DEVELOPING AN ADVANCED CLASSIFIER OF THREAT FOR SECURITY AGENT BEHAVIOR MODELS

The modern development of high technologies and computer technology has had a significant impact on the development of business process management systems, covering all areas of the state economic activity. However, in parallel with this, the era of high technologies has significantly expanded the range of threats aimed at the contour of business processes and, first of all, at the information resources that ensure the functioning of the business process circuit. At the same time, threats have acquired signs of hybridity and synergy. In these conditions, the urgent issue in the formation of the information security management system of the business process circuit is the timely detection and subsequent analysis of modern threats. In order to generalize the approach of classifying hybrid cyber threats into security components, namely information security (IS), cybersecurity (CS) and security of information (SI) of the business process circuit and their information resources, an advanced classifier of threats to the business process circuit and its information resources is proposed, including cost estimates of the threats' implementation and estimates of losses associated with threats. The proposed extensions to the threat classifier make it possible to give probabilistic assessments of the implementation of certain threats. Based on the analysis of approaches, estimates of indicators of the intruders' danger degree and the degree of protective measures implementation under the conditions of modern hybrid cyber threats are proposed.


Introduction
In modern conditions of mass accessibility of computer systems and telecommunications, increasing the turnover of electronic document management, and the transition to electronic commerce, the problems of cybersecurity at all levels of government are greatly exacerbated. As a result, losses from security breaches are becoming increasingly expensive for various companies, the state as a whole, and for individual citizens [1].
The analysis of international standards and standards of Ukraine [2] showed that only individual components of the methodology for assessing the security of information technologies, based on a security model ensuring integrity, confidentiality and accessibility (ICA models), were considered. At the same time, there is no synergistic approach to the analysis of cyber threats and no unified methodology for assessing the security of information technologies in various sectors of the economy, which does not allow for the timely formation of relevant policies, new approaches and measures to ensure cyber security of the business processes of organizations.
Formulation of the problem. An integral part of building the security system of the business process circuit is the formation of a management system based on the classification of all components of a security system. An integral part of the problem of ensuring cybersecurity is the task of risk analysis. In fact, risk is an integral assessment of how effectively existing defenses are able to withstand attacks on the organization's business processes. Despite the fact that many mechanisms and means of information protection have been developed, today one of the priority tasks remains the task of assessing the effectiveness of the process of ensuring the safety of the business process circuit based on relevant metrics. As analysis [3][4][5][6][7][8][9][10][11] showed, among the most common safety metrics are their taxonomies such as: Vaughn-Hennig-Siraj, NIST STS822, OCIPEP, OCTAVE, CISWG, Erkan Kahraman. Recently, most researchers are inclined to the idea that the social and behavioral characteristics of security processes play a major role [13][14]. Therefore, the existing and used threat classification schemes that underlie the processes for ensuring the security of the business process circuit must be substantially changed by adding cost indicators of the threat realization that determine the motivation for the behavior of attackers. The added indicators, together with assessments of implementation risks, will make it possible to assess which of the threats are most preferable and which resources should be directed first to protection.
The aim of the article. The aim of the article is to build an improved threat classifier based on a synergistic approach and on assessing indicators of the attackers' danger degree and the degree of protective measures implementation, taking into account both the motivational elements of attackers, expressed in the probabilistic characteristics of the implementation of threats, and cost indicators of assessing the damage caused by the implementation of the respective threats.

Research results
The main object of cyberattacks should be considered the outline of the organization's business processes. An organization's business process (BP) contour is a set of business processes and the information resources for their implementation, the implementation of which in a given sequence leads to the achievement of the organization's goals, which can be described as follows: where $S_{BP}$ - the contour of business processes as a set of BP, each of which represents: $S_{BP_i}$ - the i-th business process, defined by the relationship structure of individual business operations performed in a specific sequence; $IR_{BP_i}$ - the set of information resources of the i-th business process; $T_{BP_i}$ - the set of threats to the i-th business process.
Ensuring the protection of the organization's business processes can be represented similarly to the BP contour, but for the security system. The security system business process circuit is a set of business processes and the resources necessary for them, the implementation of which ensures the normal functioning of the organization's business process circuit. This BP loop can be represented similarly, namely: where $S_{BP}$ - the contour of business processes of the security system as a set of BP, each of which represents: $S_{BS_i}$ - the i-th business process, defined by the structure of the links of individual business operations performed in a specific sequence in the security system; $IR_{BS_i}$ - the set of information resources protected by the i-th business process of the security system; $T_{BS_i}$ - the set of threats that the i-th business process of the security system provides protection against.
The interaction of the presented circuits in the process of functioning is shown in Fig. 1.
The basis of the functioning of the BP contour of a security system is the set of threats presented in the classifier, for the description of which appropriate metrics must be defined. To construct threat metrics based on the synergistic approach proposed in [15], we will use the approach to constructing a threat classifier based on the information-analytical model of the double triples method proposed in [16][17][18][19][20]. In contrast to the known classifier, the substantive part of each of the four platforms includes a number of components.
The first platform is the classification of threats according to the security components of the business process information resources: information security (IS) (01), security of information (SI) (02), cybersecurity (CS) (03). We introduce the following definitions.
Definition 1. Security of the business process contour - the state of security of business processes and their information resources, characterized by the ability of performers, technical means and information technologies to ensure the confidentiality, integrity, authenticity and availability of resources required for the implementation of business processes in the circuit of the corresponding level.
Definition 2. Resource security of the business process contour (RSBPC) is the state of security of the KBP resource environment, which ensures its formation, use and development in the interests of business process owners.
Definition 3. Cybersecurity of the business process circuit - a set of tools, strategies, security principles, security guarantees, risk management approaches, actions, training, insurance and technologies that are used to protect the cyber environment of the business process contour, resources and users of business processes.
The second platform is the classification of threats according to the nature of their orientation: regulatory (01), organizational (02), engineering (03).
The third platform is the classification of threats in accordance with the main features of information: confidentiality (01), integrity (02), accessibility (03), authenticity (04).
The fourth platform is a classification of threats according to the hierarchy levels of the business process circuit infrastructure: PL - physical layer (01), NL - network layer (02), OSL - layer of operating systems (OS) (03), DBL - layer of database management systems (04), BL - layer of technological applications and services (05).
The use of the proposed classifier is implemented as a sequence of the following steps.
Step 1. Formation of metric coefficients for risk factors by security services experts. Let j denote the security services for the resources of business processes. The main security services are C - confidentiality, I - integrity, A - availability, Au - authenticity. Then the classifier for the four security services is described by an expression of the form j = {C, I, A, Au}.
Let us evaluate the weighting coefficients of the manifestation of each of the N threats presented in the classifier. K experts participate in determining the weighting factors for the manifestation of each threat to resource security services. In addition, to determine the potential damage, each threat is classified according to the criterion of criticality of causing damage to the business processes of the organization as a whole.
According to the ISO/IEC 15408 standard, experts choose a qualitative level of damage: critical, high, medium, low. Using the risk assessment techniques CRAMM or FAIR, the qualitative level can be evaluated in quantitative terms. The average expert rating of all threats for a particular security service can be recorded as: where $w_{ik}^{j}$ - value of the metric coefficient set by the k-th expert for the i-th threat of the j-th security service; N - number of threats; K - number of experts.
Step 2. The formation of threat identifiers by the components of the classifier. At this stage, the experts form the digital value (code) of the threat identifier according to the corresponding components of the classifier.
Step 3. The choice of weight coefficients $a_i$ that determine the conditions for the manifestation of the i-th threat (Table 1) [21][22].
Step 4. Determining the implementation of each ith threat, taking into account the probability of an attack (its occurrence) is carried out according to:     -security service weights: confidentiality, integrity, accessibility, authenticity of attack manifestation and i-th threat.
Step 5. Determining the implementation of the occurrence of several threats for the selected service is calculated as follows: where M -the number of several threats that are selected by the information security expert from the set   M i i , which is a subset of the entire set of classifier threats, i.e. M N  . When determining the implementation of the occurrence of several threats for the selected service, the indicator with the highest value among all is selected.
When forming metric coefficients, it is believed that the results obtained are related to independent threats, in case of their dependence, it is necessary to use the expression for determining the total probability of dependent events: Statistical processing of the results of the assessment of the possibility of the influence of the i-th threat on the security service by experts is carried out according to the method described in [23]. The final assessment of the i-th threat is averaged over the number of experts in accordance with the expression: where x k -assessment of the impact of the i-th threat given by the k-th expert; k k -competency level of the k-th expert; K -number of experts. A measure of the consistency of expert opinions is considered to be the variance calculated in accordance with the expression: The statistical significance of the results with probability 1 i   , makes up: where the value x i distributed according to normal law centered at x i and dispersion 2 x  . Then ∆ defined as the value of an expression: where t -value obeying student distribution for K-1 degrees of freedom; K -number of experts.
Step 6. The definition of the total threat by security components, taking into account expression (3), is calculated: When determining the implementation of the occurrence of several threats for the selected service, the indicator $\alpha_i$ with the highest value among all is selected.
Step 7. Determination of the generalized synergetic threat to the business process circuit:
It is proposed to introduce a new platform into the threat classifier - the platform of attack cost indicators. This will make it possible to evaluate threats from the point of view of the economic efficiency of their use and of counteraction to them.
Improving the classifier of threats through the introduction of cost indicators of threats makes it possible to implement an algorithm for constructing a rating of potential threats and of the importance of information resources to be protected, which is presented in Fig. 2.
The proposed algorithm implements the following actions. For both sides of the attack, the importance (rating) of the attacks that are economically feasible is determined.
1st step. Those attacks are determined whose effect of the implementation exceeds the costs of their implementation.  3rd step. The importance factors for attackers are defined as the share of the winnings of the total winnings, which can be obtained potentially when implementing the whole complex of threats for attackers:
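The four classifier platforms and the cost-based rating steps described above, as an added Python example that is not taken from the article. The dotted four-code identifier format, the reading of "winnings" as effect minus cost, and the sample threats with their values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# The four classifier platforms and their codes, as listed in the text.
PLATFORMS = (
    ("component", {"01": "IS", "02": "SI", "03": "CS"}),
    ("nature", {"01": "regulatory", "02": "organizational", "03": "engineering"}),
    ("feature", {"01": "confidentiality", "02": "integrity",
                 "03": "accessibility", "04": "authenticity"}),
    ("layer", {"01": "PL", "02": "NL", "03": "OSL", "04": "DBL", "05": "BL"}),
)

@dataclass(frozen=True)
class Threat:
    name: str
    ident: str     # assumed format: four two-digit platform codes joined by dots
    cost: float    # cost of implementing the threat
    effect: float  # effect obtained if the threat is implemented

def decode(ident):
    """Validate an identifier against the platforms and return its labels."""
    codes = ident.split(".")
    if len(codes) != len(PLATFORMS):
        raise ValueError(f"expected {len(PLATFORMS)} codes, got {ident!r}")
    labels = {}
    for (platform, table), code in zip(PLATFORMS, codes):
        if code not in table:
            raise ValueError(f"unknown {platform} code {code!r} in {ident!r}")
        labels[platform] = table[code]
    return labels

def rate(threats):
    """Keep threats whose effect exceeds cost, then rank by share of total gain."""
    feasible = [t for t in threats if t.effect > t.cost]
    # Assumption: "winnings" are modelled as effect minus cost.
    total = sum(t.effect - t.cost for t in feasible)
    ranked = [(t, (t.effect - t.cost) / total) for t in feasible]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)

# Constructed sample data; names, costs and effects are illustrative only.
SAMPLE = [
    Threat("database record tampering", "03.03.02.04", cost=20.0, effect=80.0),
    Threat("service outage at network layer", "03.03.03.02", cost=50.0, effect=70.0),
    Threat("policy gap on document handling", "01.01.01.05", cost=30.0, effect=10.0),
]

if __name__ == "__main__":
    for threat, share in rate(SAMPLE):
        print(f"{share:.2f}  {threat.ident}  {decode(threat.ident)}  {threat.name}")
```

The third sample threat drops out because its cost exceeds its effect, so protection resources are ranked only across the two economically feasible ones.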

Conclusions
The proposed model makes it possible to determine the most likely threats aimed at violating the security of information resources and, as a result, to economically justify the distribution of limited funds between various information resources requiring protection. In the absence of statistics, cost estimates of threats can be obtained by expert methods, as described above.
The model for determining the most probable threat makes it possible to organize the effective distribution of limited funds to protect the resources of the business process circuit based on the use of the results of modeling the behavior of cooperative antagonistic agents to determine and calculate the probability of a threat. It should be noted that the proposed additions to the classification of threats are a reflection of the behavior of all parties to the conflict under the conditions of synergy and hybridity of threats and can explain the motivation of behavior of all parties to the conflict.