
Cyber Security Risk Modeling in Distributed Information Systems

1
Department of Cybersecurity and Information Protection, Taras Shevchenko National University of Kyiv, 01-601 Kyiv, Ukraine
2
Department of Intelligent Technologies, Taras Shevchenko National University of Kyiv, 01-601 Kyiv, Ukraine
3
Department of Automation and Robotic Systems, National University of Life and Environmental Sciences of Ukraine, 03-041 Kyiv, Ukraine
4
Department of Mechanics and Agroecosystems Engineering, Polissia National University, 10-008 Zhytomyr, Ukraine
5
Department of Production Engineering, Logistics and Applied Computer Science, University of Agriculture in Krakow, 30-149 Krakow, Poland
6
National Academy of Applied Sciences in Przemyśl, 37-700 Przemysl, Poland
7
Department of Energy Saving Technologies and Energy Management, Educational and Scientific Institute of Energy, Higher Educational Institution “Podillia State University”, 32-316 Kamianets-Podilskyi, Ukraine
8
Department of Agronomy, Modern Technologies and Informatics, International University of Applied Sciences in Lomza, 18-402 Lomza, Poland
*
Authors to whom correspondence should be addressed.
Appl. Sci. 2023, 13(4), 2393; https://doi.org/10.3390/app13042393
Submission received: 11 January 2023 / Revised: 4 February 2023 / Accepted: 8 February 2023 / Published: 13 February 2023

Abstract

This paper deals with the development and security of distributed information systems. It explores the challenges of risk modeling in such systems and suggests a risk-modeling approach that is responsive to the requirements of complex, distributed, and large-scale systems. The article provides aggregate information on various risk assessment methodologies, such as quantitative, qualitative, and hybrid methods, a comparison of their advantages and disadvantages, and an analysis of the possibility of their application in distributed information systems. It also presents research on a comprehensive, dynamic, and multilevel approach to cyber risk assessment and modeling in distributed information systems based on security metrics and techniques for their calculation, which provides sufficient accuracy and reliability of risk assessment and demonstrates an ability to solve problems of intelligent classification and risk assessment modeling for large arrays of distributed data. The paper considers the main issues and recommendations for using risk assessment techniques based on the suggested approach.

1. Introduction

Information security management has an increasingly important place in the operation of almost any organization that uses modern technologies for collecting, storing, and processing information [1]. This process is based on the periodic analysis of information risks, which allows for the identification of security threats and information system vulnerabilities and the implementation of appropriate measures to neutralize them. As a result, the state of information security in the organization is constantly monitored for new threats and vulnerabilities [2].
The information security (IS) risk management process should be continuous considering the external and internal circumstances of assessing the identified IS risks [3]. Classical approaches for assessing IS risks are based on statistical and expert assessment methods that do not fully provide the required accuracy and reliability for obtaining results, especially when used in complex multicomponent systems [4,5]. Due to the limitations of a quantitative approach to assessing IS risks, as a rule, a qualitative approach is applied based on ranking threats and associated IS risks according to their threat level [6,7]. Risk assessment allows us to identify possible threats and vulnerabilities, and accordingly determine the potential impact.
This study aims to explore the opportunities of using intelligent models for the assessment of IS risks. The paper proposes a complex method of IS risk assessment based on the analysis of metadata and metrics that characterize the distributed information system. The approach proposed in this paper is based on decision tree models [8] and solves the problem of intelligent events classification and modeling the assessment of IS risks for large data sets [9]. This allows for a comprehensive assessment of IS risks in any sized infrastructure or information assets without being tied to a specific information platform, network equipment, or software and hardware.

2. Literature Review and Problem Statement

2.1. Research Background

Every business is regularly exposed to the risk of unexpected, unpredictable information security events that can cause financial losses and significant damage to a company’s infrastructure or reputation. The risk management process reduces both the likelihood of potential security incidents and their impact on existing business processes. Effective risk management is aimed at optimizing the company’s success (including financial success) by minimizing threats [10,11,12,13].
According to the Deloitte research “Cyber risk reporting in the UK 2016”, 87% of companies consider cybersecurity risks a key factor in strategic business process planning (Figure 1). At the same time, the main areas today are the risks associated with cybercrime and information security threats (over 72% of respondents consider them a priority), data theft (33%), protection of confidential information (59%), and failure of IT infrastructure elements (71%) [14].
Literature review in this area has shown that risk assessment is one of the most difficult and urgent tasks in the process of information security management. There are no generally accepted approaches and methods for risk assessment [15,16,17,18]. Also, the risk assessment procedure is a time-consuming task. Performing the analysis manually, using office tools, is almost impossible due to the large amount of information for processing and the high probability of obtaining weak results.
Modern risk management techniques are based on the use of the probability of threats, damage, and vulnerabilities. However, in most cases, information security experts conduct the assessment in the form of verbal formulations and then associate them with numerical values, using their own experience. This method of obtaining risk assessments significantly limits the possibilities of the methodology in general, as risk factors (threat, vulnerability, and damage) are analyzed using heuristic methods, resulting in different data if the examination was conducted by different experts. Therefore, confidence in the expert’s assessment may be debatable [19].
On the other hand, most risk analysis methods today focus on calculating only technical vulnerabilities, which does not allow for adequately assessing the economic aspects of the impact (Figure 2) [20]. Marsh and Microsoft’s 2022 Global Cyber Risk study is currently underway [21].
Another problem that risk experts may face is the complexity and large infrastructures of modern organizations and the widespread implementation of distributed information systems. Even for a medium-sized company, the number of assets can reach tens of thousands. And this in turn creates problems associated with the analysis of information resources of the organization and data aggregation from different sources in conditions of data allocation and general functional distribution. Moreover, information systems have a distributed architecture consisting of a large number of components. Collection and analysis of metadata and metrics about their work significantly complicate the process of risk analysis. Modern techniques are slow and do not provide the desired result. The evaluation process takes a long time, which is accompanied by a rapid loss of relevance [22].
Research in the field of risk management was carried out by Ukrainian and Polish researchers A. Trihuba, T. Hutsol, M. Kubon et al. [23,24]. The study [23] concerns stakeholder risk management in integrated projects of the European Green Deal. The article substantiates the need to develop tools (models, methods, and algorithms) for quantitative risk assessment of each type of project (e.g., agricultural waste and their components and justification of risk response).
The article [24] is devoted to planning and risk analysis in projects for the procurement of agricultural raw materials for the production of environmentally friendly fuel.
Australian researchers [25] have proven that business improvement and the efficiency of project processes in various areas can be achieved by managing risks, costs, uncertainty, and requirements in the early stages of a project.
These studies have become important achievements that can be used as tools for managing technologically integrated projects, including modeling cybersecurity risks in distributed information systems for various applications.
Despite wide distribution and popularity, the state of development of this topic in world science remains quite low. Classical approaches to evaluation, which are covered in the relevant literature, do not provide the desired effect in the analysis of large data sets and are more conceptual in nature. At the same time, almost no attention is paid to modern techniques based on the application of the neural network approach and intelligent models of risk assessment. Today, more and more companies are resorting to implementing an approach to information security management using intelligent models combined with expert assessment methods, which demonstrates excellent results in the context of rapidly changing IT threats.

2.2. Distributed Information Systems Overview

According to Andrew S. Tanenbaum, there is no generally accepted and strict definition of a distributed system [26,27,28]. The key parameter defining a distributed system is the separation of its functions among several computers. With this approach, distributed information systems are geographically dispersed systems consisting of interacting computers and terminals connected by data transmission channels. A distributed system is much larger and more powerful than typical centralized systems due to the combined capabilities of its distributed components. Examples of distributed systems include computer networks, distributed databases, real-time process control systems, and distributed information processing systems.
Key characteristics of distributed systems are as follows.
  • Resource sharing
  • Openness
  • Transparency
  • Concurrency
  • Scalability
  • High performance
  • Reliability
  • Fault Tolerance
At the same time, distributed systems have some disadvantages and weaknesses.
  • Increased system response time
  • Difficulty controlling remote elements
  • Difficulty to develop, debug and use
  • Additional efforts to ensure information security
Such systems are characterized by operating under random factors and negative influences of various natures, by active interaction with the external environment, and by the costly consequences of possible violations or errors in their work. Organizing cybersecurity risk assessment in distributed systems involves solving a set of problems related to functional distribution and hierarchy, a high degree of resource parallelization, and an almost complete absence of centralized management. Thus, the scientific and applied task of studying cybersecurity risk assessment models in distributed information systems (DIS) is relevant today and requires in-depth research.
Examples of practical implementation of distributed information systems in the agriculture, energy, and financial sectors are described in many studies by Ukrainian researchers, e.g., N. Kiktev, V. Osypenko, V. Kraevsky et al. [29,30,31,32]. In [29], software was developed for a distributed information system for diagnosing the quality of electricity consumers using cloud technologies. The synchrophasor technology (ST) used there typically relies on input from phasor measurement units (PMUs) for monitoring. Energy facilities are vulnerable to various cyber attacks and, moreover, often represent critical infrastructure. According to statistics, in just one month of 2021, 19% of industrial systems in Ukraine were subjected to various types of attacks. The threats were primarily associated with network attacks and attacks on user workstations. In 2016, a successful attack was carried out on the Severnaya substation; the entire control system then went out of order and most of Kyiv was de-energized [33]. The most dangerous are attacks on nuclear facilities, including nuclear power plants. In 2009, the Stuxnet worm got into the network of one of the Iranian nuclear plants via a flash drive and modified the control software so that the calibration program failed and the centrifuges went into resonance and broke down, thus sabotaging the entire nuclear program [33].
Distributed intelligent information systems include multi-agent robotic systems described in studies by Russian [34,35,36], Ukrainian [37,38], and Malaysian [39] researchers. Robotic systems have their own information security risks. Nearly 50 vulnerabilities have been discovered in the code of industrial robots and cobots. These vulnerabilities can be used to harm employees or for espionage. The units can be controlled remotely by changing their configuration, which is especially dangerous when a camera and microphone are installed. Industrial espionage and changes to safety settings are also possible, allowing cobots to leave restricted areas and disabling the sensors that are meant to stop them when they come into contact with people.
Most modern devices are connected to the Internet and can be controlled from a phone, which makes them easy targets. It is generally accepted that any device or piece of software connected to the Internet should be considered vulnerable to hacking.

2.3. Risk Assessment Process in Distributed Information Systems

Nowadays, any organization under the adopted information security policy must regularly assess the risks and threats to the data for which it is responsible.
According to the analysis, enterprises can classify their systems (servers, endpoints, applications, etc.) by the risk category of potential security incidents. The risk assessment process is iterative and includes three main groups of activities: the collection of data and policies, risk assessment based on their analysis, and decision support (Figure 3) [40,41,42].
The main stages of risk analysis and management are as follows:
  • defining the boundaries of the system and risk assessment methodology;
  • identification and evaluation of information resources of the system;
  • identification of threats and assessment of the probabilities of their implementation;
  • risk identification and choice of remedies;
  • applying remedies and assessing the residual risk.
The main purpose of risk management is to maintain the risks at an acceptable level for the organization. Many companies prefer to finance the prevention measures while neglecting risk assessment, processing, response planning, and other aspects of risk management.
The analysis of IS risks allows us to determine the necessary and sufficient set of information security tools, choose the appropriate methodology and organizational mechanisms to reduce IS risks, and, as a result, ensure the process of building the most effective information security management system (ISMS) [43].

2.4. Core Standards and Guidelines

Nowadays, each progressive country is developing several standards in the field of IS risk analysis and assessment.
These are primarily international and national standards for risk management—ISO/IEC 31000, COSO II, FERMA, KING II, information security assessment and management—ISO/IEC 27001, ISO/IEC 27005: 2018, ISO/IEC 17799, BS7799, NIST 800-30, BSI-Standard 200-3, ISO/IEC 15408, and auditing standards that reflect information security issues—COBIT, SAS 55/78, SAC, etc.
However, most standards are conceptual and provide recommendations without a clear explanation of how to implement security measures, which encourages companies to develop their methods and approaches to assessing IS risks (Figure 4) [44,45,46,47,48,49]. This is caused by the fact that the existing approaches and methods are general, based on statistical evaluation, and do not provide the desired result.
After reviewing modern approaches to risk assessment and management and analyzing the existing regulatory framework, we can conclude that the problem of analysis and assessment of information risks in distributed systems as an important part of the information security management system, serves as the main mechanism for security incident prevention and plays an important role in justifying decisions not only of a strategic nature but also at the stage of short-term planning.

2.5. Main Approaches to Risk Assessment

There are two main approaches to risk analysis—qualitative and quantitative [50,51,52].
  • Quantitative risk analysis is a numeric estimate of the overall effect of risk on the project objectives, such as cost and schedule.
  • Qualitative risk analysis prioritizes the identified project risks using a pre-defined rating scale and involves identifying threats and their potential impacts if they materialize.
The most attractive, at first glance, is the quantitative approach, which allows comparing the security of different systems using a numerical scale and a mathematical representation of the found values, but its implementation is complicated for a few reasons and limitations [53,54].
In this regard, a qualitative approach is currently used for risk analysis. It provides a simple ranking of threats and associated risks according to their severity. Probability data is not required and only the estimated potential loss is used. Most qualitative risk analysis methodologies use several elements: vulnerabilities, threats, and controls. This is the most widely used approach to risk analysis in distributed systems nowadays [55].
The article [56] presents a systematic mapping review (SMR) of tools that automate the cybersecurity risk assessment step, based on research published between 2012 and 2020. The paper provides an update on the automation of the risk assessment phase. In addition, it identifies the variables taken into account by the models of international organizations: ISO, NIST, OWASP, etc. The model helps to assess risks regardless of the size of the organization and takes into account the opinions and improvements provided by cybersecurity experts. However, this paper does not present the other risk management steps (risk treatment, monitoring, and analysis) that will be needed to develop new cybersecurity risk management models.
The article [57] considers the cyber risks of a critical transport infrastructure implemented using IoT technology, which can become a target for many threats due to its cyber-physical nature. The new approach uses decision scales and importance indices to help stakeholders assess the level of vulnerability, the source of the threat, and the physical impact. Monte Carlo simulation results have shown that IoT-enabled transport infrastructure is prone to cyber-physical attacks when a threat source can physically access the IoT devices, resulting in high risk levels.
In the article [58], the authors present a generic configurable SCADA system dependency model that captures complex dependencies within a system and facilitates targeted risk assessment. The model was developed by collecting and analyzing dependencies in the SCADA system from 36 experts in the field. The authors demonstrated how dependency modeling can be used for risk assessment using the example of a SCADA system for water distribution. However, there is no comparison of SCADA DM with other emerging target models of the SCADA system.

2.6. Disadvantages of Classical Approaches

Classical approaches based on statistical or expert assessment methods do not provide sufficient accuracy and reliability in risk assessment.
The disadvantages of classical approaches are as follows:
  • insufficient accuracy and reliability of the assessment;
  • difficulty in assessing damage to intangible assets (reputation, the confidentiality of information, ideas, business plans, staff health, etc.);
  • depreciation of the results of long-term quantitative risk assessment due to constant modification and reconfiguration of the automated system;
  • difficulty in assessing indirect losses;
  • and lack of reliable statistics in the rapidly changing IT world.
Moreover, if 20 years ago the problem of collecting and aggregating system metrics and metadata about information assets was acute because of the imperfection of the existing methods and the lack of the necessary logging mechanisms, today, with the growing popularity of SIEM systems, we face the problem of promptly analyzing large distributed data sets and actively responding to potential threats to information security. Operational decisions must be made under rapidly changing technology and the emergence of new threats [59].
Risk assessment and prediction of potential threats in these conditions require a dynamic multifactor analysis of the system’s distributed metadata in real-time using an intelligent models approach.

3. The Aim and Objectives of the Study

Thanks to the methods of information theory, it is possible to form and calculate fairly accurate parameters that reflect the degree of security of any object or system. However, a comprehensive assessment of the degree of protection often has to rely on expert methods for those parameters that cannot be calculated using a theoretical and informational approach. The conditions necessary for the use of intelligent models are uncertain because of the lack of information on the complexity of the system and the scarcity of available, high-quality information about it [60].
This research aims to increase the efficiency of cybersecurity risk assessment in DIS by developing a methodology for determining the risk of critical information security incidents based on a dynamic multifactor analysis of distributed information system metadata using intelligent assessment models. To achieve this goal, the following research objectives are set:
  • Analysis of existing methods and approaches to risk assessment and identification of their advantages and disadvantages.
  • Analysis of the possibility of applying different methods of intelligent assessment for tasks related to determining the risk of critical information security incidents in distributed information systems.
  • Simulation modeling of the process of calculating the level of IS risk based on the dynamic, multifactor analysis of distributed metadata and metrics of the information system.
  • Creation of a scalable risk assessment methodology for any information assets without reference to a specific platform, network equipment, or software, which will conduct a comprehensive risk assessment for the infrastructure of any size, regardless of the number of information assets.
  • Development of an analytical software module that provides a dynamic, comprehensive, and easily scalable approach to the evaluation of multifactor data of the information system and can be integrated into appropriate information security monitoring systems.
To achieve this, the authors used simulation methods for calculating the level of IS risk using intelligent assessment models, Decision Tree algorithm, and Scikit Learn library toolkit, and research of information system metadata and methods of their intelligent analysis.

4. Materials and Methods

Solving the problems of information security that exist in modern systems is not limited to a technological approach [61,62,63]. This process requires the creation of a structured assessment methodology for the implementation of preventive measures that will be effective in reducing risks regardless of the environment of the studied object [64,65,66].

4.1. Requirements for the Evaluation Method

The proposed method of risk analysis should provide a comprehensive approach to assessment based on a multifactor study of all distributed indicators and parameters that could potentially affect the security of the information system. It should include the analysis of metadata and system metrics of various kinds coming from all available data log sources and provide a dynamic calculation of the level of risk in real time for each network asset [61].
The developed method should solve the following tasks:
  • Provide a scalable solution for comprehensive risk assessment of infrastructure of any size, regardless of the number of network assets.
  • Conduct a dynamic, multifactorial, and holistic analysis of distributed metadata and metrics of the information system, which will solve the problem of incomplete information about the components of risk and the studied system in general.
  • Ensure unification and standardization of the analysis process for the valuation of any network information assets without reference to a specific platform, network equipment, or software.
  • Maintain the relevance of the analysis results by reducing the duration of the evaluation process.
  • Solve the problem of data aggregation from different sources.
  • Rely on intellectual evaluation for continuous improvement of results, rapid adaptation, and identification of new risk vectors.

4.2. Criteria for Risk Criticality

The following criteria for risk criticality can be identified.
Low-risk level
  • The system processes and/or stores public data that is shared.
  • The system is easily restored and reproduced.
  • The system provides a non-critical information service.
Moderate-risk level
  • The system processes and/or stores non-public data or data with limited access.
  • The system is internally trusted by other network systems.
  • The system provides a normal or important information service.
High-risk level
  • The system processes and/or stores confidential information.
  • The system provides a critical information service or information service of a comprehensive nature.

4.3. Choosing the Method of Intellectual Evaluation

A comparative analysis of cyber risk assessment methods is given in [67]. The authors tested the same data set with different classifiers (naive Bayes, logistic, multilayer perceptron, SMO, IBk, AB, OneR, PART, J48, and random forest). The results obtained in this work show that tree-based machine learning methods may be suitable for the task of thread-based intrusion detection, showing better classification speeds than other, more complex algorithms and requiring less execution time (allowing several hundred thousand threads/s to be processed). In this regard, the Decision Tree method was chosen to solve our problem and assess security risks.
Decision trees are a decision support tool widely used in data mining, mathematical statistics, and machine learning. It is an algorithm suitable for both regression and classification problems and is considered one of the most useful supervised machine learning algorithms, as it can be used to solve a variety of problems. It is easy to understand, fast (because it tests only one feature per node to split the data), and, unlike many other machine learning algorithms, works effectively with nonlinear data, which makes it well suited to the multifactor analysis of distributed metadata (Figure 5).
Also, decision trees can process both numerical and categorical data and do not require pre-processing. The algorithm allows for assessing the reliability of the model and easily explaining the result using simple boolean logic, as well as easily visualizing the results. But one of the most important advantages is the ability to work with a large amount of information without special training procedures, which is perfect for analyzing metrics of distributed systems.

4.4. Development of Assessment Methodology

To make the right and balanced decision, information system risks must be correctly identified and assessed in terms of the damage they can cause and the probability of their occurrence. The loss analysis determines the degree of risk impact on the company’s IT assets and the business processes they support. The assessment may be based on the identification and analysis of vulnerabilities inherent in IT assets and threats that can be implemented through the exploitation of these vulnerabilities. Thus, risk assessment includes the identification of assets, vulnerabilities, threats, their probabilities, and consequences.
The developed assessment methodology is presented as a diagram in Figure 6.
A threat and vulnerability assessment must be performed for each network asset.
Threat identification (Figure 6, block 1) is a process of finding all the factors that can damage the assets of the organization. Threats can be accidental or intentional in nature and have a natural or human origin. After identifying the source of the threat and the objects to which it applies, it is necessary to assess its probability on a quantitative or qualitative scale (high, medium, or low probability) [68,69,70,71].
Within the proposed approach threat assessment is performed using the Classification Decision Tree algorithm (Figure 6, block A) and correlated to the global knowledge base of adversary tactics, techniques, and procedures—MITRE ATT&CK Matrix (Figure 6, block B).
$T = f_1(x_1, x_2, \dots, x_n),$
where $x_i$ are the distributed metadata and metrics of the information system, $i = 1, \dots, n$, and $n$ is the suspected threat number.
Identification of vulnerabilities (Figure 6, block 3) includes the identification of weaknesses in the protection system that can be used by the source of threat to damage assets. Vulnerabilities can be both technical (hardware, software, system configuration, communication equipment, physical environment, etc.) and organizational (management; personnel, business processes, and procedures). The vulnerability itself does not cause harm, as it requires a threat that can exploit it. The result of this step should be a list of vulnerabilities with an assessment of the ease of use of each vulnerability on a quantitative or qualitative scale.
The “Vulnerabilities” metric is used to assess vulnerabilities within the proposed approach. It shows the number of vulnerabilities found for a given network asset. The information is retrieved from the QRadar Vulnerability Manager (Figure 6, block E) and generated based on the results of the OpenVAS scanner (Open Vulnerability Assessment System).
$V = f_2(x_v),$
where $x_v$ is the “Vulnerabilities” metric.
Asset identification (Figure 6, block 2) is a process related to the inventory of all resources of the organization, the determination of the value of these assets, and the assessment of their impact. At this step, the assets are classified by priority in terms of their importance for the company’s business objectives and the cost of recovery.
At the stage of asset valuation, it is necessary to normalize the structure of the network and select the most important segments with a greater weight coefficient (where the level of potential losses (Figure 6, block D) during threat implementation is higher). The main parameter that allows assessing the criticality of the asset for the infrastructure is the metric “Type”,
$A = f_3\left(\sum_{i=1}^{7} a_i\right),$
where
$a_1$—criticality;
$a_2$—sensitivity;
$a_3$—fault tolerance;
$a_4$—reproducibility;
$a_5$—quantity;
$a_6$—quality;
$a_7$—economic value.
Assets of primary importance for companies are servers, POS terminals, and the other critical infrastructure listed in Table 1.
At this stage, it is necessary to develop a scale measuring the importance of information resources (Figure 6, block C), which will take into account the weighting factor that reflects the potential loss in the case of a threat implementation for a particular information asset.
The calculation must be performed for each network asset. It should be noted that when assessing the resulting level of risk, the scales for different assets will differ [63,72,73]. This step involves the construction of a risk matrix for each type of resource, according to which the risk level is assessed (Figure 7).
When all input parameters have been collected and analyzed, the resulting risk score R is assessed. It is calculated as a function of the input parameters and represents the sum of the expected adverse effects that may occur if the threat is realized through exploitation of an existing vulnerability of the asset:
$$R = F(T, V, A),$$
where
$R$ is the risk level;
$T$ is the threat assessment;
$V$ is the vulnerability assessment;
$A$ is the asset valuation.
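The paper defines $R = F(T, V, A)$, $V = f_2(x_v)$ and $A = f_3(\sum a_i)$ but does not publish the functions themselves. The following is an added illustration, not the authors' code: it instantiates the three functions with assumed weights, thresholds and per-asset-type risk matrices, so that the same threat and vulnerability count yields a different risk level for a critical server than for a low-value workstation, which is the "scales for different assets will differ" point above.

```python
"""Illustrative instantiation of the Section 4.4 model R = F(T, V, A).

f2, f3, F, the 1..3 rating scale, the thresholds and the matrices are assumptions
made for this example; the paper does not specify them.
"""

LEVELS = ("Low", "Medium", "High")

# The seven attributes a1..a7 of the "Type" metric, each rated 1..3 here, where 3
# means the attribute makes the asset more important to the business (assumed scale).
ASSET_ATTRIBUTES = ("criticality", "sensitivity", "fault_tolerance", "reproducibility",
                    "quantity", "quality", "economic_value")


def to_level(score, thresholds=(0.4, 0.7)):
    """Map a 0..1 score onto the three-point qualitative scale (thresholds assumed)."""
    if score < thresholds[0]:
        return "Low"
    if score < thresholds[1]:
        return "Medium"
    return "High"


def asset_valuation(attrs, weights=None):
    """A = f3(sum a_i): weighted sum of the seven ratings, normalised by the maximum
    attainable sum so the result does not depend on the scale of the weights."""
    weights = weights or {name: 1.0 for name in ASSET_ATTRIBUTES}
    weighted = sum(weights[name] * attrs[name] for name in ASSET_ATTRIBUTES)
    maximum = 3 * sum(weights.values())
    return to_level(weighted / maximum)


def vulnerability_assessment(vuln_count):
    """V = f2(x_v): bucket the per-asset "Vulnerabilities" count (in the paper taken
    from QRadar Vulnerability Manager / OpenVAS). Bucket edges are assumptions."""
    if vuln_count <= 0:
        return "Low"
    if vuln_count <= 5:
        return "Medium"
    return "High"


# One T x V risk matrix per asset valuation level (rows: T, columns: V).
# Matrices for more valuable assets escalate faster; this is how the per-resource
# risk matrices of Figure 7 make the scale differ between assets.
RISK_MATRICES = {
    "Low":    (("Low", "Low", "Medium"),
               ("Low", "Medium", "Medium"),
               ("Medium", "Medium", "High")),
    "Medium": (("Low", "Medium", "Medium"),
               ("Medium", "Medium", "High"),
               ("Medium", "High", "High")),
    "High":   (("Medium", "Medium", "High"),
               ("Medium", "High", "High"),
               ("High", "High", "High")),
}


def risk_level(threat, vuln_count, attrs, weights=None):
    """R = F(T, V, A): pick the matrix selected by A and read cell (T, V)."""
    A = asset_valuation(attrs, weights)
    V = vulnerability_assessment(vuln_count)
    return RISK_MATRICES[A][LEVELS.index(threat)][LEVELS.index(V)]


# Constructed assets: a payment server (Table 1 names servers and POS terminals as
# critical) and a disposable test workstation, facing the same threat and vulnerabilities.
PAYMENT_SERVER = {name: 3 for name in ASSET_ATTRIBUTES}
TEST_WORKSTATION = {name: 1 for name in ASSET_ATTRIBUTES}

if __name__ == "__main__":
    for label, asset in (("payment server", PAYMENT_SERVER),
                         ("test workstation", TEST_WORKSTATION)):
        print(f"{label}: A={asset_valuation(asset)}, "
              f"R={risk_level('Medium', 3, asset)} for T=Medium, 3 vulnerabilities")
```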

4.5. Model Input

The input data of the model is a set of distributed metadata and metrics of information systems from IBM QRadar SIEM and additional monitoring resources (Table 2):
QRadar API-Reference Set;
QRadar API-Reference Map;
QRadar API-Reference Table;
QRadar API-Reference Map of Sets;
QRadar API-Vulnerability Manager;
QRadar API-Network hierarchy;
QRadar API-User Behavior Analytics (UBA);
QRadar API-Searches;
QRadar API-Offences;
QRadar API-Log Sources;
Active Directory-QRadar Reference Table with LDAP exported content (using the «Reference Data Import—LDAP» app);
McAfee ePolicy Orchestrator;
CMDB sync;
DNS.
At this stage, the most important parameters that characterize each of the elements of a distributed system are identified and their relationship is analyzed.

4.6. Model Training

The practical implementation of the analytical module is based on the scikit-learn library. The result of the simulation is a mathematical model that predicts the level of threats to a particular information asset from various network metrics [74,75].
A dataset with 13,520 records was used to train the neural network component. The initial number of analyzed metrics is 235. Using principal component analysis, 67 informative parameters were identified. These are the predictors based on which the target attribute is calculated.
The initial dataset was divided into a training set (75% of the initial data) and a test set (25%). The piloting data is a numerical matrix of dimension m × (n + 1), in which the number of rows m corresponds to the size of the training sample, the first n columns hold the values of the model's input variables, and the last column holds the value of the output variable.
Although there are no formal recommendations for the number of rows of the test sample matrix, it is assumed that the quality of learning of the neural network and, consequently, the accuracy of the results obtained is proportional to the size of the training sample. In our case, for the analysis of the threat level, the number of columns is 68 at the initial stage and changes dynamically with the number of categorical metrics, which grows in proportion to the volume of the training set.
A fragment of the test (or pilot) sample is shown in Table 3.
Some informative parameters require additional processing before they can be presented to the model, because the scikit-learn toolkit for building neural networks cannot accept input in categorical (text) format or process it further. Most metrics are categorical, so at this stage they must be vectorized.

4.7. Solution Adequacy Check

To confirm the adequacy of the proposed solution, we calculated the accuracy score of the neural network component and constructed the confusion matrix to visualize the performance and efficiency of the classification algorithm (Figure 8).
With classification into three classes (Low, Medium, and High), the confusion matrix has dimension 3 × 3. The expected and actual results coincide in the following cases: Low/Low (16 times), Medium/Medium (3 times), and High/High (1 time). Misclassification is observed in the following cases: Low/Medium (4 times) and Medium/High (1 time); other combinations do not occur in this example.
The model accuracy score is calculated as the ratio of correct results to the total number: (16 + 3 + 1)/25 × 100% = 80%.
It can be concluded that the model is well suited to describe real processes occurring in the system, as its accuracy is 80%.
It was found that the depth of the constructed decision tree is 6, and the number of possible end nodes is 11 (Figure 9).
After analyzing the graph, it is possible to estimate which metrics of the distributed system are the most informative and contribute most to the threat-level indicator and, as a result, to the associated risk level. In conclusion, the most important attributes for determining the resulting score are the last login date, the operating system type, and the last scan or mapping date.
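The data-preparation step of Section 4.6 (categorical metrics vectorized into an m × (n + 1) matrix and split 75/25) and the evaluation step of Section 4.7 (confusion matrix and accuracy) are shown together in the following added example, written in plain Python and not taken from the paper's software module. The sample records and their metric names (os_type, last_login, last_scan) are constructed, modelled on the attributes the paper names as most informative; the confusion-matrix counts are the paper's own, read as expected/actual with the expected class first.

```python
"""Vectorization, train/test split and confusion-matrix evaluation (Sections 4.6, 4.7).

Only the standard library is used, so the matrix can be fed to any estimator later.
"""

LABELS = ("Low", "Medium", "High")
TARGET = "threat_level"

# Constructed sample: one record of categorical metrics per network asset.
SAMPLE_RECORDS = [
    {"os_type": "Windows", "last_login": "<30d", "last_scan": "<7d",  TARGET: "Low"},
    {"os_type": "Linux",   "last_login": "<30d", "last_scan": "<7d",  TARGET: "Low"},
    {"os_type": "Windows", "last_login": ">90d", "last_scan": "<7d",  TARGET: "Medium"},
    {"os_type": "Linux",   "last_login": ">90d", "last_scan": ">30d", TARGET: "High"},
    {"os_type": "Windows", "last_login": "<30d", "last_scan": ">30d", TARGET: "Medium"},
    {"os_type": "Linux",   "last_login": "<30d", "last_scan": "<7d",  TARGET: "Low"},
    {"os_type": "Windows", "last_login": ">90d", "last_scan": ">30d", TARGET: "High"},
    {"os_type": "Linux",   "last_login": ">90d", "last_scan": "<7d",  TARGET: "Medium"},
]


def vectorize(records, target=TARGET):
    """One-hot encode every categorical metric (estimators need numbers) into the
    m x (n+1) matrix of Section 4.6: n indicator columns, then the target class
    encoded as its index in LABELS. Returns the column names and the matrix."""
    keys = sorted(k for k in records[0] if k != target)
    columns = [f"{k}={v}" for k in keys for v in sorted({r[k] for r in records})]
    matrix = []
    for r in records:
        active = {f"{k}={r[k]}" for k in keys}
        matrix.append([1 if c in active else 0 for c in columns] + [LABELS.index(r[target])])
    return columns, matrix


def split_train_test(matrix, train_fraction=0.75):
    """Deterministic 75/25 split as in Section 4.6 (shuffle first on real data)."""
    cut = round(len(matrix) * train_fraction)
    return matrix[:cut], matrix[cut:]


def confusion_matrix(expected, actual):
    """Rows: expected class, columns: predicted class, both in LABELS order."""
    cm = [[0] * len(LABELS) for _ in LABELS]
    for e, a in zip(expected, actual):
        cm[LABELS.index(e)][LABELS.index(a)] += 1
    return cm


def accuracy(cm):
    """Correct predictions (the diagonal) over all predictions."""
    correct = sum(cm[i][i] for i in range(len(cm)))
    return correct / sum(map(sum, cm))


def recall_per_class(cm):
    """Share of each expected class that was predicted correctly; None if unseen."""
    return {LABELS[i]: (cm[i][i] / sum(cm[i]) if sum(cm[i]) else None)
            for i in range(len(cm))}


def underestimated(cm):
    """Cases predicted at a lower level than expected (cells below the diagonal):
    the errors a defender cares about most, because they hide risk."""
    return sum(cm[i][j] for i in range(len(cm)) for j in range(i))


def paper_test_results():
    """Rebuild the 25 expected/actual pairs from the counts reported in Section 4.7."""
    counts = {("Low", "Low"): 16, ("Medium", "Medium"): 3, ("High", "High"): 1,
              ("Low", "Medium"): 4, ("Medium", "High"): 1}
    pairs = [pair for pair, n in counts.items() for _ in range(n)]
    return [e for e, _ in pairs], [a for _, a in pairs]


if __name__ == "__main__":
    columns, matrix = vectorize(SAMPLE_RECORDS)
    train, test = split_train_test(matrix)
    print(f"{len(matrix)} x {len(columns) + 1} matrix, "
          f"{len(train)} training / {len(test)} test rows; columns: {columns}")
    cm = confusion_matrix(*paper_test_results())
    print("confusion matrix:", cm)
    print(f"accuracy {accuracy(cm):.0%}, recall {recall_per_class(cm)}, "
          f"under-estimated cases {underestimated(cm)}")
```

Run on the paper's counts, the block reproduces the 80% accuracy and also shows that all five errors rate an asset higher than expected, with none rated lower.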

5. Results

This paper contains a structured comprehensive overview of existing approaches and modern methods of risk assessment, a description of the risk management process, as well as a review of international standards and methodologies in this field.
During the research, we developed a complex scalable method for determining the risk of critical information security incidents based on dynamic multifactorial analysis of distributed information system metadata and metrics. The proposed approach uses an intelligent assessment model based on the Decision Tree classification algorithm and provides a dynamic assessment methodology for any information assets without reference to a specific platform, network equipment, or software, which allows for conducting a comprehensive risk assessment for the infrastructure of any size, regardless of the number of information assets.
In the paper, we compare and analyze the strengths and weaknesses of existing risk assessment approaches and propose a new risk assessment model that sufficiently addresses all the characteristics of distributed information systems, which existing models do not cover. The developed solution provides a multifactorial and holistic analysis of distributed metadata and metrics from different log sources, which addresses the problem of incomplete information about the components of risk. Moreover, it relies on intelligent evaluation for continuous improvement of results, rapid adaptation, and identification of new risk vectors.
The proposed algorithm is simple in structure and easy to implement. It provides information security analysts with objective information to make informed decisions in the context of ensuring the security of distributed information systems.

6. Discussion of Results

The developed analytical software module can be integrated into the relevant information security systems and recommended for use in corporate networks for basic analysis of IS risks, as well as for assessing the effectiveness of the information protection system.
The scope of further research includes the improvement of the developed algorithm to improve the accuracy of forecasting, the use of Tree Pruning methods to eliminate the effect of overfitting and reduce the size and complexity of the constructed model, as well as the use of intelligent risk assessment models for the developed methodology.
To prepare for a potential attack, organizations must constantly assess their risk profile, make recommended corrections, and actively improve their defense system [76].
Conducting regular assessments allows us to identify cybersecurity risks in a timely manner and to process, manage, and respond to the identified threats [77].
However, this process is complicated by the functional distribution and complexity of distributed information systems. Risk assessment and prediction of potential threats in these conditions can be performed using dynamic multi-factor analysis of the system’s distributed metadata with an intelligent-model approach.
Note that this study is one of the possible options for assessing cyber risks in information systems. In the literature of recent years, there are projects implemented using other risk assessment methodologies, such as the Monte Carlo method [78] and Bayesian networks [79]. Since the tasks solved in those works are different, comparing their results to our work does not make sense. In subsequent works, we plan to carry out a risk assessment for one data set using various methods in information and control systems for various purposes [80,81,82] and analyze the result.

7. Conclusions

The theoretical result of the study is a demonstration of the effectiveness of the Classification Decision Tree algorithm in tasks of dynamic, multivariate analysis of distributed system metadata using the evaluation of intelligent models. The practical result is the implementation of the developed assessment methodology in the form of a software module, achieving an integrated and multi-level approach to modeling cyber risks in distributed environments and having a number of significant benefits compared to classical approaches.
The results of the study include the following:
  • Existing methods and approaches to risk assessment are analyzed, and their advantages and disadvantages are identified.
  • The possibilities of using various methods of intellectual assessment for tasks related to determining the risk of critical information security incidents in distributed information systems are analyzed.
  • Simulation modeling of the process of calculating the level of IS risk based on a dynamic, multivariate analysis of distributed metadata and information system metrics was performed.
  • A scalable methodology for risk assessment of any information assets has been created without being tied to a specific platform, network equipment, or software, which will allow for a comprehensive risk assessment for the infrastructure of any size, regardless of the number of information assets.
  • An analytical software module has been developed that provides a dynamic, comprehensive, and easily scalable approach to assessing the multi-factor data of an information system and can be integrated into relevant information security monitoring systems.
The effectiveness of the proposed solution is 80%, which demonstrates a high level of accuracy of the model in the tasks of intelligent evaluation and classification. In addition, it takes into account a wide range of metrics (67 informative parameters for a dataset with 13,520 records), which allows us to fully assess the security state of information assets with respect to the main properties of information (confidentiality, integrity, and availability); it correlates with MITRE ATT&CK and CVE; and it fully complies with the core standards and guidelines in the field of IS risk analysis and assessment (ISO/IEC 27001, ISO/IEC 27005:2018, NIST 800-30, etc.).
Despite the heterogeneous nature of the input data, the work results demonstrate excellent performance indicators and can be recommended for use in operating conditions in distributed systems, for learning and modeling purposes in further research, and also implemented in information protection systems of the corporate segment for basic risk evaluation and assessment.

Author Contributions

Conceptualization, D.P. and T.B.; Methodology, A.B. (Andrii Bigdan) and T.H.; Data curation, A.B. (Andrii Bigdan) and N.K.; Formal analysis, N.K. and H.H.; Resources, S.T. and O.G.; Software, D.P., M.K. and A.B. (Andrzej Borusiewicz); Project administration, N.K.; Supervision, T.H. All authors have read and agreed to the published version of the manuscript.

Funding

Financed from the subsidy of the Ministry of Education and Science for the Hugo Kołłątaj Agricultural University in Kraków for the year 2023.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Acknowledgments

The National Centre for Research and Development, as Programme Operator of the Programme ‘Applied Research’ implemented under the European Economic Area Financial Mechanism (EEA FM) 2014–2021 and the Norwegian Financial Mechanism (NMF) 2014–2021, announces the Scheme: Support for Ukrainian Researchers under the Bilateral Fund.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Bhatti, B.M.; Mubarak, S.; Nagalingam, S. Information Security Risk Management in IT Outsourcing—A Quarter-century Systematic Literature Review. J. Glob. Inf. Technol. Manag. 2021, 24, 259–298.
  2. Pan, L.; Tomlinson, A. A systematic review of information security risk assessment. Int. J. Saf. Secur. Eng. 2016, 6, 270–281.
  3. Semin, V.G.; Shmakova, E.G.; Los, A.B. The information security risk management. In Proceedings of the 2017 International Conference “Quality Management, Transport and Information Security, Information Technologies” (IT&QM&IS), St. Petersburg, Russia, 24–30 September 2017; IEEE: Piscataway, NJ, USA, 2017.
  4. Saluja, U.; Idris, N.B. Statistics Based Information Security Risk Management Methodology. IJCSNS Int. J. Comput. Sci. Netw. Secur. 2015, 15, 117–123. Available online: http://paper.ijcsns.org/07_book/201510/20151020.pdf (accessed on 20 January 2023).
  5. Karabacak, B.; Sogukpinar, I. ISRAM: Information security risk analysis method. Comput. Secur. 2005, 24, 147–159.
  6. Lv, J.-J.; Wang, Y.-Z. A Ranking Method for Information Security Risk Management Based on AHP and PROMETHEE. In Proceedings of the 2010 International Conference on Management and Service Science, Wuhan, China, 24–26 August 2010.
  7. Tryhuba, A.; Hutsol, T.; Kuboń, M.; Tryhuba, I.; Komarnitskyi, S.; Tabor, S.; Kwaśniewski, D.; Mudryk, K.; Faichuk, O.; Hohol, T.; et al. Taxonomy and Stakeholder Risk Management in Integrated Projects of the European Green Deal. Energies 2022, 15, 2015.
  8. Sahinoglu, M. Security Meter: A Practical Decision-Tree Model to Quantify Risk. IEEE Secur. Priv. 2005, 3, 18–24.
  9. Data Risk Management. Available online: https://www.imperva.com/solutions/data-risk-management/ (accessed on 20 January 2023).
  10. Ahmed, A.; Kayis, B.; Amornsawadwatana, S. A review of techniques for risk management in projects. Benchmarking Int. J. 2007, 14, 22–36.
  11. Elzamly, A.; Hussin, B. Managing Software Project Risks with Proposed Regression Model Techniques and Effect Size Technique. Int. Rev. Comput. Softw. 2011, 6, 250–263.
  12. Elzamly, A.; Hussin, B.; Salleh, N. Methodologies and techniques in software risk management approach for mitigating risks: A review. Asian J. Math. Comput. Res. 2015, 2, 184–198.
  13. Liu, J.Y.-C.; Chen, H.-G.; Chen, C.C.; Sheu, T.S. Relationships among interpersonal conflict, requirements uncertainty, and software project performance. Int. J. Proj. Manag. 2011, 29, 547–556.
  14. Cyber Reporting Survey: Governance in Focus | Cyber Risk Reporting in the UK, Survey, Deloitte. 2016. Available online: https://www2.deloitte.com/content/dam/Deloitte/uk/Documents/audit/deloitte-uk-governance-in-focus-cyber-risk-reporting.pdf (accessed on 20 January 2023).
  15. Elzamly, A.; Hussin, B. Quantitative and Intelligent Risk Models in Risk Management for Constructing Software Development Projects: A Review. Int. J. Softw. Eng. Its Appl. 2016, 10, 9–20.
  16. Miler, J.; Górsk, J. Risk-driven Software Process Improvement—A Case Study. In Proceedings of the 11th European Software Process Improvement Conference EuroSPI’2004, Trondheim, Norway, 10–12 November 2004; pp. 1–7.
  17. Islam, S. Software Development Risk Management Model—A Goal Driven Approach. In Proceedings of the Doctoral Symposium for ESEC/FSE, Amsterdam, The Netherlands, 25 August 2009; pp. 5–8.
  18. Dash, R.; Dash, R. Risk Assessment Techniques for Software Development. Eur. J. Sci. Res. 2010, 42, 629–636.
  19. Alberts, C.J.; Behrens, S.G.; Pethia, R.D.; Wilson, W.R. Operationally Critical Threat, Asset and Vulnerability Evaluation; Software Engineering Institute: Pittsburgh, PA, USA, 1999; 72p.
  20. 2019 Global Cyber Risk Perception Survey. 2019. Marsh, Microsoft. Available online: https://www.microsoft.com/security/blog/wp-content/uploads/2019/09/Marsh-Microsoft-2019-Global-Cyber-Risk-Perception-Survey.pdf (accessed on 20 January 2023).
  21. 2022 Marsh and Microsoft Global Cyber Risk Survey. Available online: https://www.marsh.com/zm/services/cyber-risk/insights/global-cyber-risk-survey.html (accessed on 20 January 2023).
  22. Cebula, J.J.; Young, L.R. A Taxonomy of Operational Cyber Security Risks; Hanscom AFB: Hanscom AFB, MA, USA; Carnegie Mellon University: Pittsburgh, PA, USA, 2010; 47p.
  23. Tryhuba, A.; Hutsol, T.; Tryhuba, I.; Mudryk, K.; Kukharets, V.; Głowacki, S.; Dibrova, L.; Kozak, O.; Pavlenko-Didur, K. Assessment of the Condition of the Project Environment for the Implementation of Technologically Integrated Projects of the “European Green Deal” Using Maize Waste. Energies 2022, 15, 8220.
  24. Tryhuba, A.; Komarnitskyi, S.; Tryhuba, I.; Hutsol, T.; Yermakov, S.; Muzychenko, A.; Muzychenko, T.; Horetska, I. Planning and risk analysis in projects of procurement of agricultural raw materials for the production of environmentally friendly fuel. Int. J. Renew. Energy Dev. 2022, 11, 569–580.
  25. Ibrahim, M.N.; Thorpe, D.; Mahmood, M.N. Risk factors affecting the ability for earned value management to accurately assess the performance of infrastructure projects in Australia. Constr. Innov. 2019, 19, 550–569.
  26. Tanenbaum, A.S.; van Steen, M. Distributed Systems. Principles and Paradigms, 2nd ed.; Pearson Prentice Hall: Upper Saddle River, NJ, USA, 2007; pp. 2–15.
  27. Dubois, E.; Heymans, P.; Mayer, N.; Matulevicius, R. A Systematic Approach to Define the Domain of Information System Security Risk Management. In Intentional Perspectives on Information Systems Engineering; Springer: Berlin/Heidelberg, Germany, 2010.
  28. Barham, P.; Dragovic, B.; Fraser, K.; Hand, S.; Harris, T.; Ho, A.; Neugebauer, R.; Pratt, I.; Warfield, A. Xen and the Art of Virtualization. In Proceedings of the 19th Symposium on Operating Systems Principles, Bolton Landing, NY, USA, 19–22 October 2003; ACM: New York, NY, USA, 2003; pp. 164–177.
  29. Kiktev, N.; Kutyrev, A.; Khort, D.; Kalivoshko, O. Web Application for an Information System for Diagnosing the Quality of Electricity Consumers Using Cloud Technologies. VIII International Scientific Conference “Information Technology and Implementation” (IT&I-2021). CEUR Workshop Proc. 2022, 3132, 176–185. Available online: http://ceur-ws.org/Vol-3132/Paper_17.pdf (accessed on 20 January 2023).
  30. Kiktev, N.; Osypenko, V.; Kalivoshko, O.; Kutyrev, A. Information system for decision-making in the management of renewable energy sources in the microgrid system. CEUR Workshop Proc. 2021, 3018, 101–110.
  31. Kraevsky, V.; Kostenko, O.; Kalivoshko, O.; Kiktev, N.; Lyutyy, I. Financial Infrastructure of Telecommunication Space: Accounting Information Attributive of Syntalytical Submission. In Proceedings of the 2019 IEEE International Scientific-Practical Conference Problems of Infocommunications, Science and Technology (PIC S&T), Kyiv, Ukraine, 8–11 October 2019; pp. 873–876.
  32. Kalivoshko, O.; Kraevsky, V.; Burdeha, K.; Lyutyy, I.; Kiktev, N. The Role of Innovation in Economic Growth: Information and Analytical Aspect. In Proceedings of the 2021 IEEE 8th International Conference on Problems of Infocommunications, Science and Technology (PIC S&T), Kharkiv, Ukraine, 5–7 October 2021; pp. 120–124.
  33. Smirnova, E.V.; Smirnov, A.O.; Olshevskay, O.V. Features of information security in the electric power industry [Osobennosti informacionnoj bezopasnosti v jelektrojenergetike]. Refrig. Eng. Technol. 2016, 10, 39–44. (In Russian)
  34. Korablev, V.A.; Mazurok, T.L. Information technology of behavioral models of multi-agent robotic systems [Informacionnaya tekhnologiya povedencheskih modelej mul’tiagentnyh robototekhnicheskih sistem]. In Information Technology and Automation—2019, Proceedings of the XII International Scientific and Practical Conference, Odessa, Ukraine, 17–18 October 2019; Volume 2, pp. 63–65. Available online: https://card-file.ontu.edu.ua/jspui/handle/123456789/10549 (accessed on 20 January 2023). (In Russian)
  35. Zikratova, I.A.; Zikratovab, T.V.; Lebedeva, I.S. Trust model for information security of multi-agent robotic systems with a decentralized management [Doveritel’naja model’ informacionnoj bezopasnosti mul’tiagentnyh robototehnicheskih sistem s decentralizovannym upravleniem]. Sci. Tech. J. Inf. Technol. Mech. Opt. 2014, 2, 47–52. Available online: https://openbooks.itmo.ru/read_ntv/9396/9396.pdf (accessed on 20 January 2023). (In Russian)
  36. Vorotnikov, S.; Ermishin, K.; Nazarova, A.; Yuschenko, A. Multi-agent Robotic Systems in Collaborative Robotics. In ICR 2018: Interactive Collaborative Robotics; Lecture Notes in Computer Science; Ronzhin, A., Rigoll, G., Meshcheryakov, R., Eds.; Springer: Berlin/Heidelberg, Germany, 2018; Volume 11097.
  37. Kiktev, N.; Didyk, A.; Antonevych, M. Simulation of Multi-Agent Architectures for Fruit and Berry Picking Robot in Active-HDL. In Proceedings of the 2020 IEEE International Conference on Problems of Infocommunications Science and Technology, PIC S and T, Kharkiv, Ukraine, 6–9 October 2020; IEEE: Piscataway, NJ, USA, 2021; pp. 635–640.
  38. Kiktev, N.; Lendiel, T.; Vasilenkov, V.; Kapralyuk, O.; Hutsol, T.; Glowacki, S.; Kuboń, M.; Kowalczyk, Z. Automated Microclimate Regulation in Agricultural Facilities Using the Air Curtain System. Sensors 2021, 21, 8182.
  39. Ismail, Z.; Sariff, N. A Survey and Analysis of Cooperative Multi-Agent Robot Systems: Challenges and Direction. In Applications of Mobile Robots; Hurtado, E., Ed.; IntechOpen: London, UK, 2018.
  40. McCumber, J. Assessing and Managing Security Risk in IT Systems: A Structured Methodology; Auerbach Publications: New York, NY, USA, 2004; 288p.
  41. Hoodat, H.; Rashidi, H. Classification and Analysis of Risks in Software Engineering. Eng. Technol. 2009, 56, 446–452.
  42. Carr, V.; Tah, J. A fuzzy approach to construction project risk assessment and analysis: Construction project risk management system. Adv. Eng. Softw. 2001, 32, 847–857.
  43. Henry, K. Risk management and analysis. In Information Security Management Handbook, 6th ed.; Auerbach Publications: Boca Raton, FL, USA, 2017; Volume 1, pp. 321–329.
  44. Turnaround and Transformation in Cybersecurity: Key Findings from The Global State of Information Security Survey. PricewaterhouseCoopers (PwC). 2016. Available online: https://www.pwc.com/sg/en/publications/assets/pwc-global-state-of-information-security-survey-2016.pdf (accessed on 20 January 2023).
  45. SSE Project Team. System Security Engineering Capability Maturity Model (SSE-CMM): Model Description Document, Version 3.0; Technical Report; SSE-CMM, 2003. Available online: http://all.net/books/standards/ssecmmv3final.pdf (accessed on 20 January 2023).
  46. Department of Energy. Cybersecurity Capability Maturity Model (C2M2), Version 1.1; Technical Report; Department of Homeland Security: Washington, DC, USA, 2014.
  47. White, G.B. The community cyber security maturity model. In Proceedings of the 2011 IEEE International Conference on Technologies for Homeland Security (HST), Waltham, MA, USA, 15–17 November 2011; pp. 173–178.
  48. The Open Group. Open Information Security Management Maturity Model (O-ISM3); Technical Report; Open Group: San Francisco, CA, USA, 2011.
  49. Grechko, V.; Babenko, T.; Myrutenko, L. Secure software developing recommendations. In Proceedings of the 2019 IEEE International Scientific-Practical Conference: Problems of Infocommunications Science and Technology, PIC S and T 2019, Kyiv, Ukraine, 8–11 October 2019; pp. 45–50, 9061529.
  50. Korchenko, O.; Kazmirchuk, S.; Akhmetov, B. Applied Information Security Risk Assessment Systems; Comprint: Kyiv, Ukraine, 2017; 435p.
  51. Zaslavskyi, V. System principles, mathematical models and methods to ensure high reliability of safety systems. Proc. SPIE 2017, 10418, 1041803.
  52. Denis, M.; Zena, C.; Hayajneh, T. Penetration testing: Concepts, attack methods, and defense strategies. In Proceedings of the 2016 IEEE Long Island Systems, Applications and Technology Conference (LISAT), Farmingdale, NY, USA, 29 April 2016; pp. 1–6.
  53. Rot, A. IT Risk Assessment: Quantitative and Qualitative Approach. In Proceedings of the World Congress on Engineering and Computer Science, San Francisco, CA, USA, 22–24 October 2008; pp. 1073–1078.
  54. Norkin, V.I.; Gaivoronski, A.A.; Zaslavsky, V.A.; Knopov, P.S. Models of the Optimal Resource Allocation for the Critical Infrastructure Protection. Cybern. Syst. Anal. 2018, 54, 696–706.
  55. Landoll, D. The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments; Auerbach Publications: Boca Raton, FL, USA, 2016; 504p.
  56. Xiao, G.; Xiao, Y.; Ni, A.; Zhang, C.; Zong, F. Exploring influence mechanism of bikesharing on the use of public transportation—A case of Shanghai. Transp. Lett. 2022, 1–9.
  57. Sánchez-García, I.D.; Mejia, J.; San Feliu Gilabert, T. Cybersecurity Risk Assessment: A Systematic Mapping Review, Proposal, and Validation. Appl. Sci. 2023, 13, 395.
  58. Ntafloukas, K.; McCrum, D.P.; Pasquale, L. A Cyber-Physical Risk Assessment Approach for Internet of Things Enabled Transportation Infrastructure. Appl. Sci. 2022, 12, 9241.
  59. Williams, T.D. The Value of Threat Models in Enterprise Security Testing of Database Systems & Services: Technical Report; Royal Holloway: Egham, UK; University of London: London, UK, 2015; 165p.
  60. Hubbard, D.W.; Seiersen, R. How to Measure Anything in Cybersecurity Risk; Wiley: Hoboken, NJ, USA, 2016.
  61. Kravchenko, Y.; Vialkova, V. The problem of providing functional stability properties of information security systems. In Modern Problems of Radio Engineering, Telecommunications and Computer Science, Proceedings of the 13th International Conference on TCSET 2016, Lviv, Ukraine, 23–26 February 2016; IEEE: Piscataway, NJ, USA, 2016; Volume 7452105, pp. 526–530.
  62. Radivilova, T.; Kirichenko, L.; Alghawli, A.S.; Ageyev, D.; Mulesa, O.; Baranovskyi, O.; Ilkov, A.; Kulbachnyi, V.; Bondarenko, O. Statistical and Signature Analysis Methods of Intrusion Detection. In Information Security Technologies in the Decentralized Distributed Networks; Oliynykov, R., Kuznetsov, O., Lemeshko, O., Radivilova, T., Eds.; Lecture Notes on Data Engineering and Communications Technologies, 115; Springer: Cham, Switzerland, 2022.
  63. Viktoriia, H.; Hnatienko, H.; Babenko, T. An intelligent model to assess information systems security level. In Proceedings of the 2021 Fifth World Conference on Smart Trends in Systems Security and Sustainability (WorldS4), London, UK, 29–30 July 2021; pp. 128–133.
  64. Barabash, O.; Shevchenko, H.; Dakhno, N.; Kravchenko, Y.; Olga, L. Effectiveness of Targeting Informational Technology Application. In Proceedings of the 2020 IEEE 2nd International Conference on System Analysis and Intelligent Computing, SAIC 2020, Kyiv, Ukraine, 5–9 October 2022; Volume 9239154.
  65. Mulesa, O.; Snytyuk, V.; Myronyuk, I. Optimal alternative selection models in a multi-stage decision-making process. EUREKA: Phys. Eng. 2019, 6, 43–50.
  66. Palko, D.; Hnatienko, H.; Babenko, T.; Bigdan, A. Determining key risks for modern distributed information systems. In Proceedings of the II International Scientific Symposium “Intelligent Solutions” (IntSol-2021), Kyiv—Uzhhorod, Ukraine, 28–30 September 2021. CEUR Workshop Proc. 2021, 3018, 81–100. Available online: https://ceur-ws.org/Vol-3018/Paper_8.pdf (accessed on 20 January 2023).
  67. Rodríguez, M.; Alesanco, Á.; Mehavilla, L.; García, J. Evaluation of Machine Learning Techniques for Traffic Flow-Based Intrusion Detection. Sensors 2022, 22, 9326.
  68. Palko, D.; Vialkova, V.; Babenko, T. Intellectual Models for Cyber Security Risk Assessment. In Processing, Transmission and Security of Information; Wydawnictwo Naukowe Akademii Techniczno-Humanistycznej w Bielsku-Białej: Bielsko-Biała, Poland, 2019; Volume 2, pp. 284–288.
  69. Żukiewicz, K.; Słowik, T.; Dudziak, A. Preventing Food Waste in the Food Retail Sector in the Light of the Current Legislation in Poland. Agric. Eng. 2022, 26, 187–199.
  70. Palko, D.; Myrutenko, L.; Babenko, T.; Bigdan, A. Model of Information Security Critical Incident Risk Assessment. In Proceedings of the 2020 IEEE International Conference on Problems of Infocommunications Science and Technology, PIC S and T 2020, Kharkiv, Ukraine, 6–9 October 2020; IEEE: Piscataway, NJ, USA, 2021; pp. 157–161.
  71. Hnatiienko, H.; Kiktev, N.; Babenko, T.; Desiatko, A.; Myrutenko, L. Prioritizing Cybersecurity Measures with Decision Support Methods Using Incomplete Data. CEUR Workshop Proc. 2021, 3241, 169–180.
  72. Babenko, T.; Hnatiienko, H.; Vialkova, V. Modeling of the integrated quality assessment system of the information security management system. In Proceedings of the 7th International Conference “Information Technology and Interactions”, IT and I 2020, Kyiv, Ukraine, 2–3 December 2020. CEUR Workshop Proc. 2021, 2845, 75–84. Available online: https://ceur-ws.org/Vol-2845/Paper_8.pdf (accessed on 20 January 2023).
  73. Dolgikh, S.; Mulesa, O. Collaborative Human-AI Decision-Making Systems. CEUR Workshop Proc. 2021, 3106, 96–105.
  74. Voloshin, O.F.; Mashchenko, O.S.O. Models and Methods of Decision Making: Textbook for Students of Higher Educational Institutions; Publishing and Printing Center “Kyiv University”: Kyiv, Ukraine, 2010; 336p.
  75. Sarker, I.H. Deep Cybersecurity: A Comprehensive Overview from Neural Network and Deep Learning Perspective. SN Comput. Sci. 2021, 2, 1–16.
  76. AI Cybersecurity Challenges. Threat Landscape for Artificial Intelligence; ENISA: Attiki, Greece, 2020; ISBN 978-92-9204-462-6.
  77. Vasile, E.; Croitoru, I. Integrated Risk Management System—Key Factor of the Management System of the Organization. In Risk Management; IntechOpen: London, UK, 2012.
  78. Korneev, N.V.; Korneeva, J.V.; Yurkevichyus, S.P.; Bakhturin, G.I. An Approach to Risk Assessment and Threat Prediction for Complex Object Security Based on a Predicative Self-Configuring Neural System. Symmetry 2022, 14, 102.
  79. Andrade, R.; Ortiz, I.; Cazares, M.; Navas, G.; Sánchez-Pazmiño, M.I. Defining Cyber Risk Scenarios to Evaluate IoT Systems. Games 2023, 14, 1.
  80. Chen, X.; Wu, S.; Shi, C.; Huang, Y.; Yang, Y.; Ke, R.; Zhao, J. Sensing Data Supported Traffic Flow Prediction via Denoising Schemes and ANN: A Comparison. IEEE Sensors J. 2020, 20, 14317–14328.
  81. Cherdantseva, Y.; Burnap, P.; Nadjm-Tehrani, S.; Jones, K. A Configurable Dependency Model of a SCADA System for Goal-Oriented Risk Assessment. Appl. Sci. 2022, 12, 4880.
  82. Dudnyk, A.; Lysenko, V.; Zaets, M.; Komarchuk, D.; Lendiel, T.; Yakymenko, I. Intelligent Control System of Biotechnological Objects with Fuzzy Controller and Noise Filtration Unit. In Proceedings of the 2018 International Scientific-Practical Conference Problems of Infocommunications. Science and Technology (PIC S&T), Kharkiv, Ukraine, 9–12 October 2018; pp. 586–590.
Figure 1. Types of cyber risks according to the annual Deloitte research “Cyber risk reporting in the UK 2016”.
Figure 2. Key factors measuring the level of cyber risks according to “The Marsh Microsoft 2019 Global Cyber Risk Perception Survey” (September 2019).
Figure 3. The basic risk assessment process.
Figure 4. Data from PwC’s “The Global State of Information Security® Survey 2016”.
Figure 5. Decision Tree intelligent risk assessment.
Figure 6. Risk assessment methodology.
Figure 7. Risk level calculation matrices for assets of different criticality.
Figure 8. Performing the solution adequacy check.
Figure 9. Results visualization of building a decision tree.
Table 1. Asset types.
Asset Type | Explanation                      | Level of Criticality
EXT        | External servers                 | High
PC         | Workstations/personal computers  | Low
MB         | Monoblocks                       | Moderate
NB         | Laptops                          | Low
TC         | Thin clients                     | Moderate
TAB        | Tablets                          | Low
NET        | Network equipment                | High
PRN        | Printers/scanners                | Low
POS        | Payment terminal                 | High
CASH       | Cash register                    | High
SRV        | Servers                          | High
SRC        | Virtual machine                  | Low
Table 2. Example of distributed metadata and asset metrics.
Metric Name           | Description                                   | Impact on Final Risk Score | Example of Value
Type                  | Device type                                   | High                       | PC/NB/TAB/SRV/SRD
Last scan             | Date-time of the last scan or mapping         | High                       | 20 April 2020 22:02
AV Type               | Type of antivirus                             | High                       | McAfee/WinDefender
Last logon            | Date-time of the last login                   | Low                        | 15 April 2020 19:40
OS Type               | Operating system type                         | High                       | Windows Server 2008 R2 Enterprise
OS Version            | Operating system version                      | Moderate                   | 6.1
OS Build Number       | Operating system build version                | Moderate                   | 7600
Blocked in AD         | Lock status in Active Directory               | Moderate                   | Yes/No
Last Asset Update     | Last update date of the asset                 | Low                        | 8 November 2019 9:02
Vulnerabilities       | Number of found vulnerabilities               | High                       | 3
Critical VLAN         | Whether the asset's network is classified as critical | High                | Yes/No
Wireless              | Is the network wireless                       | Moderate                   | Yes/No
Last Event            | Date-time of the last event in QRadar         | High                       | 22 April 2020 16:22
Backup Status         | Is the backup performed                       | High                       | Yes/No
Defender Last Update  | Time of the last Windows Defender update      | High                       | 23 April 2020 0:02
McAfee Version        | McAfee Agent version                          | Moderate                   | 5.6.1.157
Table 3. Fragment of the training dataset.
Type | OS Type                    | Last Scan               | Vulnerabilities | Critical VLAN | Wireless | AV Type          | Environment    | Backup Status | Threat Level
PC   | Windows Pro                | 17 February 2020 10:11  | 1               | Yes           | Yes      | McAfee           | Pre-production | No            | Medium
SRV  | Windows Server 2019 Std    | 20 April 2020 20:43     | −1              | Yes           | No       | Windows Defender | Production     | Yes           | Low
SRV  | Windows Server 2012 R2 Std | 21 October 2019 15:39   | 3               | Yes           | No       | Windows Defender | Production     | Yes           | High
NB   | Windows 10 Enterprise      | 14 April 2020 7:51      | −1              | No            | No       | McAfee           | Testing        | No            | Low
...
TAB  | Windows 8.1 Pro            | 20 April 2020 21:44     | −1              | No            | Yes      | Windows Defender | Development    | No            | Low
Palko, D.; Babenko, T.; Bigdan, A.; Kiktev, N.; Hutsol, T.; Kuboń, M.; Hnatiienko, H.; Tabor, S.; Gorbovy, O.; Borusiewicz, A. Cyber Security Risk Modeling in Distributed Information Systems. Appl. Sci. 2023, 13, 2393. https://doi.org/10.3390/app13042393