<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Organizational and Economic Provision of Corporate Information Effective Protection</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Valery Lakhno</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Bissenbay Satzhanov</string-name>
          <email>satzhanov1959@mail.ru</email>
          <xref ref-type="aff" rid="aff2">2</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Abzal Tabylov</string-name>
          <email>tabylov62@mail.ru</email>
          <xref ref-type="aff" rid="aff2">2</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Vitaliy Chubaievsyi</string-name>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Serhii Kaminskyi</string-name>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>National University of Life and Environmental Sciences of Ukraine</institution>
          ,
          <addr-line>15 Heroyiv Oborony str., Kyiv, 03041</addr-line>
          ,
          <country country="UA">Ukraine</country>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>State University of Trade and Economics</institution>
          ,
          <addr-line>19 Kyoto str., Kyiv, 02156</addr-line>
          ,
          <country country="UA">Ukraine</country>
        </aff>
        <aff id="aff2">
          <label>2</label>
          <institution>Yessenov University</institution>
          ,
          <addr-line>microdistrict 32, Aktau, 130000</addr-line>
          ,
          <country country="KZ">Kazakhstan</country>
        </aff>
      </contrib-group>
      <fpage>138</fpage>
      <lpage>147</lpage>
      <abstract>
        <p>The model that describes the procedure for formalizing the task of optimizing the Information Security System (ISS) of a business entity (company) has been further developed. At the same time, unlike existing approaches, the emphasis in the proposed solution is on mathematical, algorithmic, and computer support for the decision-making procedure in the task of organizational and economic support for the effective protection of corporate information in the context of the company's Information Security (IS) management tasks. It enables the defense side to effectively determine the parameters of organizational management of the company's information security infrastructure. The contour of the Decision Support System (DSS) in the process of the company's information security infrastructure development was considered. In the context of a qualified experts' shortage in the field of information security of companies, additions to the model were proposed that allow taking into account the impact of human resources of experts in information security issues on the management of the company's information security infrastructure. Recommendations were offered and the corresponding application software-DSS was described. The use of such DSS will help one to minimize the risks associated with the lack of qualified IS experts in many companies.</p>
      </abstract>
      <kwd-group>
        <kwd>Information protection</kwd>
        <kwd>information security</kwd>
        <kwd>organizational and economic support</kwd>
        <kwd>infrastructure management</kwd>
        <kwd>decision support system</kwd>
        <kwd>risk minimization</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. Introduction</title>
      <p>In the conditions of globalization, cooperation,
and competition, not a single company (regardless
of the field of activity) can function without a
developed structure of information technologies
and systems (hereinafter, respectively, IT and IS),
which ensure the success and efficiency of both
making individual management decisions and
efficiency of company business processes as a
whole. The dynamic growth of the IT
infrastructure of companies has long overcome
the first stage of the traditional expansion of the
scale of hardware and software complexes used to
automate the collection, storage, processing,
transmission, and receipt of information. In
modern conditions, the priority has become not so
much the quantity and quality of IT and IS used in
the business processes of business entities, but the
reliability and completeness of the information
that contributes to the adoption of optimal
management decisions.</p>
      <p>
        Traditional IS for large companies has been
replaced by corporate IS (hereinafter referred to
as CIS). However, the rapid development of companies' IT
and IS has given rise to such an acute
problem as ensuring the information security
(hereinafter referred to as IS) of companies and
the safety of their Information Resources
(hereinafter referred to as InR). The use by the
attacking side of increasingly complex methods
for implementing cyber-attack scenarios has led
to the fact that any CIS already at the time of its
operation requires the adoption of appropriate
measures aimed at protecting corporate
information. Consequently, each enterprise must
ensure a high degree of protection of commercial
information, and the integrity of its InR [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ].
      </p>
      <p>
        Continuous organizational and economic
support of the company’s information security
procedures can minimize business risks,
maximize return on investment, facilitate business
opportunities, and enhance the company’s
commercial image and competitive advantages
[
        <xref ref-type="bibr" rid="ref1 ref2 ref33 ref34 ref35 ref36">1, 2, 33–36</xref>
        ].
      </p>
      <p>To ensure effective protection of InR and
stable management of information security,
companies must not only periodically assess
information security, but also constantly analyze
the processes for their CIS.</p>
      <p>While the process of information security
effectiveness measurement is recognized as an
important element of an information security
management system, many gaps and challenges
remain. Since information security is a complex
and multifaceted system with a large amount of
data, specialists in the information security
departments of companies are often overloaded
with current work. And, therefore, they cannot
develop effective processes for assessing the
current state of the company’s information
security.</p>
      <p>
        As practice shows, information security
specialists mainly focus on technical goals. At the
same time, only a small part of them can perform
a comprehensive assessment of the effectiveness
of the company’s information security, including
work on organizational and economic support for
the effective protection of corporate information.
World experience undeniably proves that a simple
increase in the number of means and measures to
protect information (hereinafter referred to as IS)
does not always give a tangible effect [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ].
      </p>
      <p>
        Moreover, in several situations [
        <xref ref-type="bibr" rid="ref3 ref37">3, 37</xref>
        ], the
implementation of such a scenario only increases
the workload of the personnel involved in the
information security of the company. Moreover,
errors in the planning of resources allocated for
ensuring the information security of companies
lead to the fact that expensive protection of InR
with little value or significance for business
processes results in damage. Such damage may
not always be financially obvious. In some cases,
the extent of reputational damage is many times
greater than the financial losses from the loss of
information [
        <xref ref-type="bibr" rid="ref4">4</xref>
        ]. The same can be said about the
insufficiently effective protection of companies' valuable
InR. For example, according to [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ], the
presence in a company of leaks of important
internal information used in business processes in
volumes &gt;20% can lead to the fact that the
company will become bankrupt with a probability
of 60%. Moreover, according to [
        <xref ref-type="bibr" rid="ref38 ref5 ref6">5, 6, 38–39</xref>
        ],
more than 90% of companies that were deprived
of access to their own InR for periods of &gt;10 days
stopped their economic activities with a high
degree of probability.
      </p>
      <p>Summarizing the above, there is a certain
contradiction. So, on the one hand, significant
costs for the Information Security System (ISS)
are an obligatory component of the costs of almost
all business entities. On the other hand, it is just as
necessary to solve the problem related to
optimizing the costs of building an effective
information security system and organizing
efficient processes in CIS. The conclusions drawn
predetermine the relevance of this study, aimed at
improving the methods and models of
organizational support for IT infrastructure
management processes in the information security
system of companies.</p>
    </sec>
    <sec id="sec-2">
      <title>2. Literature Review and Analysis</title>
      <p>
        It is shown in [
        <xref ref-type="bibr" rid="ref7 ref8">7, 8</xref>
        ] that the increasing intensity
and more complex scenarios of cyber-attacks
make relevant not only the permanent
improvement of the hardware and software
systems of the information security system but
also dictate the need to take other measures. Such
measures, in particular, include measures aimed at
improving the organizational and economic
support for the effective protection of corporate
information of business entities. According to [
        <xref ref-type="bibr" rid="ref10 ref9">9,
10</xref>
        ], it is necessary to provide the protection side
with effective intelligent systems that can
facilitate the rather routine work of managing the
information security of companies.
      </p>
      <p>
        The need for prompt decision-making related
to organizational and economic support and
management of corporate information protection
has made promising research on the development
of Decision Support Systems (DSS) [
        <xref ref-type="bibr" rid="ref11 ref12">11, 12</xref>
        ] in
this area. In these works, as well as in [
        <xref ref-type="bibr" rid="ref13 ref14">13, 14</xref>
        ], it
is shown that in the framework of the creation of
such DSS, new methods, models, algorithms, and
Application Software (AS) used to solve such
problems are being developed accordingly. The
authors of the considered works, however, do not
give weighty arguments proving the effectiveness
of the widespread use of such DSS for most
business entities. The experience of using DSS in
IS management tasks for individual companies is
considered in [
        <xref ref-type="bibr" rid="ref15 ref16">15, 16</xref>
        ]. However, as noted in [
        <xref ref-type="bibr" rid="ref16 ref17">16,
17</xref>
        ], the existing commercial DSS in the tasks of
providing information security to companies are
of a closed nature. The authors state that the
acquisition by individual small companies of this
class of DSS is associated with significant
financial costs. Non-commercial DSS existing on
the application software market in IS tasks do not
have sufficient functionality [
        <xref ref-type="bibr" rid="ref17">17</xref>
        ].
      </p>
      <p>
        As shown in [
        <xref ref-type="bibr" rid="ref18 ref19 ref20">18–20</xref>
        ], the issues of complex
implementation of DSS in the tasks of
organizational and economic support for the
effective protection of corporate information in
the context of information security management
tasks have not been systematically considered.
      </p>
      <p>
        More than half of all cyber-attacks are aimed
at small companies and enterprises [
        <xref ref-type="bibr" rid="ref21">21</xref>
        ]. Despite
such depressing statistics, as shown in [
        <xref ref-type="bibr" rid="ref22">22</xref>
        ], a
significant part of the management of small and
medium-sized companies continues to believe
that information security is an extra cost item.
This opinion should be partly based on the
shortage of qualified human resources involved in
information security. Thus, small companies
experience more problems in monitoring the
effectiveness of information security. As shown in
[
        <xref ref-type="bibr" rid="ref23 ref24">23, 24</xref>
        ], the use of formal and complex
procedures focused on anticipating and predicting
information security incidents has become a
common practice for such small companies.
      </p>
      <p>
        Taking into account the conclusions made by
the authors in [
        <xref ref-type="bibr" rid="ref13 ref15 ref17 ref18 ref19 ref20 ref24">13, 15, 17–20, 24</xref>
        ], the problem of
systemic implementation of intelligent DSS in the
tasks of organizational and economic support and
information security management of companies
remains unresolved. Mathematical-algorithmic
and computer support of the decision-making
procedure and qualitative expert assessment allow
solving the problems of organizational and
economic support of effective protection of
corporate information in the context of
information security management tasks in the
most efficient way. Thus, conceptually innovative
approaches can be based on the paradigm of the
integrated implementation of DSS in the tasks of
organizational and economic support for the
effective protection of corporate information in
the context of the tasks of IS management of
companies.
      </p>
      <p>The above reasons make the subject of our
study relevant. In our opinion, it is advisable to
focus on the implementation of such DSS in small
companies, where the situation with information
security seems to be the most critical.</p>
    </sec>
    <sec id="sec-3">
      <title>3. The Purpose of the Work and the Objectives of the Study</title>
      <p>The purpose of the work is to develop a model
of organizational and economic support and
information security management of companies.</p>
      <p>To achieve the goal of the work, it is necessary
to solve the following tasks:
• to develop a model of organizational and
economic support and IS management of
companies, taking into account the
minimization of risks associated with the
lack of qualified IS experts;
• to develop and test a DSS for the
organizational and economic support and
management of information security of
companies, which will allow the protection
side to rationally use methods and
information security.</p>
    </sec>
    <sec id="sec-5">
      <title>4. Methods and Models</title>
      <p>
        It is noted in [
        <xref ref-type="bibr" rid="ref25 ref26">25, 26</xref>
        ] that in the context of the
global digitalization of the economy, many
companies are faced with a shortage of qualified
cybersecurity specialists. And if most of the InR
threats can be blocked by hardware and technical
information protection systems, then the issues of
organizational and economic support for the
effective protection of corporate information still
have to be solved by information security
analysts. And here much depends on the
qualifications and experience of the work of a
particular specialist. In our opinion, the direction
associated with the widespread introduction into
practice of solving problems of organizational and
economic support of corporate information
protection systems of intelligent DSS may turn
out to be quite effective, see Fig. 1.
      </p>
      <p>
        Such systems are capable of performing rather
routine and time-consuming computational and
analytical tasks, for example, related to
optimizing the resolution of individual
information security facilities along the contours
of the company’s information security. Also, this
kind of DSS will allow you to quickly make
decisions when redistributing information
security in the face of dynamic confrontation with
the attacking side [
        <xref ref-type="bibr" rid="ref27 ref28">27, 28</xref>
        ].
      </p>
      <p>[Fig. 1. Block diagram of information security management of a company based on DSS. Blocks shown: threats to the information security of the company; the information security service of the company, which develops the company information security policy and the requirements for the information security system in the company; the control object (informational resources, hardware and software resources, corporate information protection systems, organizational and human resources); performance monitoring; the DSS; control actions.]</p>
      <p>An approximate list of tasks that can be solved by the DSS:
• optimal costs for the construction of the information security system of the company;
• the optimal composition of hardware and software protection tools for the company's IS circuits;
• dynamic redistribution of ISS in the context of targeted cyber attacks on the company's InR;
• etc.</p>
      <p>A common practice in the Information
Security Management System (hereinafter
referred to as the ISMS) of companies is the
delegation of some of the tasks that require
sufficiently high qualifications to external experts.</p>
      <p>However, external experts are usually auditors
who evaluate information security metrics
through document reviews, observations, and
interviews with staff. This approach has a positive
effect when it is required to assess the technical
vulnerabilities of the CIS and risks (which
auditors usually identify using penetration tests
and analysis of information security events, or
incidents). At this stage, complex calculations
and complex technical tests are not needed; it may
be sufficient to present the results of
such tests and analyses to the management of the
company. Based on such analysis and audit
findings, management can assess the importance
of specific measures to be taken to ensure the
protection of corporate information. However,
this approach becomes less effective when it
comes to the need for technical and economic
calculations in the tasks of providing enterprise
information security.</p>
      <p>For example, such tasks include multicriteria
optimization tasks related to the search for:
• optimal costs for the construction of the
information security system of the company;
• the optimal composition of hardware and
software protection tools for the company’s IS
circuits;
• dynamic redistribution of information security
in the context of targeted cyber-attacks on the
company’s InR, etc.</p>
      <p>In such situations, in our opinion, it is
advisable to shift routine calculations and the
search for mathematical solutions to these
optimization problems to the DSS. With this
approach, the processes of analyzing information
security audit data and the results of mathematical
and economic modeling using DSS, and in some
cases risk forecasting, are presented to the
company’s management. Based on this data,
management decides on the necessary corrective
actions aimed at achieving the desired target level
of information security. Moreover, we note that
the results of mathematical and economic
modeling and risk forecasting when using DSS are
devoid of a subjective component, and are not tied
to the qualifications of both internal and external
auditors. In this case, we fully follow the
well-established plan-do-check-act approach. The use
of DSS makes this approach more flexible,
operational, and continuous.</p>
      <p>As the number and complexity of attack
scenarios grow, information security becomes one
of the main management tasks of company
management. This is because we have to consider
the management of a complex system. Moreover,
wrong decisions regarding the information
security of a company can lead to a decrease in the
performance of all business processes. When the
company’s information security specialists are
competent and able to provide a high level of
information security and protection, in most cases
they act effectively in solving the problems of
planning and investment activities in information
security. Thus, the overall efficiency of a
company’s business processes most often depends
on the consistency between information security
planning and business planning.</p>
      <p>
        Solving problems related to the optimization of
the information security system of a company
includes the following steps [
        <xref ref-type="bibr" rid="ref14 ref28">14, 28</xref>
        ]:
1. determine the parameters of
organizational management of IT
infrastructure and information security;
2. minimize the cost of building the ISS;
3. choose the optimal amount of investment
in the company’s information security;
4. eliminate (or minimize) the possibility of
information leaks in the company.
      </p>
      <p>The computational core of the DSS can take on
all the calculations for the search for local or
global extrema of the objective functions.</p>
      <p>For example, when searching for a solution to
the problem of minimizing financial costs for
information security, you can use a function of the
form:</p>
      <p>$$C = \sum_{i=1}^{n}\sum_{j=1}^{m} C_{ij}\, x_{ij} + \sum_{i=1}^{n} C_i\, y_i \to \min, \tag{1}$$
where $i = \overline{1, n}$; $j = \overline{1, m}$,
$$\sum_{i=1}^{n}\sum_{j=1}^{m} s_j\, m_{ij}\, x_{ij} \geq PL_{dc}, \qquad \sum_{i=1}^{n} x_{ij} = 1,\ j \in J, \tag{2}$$
where $C_{ij}$ is the cost of protecting the
$j$th resource with the help of the $i$th ISS; $C_i$ is the
cost for the set of InR with the help of
the $i$th ISS; $I = \{i_1, \ldots, i_n\}$ and $J = \{j_1, \ldots, j_m\}$ are,
respectively, the set of ISS in the
company and the set of InR that are subject to
protection; $m_{ij}$ is the assessment of the effectiveness of
protecting the $j$th resource with the help of the $i$th
ISS; $s_j$ is the factor of the importance of the $j$th
resource in the complex assessment of the
information security system of the company;
$x_{ij}$ is a binary value: if $x_{ij} = 1$, the $i$th ISS is
selected to protect the $j$th resource, and if $x_{ij} = 0$, the $i$th
ISS is used to protect only against potential
threats; $y_i$ is a binary value: if $y_i = 1$, the $i$th ISS can
be used, and if $y_i = 0$, it cannot (the symbols of these two
binary variables did not survive in this text and are written
here as $x_{ij}$ and $y_i$); $PL_{dc}$ is the level of
protection at the cost of information security in the
amount of $C$ and threats $D$.</p>
      <p>If we are talking about the need to maximize
the degree of protection of the company’s InR,
then we can use the following objective function:</p>
      <p>$$PL_c = \sum_{i=1}^{n}\sum_{j=1}^{m} s_j\, m_{ij}\, x_{ij} \to \max, \tag{3}$$
subject to the following boundary conditions:</p>
      <p>$$C = \sum_{i=1}^{n}\sum_{j=1}^{m} C_{ij}\, x_{ij} + \sum_{i=1}^{n} C_i\, y_i \leq C_d, \qquad \sum_{i=1}^{n} x_{ij} = 1,\ j \in J, \tag{4}$$
where $x_{ij} \in \{0; 1\}$, $y_i \in \{0; 1\}$.</p>
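      <p>The two formulations above, (1) with (2) and (3) with (4), as an added worked example that is not code from the paper or from the DSS it describes: an exhaustive search over every assignment of exactly one protection tool to each resource. The tool and resource names, costs, effectiveness scores and weights are constructed sample values, and treating a tool's fixed cost as incurred exactly when the tool protects at least one resource is an assumption of this example.</p>
      <preformat>
```python
"""Exhaustive solver for the ISS selection model of equations (1)-(4).

Added illustration; not code from the paper or from the DSS it describes.
All numbers below are constructed sample data.
"""
from itertools import product

TOOLS = ["firewall", "IDS", "DLP"]                        # i = 1..n (hypothetical)
RESOURCES = ["customer DB", "mail", "file share", "ERP"]  # j = 1..m (hypothetical)

C_IJ = [[4, 2, 3, 6],      # C_ij: cost of protecting resource j with tool i
        [5, 3, 2, 4],
        [7, 4, 4, 3]]
C_I = [10, 6, 8]           # C_i: cost of tool i for the whole set of resources
M_IJ = [[60, 70, 50, 40],  # m_ij: effectiveness of tool i on resource j, percent
        [70, 50, 80, 60],
        [90, 60, 70, 90]]
S_J = [4, 1, 2, 3]         # s_j: importance of resource j, in tenths (sum = 10)
# With these integer units the protection level PL lies on a 0..1000 scale,
# which keeps every comparison exact (no floating-point thresholds).


def evaluate(assign):
    """Return (cost C, protection PL) for one assignment.

    assign[j] = i encodes the binary choice "tool i protects resource j", so
    the constraint "exactly one tool per resource" holds by construction.
    Assumption of this example: the per-tool binary variable equals 1 exactly
    for the tools that appear in the assignment, so only they add C_i.
    """
    used = set(assign)
    cost = sum(C_IJ[i][j] for j, i in enumerate(assign))
    cost += sum(C_I[i] for i in used)
    protection = sum(S_J[j] * M_IJ[i][j] for j, i in enumerate(assign))
    return cost, protection


def _search(feasible, key):
    """Scan all n**m assignments; keep the feasible one with the largest key."""
    best = None
    for assign in product(range(len(TOOLS)), repeat=len(RESOURCES)):
        cost, protection = evaluate(assign)
        if not feasible(cost, protection):
            continue
        rank = key(cost, protection)
        if best is None or rank > best[0]:
            best = (rank, assign, cost, protection)
    if best is None:
        return None  # the boundary conditions cannot be met
    _, assign, cost, protection = best
    return {"assign": assign, "cost": cost, "protection": protection}


def min_cost(pl_required):
    """Problem (1)-(2): cheapest plan whose protection reaches pl_required."""
    return _search(lambda cost, pl: pl >= pl_required,
                   lambda cost, pl: (-cost, pl))


def max_protection(budget):
    """Problem (3)-(4): best-protected plan whose cost stays within budget."""
    return _search(lambda cost, pl: budget >= cost,
                   lambda cost, pl: (pl, -cost))


def describe(plan):
    """Render a plan as text, one line per resource."""
    if plan is None:
        return "no feasible plan"
    lines = [f"{RESOURCES[j]}: {TOOLS[i]}" for j, i in enumerate(plan["assign"])]
    lines.append(f"cost={plan['cost']} protection={plan['protection']}/1000")
    return "\n".join(lines)


if __name__ == "__main__":
    print("Minimum cost for protection of at least 840:")
    print(describe(min_cost(840)))
    print("\nMaximum protection within a budget of 30:")
    print(describe(max_protection(30)))
    print("\nProtection of at least 870:", describe(min_cost(870)))
```
      </preformat>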
      <p>The high dynamics of changes in the landscape
of cyber threats and the external environment for
modern companies that build many of their
business processes on the use of IT and IS dictates
its characteristics in the formation of a personnel
policy for information security specialists. The
purpose of this study is not a detailed study of the
problem of the effectiveness of the use of human
resources for information security in companies.</p>
      <p>We just want to emphasize that this is still little
studied and requires the close attention of
company leaders.</p>
      <p>In general, the set that formalizes the shortage
of human resources in the field of information
security of the company can be represented as
follows:</p>
      <p>PE = J , Pr,M , D (5)
where J is the set of InR of the company that
requires attention from the staff in the context of
information security; Pr− a set of properties that
an employee dealing with information security
issues for a specific InR should possess; M is
motivation to constantly improve the level of their
professional qualifications; D is set of threats that
require the response of a highly qualified
employee.</p>
      <p>Of course, this formalization of the model does
not take into account all aspects of the problem of
the shortage of staff of IS specialists in companies,
but it illustrates the importance of the task of
including intelligent DSS in the business process
loop, ready to take on some of the rather routine
work that a person has to perform in the daily
practice of providing IS in a company.</p>
      <p>The procedure for considering actual threats
and risks associated with the implementation of
these threats also requires separate modeling and
assessment.</p>
    </sec>
    <sec>
      <title>5. DSS Software Product “DSS Investing in Cybersecurity”</title>
      <p>
        The models described above have been
implemented in several software products. For
example, in the DSS “DSS investing in
cybersecurity” [
        <xref ref-type="bibr" rid="ref29 ref30">29, 30</xref>
        ].
      </p>
      <p>DSS “DSS investing in cybersecurity” is
intended for the online selection of optimal
strategies for investing in the company’s
information security tools. This task is solved in
the context of improving the security of corporate
information systems with the help of innovative
technologies based on the use of intelligent
decision support systems in the protection circuits
of CIS.</p>
      <p>The interface for experts to work with DSS
“DSS investing in cybersecurity” was developed
on ASP.NET Core MVC, see Figs. 2–4.</p>
      <p>For example, Figs. 2 and 3 show the results of
solving the optimization problem described by the
objective (1) and boundary conditions (2). In
addition to graphical output, the DSS also
generates textual output, shown at the top of the
screen.</p>
      <p>In Fig. 2, curve 2 (shown in yellow) shows
the trajectory of the distribution of financial
resources with a clear optimum. The extreme
value on the curve corresponds to the size of the
company’s financial resources, which will be
sufficient to minimize IS threats.</p>
      <p>
        Since the calculations are iterative, in the
following figure (see Fig. 3) you can see the
number of steps that were required to find the
optimum, for example, when using the solution
method based on the genetic algorithm [
        <xref ref-type="bibr" rid="ref31 ref32">31, 32</xref>
        ].
DSS. This solution was obtained using a modified
hierarchy analysis method. Fig. 4 shows the
results of a comparative analysis using three types
of antivirus software as an example: Avast, ESET
NOD32, and Windows Defender. The software is
compared on three parameters: cost, efficiency, and
complexity. The “DSS investing in cybersecurity”
DSS relieves the evaluation and selection
procedure of subjectivity, relying only on a clear
algorithmic comparison of all advantages and
disadvantages. Similar procedures can be
performed concerning other types of hardware
and software systems of information security
systems—firewalls, intrusion detection systems,
access control systems, etc.
      </p>
      <p>Although developing a set of models for
solving multi-criteria optimization problems
related to ensuring the company’s information
security is not the priority of this study, we
note that these tasks can be solved effectively only
through a synergistic combination of expert experience
and cybernetic modeling, which together ensure
prompt decision-making regarding the provision
of information security for the company.</p>
    </sec>
    <sec id="sec-6">
      <title>6. Discussion</title>
      <p>If the DSS is entrusted with solving problems
related to the optimization of information security,
then information security specialists within the
company can focus on solving organizational
problems.</p>
      <p>Such tasks include, for example, data backup
activities; isolation of information systems most
sensitive to threats; safe and secure destruction of
devices and data; centralized system management
and configuration management, etc.</p>
      <p>We also note that it is much easier for
information security specialists in the company
itself than for external specialists to track
personnel who have malicious motives. The
assistance of the DSS is also not required in
solving problems related to the motivation and
readiness of employees to participate in IS
training processes.</p>
      <p>DSS can also be effective in risk analysis and
assessment, business continuity plans, and
incident response, as well as to increase the
efficiency of CIS recovery procedures.</p>
      <p>The data of mathematical and economic
modeling with the help of DSS are transferred to
the company’s management for decision-making
at the strategic level of information security
management. The main task of management in
such a situation is to ensure a reasonable approach
to the formation of an information security policy.
Successful implementation of the information
security policy requires continuous vertical and
horizontal communication and coordination of the
needs of all stakeholders—information security
specialists, network administrators, management,
etc.</p>
      <p>Thus, organizational and economic support for
the effective protection of corporate information
becomes an integral part of information security
management procedures. Such a synergistic
approach demonstrates an adequate level of the
company’s information security maturity. The use
of DSS can be identified and developed as a
separate IS business function. Moreover, this
business function, in conjunction with traditional
approaches, will allow you to more quickly
identify the weak links in the company’s
information security.</p>
    </sec>
    <sec id="sec-7">
      <title>7. Conclusions</title>
      <p>The model that describes the procedure for
formalizing the task of optimizing the ISS of a
business entity (company) has been further
developed.</p>
      <p>Unlike existing approaches, the focus of this
study is on the mathematical-algorithmic and
computer support of the decision-making
procedure in matters of organizational and
economic support for the effective protection of
corporate information in the context of the tasks
of IS management of companies.</p>
      <p>The proposed approach enables the defense
side to most effectively determine the parameters
of organizational management of the company’s
information security infrastructure.</p>
      <p>The contour of the DSS in the process of
developing the company’s information security
infrastructure is considered. In the context of a
shortage of qualified experts in the field of
information security of companies, additions to
existing mathematical models are proposed. The
proposed additions make it possible to take into
account the impact of the human resources of
experts in information security issues on the
management of the company’s information
security infrastructure. Recommendations are
offered and the corresponding application
software—DSS is described. The use of this DSS
will help minimize the risks associated with the
lack of qualified IS experts in many companies.</p>
    </sec>
    <sec id="sec-8">
      <title>8. References</title>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1]
          <string-name>
            <given-names>J. H.</given-names>
            <surname>Beales III</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T. J.</given-names>
            <surname>Muris</surname>
          </string-name>
          ,
          <article-title>Choice or Consequences: Protecting Privacy in Commercial Information</article-title>
          ,
          <source>U. Chi. L. Rev.</source>
          <volume>75</volume>
          (
          <issue>109</issue>
          ) (
          <year>2008</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [2]
          <string-name>
            <given-names>V.</given-names>
            <surname>Astapenya</surname>
          </string-name>
          , et al.,
          <article-title>Last Mile Technique for a Wireless Delivery System using an Accelerating Lens</article-title>
          , in:
          <source>IEEE International Conference on Problems of Infocommunications. Science and Technology</source>
          (
          <year>2020</year>
          ). doi: 10.1109/picst51311.2020.9467886
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          [3]
          <string-name>
            <given-names>F.</given-names>
            <surname>Kipchuk</surname>
          </string-name>
          , et al.,
          <article-title>Assessing Approaches of IT Infrastructure Audit</article-title>
          , in:
          <source>IEEE 8th International Conference on Problems of Infocommunications, Science and Technology</source>
          (
          <year>2021</year>
          ). doi: 10.1109/picst54195.2021.9772181
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          [4]
          <string-name>
            <given-names>E.</given-names>
            <surname>Amir</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Levi</surname>
          </string-name>
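          ,
          <string-name>
            <given-names>T.</given-names>
            <surname>Livne</surname>
          </string-name>
          ,
          <article-title>Do Firms Underreport Information on Cyber-Attacks? Evidence from Capital Markets</article-title>
          ,
          <source>Review of Accounting Studies</source>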
          <volume>23</volume>
          (
          <issue>3</issue>
          ) (
          <year>2018</year>
          )
          <fpage>1177</fpage>
          -
          <lpage>1206</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          [5]
          <string-name>
            <given-names>V.</given-names>
            <surname>Grechaninov</surname>
          </string-name>
          , et al.,
          <article-title>Decentralized Access Demarcation System Construction in Situational Center Network</article-title>
          ,
          <source>in Workshop on Cybersecurity Providing in Information and Telecommunication Systems II</source>
          , vol.
          <volume>3188</volume>
          , no.
          <issue>2</issue>
          (
          <year>2022</year>
          )
          <fpage>197</fpage>
          -
          <lpage>206</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          [6]
          <string-name>
            <given-names>V.</given-names>
            <surname>Astapenya</surname>
          </string-name>
          , et al.,
          <article-title>Analysis of Ways and Methods of Increasing the Availability of Information in Distributed Information Systems</article-title>
          , in: 8th International Conference on Problems of Infocommunications, Science and Technology (
          <year>2021</year>
          )
          <fpage>174</fpage>
          -
          <lpage>178</lpage>
          . doi: 10.1109/PICST54195.2021.9772161
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          [7]
          <string-name>
            <given-names>D. I.</given-names>
            <surname>Dogaru</surname>
          </string-name>
          ,
          <string-name>
            <given-names>I.</given-names>
            <surname>Dumitrache</surname>
          </string-name>
          ,
          <article-title>Cyber Attacks of a Power Grid Analysis using a Deep Neural Network Approach</article-title>
          ,
          <source>Journal of Control Engineering and Applied Informatics</source>
          <volume>21</volume>
          (
          <issue>1</issue>
          ) (
          <year>2019</year>
          )
          <fpage>42</fpage>
          -
          <lpage>50</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          [8]
          <string-name>
            <given-names>V.</given-names>
            <surname>Krundyshev</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Kalinin</surname>
          </string-name>
          ,
          <article-title>Hybrid Neural Network Framework for Detection of Cyber Attacks at Smart Infrastructures</article-title>
          ,
          <source>in: Proceedings of the 12th International Conference on Security of Information and Networks</source>
          (
          <year>2019</year>
          )
          <fpage>1</fpage>
          -
          <lpage>7</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          [9]
          <string-name>
            <given-names>Y.</given-names>
            <surname>Iskanderov</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Pautov</surname>
          </string-name>
          ,
          <article-title>Comprehensive Intelligent Information Security Management System (CIISMS) for Supply Networks: The Actor-Network Perspective</article-title>
          ,
          <source>in: Proceedings of the Computational Methods in Systems and Software</source>
          (
          <year>2020</year>
          )
          <fpage>130</fpage>
          -
          <lpage>142</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          [10]
          <string-name>
            <given-names>I. H.</given-names>
            <surname>Sarker</surname>
          </string-name>
          , et al.,
          <article-title>Cybersecurity Data Science: An Overview from Machine Learning Perspective</article-title>
          ,
          <source>Journal of Big Data</source>
          <volume>7</volume>
          (
          <issue>1</issue>
          ) (
          <year>2020</year>
          )
          <fpage>1</fpage>
          -
          <lpage>29</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          [11]
          <string-name>
            <given-names>B.</given-names>
            <surname>Akhmetov</surname>
          </string-name>
          , et al.,
          <article-title>Development of Sectoral Intellectualized Expert Systems and Decision Making Support Systems in Cybersecurity</article-title>
          ,
          <source>in: Proceedings of the Computational Methods in Systems and Software</source>
          (
          <year>2018</year>
          )
          <fpage>162</fpage>
          -
          <lpage>171</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          [12]
          <string-name>
            <given-names>H.</given-names>
            <surname>Naseer</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S. B.</given-names>
            <surname>Maynard</surname>
          </string-name>
          ,
          <string-name>
            <given-names>K. C.</given-names>
            <surname>Desouza</surname>
          </string-name>
          ,
          <article-title>Demystifying Analytical Information Processing Capability: The Case of Cybersecurity Incident Response</article-title>
          ,
          <source>Decision Support Systems</source>
          <volume>143</volume>
          (
          <year>2021</year>
          )
          <fpage>113476</fpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          [13]
          <string-name>
            <given-names>A.</given-names>
            <surname>Couce-Vieira</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D. R.</given-names>
            <surname>Insua</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Kosgodagan</surname>
          </string-name>
          ,
          <article-title>Assessing and Forecasting Cybersecurity Impacts</article-title>
          ,
          <source>Decision Analysis</source>
          <volume>17</volume>
          (
          <issue>4</issue>
          ) (
          <year>2020</year>
          )
          <fpage>356</fpage>
          -
          <lpage>374</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>
          [14]
          <string-name>
            <given-names>N. N.</given-names>
            <surname>Akimov</surname>
          </string-name>
          , et al.,
          <article-title>Mathematical Model of the Decision Support System for Ensuring Cybersecurity of the IED of the APCS of NPP</article-title>
          .
          <source>In Information Systems and Technologies IST-2020</source>
          (
          <year>2020</year>
          )
          <fpage>36</fpage>
          -
          <lpage>40</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>
          [15]
          <string-name>
            <given-names>N.</given-names>
            <surname>Tissir</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S. El</given-names>
            <surname>Kafhali</surname>
          </string-name>
          ,
          <string-name>
            <given-names>N.</given-names>
            <surname>Aboutabit</surname>
          </string-name>
          ,
          <article-title>Cybersecurity Management in Cloud Computing: Semantic Literature Review and Conceptual Framework Proposal</article-title>
          ,
          <source>Journal of Reliable Intelligent Environments</source>
          <volume>7</volume>
          (
          <issue>2</issue>
          ) (
          <year>2021</year>
          )
          <fpage>69</fpage>
          -
          <lpage>84</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>
          [16]
          <string-name>
            <given-names>S. E.</given-names>
            <surname>Donaldson</surname>
          </string-name>
          , et al.,
          <article-title>Measuring a Cybersecurity Program</article-title>
          . In Enterprise Cybersecurity (
          <year>2015</year>
          )
          <fpage>213</fpage>
          -
          <lpage>229</lpage>
          . doi: 10.1007/978-1-4302-6083-7_12
        </mixed-citation>
      </ref>
      <ref id="ref17">
        <mixed-citation>
          [17]
          <string-name>
            <given-names>M.</given-names>
            <surname>Ekstedt</surname>
          </string-name>
          , et al.,
          <article-title>SecuriCAD by Foreseeti: A CAD Tool for Enterprise Cyber Security Management</article-title>
          ,
          <source>in: IEEE 19th International Enterprise Distributed Object Computing Workshop</source>
          (
          <year>2015</year>
          )
          <fpage>152</fpage>
          -
          <lpage>155</lpage>
          . doi: 10.1109/edocw.2015.40
        </mixed-citation>
      </ref>
      <ref id="ref18">
        <mixed-citation>
          [18]
          <string-name>
            <given-names>N. M.</given-names>
            <surname>Radziwill</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M. C.</given-names>
            <surname>Benton</surname>
          </string-name>
          ,
          <article-title>Cybersecurity cost of quality: Managing the costs of cybersecurity risk management</article-title>
          (
          <year>2017</year>
          ). arXiv:1707.02653.
        </mixed-citation>
      </ref>
      <ref id="ref19">
        <mixed-citation>
          [19]
          <string-name>
            <given-names>S.</given-names>
            <surname>Al-Dhahri</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Al-Sarti</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Abdul</surname>
          </string-name>
          ,
          <article-title>Information security management system</article-title>
          ,
          <source>International Journal of Computer Applications</source>
          <volume>158</volume>
          (
          <issue>7</issue>
          ) (
          <year>2017</year>
          )
          <fpage>29</fpage>
          -
          <lpage>33</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref20">
        <mixed-citation>
          [20]
          <string-name>
            <given-names>V. A.</given-names>
            <surname>Lakhno</surname>
          </string-name>
          ,
          <article-title>Development of a Support System for Managing the Cyber Security</article-title>
          ,
          <source>Radioelectronics, Informatics, Management</source>
          <volume>2</volume>
          (
          <year>2017</year>
          )
          <fpage>109</fpage>
          -
          <lpage>116</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref21">
        <mixed-citation>
          [21]
          <collab>Business Advantage</collab>
          .
          <source>The State of Industrial Cybersecurity</source>
          <year>2017</year>
          (
          <year>2017</year>
          ). URL: https://go.kaspersky.com/rs/802-IJN240/images/ICSWHITE PAPER.pdf
        </mixed-citation>
      </ref>
      <ref id="ref22">
        <mixed-citation>
          [22]
          <collab>Senseon</collab>
          .
          <source>The State of Cyber Security-SME Report</source>
          <year>2019</year>
          . URL: https://www.cbronline.com/wpcontent/uploads/dlm_uploads/2019/08/ White_paper_ 1.pdf
        </mixed-citation>
      </ref>
      <ref id="ref23">
        <mixed-citation>
          [23]
          <string-name>
            <given-names>G.</given-names>
            <surname>Cassar</surname>
          </string-name>
          ,
          <string-name>
            <given-names>B.</given-names>
            <surname>Gibson</surname>
          </string-name>
          ,
          <article-title>Forecast Rationality in Small Firms</article-title>
          ,
          <source>Journal of Small Business Management</source>
          <volume>45</volume>
          (
          <issue>3</issue>
          ) (
          <year>2007</year>
          )
          <fpage>283</fpage>
          -
          <lpage>302</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref24">
        <mixed-citation>
          [24]
          <string-name>
            <given-names>S. E.</given-names>
            <surname>Chang</surname>
          </string-name>
          ,
          <string-name>
            <given-names>C. B.</given-names>
            <surname>Ho</surname>
          </string-name>
          ,
          <article-title>Organizational Factors to the Effectiveness of Implementing Information Security Management</article-title>
          ,
          <source>Industrial Management &amp; Data Systems</source>
          (
          <year>2006</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref25">
        <mixed-citation>
          [25]
          <string-name>
            <given-names>D. N.</given-names>
            <surname>Burrell</surname>
          </string-name>
          ,
          <article-title>An Exploration of the Cybersecurity Workforce Shortage</article-title>
          ,
          in:
          <source>Cyber Warfare and Terrorism: Concepts, Methodologies, Tools, and Applications</source>
          (
          <year>2020</year>
          )
          <fpage>1072</fpage>
          -
          <lpage>1081</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref26">
        <mixed-citation>
          [26]
          <string-name>
            <given-names>T.</given-names>
            <surname>Ohta</surname>
          </string-name>
          , et al.,
          <article-title>Cybersecurity Solutions for Major International Events</article-title>
          ,
          <source>Fujitsu Scientific &amp; Technical Journal</source>
          ,
          <volume>54</volume>
          (
          <issue>4</issue>
          ) (
          <year>2018</year>
          )
          <fpage>57</fpage>
          -
          <lpage>65</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref27">
        <mixed-citation>
          [27]
          <string-name>
            <given-names>K.</given-names>
            <surname>Prislan</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Mihelič</surname>
          </string-name>
          ,
          <string-name>
            <given-names>I.</given-names>
            <surname>Bernik</surname>
          </string-name>
          ,
          <article-title>A Real-World Information Security Performance Assessment using a Multidimensional Socio-Technical Approach</article-title>
          ,
          <source>PloS one</source>
          <volume>15</volume>
          (
          <issue>9</issue>
          ) (
          <year>2020</year>
          )
          <elocation-id>e0238739</elocation-id>
          .
        </mixed-citation>
      </ref>
      <ref id="ref28">
        <mixed-citation>
          [28]
          <string-name>
            <given-names>I.</given-names>
            <surname>Bernik</surname>
          </string-name>
          ,
          <string-name>
            <given-names>K.</given-names>
            <surname>Prislan</surname>
          </string-name>
          ,
          <article-title>Measuring Information Security Performance with 10 by 10 Model for Holistic State Evaluation</article-title>
          ,
          <source>PloS one</source>
          <volume>11</volume>
          (
          <issue>9</issue>
          ) (
          <year>2016</year>
          )
          <elocation-id>e0163050</elocation-id>
          . doi: 10.1371/journal.pone.0163050
        </mixed-citation>
      </ref>
      <ref id="ref29">
        <mixed-citation>
          [29]
          <string-name>
            <given-names>B.</given-names>
            <surname>Akhmetov</surname>
          </string-name>
          , et al.,
          <article-title>Conceptual Diagram of an Intelligent Decision Support System in the Process of Investing in Cybersecurity Systems</article-title>
          ,
          <source>Journal of Theoretical and Applied Information Technology</source>
          <volume>99</volume>
          (
          <issue>18</issue>
          ) (
          <year>2021</year>
          )
          <fpage>4297</fpage>
          -
          <lpage>4310</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref30">
        <mixed-citation>
          [30]
          <string-name>
            <given-names>V.</given-names>
            <surname>Lakhno</surname>
          </string-name>
          , et al.,
          <article-title>Model for Supporting Decisions of Investors, Taking into Consideration Multifactoriality and Turnover</article-title>
          ,
          <source>Communications in Computer and Information Science</source>
          <volume>1388</volume>
          (
          <year>2021</year>
          )
          <fpage>525</fpage>
          -
          <lpage>535</lpage>
          . doi: 10.1007/978-3-030-71503-8_40
        </mixed-citation>
      </ref>
      <ref id="ref31">
        <mixed-citation>
          [31]
          <string-name>
            <given-names>A.</given-names>
            <surname>Kalizhanova</surname>
          </string-name>
          , et al.,
          <article-title>Optimization Model of Adaptive Decision Taking Support System for Distributed Systems Cyber Security Facilities Placement</article-title>
          ,
          <source>International Journal of Electronics and Telecommunications</source>
          ,
          <volume>66</volume>
          (
          <issue>3</issue>
          ) (
          <year>2020</year>
          )
          <fpage>493</fpage>
          -
          <lpage>498</lpage>
          . doi: 10.24425/ijet.2020.134004
        </mixed-citation>
      </ref>
      <ref id="ref32">
        <mixed-citation>
          [32]
          <string-name>
            <given-names>V.</given-names>
            <surname>Lakhno</surname>
          </string-name>
          , et al.,
          <article-title>Allocation of Organizational and Financial Resources of the Information Protection Side Using a Genetic Algorithm</article-title>
          ,
          <source>Lecture Notes in Networks and Systems</source>
          <volume>228</volume>
          (
          <year>2021</year>
          )
          <fpage>41</fpage>
          -
          <lpage>53</lpage>
          . doi: 10.1007/978-3-030-77448-6_5
        </mixed-citation>
      </ref>
      <ref id="ref33">
        <mixed-citation>
          [33]
          <string-name>
            <given-names>V.</given-names>
            <surname>Lakhno</surname>
          </string-name>
          , et al.,
          <article-title>Models for Forming Knowledge Databases for Decision Support Systems for Recognizing Cyberattacks</article-title>
          .
          <source>Intelligent Computing and Optimization. ICO 2020. Advances in Intelligent Systems and Computing</source>
          <volume>1324</volume>
          (
          <year>2021</year>
          ). doi: 10.1007/978-3-030-68154-8_42
        </mixed-citation>
      </ref>
      <ref id="ref34">
        <mixed-citation>
          [34]
          <string-name>
            <given-names>V.</given-names>
            <surname>Lakhno</surname>
          </string-name>
          , et al.,
          <article-title>Selection of a Rational Composition of Information Protection Means Using a Genetic Algorithm</article-title>
          , Intelligent Communication Technologies and Virtual Mobile Networks.
          <source>Lecture Notes on Data Engineering and Communications Technologies</source>
          <volume>131</volume>
          (
          <year>2023</year>
          ). doi: 10.1007/978-981-19-1844-5_2
        </mixed-citation>
      </ref>
      <ref id="ref35">
        <mixed-citation>
          [35]
          <string-name>
            <given-names>T. V.</given-names>
            <surname>Eaton</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J. H.</given-names>
            <surname>Grenier</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Layman</surname>
          </string-name>
          ,
          <article-title>Accounting and Cybersecurity Risk Management</article-title>
          ,
          <source>Current Issues in Auditing</source>
          <volume>13</volume>
          (
          <issue>2</issue>
          ) (
          <year>2019</year>
          )
          <fpage>C1</fpage>
          -
          <lpage>C9</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref36">
        <mixed-citation>
          [36]
          <string-name>
            <given-names>A.</given-names>
            <surname>Al-Moshaigeh</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Dickins</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J. L.</given-names>
            <surname>Higgs</surname>
          </string-name>
          ,
          <article-title>Cybersecurity Risks and Controls: Is the AICPA's SOC for Cybersecurity a Solution?</article-title>
          <source>The CPA Journal</source>
          <volume>89</volume>
          (
          <issue>6</issue>
          ) (
          <year>2019</year>
          )
          <fpage>36</fpage>
          -
          <lpage>41</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref37">
        <mixed-citation>
          [37]
          <string-name>
            <given-names>M. A.</given-names>
            <surname>Mamoshina</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A. I.</given-names>
            <surname>Demidenko</surname>
          </string-name>
          ,
          <article-title>Organizational Support of the IT Infrastructure Management Process in the Information Security System at the Enterprise</article-title>
          .
          <source>In Actual Problems of Social and Humanitarian Research in Economics and Management</source>
          (
          <year>2018</year>
          )
          <fpage>367</fpage>
          -
          <lpage>373</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref38">
        <mixed-citation>
          [38]
          <string-name>
            <given-names>B.</given-names>
            <surname>Alhayani</surname>
          </string-name>
          , et al.,
          <article-title>Best Ways Computation Intelligent of Face Cyber Attacks</article-title>
          ,
          <source>Materials Today</source>
          (
          <year>2021</year>
          ).
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>