Algorithm for Conducting Information Security Audit in Organizations Based on a Multilevel Model Based on Graph Theory
Abstract
This paper presents a multi-level topological model, built on graph theory, for auditing the information security of critical information infrastructure (CII) objects. The model accounts for resource costs, test information-technical effects (ITE), vulnerability levels, potential damage, and the elements of the audited object. It allows optimal testing scenarios to be identified by an "efficiency/cost" criterion and supports the formation of comprehensive test sets for thorough audit coverage. An algorithm implementing the model was developed; it constructs the graph across the hierarchical layers and applies Dijkstra's shortest-path algorithm to find the most cost-effective information-technical effects. A software tool written in C# visualizes the graph, manages input data, and dynamically computes optimal audit paths and damage estimates. A comparative analysis sets out the strengths and limitations of the graph-based model against traditional audit methods: compliance audits, risk assessments, penetration tests, and automated monitoring. The graph-based approach is distinguished by its flexibility, scientific foundation, and ability to prioritise critical vulnerabilities and to audit efficiently where resources are constrained.
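The following is an added illustration of the selection step the abstract describes, not code from the paper or its C# tool. It builds a small layered graph (source, ITE, vulnerability, object element) from constructed sample data, runs Dijkstra from the source to obtain the cheapest chain of effects reaching each element, ranks the resulting scenarios by damage/cost, and picks a test set under a resource budget. Every node name, edge cost and damage value is hypothetical, and the particular layering is one reading of the abstract's model, not the paper's definition.

```python
"""Toy multilevel audit graph with Dijkstra-based scenario selection.

Layers, chosen here to mirror the abstract's description (assumption):
  source -> ITE          weight = resource cost of applying the effect
  ITE -> vulnerability   weight = extra effort to exploit the vulnerability
  vulnerability -> element  weight = effort to reach the object element
All weights must be non-negative for Dijkstra to be valid.
"""
import heapq
from collections import defaultdict

# Constructed sample data (hypothetical): weights are audit resource cost units.
LAYERED_EDGES = {
    ("source", "ite_phish"): 2,
    ("source", "ite_scan"): 1,
    ("source", "ite_dos"): 3,
    ("ite_phish", "vuln_weak_creds"): 1,
    ("ite_scan", "vuln_open_smb"): 2,
    ("ite_scan", "vuln_weak_creds"): 4,
    ("ite_dos", "vuln_no_ratelimit"): 1,
    ("vuln_weak_creds", "elem_hmi"): 1,
    ("vuln_open_smb", "elem_historian"): 1,
    ("vuln_open_smb", "elem_hmi"): 3,
    ("vuln_no_ratelimit", "elem_gateway"): 2,
}

# Constructed potential damage per object element (hypothetical units).
DAMAGE = {"elem_hmi": 50, "elem_historian": 20, "elem_gateway": 30}


def build_graph(edges):
    """Adjacency list from the (u, v) -> weight edge map."""
    adj = defaultdict(list)
    for (u, v), w in edges.items():
        if w < 0:
            raise ValueError(f"negative cost on {u}->{v}; Dijkstra requires w >= 0")
        adj[u].append((v, w))
    return adj


def dijkstra(adj, start):
    """Single-source shortest paths; returns (distance, predecessor) maps."""
    dist = {start: 0}
    prev = {}
    heap = [(0, start)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, float("inf")):
            continue  # stale heap entry
        for v, w in adj.get(u, ()):
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(heap, (nd, v))
    return dist, prev


def path_to(prev, start, target):
    """Reconstruct the cheapest chain source -> ITE -> vulnerability -> element."""
    path = [target]
    while path[-1] != start:
        path.append(prev[path[-1]])
    return path[::-1]


def rank_scenarios(edges, damage, start="source"):
    """One scenario per reachable element, ordered by damage/cost (ties: cheaper first)."""
    adj = build_graph(edges)
    dist, prev = dijkstra(adj, start)
    scenarios = []
    for elem, dmg in damage.items():
        if elem not in dist:
            continue  # no modeled ITE chain reaches this element: flag, do not rank
        cost = dist[elem]
        scenarios.append({
            "element": elem,
            "cost": cost,
            "damage": dmg,
            "efficiency": dmg / cost,
            "path": path_to(prev, start, elem),
        })
    scenarios.sort(key=lambda s: (-s["efficiency"], s["cost"]))
    return scenarios


def select_within_budget(scenarios, budget):
    """Greedy pick by efficiency until the audit budget would be exceeded."""
    chosen, spent = [], 0
    for s in scenarios:
        if spent + s["cost"] <= budget:
            chosen.append(s["element"])
            spent += s["cost"]
    return chosen, spent


if __name__ == "__main__":
    ranked = rank_scenarios(LAYERED_EDGES, DAMAGE)
    for s in ranked:
        print(f"{s['element']:15} cost={s['cost']} damage={s['damage']} "
              f"eff={s['efficiency']:.1f} path={' -> '.join(s['path'])}")
    print("within budget 9:", select_within_budget(ranked, 9))
```

Two caveats a practitioner should keep in mind: the cheapest path to an element is not the only path, so a coverage-oriented test set may need the next-cheapest chains as well, and the greedy budget selection is a knapsack heuristic, not an optimum.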
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.