Influence of information integrity control of the unified model of the automated information system of commercial enterprises on conditional profit

The article examines the unified model of the automated information system (AIS) of commercial enterprises (UMAIS CE) as a protected AIS that supports the commercial activity of enterprises with a common structure and configuration of equipment. Information integrity control (IIC) is an integral part of this model, and its functioning affects the contingent profit of the commercial enterprise considered within the framework of UMAIS CE. In this context, a mathematical model of IIC UMAIS CE is presented, together with a number of computing experiments that make it possible to determine a strategy for the effective use of IIC UMAIS CE and to specify ways to increase the contingent profit of the commercial enterprise.


Scope of the problem
A commercial enterprise (CE) is a legal entity that pursues profit as the main objective of its activity and shares it between its members: founders and employees. In most cases its main kind of activity is the sale of products and/or services.
To organize its activity most efficiently, a CE actively applies an automated information system (AIS). An AIS is a system consisting of personnel and a complex of means for automating their activity, required for executing its functions using information technologies.
Security of the information processed in AIS CE is required because it may include commercially classified information and/or personal data. Analysis of the system and application software employed in AIS CE showed that, as a rule, this software contains many vulnerabilities. In this situation "zero day" vulnerabilities may be present, for which no information exists in the corresponding databases, for example in the CVE database. It is also characterized by the absence of non-declared facilities [1], which results in a high probability that a number of information security threats will be realized, directed both at the theft of information containing commercially classified data and at disrupting the operation of software and hardware components.
The main shortcomings of the typical utility intended for integrity control of the considered AIS, revealed during operation of the system, are its inability to counteract an attack (in fact, it only registers the presence of such an attack), the absence of means of recovery after unauthorized modification of the information, and the absence of a convenient interface for interaction between the AIS administrator and the utility. Given the quantitative and qualitative growth of threats to the information security of AIS CE, it was proposed to develop the latter on the basis of the reference model of the protected automated system (RMPAS), which regulates a security model (SM) providing flexible, convenient and secure differentiation of access to the data. RMPAS is presented in [2].
In RMPAS, the control for integrity of the information (CII) is distinguished by the initiation of a control check at each level of RMPAS for each discretion level, which reduces the efficiency of client service and thus the contingent profit of CE. Therefore, adapting CII RMPAS requires its optimization, directed at increasing the contingent profit of CE under a sufficient level of control.
In fact, adapting RMPAS to the specific features of AIS CE also requires developing the corresponding model of CII. To do this, let us consider the unified model of the automated information system of commercial enterprises (UMAIS CE) as a model of a protected AIS CE with a generalized structure and configuration of equipment, which makes the obtained results versatile.
UMAIS CE is characterized by the presence of the control for information integrity (CII), which is an element of the subsystem that provides integrity of the operational environment (software tools and processed data). CII is a tool for testing the operational environment and is intended for periodic comparison of its current state with the reference one.
The aim of our work is to present the results of computing experiments based on the mathematical model of CII UMAIS CE, which allow determining a strategy for the efficient use of CII UMAIS CE and certain ways to increase the contingent profit of a commercial enterprise.
To develop the mathematical model of CII UMAIS CE, let us use criteria for the quality of its functioning that allow optimization directed at maximum profit for CE under sufficient control. They were specially developed for adapting CII RMPAS to the specific features of CE, the main one being the necessity for CE to obtain contingent profit. The aim of controlling the CII service is the same for different AIS: support of a reasonable trade-off between meeting the information security requirements placed on the AIS and the requirements of its mission.
According to [2], the following characteristics are applied for CII RMPAS, each with its own criteria.
Efficiency of CII means its ability to provide control for the integrity of the information to be checked. The criterion of this characteristic is the functionality of CII ($D_f$), which corresponds to the completeness of its set of functions from the viewpoint of using it as a software facility.
Aggressivity of CII is its ability to support the needed level of efficiency of UMAIS CE relative to its mission. The criteria of this characteristic are the resource aggressivity of CII ($D_{\text{ра}}$), meaning an additional consumption of hardware resources, and the functional aggressivity of CII ($D_{f\text{а}}$): compatibility of CII with the information technology in the UMAIS CE system.
Ease of use of CII ($D_{\text{у}}$): the efforts of the personnel required to support its functioning.
Two new criteria distinguished by their scientific novelty are presented below. They are described in detail in [3].
Contingent profit ($D_{\text{п}}$) is a criterion showing the average profit from a received customer order. It makes it possible to control the effect of the additional time consumed by CII on the contingent profit. It belongs to the aggressivity characteristic of CII.
Sufficiency of the control for integrity ($D_{dkc}$) is a criterion that corresponds to the ability of CII UMAIS CE to execute the specified CII functions. It belongs to the efficiency characteristic of CII.
The first four criteria are named statistical ones. They take Boolean values: «1» is an acceptable quality of control, while «0» is an unacceptable one. The two new criteria are called dynamic ones. Their results always take positive values. A greater value of any of them is usually interpreted as a better quality of CII by the given criterion. Therefore, the problem of optimization for CII UMAIS CE can be written as follows:
A probabilistic model intended for the analysis of the dynamic criteria of CII UMAIS CE is then considered; it will be an absorbing CEE. It is associated with the transitions between UMAIS CE levels, where the resources are shared under hierarchical restructuring [4] that is regulated by RMPAS. The initial state of the CEE corresponds to the start of CII after authorization of a discretionary access: dwelling at the identification level. The final state implies getting access to the data: dwelling at the informational level. For details see [5].
Let us introduce a criterion of dynamic efficiency of CII that can be used to express the dynamic criteria:
The following definitions are used below.
$П_s$ is the expectation value of the profit from a regular incoming order in case it is actually placed, calculated on the basis of sales data for previous periods of time.
$t_{dd}$ is the random value of the total time of CII processing during the common discretionary access for a certain order.
$t_{\text{п}}^{\max}$ is the maximum permissible time for CII processing during the common discretionary access for a certain order. It is a random value with an exponential distribution with mean value $t_{m\text{п}}$, and it means the maximum time a client will wait, after which the order is removed.
2) Next, we specify an inhomogeneous distribution of the information amount when 1 0.86
3) Then, we specify the distribution of the information amount in accordance with its assumed distribution over RMPAS levels.
The , that is quite foreseeable: when the amount of information subject to the immutability check increases, the ability to access this information is reduced.
The results of the experiment that have practical significance are formulated as conclusions:
1) If $K_{\max}$ is increased, the criterion of dynamic efficiency diminishes (the sufficiency criterion for integrity control $D_{dkc}$ increases and the contingent profit criterion $D_{\text{п}}$ decreases), since as the amount of information checked for immutability increases, the probability that a breach of its integrity stays concealed is reduced, while the time required for this check increases.
Experiment 3: we now define the ways of increasing the value of the criterion «Contingent profit» for CII UMAIS CE, and then show how the value of this criterion, and hence the actual profit of CE, can be increased considerably at the cost of an insignificant loss of immunity.
The value of criterion $D_{dkc}$ is regulated by the parameter $K_{\max}$. Using the above-mentioned program for simulating the control for CII UMAIS CE, let us consider the contingent profit of CE for one working day without the optimization procedure, i.e. for $K_{\max} = 1$, and with it, i.e. for $K_{\max}$ between 0 and 1. Let us apply the following formulas:
where $П_{\text{з}}$ is the expectation value of profit from a regular incoming order (this order can be placed or removed); $П_s$ is the expectation value of profit from a regular incoming order in case it is actually placed, calculated on the basis of sales data for previous periods of time; $П_d$ is the expectation value of the profit per one working day of CE; $N_{\text{з}}$ is the expectation value of the number of incoming orders per one working day of the commercial enterprise, calculated on the basis of sales data for previous periods of time.
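The trade-off examined in Experiment 3 can be reproduced with a small simulation. This is an added example, not the authors' simulation program and not a reconstruction of the formulas missing from this text: it compares a random fraction `k_max` of the data against SHA-256 reference digests and removes an order when the check outlasts the client's exponentially distributed waiting limit. Assumptions: check time grows linearly with the amount checked, items are sampled uniformly, and all function names, data and numeric values are constructed.

```python
import hashlib
import random

def make_reference(items):
    """Reference state: one SHA-256 digest per item."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in items.items()}

def partial_check(items, reference, k_max, rng):
    """Compare a random fraction k_max of the items with the reference state."""
    n = max(1, round(k_max * len(items)))
    sample = rng.sample(sorted(items), n)
    return [s for s in sample if hashlib.sha256(items[s]).hexdigest() != reference[s]]

def simulate_day(k_max, n_orders, profit_s, full_check_time, mean_wait, seed=1):
    """Return (profit for the day, share of planted modifications detected)."""
    rng = random.Random(seed)
    items = {f"record{i}": f"data {i}".encode() for i in range(100)}  # constructed
    reference = make_reference(items)
    check_time = k_max * full_check_time  # assumption: time linear in amount checked
    profit, detected = 0.0, 0
    for _ in range(n_orders):
        state = dict(items)
        state[rng.choice(sorted(state))] = b"modified"  # one planted change per trial
        if partial_check(state, reference, k_max, rng):
            detected += 1
        wait_limit = rng.expovariate(1.0 / mean_wait)  # client's maximum waiting time
        if check_time <= wait_limit:  # otherwise the order is removed
            profit += profit_s
    return profit, detected / n_orders

if __name__ == "__main__":
    for k in (1.0, 0.6, 0.2):  # constructed values: 4000 orders, 10 units each
        p, d = simulate_day(k, 4000, 10.0, 30.0, 60.0)
        print(f"k_max={k:.1f} profit={p:.0f} detection={d:.2f}")
```

Under these assumptions, lowering `k_max` raises the daily profit and lowers the share of modifications that a single check detects, which is the direction stated in conclusion 1.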