐲𝐲𝐲𝐲𝐲 ) = 0.076 and
𝑹𝑹𝐬𝐬𝐬𝐬𝐬𝐬 (𝑻𝑻 = 𝟐𝟐 𝐲𝐲𝐲𝐲𝐲𝐲𝐲𝐲𝐲𝐲 ) = 0.130, by formula (5)
𝑹𝑹𝐢𝐢𝐢𝐢𝐢𝐢 (𝑻𝑻 = 𝟐𝟐 𝐲𝐲𝐲𝐲𝐲𝐲𝐲𝐲𝐲𝐲 ) = 1 ─ (1─0.076)·(1─0.130) ≈ 0.196.
For commensurate damages in resulting value of integral risk 0.196 the risk of violating system
information security requirements (0.130) is 1.7 times higher than the risk of failure to reliable
perform human resource management process without consideration of system information security.
Comparing with the admissible level of 0.05, we can state that the calculated risks exceed the
acceptable risk (in probability value). It means the rationale that the system decisions are not balanced
and the improvement of human resource management process is needed. And the main goal is to
reduce the risk of violating information security requirements.
Thus, the examples 1-3 demonstrated a usability of the approach.
6. Conclusion
The proposed approach allows to estimate probabilistic risks for the performance of system human
resource management process considering information security requirements. It uses the measure for
uncertainty conditions – the integral probability of failure in reliable perform human resource
management process considering system information security. Considering system information
security the approach application helps to identify "bottlenecks" and the ways to reduce risks in
human resource management process, and justify conditions and period, in which guarantees of risks
retention within admissible limits are maintained, taking into account the requirements for system
information security.
7. References
[1] A. Kostogryzov, G.Nistratov and A.Nistratov. Some Applicable Methods to Analyze and
Optimize System Processes in Quality Management. Total Quality Management and Six Sigma,
InTech, 2012: 127-196. DOI: 10.5772/46106
[2] A. Barabanov, A. Markov, V. Tsirlov. Methodological Framework for Analysis and Synthesis of
a Set of Secure Software Development Controls, Journal of Theoretical and Applied Information
Technology, 2016, vol. 88, No 1, pp. 77-88
85
�[3] M. Eid, and V. Rosato. Critical Infrastructure Disruption Scenarios Analyses via Simulation.
Managing the Complexity of Critical Infrastructures. A Modelling and Simulation Approach,
SpringerOpen, 2016: 43-62.
[4] A. Markov, A. Fadin, V. Tsirlov. Multilevel Metamodel for Heuristic Search of Vulnerabilities in
the Software Source Code, International Journal of Control Theory and Applications, 2016, vol.
9, No 30, pp. 313-320.
[5] Zegzhda, P., Zegzhda, D., Pavlenko, E., Dremov, A. Detecting Android application malicious
behaviors based on the analysis of control flows and data flows. ACM International Conference
Proceeding Series, 2017, pp. 280-286. DOI: 10.1145/3136825.3140583.
[6] Kostogryzov A., Stepanov P., Nistratov A., Nistratov G., Klimov S., Grigoriev L. (2017). The
method of rational dispatching a sequence of heterogeneous repair works. Energetica. Vol.63, 4,
154-162. www.lmaleidyka.lt/ojs/index.php/energetika/index
[7] V. Artemyev, Ju. Rudenko, G. Nistratov. Probabilistic modeling in system engineering.
Probabilistic methods and technologies of risks prediction and rationale of preventive measures
by using “smart systems”. Applications to coal branch for increasing Industrial safety of
enterprises. IntechOpen, 2018: 23-51.
[8] V. Kershenbaum, L. Grigoriev, P. Kanygin, A. Nistratov. Probabilistic modeling in system
engineering. Probabilistic modeling processes for oil and gas systems. IntechOpen, 2018: 55-79.
[9] A. Markov, A. Barabanov and V. Tsirlov. Probabilistic modeling in system engineering. Periodic
Monitoring and Recovery of Resources in Information Systems. IntechOpen, 2018: Chapter 10.
URL: http://www.intechopen.com/books/probabilistic-modeling-in-system-engineering
[10] I. Goncharov, N. Goncharov, S. Kochedykov and P. Parinov. Probabilistic modeling in system
engineering. Probabilistic analysis of the influence of staff qualification and information-
psychological conditions on the level of systems information security. IntechOpen, 2018: Chapter
11. URL: http://www.intechopen.com/books/probabilistic-modeling-in-system-engineering
[11] A. Barabanov, A. Markov, V. Tsirlov. Information Security Controls Against Cross-Site Request
Forgery Attacks on Software Application of Automated Systems. Journal of Physics: Conference
Series. 2018. V. 1015. P. 042034. DOI :10.1088/1742- 6596/1015/4/04203.
[12] A. Berdyugin, P. Revenkov. Approaches to measuring the risk of cyberattacks in remote banking
services of Russia. 2019. Vol-2603. P. 23-38. URL: http://ceur-ws.org/Vol-2603/short2.pdf
[13] N. Korneev, V. Merkulov. Intellectual analysis and basic modeling of complex threats. 2019. Vol-
2603. P. 23-38. URL: http://ceur-ws.org/Vol-2603/paper6.pdf
[14] A. Kostogryzov. Risks Prediction for Artificial Intelligence Systems Using Monitoring Data.
2019. Vol-2603. P. 29-33. URL: http://ceur-ws.org/Vol-2603/short7.pdf
[15] V. Varenitca, A. Markov, V. Savchenko. Recommended Practices for the Analysis of Web
Application Vulnerabilities. 2019. Vol-2603. P. 75-78. URL: http://ceur-ws.org/Vol-
2603/short16.pdf
[16] A. Kostogryzov, V. Korolev. Probabilistic methods for cognitive solving some problems of
artificial intelligence systems. Probability, combinatorics and control. IntechOpen, 2020, pp. 3-34.
URL: https://www.intechopen.com/books/probability-combinatorics-and-control
[17] V.A. Nadein, N.A. Makhutov, V.I. Osipov, G.I. Shmal’, P.A. Truskov Hybrid modelling of
offshore platforms’ stress-deformed and limit states with taking into account probabilistic
parameters. Probability, combinatorics and control. IntechOpen, 2020, pp. 73-116. URL:
https://www.intechopen.com/books/probability-combinatorics-and-control
[18] I. Sinitsyn, A. Shalamov Probabilistic analysis, modeling and estimation in CALS technologies.
Probability, combinatorics and control. IntechOpen, 2020, pp. 117-142. URL:
https://www.intechopen.com/books/probability-combinatorics-and-control
[19] D. Neganov., N. Makhutov. Combined calculated, experimental and determinated and probable
justification for strength of trunk oil pipelines. Probability, combinatorics and control.
IntechOpen, 2020, pp. 143-164. URL: https://www.intechopen.com/books/probability-
combinatorics-and-control
[20] N. Makhutov, M. Gadenin, Yu. Dragunov, S. Evropin, V. Pimenov Probability modeling taking
into account nonlinear processes of a deformation and fracture for the equipment of nuclear
86
� power plants. Probability, combinatorics and control. IntechOpen, 2020, pp. 191-220. URL:
https://www.intechopen.com/books/probability-combinatorics-and-control
[21] I. Goncharov, N. Goncharov, P. Parinov, S. Kochedykov, A. Dushkin Modelling the
information-psychological impact in social networks. Probability, combinatorics and control.
IntechOpen, 2020, pp. 293-308. URL: https://www.intechopen.com/books/probability-
combinatorics-and-control
87
