RECOVERY OF THE INFORMATION SECURITY INCIDENT RESPONSE TEAM IN THE CONTEXT OF INCREASING CYBER ATTACKS

Authors

  • І. DOHTIEVA Vinnytsia National Technical University
  • А. SHYIAN Vinnytsia National Technical University

DOI:

https://doi.org/10.31891/2219-9365-2021-68-2-3

Keywords:

cyber attack, information security incident response team, queuing system, Markov process, distribution function, recovery function

Abstract

The purpose of the article is to develop a model that describes the functioning of an information security incident response team (ISIRT) under increasing intensity of cyber attacks, and the recovery of the team's work in the process. A queuing system model is used to describe the work of the ISIRT as a Markov process, in which cyber attacks are represented by a stream of requests arriving at random times and the response team is treated as the channel that services them. The process of restoring the effective work of the ISIRT is also random, as it depends on many random characteristics (for example, the specifics of communication in the group, access to relevant information, etc.).

The article obtains quantitative results for the dynamics of the number of served requests (cyber attacks that were countered) and lost requests (cyber attacks that could not be countered). It is shown that these quantities depend nonlinearly on the characteristics of the model: the intensity of cyber attacks, their increase, and the characteristics of the restoration of effective ISIRT work.

The proposed model makes it possible to carry out two-factor optimization of ISIRT operation in real time. Optimization can be carried out on the effectiveness of the ISIRT with respect to the maximum effectiveness for serviced or lost responses to cyber attacks or their elements. This allows a quick response to changes in the specifics of cyber attacks (or a set of cyber attacks) and to management requirements for increased attention to serviced or lost cyber attacks or their elements. The developed model can be used to optimize the management of the ISIRT depending on the characteristics of cyber attacks and of the recovery of the response team.

Published

2021-12-15

How to Cite

DOHTIEVA, I., & SHYIAN А. (2021). RECOVERY OF THE INFORMATION SECURITY INCIDENT RESPONSE TEAM IN THE CONTEXT OF INCREASING CYBER ATTACKS. MEASURING AND COMPUTING DEVICES IN TECHNOLOGICAL PROCESSES, (2), 21–29. https://doi.org/10.31891/2219-9365-2021-68-2-3