Applied system for assessing information security risks

Purpose. An applied information security risk assessment system that takes CVSS (versions 2.0 and 3.0) threat and vulnerability indicator values from the corresponding public vulnerability databases as its inputs, in place of expert assessments. This makes it possible to monitor and assess the risks of an information system, including in real time, without involving experts in the relevant subject area.

Scope. The applied system can be used to build information security management systems, integrated information protection systems, etc.

Advantages. Today there is a wide range of risk assessment (RA) tools, in the form of methodologies, software and other support. When selecting or developing them, specialists face a number of questions: how the initial values for RA are determined, which mathematical apparatus the system embeds, in what cyber environment the assessment is carried out, what time limits apply to carrying out RA, whether the system can be adapted to user requirements, and so on. Such tools, as a rule, rely on statistical data about incidents involving violations of the security of information system resources. It should be noted, however, that the national regulatory framework does not help enterprises and institutions establish an effective process for collecting such data, which limits the usefulness of the available RA tools. In practice, situations also often arise in which operational RA must be carried out in real time without involving the experts mentioned above, and the available methods and assessment techniques do not provide this possibility. The developed system can perform its calculations as a client on the Internet, using the values of the threat and vulnerability indicators from the NVD database during RA. The presented RA system can, for example, be used to extend the functionality of the corresponding computing tools in the form of the software tool “RISK_CALCULATOR”, so that it operates in real time over the Internet.

Description. This is an applied software model of a risk assessment system that combines a high degree of functional integration, adaptability, flexibility and ease of use for effectively solving risk assessment problems both in a deterministic environment and in a fuzzy, weakly formalized one, with the ability to operate in real time because its inputs are taken from the NVD database rather than from expert surveys.
