The New “Hybrid” Approach for IT-Security
Assessment
Ilya Livshitz, Andrey Neklyudov
ITMO University
St. Petersburg, Russia
livshitz.il@yandex.ru, nav7ad@mail.ru
Pavel Lontsikh, Natalya Lontsikh, Elena Golovina
Irkutsk National Research Technical University
Irkutsk, Russia
palon@list.ru
Abstract—The processes for evaluating IT security need to evolve. Creating and applying common evaluation approaches for IT components, as practised by governmental and civil organizations, still does not solve the problem. We propose a more precise and comprehensive IT-security assessment tool: the “hybrid” method of IT-security evaluation for a particular object, built on a set of adequate assessment tools.
I. INTRODUCTION
The evaluation of IT security is a topical problem today. The creation and application of common approaches to evaluating IT components remains unsolved. The main criterion of an IT component's suitability has been that it passed an independent and adequate procedure of security conformity assessment.
This procedure is instructive, because it fosters a fuller understanding of the circumstances of IT evolution, both today and in the long run. This research proposes synthesizing, for a concrete object, a “hybrid” approach to IT-security evaluation based on a range of adequate and available assessment tools.
II. THE PRECISION AS A TARGET
To avoid introducing new entities without necessity, the authors propose increasing the precision of IT-security evaluation by synthesizing the final set of adequate assessment tools on the basis of the “hybrid” method, adapted to a concrete IT object. The precision of an IT evaluation is determined by the assessment tools and the measurement techniques used.
Experience shows, however, that the adequate assessment tools should not be too numerous and that, taken together, they should form a basis whose assessment lines are independent of each other (by analogy with the linear independence of vectors).
III. THE EXPERTISE
In almost any domain, problems can be solved on the basis of three fairly independent types of expertise:
• Experience (E): expertise carried by the individual himself.
• Requirements (R): expertise fixed on a data carrier as slightly formalized requirements.
• Calculation (C): expertise based on measurement and calculation.
Each type of expertise has its own merits and drawbacks. In some cases a problem can be solved with one type of expertise alone or with an arbitrary combination of them. Historically, everything starts with E-type expertise. Ideally, however, all three types should be used together, interacting harmoniously.
Graphically this can be imagined as a triangle whose vertices represent the “poles” of expertise, while the body of the triangle, away from the vertices, represents combinations of them; the contribution of each type is determined by the closeness to the corresponding vertex (see Fig. 1).
Fig. 1. Contribution of the expertise types, graphical representation
Point A1 represents the expertise contribution before the publication of the TCSEC. Point A2 shows the combination of expertise in the “rainbow series” era, when security specifications were first structured, slightly formalized and made accessible to the public. Point A3 corresponds to the combination of expertise in the Common Criteria (CC) period, when security and assurance specifications were harmonized with the level of IT evolution, precisely structured and brought to a semi-formal style. It is precisely in the CC period that the C type of expertise appeared in the proportion, not least because risk was included in the list of security concepts and the correlations between them were investigated.
The aim of the “hybrid” method, as the authors see it, is to increase the contribution of C-type expertise to a level that brings the point A1 into the optimal zone. This approach requires that IT-security evaluations be performed by calculation, just as the reliability index or the resistance of a cryptographic primitive is estimated.
IV. THE “HYBRID” METHOD OF EVALUATION
As assessment tools for the “hybrid” method, the ISO/IEC 27001 series [1], the CC (the ISO/IEC 15408 series may be substituted for it [2, 3, 4]) and Data Flow Diagrams (DFD) are used. The last is chosen because, notwithstanding the shift of emphasis from the structural to the object-oriented approach in the analysis and design of information systems, structural notations are still widely and effectively used in both business and system analysis. If desired, DFD may be replaced by another modelling tool, e.g. the Unified Modeling Language (UML).
For industrial automation, tools such as IEC 61508 [5] or IEC 61511 [6] can also be useful in the evaluation when information security and functional safety questions must be tied together. All these assessment tools are kept in a relevant condition that matches the current level of IT evolution and consumer demands. Moreover, and this is no small matter, these standards are widely used in practice for evaluation, just as DFD is widely used for system modelling. In the modern IT belief system, which states that “everything is an object”, the “hybrid” method defines the following types of object:
• IT: a production method, in the context of our problem the way information is processed.
• IT component: a part of the information processing method which can, in turn, be divided into components. When it is necessary to show that an IT component is indivisible, it is called an IT element. IT and its components can be established both on a hardware base and without one.
• Information Processing System (IPS): a set of hardware with specified relations, used as the base on which IT or an IT component is established.
• IPS component: a part of the IPS that, in turn, can also be divided into parts. When it is necessary to show that an IPS component is indivisible, it is called an IPS element.
V. THE MAIN IDEA OF THE “HYBRID” METHOD
The primary intent of the suggested “hybrid” method of IT-security evaluation is the ability to make a security assessment, with a preset level of refinement, of an arbitrary object of evaluation (OE), which can be any IT or any separate component of it. The “exclusivity” of this method is achieved by a simple but effective solution: building a model of the system in operation and focusing attention on security questions in the places where an effective solution can be obtained, at a limited number of trusted boundary (TB) points [7, 8].
It is exactly at the TBs that control is realized by the security functions or by the functional environment, specified in CC notation. IT-security management measures in ISO/IEC 27001 notation are likewise provided exactly for the TBs. Thus the quality of the IT-security evaluation is determined to a great extent by the validity of the OE model. On the one hand, the need to create an adequate IT model of the OE may cause difficulties for persons without sufficient skills; on the other hand, it must be noted that an OE cannot be examined satisfactorily without models of the IT as a whole or of its components.
The “hybrid” method does not provide for developing a unified requirement list for a Security Target (ST), or for a range of STs, as would be required if the CC doctrine were followed dogmatically. At the same time, some structure and forming procedures are partially adopted from the ST. In one sense this is done so as not to introduce new entities over existing ones; in another, it gives users of the “hybrid” method sets of materials compatible with the parts of an ST, which may be useful if they later decide to develop an ST and certify the OE under the CC.
The sequence of operations provided by the “hybrid” method is:
• IT structuring.
• Device space structuring.
• IPS modelling.
• Security issue defining.
• Security target identification.
• Short specification of the object of evaluation.
A. Step 1. IT structuring
All IT providing business-process automation is divided into several realms. The number of realms and their content are determined so as to be convenient and effective to work with. The number and content of the realms are also influenced by grouping within one realm the IT that automates business processes similar by some criterion, and by the attainability of the evaluation targets. A realm can be a composite, tiered hierarchical structure containing nested realms.
B. Step 2. Device space structuring.
The device space occupied by the organization is structured into several locations (L). Their number depends on the actual position of the organization's assets in the device space, on the convenience and efficiency of work, and on the attainability of the evaluation targets. A location can likewise be a composite, tiered hierarchical structure containing nested locations.
C. Step 3. IPS modelling
The IPS model, which is the base for the IT, is built in DFD terms. The number of models built is chosen so as to be convenient to work with, to give a comprehensive picture at the required level of detail, and to ensure that the evaluation targets are reached. If needed, more than one model can be developed per system, and a single model can be designed for several similar systems [7, 8]. The IPS model of a real object (from the authors' practical experience) is shown in Fig. 2.
[Fig. 2 is a DFD of the IPS model. Elements visible in it: location L1; realms R2.1, R2.3 and R1.4; processes P1, P2, P3, P4 and two unnumbered processes P; external entities EE1, EE2, EE3; trusted boundaries TB1, TB2, TB3, TB4, TB5, TB6, TB9 and TB10.]
Fig. 2. IPS model of a real evaluation object
D. Step 4. Security issue defining
Defining the security problem consists of logically determining the IT-security threats, the organizational security policy and the assumptions about the operational environment. Keeping in mind Albert Einstein's maxim that “everything should be made as simple as possible, but not simpler”, we try to avoid over-detailed elaboration of the threat information. In the authors' opinion it is necessary and sufficient to determine the threat information on the IPS model; the optimal level of detail is obtained by going from the DFD objects to the means that realize them, practically to the IPS components, treating each IPS component as a finite automaton.
For complex industrial facilities (CIF) the definition of the security problem is the sequential definition of IT-security threats, organizational IT-security policies and assumptions about the IT-security environment. Note that threats to a CIF are determined through risks, as is customary in international practice ([9], [10], [11], [12], [13], [14], [15]). The list of typical threats in Annex C of ISO/IEC 27005 is taken into account (see Table I). From this list, on the basis of a preliminary survey of the real CIF, the applicable threats are selected and then ranked by their degree of impact on IT-security risks according to ISO/IEC 27001.
TABLE I. THE LIST OF IT-SECURITY THREATS
Type of threat | Name of threat | Applicable
Physical | Fire | Yes
Physical | Water damage |
Physical | Pollution |
Physical | Major accident | Yes
Physical | Destruction of equipment or media |
Compromise of information | Disclosure |
Compromise of information | Data from untrusted sources |
Compromise of information | Criminal use of hardware | Yes
Compromise of information | Criminal use of the software | Yes
Technical fault | Saturation of the information system |
Technical fault | Equipment failure | Yes
Technical fault | Malfunction of the software |
Technical fault | Breach of information system support | Yes
Compromise of functions | Falsification of the rights |
Compromise of functions | Abuse of rights | Yes
Compromise of functions | Denial of action | Yes
Compromise of functions | Violation from personnel | Yes
The threats that the object of evaluation must counter are determined by the risk register (for example, in order of severity). An example of defining the risk measure and ranking the applicable threats in ascending order of severity is given in Table II. Following Annex C of ISO/IEC 27005, the applicable threats of the example CIF were ranked by defining a risk measure. Probability and size of impact are each scored on a rank scale from 1 (minimal) to 5 (maximal); the risk size in Table II is their product.
TABLE II. DEFINITION OF THE RISK MEASURE AND RANKING OF APPLICABLE IT-SECURITY THREATS
Name of threat | Size of impact | Probability | Risk size | Treat risk
Fire | 5 | 1 | 5 | Yes
Major accident | 5 | 1 | 5 | Yes
Disclosure | 2 | 1 | 2 |
Criminal use of hardware | 2 | 1 | 2 |
Criminal use of the software | 2 | 1 | 2 |
Equipment failure | 1 | 1 | 1 |
Breach of information system support | 2 | 1 | 2 |
Abuse of rights | 1 | 1 | 1 |
Denial of action | 1 | 2 | 2 |
Violation from personnel | 2 | 1 | 2 |
The IT-security threats above, given without specifying the type of threat source (staff, natural phenomena or technological catastrophes), are carriers of the two main threat types of the ISO/IEC 15408 series. The results of the risk assessment for the concrete CIF identified the following threats:
• T.LA2DF: an external entity, by means of logical access, may affect the availability, confidentiality and integrity of transmitted messages.
• T.LA2CoIT: an external entity, through logical access to the target IPS component, may disrupt the availability and integrity of the configuration and of the target IPS component itself, as well as the availability, confidentiality and integrity of the information processed by that component.
The risk register for the CIF is formed on the basis of the IPS model, or an existing register is used. In the practice of completed projects [6], a good starting point is, as a rule, the analysis of audit results, for example of compliance with the ISO/IEC 27001 series. Table III shows an example of evaluating the compliance of an IPS of a real CIF with these requirements (several items from each section of the requirements were selected).
TABLE III. COMPLIANCE WITH ISO/IEC 27001
Point | Requirement | Compliance / non-conformance
A.6.1.3 | Responsibilities for IT-security provisioning | Not fully defined in the job descriptions
A.7.1.1 | Inventory of organization assets | Yes
A.10.2.2 | Monitoring and analysis of services provided by third parties and/or organizations | Not fully defined (in respect of foreign affiliates)
A.11.3.2 | Equipment user without sufficient supervision | Yes
A.12.4.1 | Control of the software | Yes
A.15.1.3 | Protection of the organization account | Yes
The need for this arises because one of the assessment tools used in a CC evaluation keeps its security specifications in what is in practice a semi-formal style, whereas a high level of confidence requires formal ones. Note that the higher EAL levels, from EAL5 upward, require semiformal, and at EAL7 formal, models and verification of the design. For example, the Integrity-178B RTOS, certified at EAL6+, is a military operating system (used for combat vehicle automation control and for the NASA space shuttle). To make the use of the CC as an assessment tool more efficient, it is reasonable to apply it to sufficiently formalized items; the IPS model is undoubtedly such a formal item.
E. Step 5. Security target identification
Security targets (security objectives in CC terminology) are brief, abstract statements of the intended solution of the problem already defined. They have three roles:
• To present a high-level description of the solution to the problem.
• To divide this solution into two parts (one for the object of evaluation and the other for its operational environment), reflecting that each entity solves its own part of the problem.
• To show that all these parts together solve the whole problem.
Security targets are defined as recommended in the CC. On the basis of the security targets and their rationale, the conclusion is drawn that if all security targets are reached, the security problem defined earlier is solved; that in turn means that all threats are countered and the security assumptions are upheld.
F. Step 6. Short specification of the valuation object
In this short description the OE user finds information about how the given object meets all its security functional, assurance and IT-management specifications. The correspondence between the IPS model and the real system is described in natural language. Each DFD element of the model corresponds to a certain IPS component, data channel or TB implementation means. For each TB the following points are considered:
• the TB implementation means;
• the security functional and assurance specifications in CC notation;
• the IT-management specifications in ISO/IEC 27001 notation.
It is at this stage that the security problem is considered for each TB, and this is exactly what provides the high precision of the security assessment of such a complicated OE as IT.
VI. IT-SECURITY RISK ASSESSMENT
To interface the risk-assessment procedure with the “hybrid” method of IT-security evaluation, one can take the IPS model, whose validity has been confirmed during the IT-security evaluation, as the base for risk assessment and estimate the probability of threat impact. In this process, the probability of a successful impact of a given threat on a concrete object in the IPS model is calculated as the product of the probability that a data flow (DF) occurs between the threat source and the target object and the probabilities of the DF overcoming each TB along its path.
It must be mentioned that all threat impact probabilities calculated in this way are a priori probabilities, so the assessment of the expected damage from a threat impact is also a priori. For that reason the risks, calculated as the product of the a priori probability and the a priori damage assessment, are themselves a priori. However, since practice is the criterion of truth, the authors believe it useful to repeat the evaluation at intervals as a posteriori risks, using the a posteriori (actual) damage assessment that corresponds to the incidents that occurred. For calculating the a posteriori incident probability, the authors recommend the formula for the failure probability of a repairable object that is used in reliability calculations.
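The calculation described in this section, as an added example by the editor (not the authors' code): a small DFD is held as a list of data flows annotated with the trusted boundary each one crosses, and the a priori probability that a threat source reaches a target is the probability that the DF occurs multiplied by the probabilities of overcoming every TB on the path. The element names borrow the notation of Fig. 2, but the model itself, the boundary probabilities and the DF probability are constructed assumptions. Where the paper evaluates one path, the example enumerates every simple path and reports the worst case, which exposes a flow without a TB.

```python
"""A priori probability of a threat reaching a target in an IPS model.

Editor's worked example; not the authors' code.  The data-flow model is
constructed for illustration and only borrows the element names of
Fig. 2 (EE1, P1..P4, TB1..TB5); all probabilities are assumptions.
"""
from typing import Dict, List, Optional, Tuple

# A data flow of the DFD: (source, destination, trusted boundary it crosses).
# A flow that crosses no TB (None) stays inside one trust zone.
Flow = Tuple[str, str, Optional[str]]

# Constructed IPS model (assumption, not the authors' real object).
FLOWS: List[Flow] = [
    ("EE1", "P1", "TB1"),
    ("P1", "P2", "TB2"),
    ("P2", "P3", "TB3"),
    ("P1", "P3", "TB5"),   # direct flow that bypasses P2
    ("P3", "P4", "TB4"),
    ("P2", "P4", None),    # flow with no TB between P2 and P4 (deliberate gap)
]

# A priori probability that a hostile DF overcomes each TB (assumed values).
P_TB: Dict[str, float] = {"TB1": 0.2, "TB2": 0.5, "TB3": 0.5, "TB4": 0.25, "TB5": 0.1}

# A priori probability that the threat source initiates a DF towards the target.
P_DF: Dict[Tuple[str, str], float] = {("EE1", "P4"): 0.5}


def enumerate_paths(flows: List[Flow], source: str, target: str
                    ) -> List[Tuple[List[str], List[Optional[str]]]]:
    """All simple paths from source to target as (nodes, TBs crossed)."""
    adjacent: Dict[str, List[Tuple[str, Optional[str]]]] = {}
    for src, dst, tb in flows:
        adjacent.setdefault(src, []).append((dst, tb))
    paths: List[Tuple[List[str], List[Optional[str]]]] = []

    def walk(node: str, nodes: List[str], tbs: List[Optional[str]]) -> None:
        if node == target:
            paths.append((list(nodes), list(tbs)))
            return
        for nxt, tb in adjacent.get(node, []):
            if nxt in nodes:          # simple paths only, no cycles
                continue
            nodes.append(nxt)
            tbs.append(tb)
            walk(nxt, nodes, tbs)
            nodes.pop()
            tbs.pop()

    walk(source, [source], [])
    return paths


def path_probability(tbs: List[Optional[str]], p_tb: Dict[str, float]) -> float:
    """Product of the probabilities of overcoming every TB on one path;
    a step that crosses no TB contributes a factor of 1."""
    p = 1.0
    for tb in tbs:
        if tb is not None:
            p *= p_tb[tb]
    return p


def threat_success_probability(flows: List[Flow], p_df: Dict[Tuple[str, str], float],
                               p_tb: Dict[str, float], source: str, target: str
                               ) -> Tuple[float, List[str]]:
    """Section VI: P(success) = P(DF occurs between source and target)
    * prod P(each TB on the way is overcome).  Every simple path is evaluated
    and the worst case (highest probability) is returned with its path."""
    p_flow = p_df.get((source, target), 0.0)
    best_p, best_path = 0.0, []
    for nodes, tbs in enumerate_paths(flows, source, target):
        p = p_flow * path_probability(tbs, p_tb)
        if p > best_p:
            best_p, best_path = p, nodes
    return best_p, best_path


def unguarded_flows(flows: List[Flow]) -> List[Tuple[str, str]]:
    """Flows that cross no TB: candidates for a missing control point in the model."""
    return [(src, dst) for src, dst, tb in flows if tb is None]


if __name__ == "__main__":
    p, path = threat_success_probability(FLOWS, P_DF, P_TB, "EE1", "P4")
    print(f"worst-case a priori probability {p:.4f} via {' -> '.join(path)}")
    print("flows without a trusted boundary:", unguarded_flows(FLOWS))
```

On this constructed model the path through the unguarded flow P2 to P4 dominates (0.5 × 0.2 × 0.5 = 0.05), an order of magnitude above the fully bounded paths; the worst-case path, rather than any single path, is what a TB review should be driven by.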
VII. EXAMPLE OF THE HYBRID METHOD IMPLEMENTATION
The authors have experience in comparing real IT-security assessments obtained in 2016–2017 by different methods for the same CIF [7, 8]. To ensure an identical scale, the IT-security assessment was expressed as a risk measure. The following formula was used for the calculation by the new “hybrid” methodology:
$$R_{apr}[R_i] = \frac{V_i^{(k)} \cdot S_i^{(n)}}{V_{max} \cdot S_{max}} \cdot Q \qquad (1)$$
where:
$R_{apr}$: assessment of the a priori risk for realm $R_i$ of the CIF;
$R_i$: the realm under study in the CIF;
$V_i^{(k)}$: a priori probability of threat realization;
$S_i^{(n)}$: a priori value of the damage;
$V_{max}$: maximum a priori probability of threat realization;
$S_{max}$: maximum amount of damage if the threat is realized;
$Q$: maximum value of the risk-assessment scale;
$k$: maximum value of the probability (taken as 1);
$n$: maximum value of the damage (taken as 3).
The constraints on the calculation by formula (1) for the new “hybrid” method are:
$$0 \le R_{apr} \le 10, \quad Q \le 10, \quad V_i^{(k)} \le k, \quad S_i^{(n)} \le n, \quad V_{max} \le 1, \quad S_{max} \le 3.$$
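Formula (1) with its constraints, carried through as an added example by the editor (not the authors' code). The realm inputs reproduce the published values of Table IV (the “hybrid” method, $V_i = 0.25$ for every realm) and Table V (Order FSTEC N 31 on the R3.* realms, $V_i = 1.00$); the constants $Q$, $k$, $n$, $V_{max}$ and $S_{max}$ are those defined with the formula. The `compare` function and the rounding to two decimals are the editor's additions for reproducing the comparison of Table VI.

```python
"""A priori risk per IT realm by formula (1) of the paper.

Editor's worked example; not the authors' code.  The realm inputs
reproduce Tables IV and V (V_i, S_i as published), and the constants
Q, k, n, V_max, S_max follow the definitions given with formula (1).
"""
from typing import Dict, List, Tuple

Q = 10        # maximum value of the risk-assessment scale
K = 1.0       # k: maximum value of the probability
N = 3.0       # n: maximum value of the damage
V_MAX = 1.0   # maximum a priori probability of threat realization
S_MAX = 3.0   # maximum damage if the threat is realized


def within_limits(v_i: float, s_i: float, v_max: float = V_MAX,
                  s_max: float = S_MAX, q: float = Q) -> bool:
    """The constraints stated for formula (1): Q <= 10, V_i <= k, S_i <= n,
    V_max <= 1, S_max <= 3 (and all quantities non-negative)."""
    return (0.0 <= v_i <= K and 0.0 <= s_i <= N and 0.0 < v_max <= 1.0
            and 0.0 < s_max <= 3.0 and 0.0 < q <= 10.0)


def a_priori_risk(v_i: float, s_i: float, v_max: float = V_MAX,
                  s_max: float = S_MAX, q: float = Q) -> float:
    """R_apr[R_i] = (V_i * S_i) / (V_max * S_max) * Q, formula (1)."""
    if not within_limits(v_i, s_i, v_max, s_max, q):
        raise ValueError("input outside the limits of formula (1)")
    r = (v_i * s_i) / (v_max * s_max) * q
    assert 0.0 <= r <= 10.0       # follows from the limits above
    return r


# Table IV: "hybrid" method, every realm assessed with V_i = 0.25.
HYBRID: Dict[str, Tuple[float, float]] = {
    "R1.1": (0.25, 3.0), "R1.2": (0.25, 3.0), "R1.3": (0.25, 3.0), "R1.4": (0.25, 3.0),
    "R2.1": (0.25, 2.0), "R2.2": (0.25, 2.0), "R2.3": (0.25, 1.0),
    "R3.1.1": (0.25, 3.0), "R3.1.2": (0.25, 3.0), "R3.1.3": (0.25, 3.0),
    "R3.1.4": (0.25, 3.0), "R3.2": (0.25, 3.0), "R3.3": (0.25, 3.0),
}

# Table V: Order FSTEC N 31 covers only the R3.* realms and takes V_i = 1.00.
FSTEC_31: Dict[str, Tuple[float, float]] = {
    realm: (1.0, s) for realm, (_, s) in HYBRID.items() if realm.startswith("R3.")
}


def risk_table(inputs: Dict[str, Tuple[float, float]]) -> Dict[str, float]:
    """R_apr for every realm, rounded to two decimals as in the paper's tables."""
    return {realm: round(a_priori_risk(v, s), 2) for realm, (v, s) in inputs.items()}


def ranked(table: Dict[str, float]) -> List[Tuple[str, float]]:
    """Realms in descending order of a priori risk (stable sort: ties keep table order)."""
    return sorted(table.items(), key=lambda item: -item[1])


def compare(base: Dict[str, float], other: Dict[str, float]) -> Dict[str, float]:
    """Ratio other/base for the realms both methods cover (the Table VI comparison);
    realms the other method cannot cover are left out."""
    return {r: round(other[r] / base[r], 2) for r in base if r in other and base[r] > 0}


if __name__ == "__main__":
    hybrid = risk_table(HYBRID)
    fstec = risk_table(FSTEC_31)
    for realm, r in ranked(hybrid):
        print(f"{realm:7s} hybrid {r:5.2f}   FSTEC 31 {fstec.get(realm, float('nan')):5.2f}")
    print("FSTEC 31 / hybrid:", compare(hybrid, fstec))
```

Because $S_i$, $S_{max}$, $V_{max}$ and $Q$ are the same in both tables, the factor of four between the two methods on every R3.* realm is exactly the ratio of the probability inputs (1.00 against 0.25); the comparison in Table VI therefore measures how each method scores $V_i$, not the damage.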
To bring the results to a ten-point scale, the risk figures are multiplied by a normalizing factor (risk measures range from 1 to 10, and absence of risk is 0). Table VI shows the result of comparing a priori risks obtained by different methods.
The results of the calculation by formula (1) for the new “hybrid” method are presented in Table IV (for the full set of realms R_i of the real CIF object).
TABLE IV. CALCULATION OF A PRIORI RISK BY THE “HYBRID” TECHNIQUE FOR THE CIF OBJECT
IT Realm | V_i^(k) (0..1) | S_i^(n) (0, 1, 2, 3) | R_apr (0..10)
Realm R1.*
Realm R1.1 | 0.25 | 3.00 | 2.50
Realm R1.2 | 0.25 | 3.00 | 2.50
Realm R1.3 | 0.25 | 3.00 | 2.50
Realm R1.4 | 0.25 | 3.00 | 2.50
Realm R2.*
Realm R2.1 (Confidential Storage) | 0.25 | 2.00 | 1.67
Realm R2.2 (ERP System) | 0.25 | 2.00 | 1.67
Realm R2.3 (Internet access) | 0.25 | 1.00 | 0.83
Realm R3.*
Realm R3.1.1 | 0.25 | 3.00 | 2.50
Realm R3.1.2 | 0.25 | 3.00 | 2.50
Realm R3.1.3 | 0.25 | 3.00 | 2.50
Realm R3.1.4 | 0.25 | 3.00 | 2.50
Realm R3.2 (control system for R3.1) | 0.25 | 3.00 | 2.50
Realm R3.3 (control system for R1.*) | 0.25 | 3.00 | 2.50
Note that not all IT realms of a real CIF can be covered by a specific regulatory document such as Order N 31 of FSTEC of Russia or NIST SP 800-53 (USA), in contrast to the proposed method. In particular, realm R2.3 (workstation access to Internet resources) cannot be estimated from the standpoint of, for example, FSTEC Order N 31 or NIST SP 800-53, since those documents address the IT security of control systems. For this reason Table V reflects only those IT realms that fall under the requirements of the particular FSTEC order or NIST SP 800 document.
TABLE V. CALCULATION OF A PRIORI RISK BY THE “HYBRID” TECHNIQUE FOR THE CIF OBJECT IN ACCORDANCE WITH FSTEC ORDER N 31
IT Realm | V_i^(k) (0..1) | S_i^(n) (0, 1, 2, 3) | R_apr (0..10)
Realm R3.*
Realm R3.1.1 | 1.00 | 3.00 | 10.00
Realm R3.1.2 | 1.00 | 3.00 | 10.00
Realm R3.1.3 | 1.00 | 3.00 | 10.00
Realm R3.1.4 | 1.00 | 3.00 | 10.00
Realm R3.2 (control system for R3.1) | 1.00 | 3.00 | 10.00
Realm R3.3 (control system for R1.*) | 1.00 | 3.00 | 10.00
Based on formula (1), calculations can be performed for other standards and recommendations of a particular industry (for example, the STO Gazprom standards regulating the oil and gas industry). The results of the calculations for all IT realms are summarized in Table VI.
TABLE VI. COMPARISON OF A PRIORI RISK ON DIFFERENT METHODOLOGICAL BASES
Columns of the original table: IT Realm | Hybrid method | Order FSTEC 31 | Order FSTEC 21 | STO Gazprom 4.2.2-01 | STO Gazprom 4.2.2-02 | STO Gazprom 4.2.2-03. Each row below gives the hybrid value followed by the values of the other methods that cover the realm, in the order printed; FSTEC Order 31 covers only R3.* (see Table V), and the assignment of the remaining values to the FSTEC 21 and STO Gazprom columns was not preserved in the extracted page.
IT Realm | Hybrid method | Other methods covering the realm
R1.1 | 2.50 | none
R1.2 | 2.50 | none
R1.3 | 2.50 | none
R1.4 | 2.50 | none
R2.1 | 1.67 | 3.33, 6.67, 6.67
R2.2 | 1.67 | 3.33, 6.67, 6.67
R2.3 | 0.83 | none
R3.1.1 | 2.50 | 10.00 (FSTEC 31), 10.00, 10.00
R3.1.2 | 2.50 | 10.00 (FSTEC 31), 10.00, 10.00
R3.1.3 | 2.50 | 10.00 (FSTEC 31), 10.00, 10.00
R3.1.4 | 2.50 | 10.00 (FSTEC 31), 10.00, 10.00
R3.2 | 2.50 | 10.00 (FSTEC 31), 10.00, 10.00
R3.3 | 2.50 | 10.00 (FSTEC 31), 10.00, 10.00
The comparison of a priori risks on a scale with Q = 10 for the different methods is shown in 3D in Fig. 3. Note that the “hybrid” technique gives an estimated a priori risk that is significantly closer to the actual values of a posteriori risk than the other existing assessment methods.
Fig. 3. Comparison of a priori risk on different methodological bases, 3D view
VIII. CONCLUSION
Nowadays IT components with security features that meet the demands of civil society are available. All these components have been evaluated for their competence and are suitable for building security capacity.
A new method was proposed to create a more precise IT-security evaluation tool for a particular object: the “hybrid” method of IT-security assessment based on a set of adequate assessment tools.
The new “hybrid” method differs in that the appropriate level of accuracy can be applied to evaluating an IT object of any scale, including complex industrial facilities. The evaluation process is strictly based on the applicable field of standards and suitable recommendations corresponding to the current level of IT development in the world.
The comparison of the IT-security risk-assessment results showed that using the “hybrid” method as the methodological basis for estimating a priori risks gives the result closest to reality (the a posteriori risk). The accuracy of the risk assessment with the “hybrid” method will increase with the level of detail. A sufficiently large number of cases is needed before statistical accuracy can be judged.
The IT-security assessment report for a CIF is objective evidence generated from measured values and based on a system of public standards: NIST, ISO/IEC, NECR, etc. This makes it possible to assess the security of various CIF, in both national and foreign jurisdictions, on the basis of the “hybrid” method.
REFERENCES
[1] ISO/IEC 27001:2013. Information technology. Security techniques.
Information security management systems. Requirements,
International Organization for Standardization. 2013.
[2] ISO/IEC 15408-1:2009 Information technology - Security techniques
- Evaluation criteria for IT security - Part 1: Introduction and
general model. International Organization for Standardization. 2009.
[3] ISO/IEC 15408-2:2008 Information technology - Security techniques
- Evaluation criteria for IT security - Part 2: Security functional
components. International Organization for Standardization. 2008
[4] ISO/IEC 15408-3:2008 Information technology - Security techniques
- Evaluation criteria for IT security - Part 3: Security assurance
components. International Organization for Standardization. 2008
[5] IEC 61508-1:2010 Functional safety of electrical, electronic,
programmable electronic safety-related systems — Part 1: General
requirements.
[6] IEC 61511-1:2003 Functional safety — Safety instrumented systems
for the process industry sector — Part 1: Framework, definitions,
system, hardware and software requirements.
[7] Livshitz I. Approaches to the Application of the Integrated
Management System Model for Carrying out Audits for Complex
Industrial Objects – Airport Facilities. SPIIRAS Proceedings. 2014.
Vol. 6, pp. 72–94. (In Russ).
[8] Livshitz I. The Methods of optimization audit program for Integrated
Management Systems. SPIIRAS Proceedings. 2016. Vol. 5, pp. 52–
68. https://dx.doi.org/10.15622/sp.48.3. (In Russ).
[9] Martin, Nathaniel F.G. & England, James W. Mathematical Theory
of Entropy. — Cambridge University Press, 2011. — ISBN 978-0-
521-17738-2
[10] European Conference on Modelling and Simulation, May 26-29,
Albena (Varna), Bulgaria, Proceedings, 2015, Albena (Varna), 843
pp.
[11] Li B. S. X., Wan B., Wang C., Zhou X., Chen X. Definitions of
predictability for cyber physical systems//J. of Systems Architecture.
2016 DOI: 10.1016/j.sysarc.2016.01.007
[12] Merlino G., Arkoulis S., Distefano S., Papagianni C., Puliafito A.,
Papavassiliou S. Mobile crowdsensing as a service: A platform for
applications on top of sensing Clouds//Future Generation Computer
Systems. 2016. Vol. 56. P. 623-639
DOI: 10.1016/j.future.2015.09.017
[13] Ganti R., Ye F., Lei H. Mobile crowdsensing: current state and future
challenges//IEEE Communications Magazine. 2011. N 49(11). P. 32-
39 DOI: 10.1007/978-3-319-26401-1_25
[14] Hahn A., Ashok A., Sridhar S., Govindarasu M. Cyber-physical
security testbeds: Architecture, application, and evaluation for smart
grid//IEEE Transact. of Smart Grid. 2013. N 4(2). P. 847-855
DOI: 10.1109/TSG.2012.2226919
[15] Gonga L., Yanga W., Zhoub Z., Mana D., Caic H., Zhoud X., Yange
Z. An adaptive wireless passive human detection via fine-grained
physical layer information//Ad Hoc Networks. 2016. Vol. 38. P. 38-
50 DOI: 10.1016/j.adhoc.2015.09.005

INFORMATION SECURITY MATURITY MODEL FOR NIST CYBER SECURITY FRAMEWORK SultanINFORMATION SECURITY MATURITY MODEL FOR NIST CYBER SECURITY FRAMEWORK Sultan
INFORMATION SECURITY MATURITY MODEL FOR NIST CYBER SECURITY FRAMEWORK Sultan
 
Strategic plan
Strategic planStrategic plan
Strategic plan
 
Ea Relationship To Security And The Enterprise V1
Ea Relationship To Security And The Enterprise V1Ea Relationship To Security And The Enterprise V1
Ea Relationship To Security And The Enterprise V1
 
Only Abstract
Only AbstractOnly Abstract
Only Abstract
 
Hardware Design Practices For Modern Hardware
Hardware Design Practices For Modern HardwareHardware Design Practices For Modern Hardware
Hardware Design Practices For Modern Hardware
 
Poster ECIS 2016
Poster ECIS 2016Poster ECIS 2016
Poster ECIS 2016
 
Security Analysis and Data Visualization
Security Analysis and Data VisualizationSecurity Analysis and Data Visualization
Security Analysis and Data Visualization
 
Knowledge Acquisition Based on Repertory Grid Analysis System
Knowledge Acquisition Based on Repertory Grid Analysis SystemKnowledge Acquisition Based on Repertory Grid Analysis System
Knowledge Acquisition Based on Repertory Grid Analysis System
 
Assessment and Mitigation of Risks Involved in Electronics Payment Systems
Assessment and Mitigation of Risks Involved in Electronics Payment Systems Assessment and Mitigation of Risks Involved in Electronics Payment Systems
Assessment and Mitigation of Risks Involved in Electronics Payment Systems
 
Upsurging Cyber-Kinetic attacks in Mobile Cyber Physical Systems
Upsurging Cyber-Kinetic attacks in Mobile Cyber Physical SystemsUpsurging Cyber-Kinetic attacks in Mobile Cyber Physical Systems
Upsurging Cyber-Kinetic attacks in Mobile Cyber Physical Systems
 
Visualization of Computer Forensics Analysis on Digital Evidence
Visualization of Computer Forensics Analysis on Digital EvidenceVisualization of Computer Forensics Analysis on Digital Evidence
Visualization of Computer Forensics Analysis on Digital Evidence
 
FUNCTIONAL AND INFORMATIONAL MODEL OF EXPERT SPECIALIZATION USING IDEF STANDARD
FUNCTIONAL AND INFORMATIONAL MODEL OF EXPERT SPECIALIZATION USING IDEF STANDARDFUNCTIONAL AND INFORMATIONAL MODEL OF EXPERT SPECIALIZATION USING IDEF STANDARD
FUNCTIONAL AND INFORMATIONAL MODEL OF EXPERT SPECIALIZATION USING IDEF STANDARD
 
Dynamic Validity Period Calculation of Digital Certificates Based on Aggregat...
Dynamic Validity Period Calculation of Digital Certificates Based on Aggregat...Dynamic Validity Period Calculation of Digital Certificates Based on Aggregat...
Dynamic Validity Period Calculation of Digital Certificates Based on Aggregat...
 
Cis 519 Week 3 Individual Assignment
Cis 519 Week 3 Individual AssignmentCis 519 Week 3 Individual Assignment
Cis 519 Week 3 Individual Assignment
 
Availability Assessment of Software Systems Architecture Using Formal Models
Availability Assessment of Software Systems Architecture Using Formal ModelsAvailability Assessment of Software Systems Architecture Using Formal Models
Availability Assessment of Software Systems Architecture Using Formal Models
 
machine-learning-development-audit-framework-assessment-and-inspection-of-ris...
machine-learning-development-audit-framework-assessment-and-inspection-of-ris...machine-learning-development-audit-framework-assessment-and-inspection-of-ris...
machine-learning-development-audit-framework-assessment-and-inspection-of-ris...
 
Lq3620002008
Lq3620002008Lq3620002008
Lq3620002008
 
Discussion 1Recommend three countermeasures that could enhance.docx
Discussion 1Recommend three countermeasures that could enhance.docxDiscussion 1Recommend three countermeasures that could enhance.docx
Discussion 1Recommend three countermeasures that could enhance.docx
 
AN EXTENDED SECURITY MEASUREMENT FRAMEWORK FOR OPEN-SOURCE ENTERPRISE RESOURC...
AN EXTENDED SECURITY MEASUREMENT FRAMEWORK FOR OPEN-SOURCE ENTERPRISE RESOURC...AN EXTENDED SECURITY MEASUREMENT FRAMEWORK FOR OPEN-SOURCE ENTERPRISE RESOURC...
AN EXTENDED SECURITY MEASUREMENT FRAMEWORK FOR OPEN-SOURCE ENTERPRISE RESOURC...
 

More from Илья Лившиц

64 71-125-18 8.-livshits
64 71-125-18 8.-livshits64 71-125-18 8.-livshits
64 71-125-18 8.-livshits
Илья Лившиц
 
1 fruct genesis_livshitz_v6_17-03-2018
1 fruct genesis_livshitz_v6_17-03-20181 fruct genesis_livshitz_v6_17-03-2018
1 fruct genesis_livshitz_v6_17-03-2018
Илья Лившиц
 
Токсичные активы
Токсичные активыТоксичные активы
Токсичные активы
Илья Лившиц
 
The optimization method of the integrated management systems audit program v2+
The optimization method of the integrated management systems audit program v2+The optimization method of the integrated management systems audit program v2+
The optimization method of the integrated management systems audit program v2+
Илья Лившиц
 
On the issue of conformity assessment services of electronic information secu...
On the issue of conformity assessment services of electronic information secu...On the issue of conformity assessment services of electronic information secu...
On the issue of conformity assessment services of electronic information secu...
Илья Лившиц
 
Method of forming numerical metrics of information security v2+
Method of forming numerical metrics of information security v2+Method of forming numerical metrics of information security v2+
Method of forming numerical metrics of information security v2+
Илья Лившиц
 
доклад тэк лившиц+маликов_v2_09-03-2016
доклад тэк лившиц+маликов_v2_09-03-2016доклад тэк лившиц+маликов_v2_09-03-2016
доклад тэк лившиц+маликов_v2_09-03-2016
Илья Лившиц
 
Противодействие угрозам "нулевого дня" посредством мгновенных аудитов ИБ
Противодействие угрозам "нулевого дня" посредством мгновенных аудитов ИБПротиводействие угрозам "нулевого дня" посредством мгновенных аудитов ИБ
Противодействие угрозам "нулевого дня" посредством мгновенных аудитов ИБ
Илья Лившиц
 
Обеспечение информационной безопасности в соответствии с требованиями СТО БР ...
Обеспечение информационной безопасности в соответствии с требованиями СТО БР ...Обеспечение информационной безопасности в соответствии с требованиями СТО БР ...
Обеспечение информационной безопасности в соответствии с требованиями СТО БР ...
Илья Лившиц
 
Обеспечение информационной безопасности сервисов доверенной третьей стороны
Обеспечение информационной безопасности сервисов доверенной третьей стороныОбеспечение информационной безопасности сервисов доверенной третьей стороны
Обеспечение информационной безопасности сервисов доверенной третьей стороны
Илья Лившиц
 
Методика выполнения комплексных аудитов промышленных объектов для обеспечения...
Методика выполнения комплексных аудитов промышленных объектов для обеспечения...Методика выполнения комплексных аудитов промышленных объектов для обеспечения...
Методика выполнения комплексных аудитов промышленных объектов для обеспечения...
Илья Лившиц
 
Внедрение систем энергоменеджмента в соответствии с требованиями ISO 50001:20...
Внедрение систем энергоменеджмента в соответствии с требованиями ISO 50001:20...Внедрение систем энергоменеджмента в соответствии с требованиями ISO 50001:20...
Внедрение систем энергоменеджмента в соответствии с требованиями ISO 50001:20...
Илья Лившиц
 
Определение бюджета для реализации проекта системы менеджмента информационной...
Определение бюджета для реализации проекта системы менеджмента информационной...Определение бюджета для реализации проекта системы менеджмента информационной...
Определение бюджета для реализации проекта системы менеджмента информационной...
Илья Лившиц
 
Применение риск-ориентированных стандартов для обеспечения комплексной безопа...
Применение риск-ориентированных стандартов для обеспечения комплексной безопа...Применение риск-ориентированных стандартов для обеспечения комплексной безопа...
Применение риск-ориентированных стандартов для обеспечения комплексной безопа...
Илья Лившиц
 
К ВОПРОСУ ОЦЕНКИ РЕЗУЛЬТАТИВНОСТИ ПРИ ВНЕДРЕНИИ СИСТЕМ МЕНЕДЖМЕНТА ИНФОРМАЦИО...
К ВОПРОСУ ОЦЕНКИ РЕЗУЛЬТАТИВНОСТИ ПРИ ВНЕДРЕНИИ СИСТЕМ МЕНЕДЖМЕНТА ИНФОРМАЦИО...К ВОПРОСУ ОЦЕНКИ РЕЗУЛЬТАТИВНОСТИ ПРИ ВНЕДРЕНИИ СИСТЕМ МЕНЕДЖМЕНТА ИНФОРМАЦИО...
К ВОПРОСУ ОЦЕНКИ РЕЗУЛЬТАТИВНОСТИ ПРИ ВНЕДРЕНИИ СИСТЕМ МЕНЕДЖМЕНТА ИНФОРМАЦИО...
Илья Лившиц
 
Исследование зависимости сертификации по международным стандартам ISO от типо...
Исследование зависимости сертификации по международным стандартам ISO от типо...Исследование зависимости сертификации по международным стандартам ISO от типо...
Исследование зависимости сертификации по международным стандартам ISO от типо...
Илья Лившиц
 
Подходы к применению модели интегрированной системы менеджмента для проведени...
Подходы к применению модели интегрированной системы менеджмента для проведени...Подходы к применению модели интегрированной системы менеджмента для проведени...
Подходы к применению модели интегрированной системы менеджмента для проведени...
Илья Лившиц
 
МЕТОДИКА ЧИСЛЕННОЙ ОЦЕНКИ УЯЗВИМОСТЕЙ И УГРОЗ ИНФОРМАЦИОННОЙ БЕЗОПАСНОСТИ ДЛЯ...
МЕТОДИКА ЧИСЛЕННОЙ ОЦЕНКИ УЯЗВИМОСТЕЙ И УГРОЗ ИНФОРМАЦИОННОЙ БЕЗОПАСНОСТИ ДЛЯ...МЕТОДИКА ЧИСЛЕННОЙ ОЦЕНКИ УЯЗВИМОСТЕЙ И УГРОЗ ИНФОРМАЦИОННОЙ БЕЗОПАСНОСТИ ДЛЯ...
МЕТОДИКА ЧИСЛЕННОЙ ОЦЕНКИ УЯЗВИМОСТЕЙ И УГРОЗ ИНФОРМАЦИОННОЙ БЕЗОПАСНОСТИ ДЛЯ...
Илья Лившиц
 
РИСК-ОРИЕНТИРОВАННЫЕ СТАНДАРТЫ ДЛЯ СИСТЕМ МЕНЕДЖМЕНТА ПРОМЫШЛЕННЫХ ПРЕДПРИЯТИЙ
РИСК-ОРИЕНТИРОВАННЫЕ СТАНДАРТЫ ДЛЯ СИСТЕМ МЕНЕДЖМЕНТА ПРОМЫШЛЕННЫХ ПРЕДПРИЯТИЙРИСК-ОРИЕНТИРОВАННЫЕ СТАНДАРТЫ ДЛЯ СИСТЕМ МЕНЕДЖМЕНТА ПРОМЫШЛЕННЫХ ПРЕДПРИЯТИЙ
РИСК-ОРИЕНТИРОВАННЫЕ СТАНДАРТЫ ДЛЯ СИСТЕМ МЕНЕДЖМЕНТА ПРОМЫШЛЕННЫХ ПРЕДПРИЯТИЙ
Илья Лившиц
 

More from Илья Лившиц (19)

64 71-125-18 8.-livshits
64 71-125-18 8.-livshits64 71-125-18 8.-livshits
64 71-125-18 8.-livshits
 
1 fruct genesis_livshitz_v6_17-03-2018
1 fruct genesis_livshitz_v6_17-03-20181 fruct genesis_livshitz_v6_17-03-2018
1 fruct genesis_livshitz_v6_17-03-2018
 
Токсичные активы
Токсичные активыТоксичные активы
Токсичные активы
 
The optimization method of the integrated management systems audit program v2+
The optimization method of the integrated management systems audit program v2+The optimization method of the integrated management systems audit program v2+
The optimization method of the integrated management systems audit program v2+
 
On the issue of conformity assessment services of electronic information secu...
On the issue of conformity assessment services of electronic information secu...On the issue of conformity assessment services of electronic information secu...
On the issue of conformity assessment services of electronic information secu...
 
Method of forming numerical metrics of information security v2+
Method of forming numerical metrics of information security v2+Method of forming numerical metrics of information security v2+
Method of forming numerical metrics of information security v2+
 
доклад тэк лившиц+маликов_v2_09-03-2016
доклад тэк лившиц+маликов_v2_09-03-2016доклад тэк лившиц+маликов_v2_09-03-2016
доклад тэк лившиц+маликов_v2_09-03-2016
 
Противодействие угрозам "нулевого дня" посредством мгновенных аудитов ИБ
Противодействие угрозам "нулевого дня" посредством мгновенных аудитов ИБПротиводействие угрозам "нулевого дня" посредством мгновенных аудитов ИБ
Противодействие угрозам "нулевого дня" посредством мгновенных аудитов ИБ
 
Обеспечение информационной безопасности в соответствии с требованиями СТО БР ...
Обеспечение информационной безопасности в соответствии с требованиями СТО БР ...Обеспечение информационной безопасности в соответствии с требованиями СТО БР ...
Обеспечение информационной безопасности в соответствии с требованиями СТО БР ...
 
Обеспечение информационной безопасности сервисов доверенной третьей стороны
Обеспечение информационной безопасности сервисов доверенной третьей стороныОбеспечение информационной безопасности сервисов доверенной третьей стороны
Обеспечение информационной безопасности сервисов доверенной третьей стороны
 
Методика выполнения комплексных аудитов промышленных объектов для обеспечения...
Методика выполнения комплексных аудитов промышленных объектов для обеспечения...Методика выполнения комплексных аудитов промышленных объектов для обеспечения...
Методика выполнения комплексных аудитов промышленных объектов для обеспечения...
 
Внедрение систем энергоменеджмента в соответствии с требованиями ISO 50001:20...
Внедрение систем энергоменеджмента в соответствии с требованиями ISO 50001:20...Внедрение систем энергоменеджмента в соответствии с требованиями ISO 50001:20...
Внедрение систем энергоменеджмента в соответствии с требованиями ISO 50001:20...
 
Определение бюджета для реализации проекта системы менеджмента информационной...
Определение бюджета для реализации проекта системы менеджмента информационной...Определение бюджета для реализации проекта системы менеджмента информационной...
Определение бюджета для реализации проекта системы менеджмента информационной...
 
Применение риск-ориентированных стандартов для обеспечения комплексной безопа...
Применение риск-ориентированных стандартов для обеспечения комплексной безопа...Применение риск-ориентированных стандартов для обеспечения комплексной безопа...
Применение риск-ориентированных стандартов для обеспечения комплексной безопа...
 
К ВОПРОСУ ОЦЕНКИ РЕЗУЛЬТАТИВНОСТИ ПРИ ВНЕДРЕНИИ СИСТЕМ МЕНЕДЖМЕНТА ИНФОРМАЦИО...
К ВОПРОСУ ОЦЕНКИ РЕЗУЛЬТАТИВНОСТИ ПРИ ВНЕДРЕНИИ СИСТЕМ МЕНЕДЖМЕНТА ИНФОРМАЦИО...К ВОПРОСУ ОЦЕНКИ РЕЗУЛЬТАТИВНОСТИ ПРИ ВНЕДРЕНИИ СИСТЕМ МЕНЕДЖМЕНТА ИНФОРМАЦИО...
К ВОПРОСУ ОЦЕНКИ РЕЗУЛЬТАТИВНОСТИ ПРИ ВНЕДРЕНИИ СИСТЕМ МЕНЕДЖМЕНТА ИНФОРМАЦИО...
 
Исследование зависимости сертификации по международным стандартам ISO от типо...
Исследование зависимости сертификации по международным стандартам ISO от типо...Исследование зависимости сертификации по международным стандартам ISO от типо...
Исследование зависимости сертификации по международным стандартам ISO от типо...
 
Подходы к применению модели интегрированной системы менеджмента для проведени...
Подходы к применению модели интегрированной системы менеджмента для проведени...Подходы к применению модели интегрированной системы менеджмента для проведени...
Подходы к применению модели интегрированной системы менеджмента для проведени...
 
МЕТОДИКА ЧИСЛЕННОЙ ОЦЕНКИ УЯЗВИМОСТЕЙ И УГРОЗ ИНФОРМАЦИОННОЙ БЕЗОПАСНОСТИ ДЛЯ...
МЕТОДИКА ЧИСЛЕННОЙ ОЦЕНКИ УЯЗВИМОСТЕЙ И УГРОЗ ИНФОРМАЦИОННОЙ БЕЗОПАСНОСТИ ДЛЯ...МЕТОДИКА ЧИСЛЕННОЙ ОЦЕНКИ УЯЗВИМОСТЕЙ И УГРОЗ ИНФОРМАЦИОННОЙ БЕЗОПАСНОСТИ ДЛЯ...
МЕТОДИКА ЧИСЛЕННОЙ ОЦЕНКИ УЯЗВИМОСТЕЙ И УГРОЗ ИНФОРМАЦИОННОЙ БЕЗОПАСНОСТИ ДЛЯ...
 
РИСК-ОРИЕНТИРОВАННЫЕ СТАНДАРТЫ ДЛЯ СИСТЕМ МЕНЕДЖМЕНТА ПРОМЫШЛЕННЫХ ПРЕДПРИЯТИЙ
РИСК-ОРИЕНТИРОВАННЫЕ СТАНДАРТЫ ДЛЯ СИСТЕМ МЕНЕДЖМЕНТА ПРОМЫШЛЕННЫХ ПРЕДПРИЯТИЙРИСК-ОРИЕНТИРОВАННЫЕ СТАНДАРТЫ ДЛЯ СИСТЕМ МЕНЕДЖМЕНТА ПРОМЫШЛЕННЫХ ПРЕДПРИЯТИЙ
РИСК-ОРИЕНТИРОВАННЫЕ СТАНДАРТЫ ДЛЯ СИСТЕМ МЕНЕДЖМЕНТА ПРОМЫШЛЕННЫХ ПРЕДПРИЯТИЙ
 

Recently uploaded

Student information management system project report ii.pdf
Student information management system project report ii.pdfStudent information management system project report ii.pdf
Student information management system project report ii.pdf
Kamal Acharya
 
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
bakpo1
 
J.Yang, ICLR 2024, MLILAB, KAIST AI.pdf
J.Yang,  ICLR 2024, MLILAB, KAIST AI.pdfJ.Yang,  ICLR 2024, MLILAB, KAIST AI.pdf
J.Yang, ICLR 2024, MLILAB, KAIST AI.pdf
MLILAB
 
COLLEGE BUS MANAGEMENT SYSTEM PROJECT REPORT.pdf
COLLEGE BUS MANAGEMENT SYSTEM PROJECT REPORT.pdfCOLLEGE BUS MANAGEMENT SYSTEM PROJECT REPORT.pdf
COLLEGE BUS MANAGEMENT SYSTEM PROJECT REPORT.pdf
Kamal Acharya
 
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
AJAYKUMARPUND1
 
Final project report on grocery store management system..pdf
Final project report on grocery store management system..pdfFinal project report on grocery store management system..pdf
Final project report on grocery store management system..pdf
Kamal Acharya
 
road safety engineering r s e unit 3.pdf
road safety engineering  r s e unit 3.pdfroad safety engineering  r s e unit 3.pdf
road safety engineering r s e unit 3.pdf
VENKATESHvenky89705
 
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
MdTanvirMahtab2
 
DESIGN A COTTON SEED SEPARATION MACHINE.docx
DESIGN A COTTON SEED SEPARATION MACHINE.docxDESIGN A COTTON SEED SEPARATION MACHINE.docx
DESIGN A COTTON SEED SEPARATION MACHINE.docx
FluxPrime1
 
Automobile Management System Project Report.pdf
Automobile Management System Project Report.pdfAutomobile Management System Project Report.pdf
Automobile Management System Project Report.pdf
Kamal Acharya
 
The role of big data in decision making.
The role of big data in decision making.The role of big data in decision making.
The role of big data in decision making.
ankuprajapati0525
 
ASME IX(9) 2007 Full Version .pdf
ASME IX(9)  2007 Full Version       .pdfASME IX(9)  2007 Full Version       .pdf
ASME IX(9) 2007 Full Version .pdf
AhmedHussein950959
 
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
obonagu
 
addressing modes in computer architecture
addressing modes  in computer architectureaddressing modes  in computer architecture
addressing modes in computer architecture
ShahidSultan24
 
H.Seo, ICLR 2024, MLILAB, KAIST AI.pdf
H.Seo,  ICLR 2024, MLILAB,  KAIST AI.pdfH.Seo,  ICLR 2024, MLILAB,  KAIST AI.pdf
H.Seo, ICLR 2024, MLILAB, KAIST AI.pdf
MLILAB
 
Halogenation process of chemical process industries
Halogenation process of chemical process industriesHalogenation process of chemical process industries
Halogenation process of chemical process industries
MuhammadTufail242431
 
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Dr.Costas Sachpazis
 
Event Management System Vb Net Project Report.pdf
Event Management System Vb Net  Project Report.pdfEvent Management System Vb Net  Project Report.pdf
Event Management System Vb Net Project Report.pdf
Kamal Acharya
 
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdfTop 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
Teleport Manpower Consultant
 
NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...
NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...
NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...
Amil Baba Dawood bangali
 

Recently uploaded (20)

Student information management system project report ii.pdf
Student information management system project report ii.pdfStudent information management system project report ii.pdf
Student information management system project report ii.pdf
 
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
 
J.Yang, ICLR 2024, MLILAB, KAIST AI.pdf
J.Yang,  ICLR 2024, MLILAB, KAIST AI.pdfJ.Yang,  ICLR 2024, MLILAB, KAIST AI.pdf
J.Yang, ICLR 2024, MLILAB, KAIST AI.pdf
 
COLLEGE BUS MANAGEMENT SYSTEM PROJECT REPORT.pdf
COLLEGE BUS MANAGEMENT SYSTEM PROJECT REPORT.pdfCOLLEGE BUS MANAGEMENT SYSTEM PROJECT REPORT.pdf
COLLEGE BUS MANAGEMENT SYSTEM PROJECT REPORT.pdf
 
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
 
Final project report on grocery store management system..pdf
Final project report on grocery store management system..pdfFinal project report on grocery store management system..pdf
Final project report on grocery store management system..pdf
 
road safety engineering r s e unit 3.pdf
road safety engineering  r s e unit 3.pdfroad safety engineering  r s e unit 3.pdf
road safety engineering r s e unit 3.pdf
 
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
 
DESIGN A COTTON SEED SEPARATION MACHINE.docx
DESIGN A COTTON SEED SEPARATION MACHINE.docxDESIGN A COTTON SEED SEPARATION MACHINE.docx
DESIGN A COTTON SEED SEPARATION MACHINE.docx
 
Automobile Management System Project Report.pdf
Automobile Management System Project Report.pdfAutomobile Management System Project Report.pdf
Automobile Management System Project Report.pdf
 
The role of big data in decision making.
The role of big data in decision making.The role of big data in decision making.
The role of big data in decision making.
 
ASME IX(9) 2007 Full Version .pdf
ASME IX(9)  2007 Full Version       .pdfASME IX(9)  2007 Full Version       .pdf
ASME IX(9) 2007 Full Version .pdf
 
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
 
addressing modes in computer architecture
addressing modes  in computer architectureaddressing modes  in computer architecture
addressing modes in computer architecture
 
H.Seo, ICLR 2024, MLILAB, KAIST AI.pdf
H.Seo,  ICLR 2024, MLILAB,  KAIST AI.pdfH.Seo,  ICLR 2024, MLILAB,  KAIST AI.pdf
H.Seo, ICLR 2024, MLILAB, KAIST AI.pdf
 
Halogenation process of chemical process industries
Halogenation process of chemical process industriesHalogenation process of chemical process industries
Halogenation process of chemical process industries
 
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
 
Event Management System Vb Net Project Report.pdf
Event Management System Vb Net  Project Report.pdfEvent Management System Vb Net  Project Report.pdf
Event Management System Vb Net Project Report.pdf
 
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdfTop 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
 
NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...
NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...
NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...
 

2 fruct hybrid_livshitz_v7_17-03-2018

But the most important lesson of experience is that the adequate assessment tools should not be too many and that, taken together, they should form a basis with mutually independent assessment lines (compare the linear independence of vectors).

III. THE EXPERTISE

In almost any domain, all problems can be solved on the basis of these three, fairly independent, types of expertise:

- Experience (E): expertise carried by the individual.
- Requirements (R): expertise fixed on a data carrier as loosely formalised requirements.
- Calculation (C): expertise based on measurement and calculation.

Each type of expertise has its own merits and demerits. In some cases a problem can be solved with one type of expertise alone or with an arbitrary combination of them. Historically, everything starts with the E-type of expertise. Ideally, however, all three types are used together, in harmonious interaction with each other. Graphically this can be pictured as a triangle whose vertices represent the “poles” of expertise, while the “body” of the triangle, away from the vertices, represents some combination of them, the contribution of each type to the mix being determined by its closeness to the corresponding vertex (see Fig. 1).

Fig. 1. Expertise contributions in graphical form

The point A1 represents the expertise mix before the publication of the TCSEC. The point A2 shows the expertise mix of the “rainbow series” era, when security specifications were first structured, loosely formalised and made accessible to the public. The point A3 corresponds to the expertise mix of the Common Criteria (CC) period, when security and assurance specifications were harmonised
with the level of IT evolution, precisely structured and brought to a semi-formal style. It was exactly in the CC period that the C-type of expertise appeared in the mix, not least because risk was included in the list of security concepts and its correlations began to be investigated.

The aim of the “hybrid” method, as the authors see it, is to increase the contribution of the C-type of expertise to a level that brings the expertise point into the optimal zone of Fig. 1. This requires that IT-security evaluation be carried out by calculation, in the same way that a reliability index or the strength of a cryptographic primitive is estimated.

IV. THE “HYBRID” METHOD OF EVALUATION

As assessment tools, the “hybrid” method uses the ISO/IEC 27001 series [1], the CC (the ISO/IEC 15408 series may be substituted [2, 3, 4]) and Data Flow Diagrams (DFD). The last is chosen because, notwithstanding the shift of emphasis from structural to object-oriented approaches in the analysis and design of information systems, structural notations are still widely and effectively used in both business and system analysis. If desired, DFD may be replaced by another modelling tool, e.g. the Unified Modeling Language (UML). For industrial automation, tools such as IEC 61508 [5] or IEC 61511 [6] are useful when information security and functional safety questions have to be tied together.

All of these assessment tools are actively maintained and kept adequate to the current level of IT evolution and to consumer demands. Moreover, and this is not a small matter, these standards are widely used in practice for evaluation, just as DFD is widely used for system modelling.

In the modern IT belief system, which holds that “everything is an object”, the “hybrid” method defines the following types of object:

- IT: a production method, in the context of our issue the method of information processing.
- IT component: a part of the information processing method which can, in turn, be divided into components. When it has to be shown that an IT component is undivided, it is called an IT element. IT and its components can be established either on a hardware base or without one.
- Information Processing System (IPS): a set of hardware with specified relations, used as the base on which IT or an IT component is established.
- IPS component: a part of an IPS that, in turn, can also be divided into parts. When it has to be shown that an IPS component is undivided, it is called an IPS element.

V. THE MAIN IDEA OF THE “HYBRID” METHOD

The primary intent of the suggested “hybrid” method of IT-security evaluation is the ability to perform a security assessment, at a preset level of detail, of an arbitrary object of evaluation (OE), which may be any IT or a separate component of it. The distinctive feature of the method is achieved by a simple but effective solution: a model of the system in operation is built, and attention is concentrated on security issues at the places where it can bring an effective solution, i.e. at a limited number of trust boundary points (TB) [7, 8]. It is exactly at the TB that control is realised by security functions or by the operational environment, in CC notation; likewise, the IT-security controls in ISO/IEC 27001 notation are provided exactly for the TB. Thus the quality of the IT-security evaluation is determined to a great extent by the validity of the OE model. On one hand, creating an adequate IT model of the OE may cause difficulties for persons without sufficient skills; on the other hand, it must be noted that the OE cannot be examined satisfactorily without a model of the IT as a whole or of its components.

The “hybrid” method does not require developing a unified list of requirements for a Security Target (ST), or for a set of STs, as would have to be done if the CC doctrine were followed dogmatically.
However, at the same time, some structures and forming procedures are adopted partially from the ST. In one sense this is done so as not to introduce new essences over existing ones; in another, to provide “hybrid” method users with sets of materials compatible with the ST parts, which may be useful if they later decide to develop an ST and certify the OE under CC.

The operation sequence provided by the “hybrid” method:
 IT structuring.
 Device space structuring.
 IPS modelling.
 Security issue defining.
 Security target identification.
 Short specification of the object of evaluation.

A. Step 1. IT structuring

All IT that provides business process automation is divided into a few realms. The number of realms and their content are determined so as to be convenient and effective to work with. The number and content of realms are also affected by the concentration, within one realm's borders, of the IT that automates those business processes of the organization which are similar by some criteria, and by the attainability of the evaluation targets. A realm can be both a composite and a tiered hierarchical structure containing nested realms.

B. Step 2. Device space structuring

The device space occupied by an organization is structured into a few locations (L). Their number depends on the actual position of the organization's assets in the device space, on working convenience and efficiency, and on the attainability of the evaluation targets. A location can likewise be both a composite and a tiered hierarchical structure containing nested locations.

C. Step 3. IPS modelling

The IPS model, which is the base for the IT, is built in terms of DFD. The number of models built is chosen so as to be convenient to work with, to give a comprehensive picture with the required level of detail, and to ensure the accomplishment of the evaluation targets.
If needed, more than one model can be developed per system, and equally a single model can be designed for several systems similar to each other [7, 8]. Fig. 2 shows the IPS model for a real object (from the authors' practical experience).

[Fig. 2: DFD of the IPS model; elements labelled in the original figure: location L1; realms R2.1, R2.3, R1.4; processes P1–P4, P; external entities EE1–EE3; trusted boundaries TB1–TB6, TB9, TB10]
Fig. 2. IPS model for a real evaluation object

D. Step 4. Security issue defining

Security issue defining consists of the logical determination of the IT-security threats, the organization's security policy and the assumptions about the operating environment. Keeping in mind Albert Einstein's remark that “Everything should be made as simple as possible, but not simpler”, we try to avoid over-detailed elaboration of the security threat information. In the authors' opinion it is necessary and sufficient to determine the security threat information on the IPS model, obtaining the optimal level of detail by going from the DFD objects to the tools that realize them, in practice to the IPS components, while considering each IPS component as a finite automaton.

The definition of security problems for complex industrial facilities (CIF) is the sequential definition of the IT-security threats, the organization's IT-security policies and the assumptions about the IT-security environment. We emphasize that threats to a CIF are determined by means of risks, as is customary in international practice ([9], [10], [11], [12], [13], [14], [15]). In accordance with Annex C of ISO/IEC 27005, a list of typical threats is taken into account (see Table I). From this list, on the basis of a preliminary survey of the real CIF, the applicable threats are selected; they are then ranked by the degree of their impact on IT-security risks according to ISO/IEC 27001.

TABLE I. THE LIST OF IT-SECURITY THREATS

Type of Threats | Name of Threat | Applicable
Physical | Fire | Yes
Physical | The water damage |
Physical | Pollution |
Physical | Major accident | Yes
Physical | Destruction of equipment or media |
Compromise of information | Disclosure |
Compromise of information | Data from untrusted sources |
Compromise of information | Criminal use of hardware | Yes
Compromise of information | Criminal use of the software | Yes
Technical fault | Saturation of the information system |
Technical fault | Equipment failure | Yes
Technical fault | Malfunction of the software |
Technical fault | Breach of information system support | Yes
Compromise of functions | Falsification of the rights |
Compromise of functions | The abuse of rights | Yes
Compromise of functions | The denial of action | Yes
Compromise of functions | Violation from personnel | Yes

The threats that the object of evaluation must confront are determined by the risk register (for example, in order of severity). An example of defining the risk measure and ranking the threats in ascending order of severity is given in Table II. In accordance with Annex C of ISO/IEC 27005, for the example CIF the applicable threats were ranked by defining risk measures. The probability and the size of impact are determined on a rank scale in ascending order from 1 (minimal) to 5 (maximum); the risk size in Table II is the product of the two ranks.

TABLE II. DEFINITION OF A MEASURE OF RISK AND RANKING OF APPLICABLE IT-SECURITY THREATS

Name of Threat | Size of impact | Probability | Risk size | Treatment risk
Fire | 5 | 1 | 5 | Yes
Major accident | 5 | 1 | 5 | Yes
Disclosure | 2 | 1 | 2 |
Criminal use of hardware | 2 | 1 | 2 |
Criminal use of the software | 2 | 1 | 2 |
Equipment failure | 1 | 1 | 1 |
Breach of information system support | 2 | 1 | 2 |
The abuse of rights | 1 | 1 | 1 |
The denial of action | 1 | 2 | 2 |
Violation of health personnel | 2 | 1 | 2 |

The IT-security threats above, given without specifying the type of threat source (which may be staff, natural phenomena or technological catastrophes), are carriers of the two main types of threat of the ISO/IEC 15408 series. The results of the risk assessment for the concrete CIF identified the following threats:
 T.LA2DF – an external entity, by means of logical access, may affect the availability, confidentiality and integrity of transmitted messages.
 T.LA2CoIT – an external entity, through logical access to the target component of the IPS, may disrupt the availability and integrity of the configuration and of the target component of the IPS itself, as well as the availability, confidentiality and integrity of the information processed by the target component of the IPS.

The risk register for a CIF is formed on the basis of the IPS model, or an existing register is used. In the practice of completed projects [6], as a rule, a good starting point is the analysis of audit results, for example of compliance with the ISO/IEC 27001 series. Table III shows an example of the compliance evaluation of some IPS against the requirements for a real CIF (several items selected from each section of the requirements).

TABLE III. COMPLIANCE WITH ISO/IEC 27001

Point | Requirement | Compliance | Non-conformance
A.6.1.3 | Responsibilities for IT-Security provisioning | | Not fully defined in the job descriptions
A.7.1.1 | Inventory of organization assets | Yes |
A.10.2.2 | Monitoring and analysis of services provided by third parties and/or organizations | | Not fully defined (in respect of foreign affiliates)
A.11.3.2 | Equipment user without sufficient supervision | Yes |
A.12.4.1 | Control of the software | Yes |
A.15.1.3 | Protection of the organization account | Yes |

The necessity arises because one of the assessment tools used in a CC evaluation keeps security specifications that in practice appear in a semi-formal style, whereas a high level of confidence indeed requires formal ones. One must note that the really high EAL levels, from 5 upwards, mean that all possible checks by mathematical methods have been done. For example, the Integrity-178B RTOS, an EAL6+ system, is a military operating system (which was used for combat vehicle automation control and for the NASA space shuttle).
To make the use of CC as an assessment tool more efficient, it is reasonable to apply it to fairly formalized items; the IPS model is undoubtedly a formal one.

E. Step 5. Security target identification

Security targets are a brief and abstract statement of the assumed solution of the issue already defined. They have three roles:
 To present a high-level description of the issue solution.
 To divide this solution into two pieces (one for the object of evaluation and one for the functional environment), reflecting that each essence solves its own part of the issue.
 To show that all these parts together make up a complete solution of the problem.

The security targets are defined as recommended in CC. On the basis of the security targets and their substantiation, the conclusion is drawn that if all security targets are reached, the security issue defined earlier is solved; that, in turn, means that all threats are properly countered and the security assumptions hold.

F. Step 6. Short specification of the object of evaluation

In this short description the OE user can find information on how the certain object meets all security function, assurance and IT management specifications. The correspondence between the IPS model and the real respective system is described in natural language. Each DFD notation in the model corresponds to a certain IPS component, data channel or TB implementation means. Therewith, the following points are considered for each TB:
 TB implementation means;
 security function and assurance specifications in CC notation;
 IT management specifications in ISO/IEC 27001 notation.

In fact, at this stage the security issue is considered for each TB, and that is exactly what provides the high precision of the security assessment of such a complicated OE as IT.

VI. IT-SECURITY RISK ASSESSMENT

To interface the risk assessment procedure with the “hybrid” method of IT-security evaluation, one can take the IPS model, whose validity has been confirmed by the IT-security evaluation, as the base for the risk assessment and estimate the probability of threat impact. In the process, the probability of a successful impact of a definite threat on a concrete object in the IPS model is calculated as the product of the probability that a data flow (DF) occurs between the threat source and the target object and the probabilities that the DF overcomes each TB along its way. It must be mentioned that all threat impact probabilities calculated by the method given below are a priori probabilities, so the assessment of the damage expected from the threat impact is a priori as well. For that reason the risks, calculated as the product of the a priori probability and the a priori damage assessment, remain a priori themselves. However, as practice is the criterion of truth, the authors believe it useful to repeat the evaluation of posterior risks at intervals, using the posterior (actual) damage assessment that corresponds to the incidents. For calculating the posterior probability of a security incident, the authors recommend using the formula for the failure probability of a recoverable object, as applied in reliability calculation.

VII. EXAMPLE OF THE HYBRID METHOD IMPLEMENTATION

The authors have experience in comparing real IT-security assessments obtained in 2016–2017 by different methods for a unique CIF [7, 8]. To ensure identical scales, the IT-security assessment was expressed as a risk measure. The following formula was used for the calculation by the new “hybrid” methodology:

$R_{apr}[R_i] = \frac{V_i^{(k)} \cdot S_i^{(n)}}{V_{max} \cdot S_{max}} \cdot Q_i$   (1)
Where:
R_apr – assessment of the a priori risk for realm R_i in the CIF
R_i – the realm R_i under research for the CIF
V_i^(k) – a priori probability of realization of threats
S_i^(n) – a priori value of the damage
V_max – maximum a priori probability of realization of threats
S_max – maximum amount of damage if the threat is credible
Q – maximum value of the risk assessment scale
k – maximum value of the probability (taken as 1)
n – maximum value of the damage (taken as 3)

The limitations on the calculation by formula (1) for the new “hybrid” method are shown below:
0 ≤ R_apr ≤ 10
Q ≤ 10
V_i^(k) ≤ k
S_i^(n) ≤ n
V_max ≤ 1
S_max ≤ 3

To bring the result to a ten-point scale, the risk figures are multiplied by a normalization factor (risk measures range from 1 to 10; absence of risk is 0). Table 1 shows the result of the comparison of a priori risks on the basis of different methods. The results of the calculation by formula (1) of the new “hybrid” method are presented in Table IV (for the whole set of realms R_i of the real CIF objects).

TABLE IV. THE CALCULATION OF A PRIORI RISK BY THE “HYBRID” TECHNIQUE FOR THE CIF OBJECT

IT Realm | V_i^(k) (0, 1) | S_i^(n) (0, 1, 2, 3) | R_apr (0, 10)
Realm R1.* | | |
Realm R1.1 | 0.25 | 3.00 | 2.50
Realm R1.2 | 0.25 | 3.00 | 2.50
Realm R1.3 | 0.25 | 3.00 | 2.50
Realm R1.4 | 0.25 | 3.00 | 2.50
Realm R2.* | | |
Realm R2.1 – Confidential Storage | 0.25 | 2.00 | 1.67
Realm R2.2 – ERP System | 0.25 | 2.00 | 1.67
Realm R2.3 – Internet access | 0.25 | 1.00 | 0.83
Realm R3.* | | |
Realm R3.1.1 | 0.25 | 3.00 | 2.50
Realm R3.1.2 | 0.25 | 3.00 | 2.50
Realm R3.1.3 | 0.25 | 3.00 | 2.50
Realm R3.1.4 | 0.25 | 3.00 | 2.50
Realm R3.2 – control system for R3.1 | 0.25 | 3.00 | 2.50
Realm R3.3 – control system for R1.* | 0.25 | 3.00 | 2.50

Note that not all IT realms of a real CIF can be covered by a specific regulatory document, for example by Order FSTEC Russia N 31 (in contrast to the proposed method) or by NIST SP 800-53 (USA national regulation).
In particular, realm R2.3 (workstation access to Internet resources) cannot be estimated from the position of, for example, Order FSTEC Russia N 31 or NIST SP 800-53 (USA), since those relate to the IT-security of control systems. For this reason Table V reflects only the portion that applies to those IT realms which fall under the requirements of a particular FSTEC Russia order or of NIST SP 800 (USA).

TABLE V. THE CALCULATION OF A PRIORI RISK BY THE “HYBRID” TECHNIQUE FOR THE CIF OBJECT IN ACCORDANCE WITH ORDER FSTEC N 31

IT Realm | V_i^(k) (0, 1) | S_i^(n) (0, 1, 2, 3) | R_apr (0, 10)
Realm R3.* | | |
Realm R3.1.1 | 1.00 | 3.00 | 10.00
Realm R3.1.2 | 1.00 | 3.00 | 10.00
Realm R3.1.3 | 1.00 | 3.00 | 10.00
Realm R3.1.4 | 1.00 | 3.00 | 10.00
Realm R3.2 – control system for R3.1 | 1.00 | 3.00 | 10.00
Realm R3.3 – control system for R1.* | 1.00 | 3.00 | 10.00

Based on formula (1), calculations can be performed for other standards and recommendations of a particular industry (for example, based on STO Gazprom for oil and gas industry regulation). All results of the calculations for all IT realms are summarized in Table VI.

TABLE VI. THE RESULTS OF THE COMPARISON OF A PRIORI RISK ON DIFFERENT METHODOLOGICAL BASES

IT Realm | Hybrid method | Other bases: Order FSTEC 31, Order FSTEC 21, STO Gazprom 4.2.2-01, STO Gazprom 4.2.2-02, STO Gazprom 4.2.2-03
R1.* | |
R1.1 | 2.50 |
R1.2 | 2.50 |
R1.3 | 2.50 |
R1.4 | 2.50 |
R2.* | |
R2.1 | 1.67 | 3.33, 6.67, 6.67
R2.2 | 1.67 | 3.33, 6.67, 6.67
R2.3 | 0.83 |
R3.* | |
R3.1.1 | 2.50 | 10.00, 10.00, 10.00
R3.1.2 | 2.50 | 10.00, 10.00, 10.00
R3.1.3 | 2.50 | 10.00, 10.00, 10.00
R3.1.4 | 2.50 | 10.00, 10.00, 10.00
R3.2 | 2.50 | 10.00, 10.00, 10.00
R3.3 | 2.50 | 10.00, 10.00, 10.00

(The column layout of the five non-hybrid bases did not survive extraction; for each row the non-hybrid values are listed in the order in which they appear in the source, and a blank means no value was given.)

The results of the comparison of a priori risk on a scale with Q = 10 for the different methods are shown in 3D in Fig. 3. It should be noted that the “hybrid” technique gives an estimate of the a priori risk that is significantly closer to the actual values of the posterior risk than the other existing assessment methods.
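The following Python block is an added example, not code from the paper or its authors. It implements formula (1) with the limits listed under it, reproducing the R_apr values of Tables IV and V from the given V_i^(k) and S_i^(n), and, for the case where V_i^(k) is not assessed directly, derives it from an IPS-model path as Section VI describes: the probability that the data flow (DF) from the threat source occurs, multiplied by the probability that the DF overcomes each TB on its way. The realm "R9.9", its DF and TB probabilities, and the additional check that V ≤ V_max and S ≤ S_max (needed for R_apr ≤ Q to hold) are assumptions of this example; the other realm names and values come from Table IV.

```python
from dataclasses import dataclass, field
from math import prod
from typing import List, Optional, Tuple

# Scale parameters from formula (1) and the limits stated under it.
K = 1.0       # maximum value of the probability V_i^(k)
N = 3.0       # maximum value of the damage S_i^(n)
Q_MAX = 10.0  # maximum value of the risk assessment scale Q


@dataclass
class Realm:
    """One IT realm R_i with its a priori inputs to formula (1).

    V_i^(k) is either given directly (fixed_v, as in Tables IV and V) or
    derived from an IPS-model path (Section VI): P(DF occurs) times the
    product of P(DF overcomes TB_j) over the TBs on the path.
    """
    name: str
    damage: float                                    # S_i^(n)
    fixed_v: Optional[float] = None                  # V_i^(k) when assessed directly
    flow_prob: float = 1.0                           # P(DF from threat source reaches the realm)
    tb_pass_probs: List[float] = field(default_factory=list)  # P(DF overcomes TB_j), one per TB

    def v(self) -> float:
        """A priori probability of threat realization for this realm."""
        if self.fixed_v is not None:
            return self.fixed_v
        return self.flow_prob * prod(self.tb_pass_probs)  # prod([]) == 1: no TB on the path


def a_priori_risk(v: float, s: float, v_max: float = 1.0, s_max: float = 3.0,
                  q: float = Q_MAX, k: float = K, n: float = N) -> float:
    """Formula (1): R_apr[R_i] = V_i^(k) * S_i^(n) / (V_max * S_max) * Q_i.

    The paper's limits (V <= k, S <= n, V_max <= 1, S_max <= 3, Q <= 10) are
    enforced; v <= v_max and s <= s_max are an assumed extra check, since
    without them R_apr would exceed Q and violate 0 <= R_apr <= 10.
    """
    if not (0.0 < v_max <= 1.0 and 0.0 < s_max <= 3.0 and 0.0 < q <= Q_MAX):
        raise ValueError("V_max <= 1, S_max <= 3 and Q <= 10 are required")
    if not (0.0 <= v <= min(k, v_max)):
        raise ValueError(f"V must lie in [0, min(k, V_max)], got {v}")
    if not (0.0 <= s <= min(n, s_max)):
        raise ValueError(f"S must lie in [0, min(n, S_max)], got {s}")
    return v * s / (v_max * s_max) * q


def risk_register(realms: List[Realm], **scale) -> List[Tuple[str, float, float, float]]:
    """Return (name, V, S, R_apr rounded to 2 places) per realm, ranked by descending risk."""
    rows = [(r.name, r.v(), r.damage, round(a_priori_risk(r.v(), r.damage, **scale), 2))
            for r in realms]
    return sorted(rows, key=lambda row: row[3], reverse=True)


# Constructed sample input: the first three rows restate Table IV entries with V
# given directly; the last is a hypothetical realm whose V is derived from a
# path where the DF occurs with probability 0.5 and crosses two TBs, each
# overcome with probability 0.5 (so V = 0.5 * 0.5 * 0.5 = 0.125).
SAMPLE_REALMS = [
    Realm("R1.1", damage=3.0, fixed_v=0.25),
    Realm("R2.1 - Confidential Storage", damage=2.0, fixed_v=0.25),
    Realm("R2.3 - Internet access", damage=1.0, fixed_v=0.25),
    Realm("R9.9 - hypothetical realm", damage=3.0, flow_prob=0.5, tb_pass_probs=[0.5, 0.5]),
]

if __name__ == "__main__":
    for name, v, s, r in risk_register(SAMPLE_REALMS):
        print(f"{name:30s} V={v:.3f} S={s:.0f} R_apr={r:.2f}")
```

With the Table IV inputs the function returns exactly the published figures (2.50, 1.67, 0.83), and with V = 1.00, S = 3.00 it returns the 10.00 of Table V; the derived-V realm lands at 1.25, between R2.1 and R2.3 in the ranked register.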
Fig. 3. The results of the comparison of a priori risk on different methodological bases, in 3D

VIII. CONCLUSION

Nowadays IT components with security features that meet the demands of civil society are available. All these components have been evaluated for their competence and are suitable for building security capacity. A new method was suggested to create a more precise IT-security evaluation tool for a particular object: the “hybrid” method of IT-security assessment on the basis of a set of adequate assessment tools. The new “hybrid” method differs in that an appropriate level of accuracy can be applied to the evaluation of an IT object of any scale, including complex industrial facilities. The evaluation process is strictly based on the applicable field of standards and suitable recommendations corresponding to the current level of IT development in the world. The comparison of the results of IT-security risk assessment showed that the use of the “hybrid” method as a methodological basis for estimating a priori risks gives the result closest to reality (the a posteriori risk). The accuracy of risk assessment with the “hybrid” method will increase with the level of detail. A sufficiently large number of cases is probably needed to judge statistical accuracy. The IT-security assessment report for a CIF is objective evidence, generated in measured values and based on a system of public standards: NIST, ISO/IEC, NECR, etc. It allows the “hybrid” method to be used as a basis for the assessment of the safety of various CIFs within both national and foreign jurisdictions.

REFERENCES

[1] ISO/IEC 27001:2013. Information technology – Security techniques – Information security management systems – Requirements. International Organization for Standardization, 2013.
[2] ISO/IEC 15408-1:2009. Information technology – Security techniques – Evaluation criteria for IT security – Part 1: Introduction and general model. International Organization for Standardization, 2009.
[3] ISO/IEC 15408-2:2008. Information technology – Security techniques – Evaluation criteria for IT security – Part 2: Security functional components. International Organization for Standardization, 2008.
[4] ISO/IEC 15408-3:2008. Information technology – Security techniques – Evaluation criteria for IT security – Part 3: Security assurance components. International Organization for Standardization, 2008.
[5] IEC 61508-1:2010. Functional safety of electrical, electronic, programmable electronic safety-related systems – Part 1: General requirements.
[6] IEC 61511-1:2003. Functional safety – Safety instrumented systems for the process industry sector – Part 1: Framework, definitions, system, hardware and software requirements.
[7] Livshitz I. Approaches to the Application of the Integrated Management System Model for Carrying out Audits for Complex Industrial Objects – Airport Facilities. SPIIRAS Proceedings, 2014, vol. 6, pp. 72–94. (In Russ.)
[8] Livshitz I. The Methods of optimization audit program for Integrated Management Systems. SPIIRAS Proceedings, 2016, vol. 5, pp. 52–68. https://dx.doi.org/10.15622/sp.48.3. (In Russ.)
[9] Martin N. F. G., England J. W. Mathematical Theory of Entropy. Cambridge University Press, 2011. ISBN 978-0-521-17738-2.
[10] European Conference on Modelling and Simulation, May 26–29, 2015, Albena (Varna), Bulgaria. Proceedings, 2015, 843 pp.
[11] Li B. S. X., Wan B., Wang C., Zhou X., Chen X. Definitions of predictability for cyber physical systems. J. of Systems Architecture, 2016. DOI: 10.1016/j.sysarc.2016.01.007
[12] Merlino G., Arkoulis S., Distefano S., Papagianni C., Puliafito A., Papavassiliou S. Mobile crowdsensing as a service: A platform for applications on top of sensing Clouds. Future Generation Computer Systems, 2016, vol. 56, pp. 623–639. DOI: 10.1016/j.future.2015.09.017
[13] Ganti R., Ye F., Lei H. Mobile crowdsensing: current state and future challenges. IEEE Communications Magazine, 2011, no. 49(11), pp. 32–39. DOI: 10.1007/978-3-319-26401-1_25
[14] Hahn A., Ashok A., Sridhar S., Govindarasu M. Cyber-physical security testbeds: Architecture, application, and evaluation for smart grid. IEEE Transactions on Smart Grid, 2013, no. 4(2), pp. 847–855. DOI: 10.1109/TSG.2012.2226919
[15] Gonga L., Yanga W., Zhoub Z., Mana D., Caic H., Zhoud X., Yange Z. An adaptive wireless passive human detection via fine-grained physical layer information. Ad Hoc Networks, 2016, vol. 38, pp. 38–50. DOI: 10.1016/j.adhoc.2015.09.005