TY - JOUR
KW - expected loss levels
KW - expert assessment
KW - information system security
KW - multi-criteria approach
AU - Olha Izmailova
AU - Hanna Krasovska
AU - Kateryna Krasovska
AU - Volodymyr Zaslavskyi
AB - The article addresses the problem of estimating the expected losses of a bank when information security threats to functioning computer systems materialize. A scenario approach to solving the problem is developed based on multi-criteria decision-making methods, taking into account quantitative and qualitative indicators and expert assessment, and applying the analytic hierarchy process for comprehensive assessment of expected losses in probabilistic terms. This makes it possible to take into account different levels of the hierarchy of criteria and the weight of their impact on the calculated results. The process of estimating the probability of materialization of various threats under accepted standards and situational conditions, the actions of the attacker and the consequences for the bank's functioning is formalized. Expert assessments are grouped with control over the sufficiency of the degree of logic and dispersion of opinions of each expert, compliance with the established requirements for the degree of consistency of opinions of the group of experts, assessment and formalized consideration of the degree of their competence. The process of assessing expected losses is presented as a daily business process of the functioning of the bank's security system.
BT - Information & Security: An International Journal
DA - 12/2020
DO - https://doi.org/10.11610/isij.4506
LA - eng
PY - 2020
SE - 89
SP - 89
EP - 118
T2 - Information & Security: An International Journal
TI - Assessing the Variety of Expected Losses upon the Materialisation of Threats to Banking Information Systems
VL - 45
ER -