CYBER SECURITY CULTURE LEVEL ASSESSMENT MODEL IN THE INFORMATION SYSTEM

Abstract

The paper sets the task of formalizing the processes of assessing the culture of cybersecurity of the information system of the organization. The basis is a comprehensive model that takes into account the technical and organizational parameters of the information system and the risks associated with them. The level of security culture of the information system is assessed on the basis of building an additive model. The model includes the characteristics of system state clusters. Clusters are formed on the basis of arrays of factors that correspond to different classes of information security culture. Classes are formed on the basis of sets of factors. Their impact is assessed using the severity of the consequences for the level of cybersecurity of the information system. In addition, the probability of manifestation of this factor in a particular information system is determined. The value of coefficients and probability distributions for each cluster and set of factors is estimated by expert methods and on the basis of a survey. A feature of the formation of arrays of factors is the inclusion in each cluster of a factor that reflects the passive behavior of the user to negative factors. Thus, the model introduces the probability of rejection of negative factors and the probability of ideal behavior for the formation of the appropriate class of threats. It is proposed to determine the average weights of the factors of the level of influence on the cybersecurity of the information system on the basis of the weighted average indicator. A method of estimating weights based on the equally probable distribution of negative factors within the cluster