Security Assessment Methodology Based on the Semantic Model of Metrics and Data

The purpose of the article: development of semantic model of metrics and data and technique for security assessment based on of this model to get objective scores of information system security. Research method: theoretical and system analysis of open security data sources and security metrics, semantic analysis and classification of security data, development of the security assessment technique based on the semantic model and methods of logical inference, functional testing of the developed technique. The result obtained: an approach based on the semantic model of metrics and data is proposed. The model is an ontology generated considering relations among the data sources, information system objects and data about them, primary metrics of information system objects and integral metrics and goals of assessment. The technique for metrics calculation and assessment of unspecified information systems security level in real-time using the proposed model is developed. The case study demonstrating applicability of the developed technique and ontology to answer security assessment questions is provided. The area of use of the proposed approach are security assessment components of information security monitoring and management systems aimed at increasing their efficiency.