ANTIVIRUS SOFTWARE AND INDUSTRIAL CYBER SECURITY SYSTEM CERTIFICATION IN RUSSIA

The article is dedicated to issues in certification of antivirus software and industrial cyber security systems. It was shown that certification time in Russia is much longer than in the USA, European Union and Germany. The life time and the development time of products of this field were analyzed in the article. Each variable was specified for new products and for new versions of existing products. Some statistical methods were used in the article: Cronbach’s alfa, t-statistics, and median value similarity that are typical for the articles in quality management. As a result, it was found that certification time in Russia for industrial cyber security systems is significantly longer than in other analyzed countries, up to three-fold. Product development and life time are also longer. However, the most important result is that certification in Russia adds from 32.1 to 40 percent of time to the development of a new version or a new product, correspondingly, whereas in other investigated countries these numbers are about 17 percent. Reduction of certification time will increase new product development efficiency in the field of cyber security, which will improve positions of Russian products at the international market.


Introduction
O ne of the most important issues in the modern world is cybersecurity.Vast majority of population in developed countries are using different devices for work and in their everyday life.As a result, there are about 3 devices per person in the age of 12-65 years old in developed countries including Russia [1].Each of these devices can be probably attacked.As a result, they have been secured by relevant cyber secure systems and software.In this study, antivirus software means software products for personal computers, laptops and mobile phones, including smartphones, and industrial cyber security system means cyber security software and products for industrial objects, including SCADA, DCS and PLC.Undoubtedly, both of these software products are included into one class, whereas, according to the Russian legislation, there are substantially different procedures of registration and certification for these software products.
In the article, procedures of registration and certification of antivirus software and industrial cyber security systems in Russia will be analyzed.At present, a vast majority of the research in this field is dedicated to TQM accordance, including usability characteristics [2][3][4][5][6], specifics of this products' technical quality [7,8], laws in this field and their meaningfulness [9][10][11].Moreover, some studies in similar or close fields are dedicated to certification processes and such issues of standardization as reclamation activities [12].In this article, studies dedicated to technical innovations, procedures and other development issues of antivirus software and industrial cyber security systems will be not covered due to the fact that they are far from standardization topicality.
In modern standardization theory, branch standards and certificates are instruments of government regulation.Usually, government certification and accreditation of IT products aims to archive several goals [13]: • market regulation; • consumers defense; Antivirus software and industrial cyber security system certification in Russia • risk minimization; • social losses minimization; • providing of key industries stable functioning.Government certification is applied in key fields of public and scientific development.Cyber security is definitely one of them.Usually, certification and standardization are based on technical characteristics, applied methods, types of tasks and potential customers groups.Moreover, certification time is interdependent with the development cycle and life period of the product.In IT field it is usually dependent on several issues [13].The first of them is information product update and new version presenting.Ordinary product life cycle includes introduction, growth, maturity and decline.However, an IT product with new versions and updates has the possibility of renewal ( Antivirus software and industrial cyber security systems are similar in kind.Therefore, it is reasonable to assume that their certification and standardization should be similar too.However, certification of antivirus software and industrial cyber security systems have significant differences in Russia.
The aim of the article is to analyze the consistency of certification procedures for antivirus software and industrial cyber security systems with life time and development cycle of these products.It is assumed that current certification time in Russia is not efficient ant leads to market failures.Therefore, optimization and reduction of certification time can increase the efficiency of antivirus software and industrial cyber security systems.

Methods
The article compares development time for antivirus software and industrial cyber security systems, including the development of new versions of the products, with time for their certification.For valuable comparison, data from certification organizations of several countries are provided.The data cover time for discussible products certification.Moreover, information about product life time and development time is presented.The data are analyzed with the help M.A. Nazarenko, A.I. Gorobets, D.V. Miskov, V.V. Muravyev, A.S. Novikov of several statistical methods typical for this research field [14]: • Cronbach's alfa -for data internal reliability analysis; • t-statistics -for data stability estimation; • median value similarity.Data about certification time are based on open information of national certification agencies, including Federal Service for Technical and Export Control (Russia), National Institute of Standards and Technology (USA), Cyber and Information Security (EU), Federal Office for Information Security (Germany).

