$$N_a(t) = \sum_{m=1}^{3} N_a^{(m)}.$$

When $E^{(m)}$ is equal to zero of vulnerability and faults, the average number of vulnerabilities and faults will be estimated as (Eq. (23))

There is a probability of a number of vulnerabilities and faults (Eq. (24)):

$$P_n(t) = \frac{[N_a(t)]^n}{n!}\, e^{-N_a(t)}. \tag{24}$$

Thus, the probability of the absence of vulnerabilities and faults is (Eq. (25))

$$P_0(t) = e^{-N_a(t)}. \tag{25}$$

Figure 5. Model of changes in the state of security of the information system, taking into account the staff activities.

In general, based on the proposed models, it is proposed to estimate the security of the information system $P_{IS}(t)$, taking into account the impact of staff qualifications and psychological conditions, as (Eq. (26))

$$P_{IS}(t) = P_{Sec}(t) + P_0(t)\,\bigl(1 - P_{Sec}(t)\bigr), \tag{26}$$

where $P_{Sec}(t)$ is estimated from Eq. (3).

3. Example of using models

Let us consider an information system consisting of a router X and a file server running the operating system Y. Authorized users connect to the router over Wi-Fi and access files according to the access permission system.

In this information system, confidentiality, integrity, and availability are provided by means of a router and a server running the operating system Y.

It is possible to infringe the security of the information system by disrupting the operation of any of the components responsible for confidentiality, integrity, and availability.

As practical studies [12] of 802.11 wireless networks have shown, when calculating the probability values of the security criteria it is advisable to take noise-immune coding into account when estimating integrity, modulation efficiency and the bandwidth usage technology when estimating availability, and the cryptographic strength of encryption when estimating confidentiality. Then the expression for the probability of ensuring the security of information takes the form (Eq. (28)):

$$p(\text{Sec}) = p(I) \cdot p(A/I) \cdot p(C/IA),\tag{28}$$

where

$$p(I) = p(\text{coding\_immunity}),\tag{29}$$

$$p(A) = p(\text{Effect\_of\_modulation} \times \text{technology\_use\_of\_frequencies}),\tag{30}$$

$$p(C) = p(\text{cryptographic\_strength\_of\_encryption}),\tag{31}$$

With a more detailed representation of the parameters (Eq. (32)):

$$p(I) = p(r, R), \tag{32}$$

$$p(A) = p(S, \text{SNR}, V_m, p_{er}, \text{parameter\_t}), \tag{33}$$

$$p(C) = p\left(N, p_{\text{vulnerability}}, \text{com}\right),\tag{34}$$

where R is the coding rate, r is the relative redundancy of coding, S is the spectral efficiency, SNR is the signal-to-noise ratio, $V_m$ is the modulation rate, C is the real throughput, $p_{er}$ is the probability of a bit error, parameter\_t is a parameter that estimates the effectiveness of the selected technology for the use of the frequency band, N is the number of possible combinations with the selected encryption (coding), $p_{\text{vulnerability}}$ is the probability of the protocol's vulnerability, and com is the password complexity. This makes it possible to choose the most flexible algorithm for modeling an information system with the required level of security [9].

Thus, there are perhaps five more ways of writing and using this expression for the product of dependent probabilities. Perhaps because of the complexity of modeling a network with a large number of parameters in the above expressions, experts believe that in the proposed formula for calculating security the probability of availability should come first, followed by the conditional probability of confidentiality, and then by the conditional probability of integrity.

If security is ensured by ensuring integrity first, then confidentiality given integrity, and then availability given integrity and confidentiality, the expression for the probability of network security will take the following form (Eq. (35)):

$$p(\text{Sec}) = p(I) \cdot p(C/I) \cdot p(A/IC),\tag{35}$$

and so on.

It is fair to use whichever variant of these expressions makes the security calculation more advantageous under the corresponding conditions described above. For different networks, the probabilities of the security criteria will be described by different physical expressions with different numbers of parameters [5, 12].

For different information systems at different stages of the technological process that they implement, it may be expedient to differentiate the priority of providing information security criteria (integrity, availability, confidentiality), including the exclusion of some of them. For example, in information retrieval systems that provide users with a legislative basis or a database of threats, it is primarily necessary to ensure the integrity and availability of information, while ensuring confidentiality is not required, since the information is publicly available.

Obtaining probability values is a separate research area and requires a separate assessment technique [12]. Values of the probability of ensuring integrity, availability, and confidentiality for various information systems are given in Table 1. These values are obtained on the basis of practical experience [21].

Table 2 shows the average time to resolve vulnerabilities and faults for components of various information systems.

Table 3 provides statistics on the intensity of vulnerability and fault detection for components of various information systems.

| Probability p(Sec) | Availability | Confidentiality | Integrity |
|---|---|---|---|
| For Case 1 | 0.85 | 0.88 | 0.86 |
| For Case 2 | 0.74 | 0.85 | 0.9 |
| For Case 3 | 0.91 | 0.82 | 0.64 |

Table 1. Probabilities of ensuring integrity, availability, and confidentiality.

| T<sub>a</sub> | Availability | Confidentiality | Integrity |
|---|---|---|---|
| For Case 1 | 0.019 | 0.016 | 0.023 |
| For Case 2 | 0.04 | 0.021 | 0.3 |
| For Case 3 | 0.01 | 0.001 | 0.03 |

Table 2. Average time and speed of vulnerability and malfunction elimination.

| λ | Availability | Confidentiality | Integrity |
|---|---|---|---|
| For Case 1 | 0.00366 | 0.002 | 0.0077 |
| For Case 2 | 0.001 | 0.0047 | 0.01781 |
| For Case 3 | 0.00146 | 0.0023 | 0.00724 |

Table 3. Statistics of the intensity of vulnerability and fault detection for components of the information system.

Let ObjA (the object of the IPI) be the staff, possessing Sub<sup>1</sup>, the relation to any facts, events, phenomena, and members of a society [11]; Sub<sup>2</sup>, a mental state [11]; and Sub<sup>3</sup>, the physiological state of the staff [11]. Sub<sup>1</sup>, Sub<sup>2</sup>, and Sub<sup>3</sup> have intersecting sets of properties (concentration, fatigue, understanding, emotionality, etc.).

Using Eq. (14), it is proposed to estimate the reaction to the information-psychological impact. Depending on the characteristics of the staff, the reaction can be either stable (staff can do their duties; their effectiveness is defined by Eq. (19)) or unstable (staff is incapable). In the case of an unstable reaction, the graph of the reaction level of the staff is periodic; in the case of a stable reaction, the graph of the reaction level of the staff will not be periodic. Figure 6 presents examples of the dependence of the level of staff reaction on the information and psychological impact.

Let the staff in question have the following characteristics, obtained from the results of the psychological tests of Eysenck: F = 16, F<sup>0</sup> = 10, A = 4, and R = 9. It is also assumed that the staff, while under the IPI, will not purposefully violate the technical and software components of the information system.

Using Eq. (26), it is proposed to estimate the probability of the security of the information system. Figure 7a–c shows the probability of the security of the information system, depending on the coefficient of staff work and their state, for the first, second, and third cases.
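The orderings of the dependent-probability product in Eqs. (28) and (35) and the staff correction of Eqs. (25) and (26) can be checked numerically. The following is an added example, not code from the chapter: the joint distribution is constructed for illustration, the function names are hypothetical, the Table 1 entries are assumed to be the three factors of Eq. (28), and N_a is passed in as a number because its expression is not reproduced here.

```python
from itertools import permutations
from math import exp, prod

NAMES = ("I", "A", "C")

# Constructed joint distribution over (I, A, C); 1 means the criterion is ensured.
# Illustrative values only, not data from the chapter.
JOINT = {
    (1, 1, 1): 0.62, (1, 1, 0): 0.10, (1, 0, 1): 0.08, (1, 0, 0): 0.06,
    (0, 1, 1): 0.05, (0, 1, 0): 0.04, (0, 0, 1): 0.03, (0, 0, 0): 0.02,
}

# Table 1 of the chapter: (availability, confidentiality, integrity) per case.
TABLE_1 = {
    "Case 1": (0.85, 0.88, 0.86),
    "Case 2": (0.74, 0.85, 0.90),
    "Case 3": (0.91, 0.82, 0.64),
}


def prob_all(indices):
    """Probability that every criterion listed in `indices` is ensured."""
    return sum(p for outcome, p in JOINT.items()
               if all(outcome[i] == 1 for i in indices))


def chain_rule(order):
    """p(X1) * p(X2/X1) * p(X3/X1X2) for one ordering, as in Eqs. (28) and (35)."""
    result, given = 1.0, ()
    for i in order:
        result *= prob_all(given + (i,)) / prob_all(given)
        given += (i,)
    return result


def all_orderings():
    """All six ways of writing the product; each must equal p(I, A, C)."""
    return {"".join(NAMES[i] for i in order): chain_rule(order)
            for order in permutations(range(3))}


def independent_product():
    """Product of the marginals; equals p(Sec) only for independent criteria."""
    return prob_all((0,)) * prob_all((1,)) * prob_all((2,))


def p_sec_from_table(case):
    """Assumption: the Table 1 entries are the three factors of Eq. (28)."""
    return prod(TABLE_1[case])


def p_is(p_sec, n_a):
    """Eq. (26) with P0 = exp(-N_a) from Eq. (25)."""
    p0 = exp(-n_a)
    return p_sec + p0 * (1.0 - p_sec)


if __name__ == "__main__":
    for name, value in all_orderings().items():
        print(f"ordering {name}: p(Sec) = {value:.4f}")
    print(f"product of marginals: {independent_product():.4f}")
    for case in TABLE_1:
        ps = p_sec_from_table(case)
        row = ", ".join(f"N_a={n}: {p_is(ps, n):.3f}" for n in (0.0, 0.5, 2.0))
        print(f"{case}: p(Sec) = {ps:.4f}; P_IS -> {row}")
```

All six orderings give the same value, while the plain product of marginals does not when the criteria are dependent; P_IS moves from p(Sec) toward 1 as N_a falls to zero.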



Figure 6. The level of the subject's reaction to information and psychological impact.


Figure 7. Probability of the information system security, depending on the employees' workload and their condition [(1) optimal condition, (2) fatigue status, (3) state of stressful activity, (4) stressful condition (impact on staff)].


Figure 8. Probability of the information system security at the level of staff qualification is equal to 1, depending on the condition of the staff [(1) optimal condition, (2) state of fatigue, (3) state of tense activity, (4) stressful condition (impact on staff)].

At first, the results of IPI on staff are not apparent, so the graphics are depicted from 1 hour of the operation of the information system.

It can be seen from the graph that upgrading the skills of staff leads to an increase in the probability of security of the information system. Thus, the high qualification of the staff can compensate the information and psychological effects on the staff and their fatigue from prolonged activities.

Figure 8a–c shows the probability of security of the information system for the first, second, and third cases, respectively, if the staff qualification level is equal to one, depending on the condition of the staff. Figure 8d shows the probability of the security of the information system for the third case, taking into account the recess for recovery. However, the time for the restoration process itself was not taken into account. Figure 8e shows an enlarged transition fragment after recovery for Figure 8d. A time interval equal to the average working day was taken for consideration.

At the initial stage of operation in a stressed state, the probability of ensuring the security of the information system is higher than in the optimal state, but this is a temporary effect; as can be seen from Figure 8a, with prolonged operation in the stressed state, the probability of the information system security is lower than in the optimal state. In the optimal state, the probability of ensuring the security of the information system is higher than if staff are in a state of fatigue or under the influence of IPI in a stressful state. Figure 8d shows that if the staff use the break to restore their original characteristics, the probability of the information system security increases.

For example, on December 23, 2015 [1], Ukrainian power companies experienced unscheduled power outages impacting a large number of customers in Ukraine. The outages experienced on December 23, 2015, were caused by external cyber attackers. After extensive reconnaissance of the victim networks, a telephone TDoS attack was conducted on staff. As a result, staff did not notice in time that substations had been disconnected. Exemplary actions of cyber malefactors and psychological conditions of staff are shown in the time diagram of Figure 9.

Figure 9. Time diagram of exemplary actions of cyber malefactors and psychological conditions of staff.

The results obtained coincide with the data obtained in the course of practical activity by interviewing the staff and owners of information systems, which confirms the effectiveness of the proposed model for estimating the level of information security of systems based on probabilistic analysis of the impact of their staff's qualifications and psychological state.

Thus, to ensure the security of the information system, it is essential to take into account the abilities of staff. It is necessary to take into account the qualification of staff, which can change the probability of security of the information system, characterized by its technical and functional construction according to Eq. (1), from the value p(Sec) up to 1, and to monitor the condition of the staff, keeping them in an optimal working condition with breaks.

characteristics. Their permanent use in system life cycle helps to increase information security and decrease a potential danger of "human factor."

Author details

Igor Goncharov<sup>1</sup>\*, Nikita Goncharov<sup>1</sup>, Pavel Parinov<sup>1</sup>, Sergey Kochedykov<sup>2</sup> and Alexander Dushkin<sup>2</sup>

\*Address all correspondence to: goncharov@infobez.org

1 JSC "NGO" Infosecurity, Voronezh, Russia

2 Voronezh Institute of the Federal Penitentiary Service of Russia, Voronezh, Russia

References

[1] Cyber-Attack Against Ukrainian Critical Infrastructure. Available from: https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01

[2] Deev V. Methods of modulation and coding in modern communication systems. SPb: Science. 2007. 207 p

[3] Fress P, Piaget J. Experimental Psychology (Ed.-Comp.) Moscow: Progress; 1975. pp. 120-125

[4] Feer K. Methods of Modulation and Spreading the Spectrum. Moscow: Radio and Communication; 2000. 518 p

[5] Gnedenko B. Course of the theory of Probability. Moscow: Editorial URSS; 2007. 448 p

[6] Goncharov I, Demyanenko N, Khachumov A, Nozdrachev S. Analysis of the possibilities and systematization of technical means characterizing the construction of a channel for information and psychological impact. In: Proceedings of the Russian Scientific and Technical Conference. Voronezh: Publishing house VSU; 2009. p. 168-174

[7] Goncharov I, Demyanenko N, Mishina Y. Formalization of the Process of Information-psychological Influence. Vestnik VGU, System Analysis and Information Technologies. Voronezh: Publishing house VSU; 2012;2(36):41

[8] Goncharov I, Demyanenko N, Mishina Y. Possibility of modeling the process of information-psychological impact with the help of neural networks. In: XIII International Scientific-methodical Conference "Informatics: Problems, Methodology, Technologies". Voronezh: Publishing house VSU; 2013

[9] Goncharov I, Gerasimenko V, Vorobyova E, Dmitriev Y. Technical Means of Ensuring Information Security. Voronezh: VSTU; 2004

[10] Goncharov I, Mishina Y. Description of the approach to the representation of the states of objects and subjects of the process of information-psychological impact with the help of
