Multidimensional classification matrix for information security risk assessment
DOI: https://doi.org/10.31649/1999-9941-2024-60-2-91-106

Keywords: dynamic information classification, visualization of critical resources, multidimensional classification matrix, classification stack, integral risk assessments

Abstract

In this study, we address one of the key challenges of building a comprehensive information security risk assessment system: assessing the risk that personnel pose when access to company information resources is delineated. The relevance of this research is confirmed by numerous information leaks, which highlight the insufficient effectiveness of traditional classification and access control methods. The research aims to analyze existing strategies for classifying company information resources and to develop an additional method based on continuous access analysis and dynamic adjustment of resource classification. To achieve this goal, we analyzed current information classification strategies, combined various classification techniques, and implemented a graphical method that joins traditional resource classification with a dynamic component by means of a multidimensional matrix. The main result of the study is an enhanced method that allows continuous analysis of personnel access to company information resources and dynamic adjustment of resource classification according to access delineation rules. The proposed approach allows any number of indicators to be included in a graph as a set of vectors; the overall risk assessment is then calculated from the sum or difference of these vectors. The practical value of this work lies in its ability to make full use of modern access control technologies and to serve as a foundation for further research, such as automated information classification using neural network training. Within this study, we also conducted a detailed review of existing risk assessment methods for company information resources, identifying the key limitations inherent in traditional approaches; specifically, we analyzed methods based on fixed access levels and static access control rules.
It became evident that such methods cannot respond adequately to dynamic changes in user behavior and to the evolving importance of information resources. The proposed approach therefore permits more flexible and adaptive access control for information resources, achieved through continuous access monitoring and automatic adjustment based on behavioral user data and contextual changes in resource utilization.
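To make the abstract's idea concrete, the following is an added toy illustration, not code from the paper or its authors: a static classification level forms the baseline of each resource, dynamic access indicators are modelled as 2-D vectors that add to or subtract from it, the integral risk is the length of the vector sum, and the classification is raised when the dynamic part pushes the integral risk past a threshold. The level names, indicator names, angles, magnitudes and the 0.15 step are all constructed assumptions; the paper's actual matrix axes and scoring rules are not on this page.

```python
"""Toy integral risk score from indicator vectors (added example, not the paper's method).

Assumptions not taken from the page:
- a static classification level places a resource on the x-axis of the matrix,
- each dynamic indicator is a 2-D vector (magnitude = severity, angle = indicator family),
- mitigating controls are vectors with negative sign (the "difference" of vectors),
- the integral risk is the Euclidean norm of (baseline + sum of indicator vectors),
- the static level is a floor: dynamic indicators can raise, never lower, the class.
"""
import math
from dataclasses import dataclass

# Constructed ordering of classification levels, lowest to highest (assumed).
LEVELS = ["public", "internal", "confidential", "restricted"]


@dataclass
class Indicator:
    name: str
    magnitude: float  # severity in [0, 1]
    angle_deg: float  # direction in the matrix plane; assumed: 0 = access pattern, 90 = exposure
    sign: int = 1     # +1 adds risk, -1 is a mitigating control

    def vector(self):
        r = math.radians(self.angle_deg)
        return (self.sign * self.magnitude * math.cos(r),
                self.sign * self.magnitude * math.sin(r))


def baseline_share(level):
    """Static component: position of the level on the x-axis, scaled to [0, 1]."""
    return LEVELS.index(level) / (len(LEVELS) - 1)


def vector_sum(indicators):
    """Sum (or difference, via sign) of all indicator vectors."""
    x = y = 0.0
    for ind in indicators:
        vx, vy = ind.vector()
        x += vx
        y += vy
    return (x, y)


def integral_risk(base_level, indicators):
    """Norm of the baseline vector plus the dynamic indicator sum."""
    dx, dy = vector_sum(indicators)
    return math.hypot(baseline_share(base_level) + dx, dy)


def adjusted_level(base_level, indicators, step=0.15):
    """Raise the classification one level per `step` of risk above the static baseline.

    The static level is never lowered: mitigating controls only offset other
    indicators, they do not downgrade a resource below its assigned class.
    """
    excess = integral_risk(base_level, indicators) - baseline_share(base_level)
    bump = max(0, math.floor(excess / step))
    idx = min(len(LEVELS) - 1, LEVELS.index(base_level) + bump)
    return LEVELS[idx]


def rank_resources(matrix):
    """Order resources by integral risk, highest first (the 'critical resources' view)."""
    scored = [(name, integral_risk(level, inds)) for name, (level, inds) in matrix.items()]
    return [name for name, _ in sorted(scored, key=lambda t: t[1], reverse=True)]


# Constructed sample matrix: resource -> (static level, dynamic indicators).
SAMPLE_MATRIX = {
    "hr_salaries": ("confidential", [
        Indicator("off_hours_access", 0.3, 0),
        Indicator("anomalous_download_volume", 0.4, 90),
        Indicator("mfa_enforced", 0.2, 0, sign=-1),
    ]),
    "project_wiki": ("internal", [
        Indicator("external_share_link", 0.5, 90),
    ]),
}

if __name__ == "__main__":
    for name, (level, inds) in SAMPLE_MATRIX.items():
        print(f"{name}: static={level} risk={integral_risk(level, inds):.3f} "
              f"adjusted={adjusted_level(level, inds)}")
    print("most critical first:", rank_resources(SAMPLE_MATRIX))
```

In this toy, `hr_salaries` gains one level because its indicator sum (0.1, 0.4) pushes the integral risk about 0.2 above the confidential baseline, while the `mfa_enforced` control only offsets part of the off-hours access vector; `project_wiki` is lifted from internal to confidential by a single exposure indicator. The floor rule is a deliberate defensive choice so that a well-controlled resource is never silently declassified by the dynamic component.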