INFORMATION SECURITY MANAGEMENT IN THE DIGITAL TRANSFORMATION PROCESS: MODELING BASED ON HETEROGENEOUS GRAPHS AND RISK METRICS
Abstract
This study addresses the critical problem of ensuring the information security of organizations during active digital transformation, which inevitably enlarges attack surfaces, introduces new vulnerabilities and risks destabilizing existing security systems. The authors propose a process-oriented approach based on modeling business processes (BP) and the IT landscape with heterogeneous graphs. The model represents three key types of entities: operations, information systems (IS), and data as objects of protection, together with attributed edges that reflect transmission channels and their security characteristics. This approach ensures the complete identification of CII objects in accordance with FSTEC requirements and allows the analysis of complex relationships in the transitional states of CT.

The study developed a set of key quantitative metrics for information security risk management:
1. Number of Critical Paths (CCPs): reflects the change in the attack surface when IS and data routes are added or removed.
2. Node Centrality Level (UCU): identifies the IS that are most critical for connectivity and most vulnerable (risk concentration points).
3. Data Distribution Index (DDI): characterizes the ratio of cloud to local data storage/processing nodes and the associated control and security risks.
4. Recovery Time (BB): evaluates the resilience of the PS to failures and attacks.
5. Level of Automation of Protection (UAZ): shows the proportion of automated information security tasks available for rapid response.

Based on the model and metrics, a dynamic algorithm for managing the information security of the CT process is proposed. The algorithm provides:
1. Construction of graph models of the BP "as is" and "as it should be".
2. Continuous dynamic updating of the current-state model during the CT.
3. Regular calculation of the metrics for risk assessment in transition states.
4. Updating the list of risks and protective measures based on the analysis of the metrics.

The results include practical recommendations on reducing the attack surface, prioritizing the protection of nodes with a high level of criticality, and optimizing data distribution with regard to security and fault-tolerance requirements. The proposed approach ensures the transparency and manageability of information security at all stages of the IT process, increases the resilience of the IT landscape to threats, and supports compliance with regulatory requirements.
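The following Python program is an added illustration of the model and metrics described above; it is not code from the paper, and the paper's exact formulas are not reproduced here. It builds a constructed heterogeneous graph (operation, IS and data nodes; directed channel edges with an assumed "automated protection" attribute and an assumed "local/cloud" location on IS nodes), then computes simplified stand-ins for the metrics: the critical-path count as the number of routes from an operation to a data object, node centrality as the share of those routes passing through each IS, DDI as the cloud share of IS nodes, UAZ as the share of automatically protected channels, and, in place of recovery time, the number of operation-data pairs that lose all routes when a node fails. Comparing the "as is" graph with a "to be" graph that adds a cloud IS shows how the metrics move during a transition state.

```python
# Added example (not from the paper): a toy heterogeneous BP/IT-landscape graph
# with simplified versions of the abstract's risk metrics. All data is constructed.
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, List

@dataclass
class Node:
    kind: str                # "operation", "is" (information system) or "data"
    location: str = "local"  # assumed IS attribute: "local" or "cloud"

@dataclass
class Edge:
    src: str
    dst: str
    automated: bool = False  # assumed channel attribute: protection is automated

@dataclass
class BPGraph:
    nodes: Dict[str, Node] = field(default_factory=dict)
    edges: List[Edge] = field(default_factory=list)

    def add_node(self, name: str, kind: str, location: str = "local") -> None:
        self.nodes[name] = Node(kind, location)

    def add_edge(self, src: str, dst: str, automated: bool = False) -> None:
        self.edges.append(Edge(src, dst, automated))

    def of_kind(self, kind: str) -> List[str]:
        return [n for n, v in self.nodes.items() if v.kind == kind]

    def simple_paths(self, src: str, dst: str, skip: frozenset = frozenset()) -> List[List[str]]:
        """All cycle-free paths src -> dst that avoid the nodes in `skip` (iterative DFS)."""
        found, stack = [], [[src]]
        while stack:
            path = stack.pop()
            if path[-1] == dst:
                found.append(path)
                continue
            for e in self.edges:
                if e.src == path[-1] and e.dst not in path and e.dst not in skip:
                    stack.append(path + [e.dst])
        return found

    def critical_paths(self, skip: frozenset = frozenset()) -> List[List[str]]:
        """Every route from an operation to a data object: the attack-surface proxy."""
        return [p for o, d in product(self.of_kind("operation"), self.of_kind("data"))
                for p in self.simple_paths(o, d, skip)]

def critical_path_count(g: BPGraph) -> int:  # CCPs
    return len(g.critical_paths())

def node_centrality(g: BPGraph) -> Dict[str, float]:  # UCU: share of critical paths via each IS
    paths = g.critical_paths()
    if not paths:
        return {}
    return {s: sum(s in p for p in paths) / len(paths) for s in g.of_kind("is")}

def data_distribution_index(g: BPGraph) -> float:  # DDI: cloud share of IS nodes
    systems = g.of_kind("is")
    return sum(g.nodes[s].location == "cloud" for s in systems) / len(systems)

def automation_level(g: BPGraph) -> float:  # UAZ: share of channels with automated protection
    return sum(e.automated for e in g.edges) / len(g.edges)

def failure_impact(g: BPGraph, node: str) -> int:
    """Operation-data pairs that lose every route if `node` fails; a stand-in for the
    recovery-time (BB) metric, which needs timing data this toy model does not have."""
    pairs = product(g.of_kind("operation"), g.of_kind("data"))
    return sum(1 for o, d in pairs
               if g.simple_paths(o, d) and not g.simple_paths(o, d, frozenset({node})))

def build_as_is() -> BPGraph:
    """Constructed 'as is' landscape: two operations, two local IS, two data objects."""
    g = BPGraph()
    for name, kind in [("O1", "operation"), ("O2", "operation"), ("ERP", "is"),
                       ("CRM", "is"), ("D1", "data"), ("D2", "data")]:
        g.add_node(name, kind)
    g.add_edge("O1", "ERP", automated=True)
    g.add_edge("O2", "CRM")
    g.add_edge("ERP", "D1", automated=True)
    g.add_edge("ERP", "D2", automated=True)
    g.add_edge("CRM", "D1")
    g.add_edge("CRM", "ERP")
    return g

def build_to_be() -> BPGraph:
    """Constructed 'to be' state: the transformation adds a cloud CRM and a new data route."""
    g = build_as_is()
    g.add_node("CloudCRM", "is", location="cloud")
    g.add_edge("O2", "CloudCRM", automated=True)
    g.add_edge("CloudCRM", "D1", automated=True)
    return g

def risk_report(g: BPGraph) -> Dict[str, object]:
    """Step 3 of the algorithm: recompute all metrics for one transition state."""
    return {"CCP": critical_path_count(g), "UCU": node_centrality(g),
            "DDI": data_distribution_index(g), "UAZ": automation_level(g),
            "impact": {s: failure_impact(g, s) for s in g.of_kind("is")}}
```

Running `risk_report` on both graphs shows the kind of signal the algorithm acts on: in the "as is" state ERP carries 80% of the critical paths and its failure cuts three of the four operation-data pairs, marking it as the risk concentration point to protect first; the "to be" state raises the critical-path count from 5 to 6 (a larger attack surface) and the DDI from 0 to 1/3, while the automated-protection share rises from 0.5 to 0.625 because the new cloud channels are protected automatically.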