Results
First of all, it is important to underline that antivirus software and industrial cyber security system certification are regulated differently in Russia.Antivirus software has no government certification.However, the industrial cyber security system has extremely strong standards.Whereas, in other countries, especially, in the USA, the difference between these two IT products is significantly less.In foreign countries the basic of regulation in this field is licensing and patterns.In Russia the key difference is the object of the defense.In foreign countries responsibility for the choice of industrial cyber security system is on the customer [9].However, the government can restrict or even forbid the usage of some foreign products [10].In Russia, the question is presented in an opposite way.Each cyber security system for an industrial object should be firstly certificated (not to be confused with licensed) by a government organization, and only then it can be purchased at the market [9].Therefore, for providing comparable data, this study analyzes industrial cyber security system certification.
In table 1  As shown in table 1, in the USA, European Union and Germany as a separated country certification and licensing procedures take rather similar time.In contrast, in Russia there are no cases of new product version certification and just one for new product.Therefore, Antivirus software and industrial cyber security system certification in Russia no statistical calculations are available for Federal Service for Technical and Export Control.For National Institute of Standards and Technology median values are usually a little bit higher than average.It means that distribution is shifted to the right.In other words, there are cases with significantly less than average certification time, whereas vast majority of the companies are forced to face a bit longer certification time.For Cyber and information security and Federal Office for Information Security the opposite statement is true.Moreover, it is important to add that in Cyber and Information Security certification time is slightly less than in Federal Office for Information Security, whereas is National Institute of Standards and Technology certification time for new products is more for new products and less for new versions.
According to the research question, data about product life cycle and product development time should be presented (Tables 2 and 3).The presented data are based on previous studies [12,15].Thus, according to the data in tables 2 and 3, product life cycle is significantly longer in Russia than in the USA and the European countries.It is true both for new products and new versions of existing products.For new versions the difference in life time period is about 4.9 months, and for new products even more: 10.1 months.New products here are understood to be products that have no other versions.Simultaneously, there are quite similar values for the USA, European Union and Germany.Thus, it can be concluded that Russia is far from this group of the countries in product life time.
Characterizing product development time, it should be highlighted that time for new product development for Russia and other countries mentioned in the research is more or less equal.In Russia it is longer than in the USA by 4.1 months (14.7%),European Union by 2.2 (7.9%) and Germany by 2.5 (9%), whereas, for new version development the difference is significantly more.For comparison, it is 5.5 months (32.5%) longer than in the USA, 5.2 months (30.8%) longer than in European Union and 4.1 months (24.3%) longer than in Germany.For tables 1-3 all analyzed variables were stable enough according to the t-statistics and reliable enough according to the Cronbach's alfa analysis.However, reliability for foreign countries is higher than for Russia due to the fact of a bigger sample.
According to tables 1-3 data about median values can be put into one massive to compare average certification time, life time and development time for new products and new product versions.Comparison data are presented in table 4. The data presented in table 4 show that certification time in Russia is about 40% of product life and development time for new products.In contrast, in the USA it is about 24% and 17.2% correspondingly, in European Union -18.5% and 13.2%, in Germany -19.3% and 13.3%.Thus, it can be concluded that in Russia the measured variables are significantly higher than in other investigated countries.
For Russia there are no data about certification time for new product versions.However, average coefficient of difference between certification time for a new product and a new product version is 1.8.This variable can be reasonably extended for the certification process in Russia.So, certification time in Russia should be about 6.1 months.This time is 32.1% of new product version life time and 36.1% of new product version development time.For the other investigated countries the following results were calculated: for the USA 13.7% and 16.7%, respectively, for European Union 14% and 17.1%, for Germany 15.6% and 17.2%.Thus, it should be concluded that in Russia average certification time for any process of product creation in the field of industrial cyber security systems is significantly longer in absolute and relative figures than in the USA and Europe.

Discussion
In the research data on product certification time, life and development time for industrial cyber security systems were analyzed.As a result, percentage of certification time in the key process of the IT products in cyber security was found.Previous studies do not cover such kind of statistics.Instead of this they analyze procedures [4][5][6] and TQM in the field of cyber security [12,15], specifics of products' technical quality [7,8], laws in this field and their meaningfulness [9][10][11].
The key result of the study is that the certification process in absolute and relative measure in Russia is significantly longer than in other investigated countries.This leads to additional slowdown of the new products development in cyber security field.At present, processes of software development in this field are longer than in the USA by 6 months or 1.5 times, and certification procedures take almost 3 times more.Moreover, certification time in the USA is just about 17% of development time both for a new product version and a new product development, whereas in Russia it is 32.1 and 40%, correspondingly.
Antivirus software and industrial cyber security system certification in Russia

Conclusion
Both antivirus software and industrial cyber security systems are important for Russia development and security as a country.Moreover, these products can be sold (and are even being sold at present) abroad.At present certification in this field is significantly longer than in other developed countries, which leads to a slowdown in the development of new products and their versions and creates situations where companies are not interested in proper certification of each version.In other words, the certification procedure as a whole for industrial cyber security systems is inefficient.For antivirus software there is no procedure at all, i.e., it is not efficient either.As a result of the article, it can be concluded that reduction of certification time for industrial cyber security system will increase the certification procedure efficiency in product development in this field in Russia.
Moreover, it is important to add that antivirus software and industrial cyber security system are international products.Many countries purchase products that have been created abroad.Therefore, simplification, especially certification process time reduction will lead to extension of Russian cyber security information products abroad.
Fig.).Thus, certification should be significantly shorter in time than product life time.They should be more or less equal to the product introduction time.The second issue is time for new version development.Certification time should be significantly less than time required for developing a new version of the product [18].IT product life cycle.

Table 1 .
key figures about efficiency and certification time for 4 cyber security agencies are presented: Federal Service for Technical and Export Control, National Institute of Standards and Technology, Cyber and Information Security, Federal Office for Information Security.For each agency data about average and median certification time in months, Cronbach's alfa and t-statistics are presented.Efficiency and certification time

Table 2 .
Product life time (consumption)

Table 3 .
Product development time

Table 4 .
Certification time, product life and development time