Information Security Risk Assessment in Critical Infrastructure: A Hybrid MCDM Approach

Abstract. Risk analysis has always been one of the essential procedures in any area. The majority of security incidents occur because risks are ignored or assessed inaccurately. This is especially dangerous for critical infrastructures. The article is therefore devoted to describing a risk assessment model developed for essential infrastructures. The goal of the model is to provide a reliable method for the multifaceted risk assessment of information infrastructure. The purpose of the article is to present a developed model based on integrated MCDM approaches that allows the risks of critical information infrastructures to be assessed correctly.


Introduction and Problem Statement
Nowadays, we often come up against a situation where companies use information infrastructures without due regard for their information security, reliability, fault tolerance, etc. The companies save time and do not spend financial resources on risk analysis tools and experts. As a result, the number of information security incidents increases. Such dynamics are not acceptable for critical infrastructures, because the consequences of their incidents can spread globally.
The rapid development of the IT sector leads to the accelerated application and introduction of digital innovations, including blockchain technologies, open data, robotization and artificial intelligence, biometric authentication, crowdfunding, big data, etc. Digital technology development raises the need to increase the level of information security and reliability of the implemented technologies (Boranbayev et al., 2018b). It is well known that modern society is becoming increasingly dependent on information technology and its continuous, trouble-free operation, and hence on its reliability and security (Boranbayev et al., 2018a). At the same time, the number of known/reported cybersecurity crimes keeps growing (Olifer et al., 2017).
Research aimed at risk assessment is becoming more widespread (Grabauskyte et al., 2018; Ijadi Maghsoodi et al., 2018). Risk assessment is an important aspect of decision making in industry, government, financial, environmental, and other sectors (Tamilselvi, 2018). It is widely used in considering various aspects of the operations and safety of large complex systems that can adversely affect the health and safety of society (Bell, 1989). Risk assessment has thus been identified as an essential element of effective decision-making, management, and development of information infrastructures, but it has often been omitted (Boehm, 1991). Some information and automated systems are responsible for the vital services of modern society. For example, systems such as water management, heating, and public transport depend on the proper functioning of the information and automated systems that support their operations. These support infrastructures, usually called critical ones, are crucial elements for the functioning of the economy and society.
Information security, reliability and fault tolerance of critical infrastructures are among the primary and priority tasks of any country (Miao et al., 2010). Countries around the world are experiencing failures and incidents with different causes in the essential infrastructure sector (Yusta et al., 2011). For systems, risk analysis is an investment that will ensure the future high quality and reliability of those systems (Cagliano et al., 2015). Reducing operational risks and errors is the key to improving the security and accessibility of cloud services (Hu et al., 2017). To manage risks in critical information infrastructures (CII), decision support systems should integrate multi-alternative design and multi-criteria decision-making approaches (Kaklauskas et al., 2018).
According to ISO 27005, the determination of the risk level is based on indicators of its impact on the infrastructure and the probability of risk realization. These indicators can be calculated by standard methods for small and medium-sized organizations. However, companies that provide critical services must accurately identify the dangerous risks and mitigate them promptly. Otherwise, the realization of undetected or incorrectly assessed risks can lead to catastrophic situations, significant financial and human losses, etc. The purpose of the article is to present a developed model based on an integrated multi-criteria decision-making (MCDM) approach that allows the risks of information infrastructures to be evaluated correctly.

Risks
According to ISO 27005, the risk of information security is the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the company.

Risk Management Description
Risk management is a significant, costly, not time-consuming, and straightforward process (Haimes, 1991). It often requires the involvement of experts, resources, etc. (Vrhovec et al., 2015). The advantages that it gives significantly outweigh the outlay and expended funds (Han, 2015).
Risk management involves taking measures aimed at reducing the frequency of threat implementation and reducing the damage caused by threats (Boranbayev et al., 2018c). Depending on the risk indicators obtained, the owner of the information system must choose a risk management strategy. There are four main risk management strategies: 1) Risk acceptance; 2) Risk mitigation; 3) Risk avoidance; 4) Risk transfer to third parties.
The components of the risk management process for information systems are shown in Fig. 1.
The necessity and effectiveness of using the risk management process in the design and operation of software are confirmed by many studies (Sangaiah et al., 2018).
As can be seen from Fig. 1, the input data are first established. Then the identification and assessment of risks are carried out. Based on them, a risk report is formed. It is also necessary to determine whether handling is required for the identified risks. If there are risks at the output that need to be reduced to an acceptable level, then the risk handling (mitigation) phase follows (Caplinskas et al., 2012). It is possible that risk handling will not immediately yield an acceptable level of residual risk.
The primary purpose of the article is to present the developed model, which allows risks to be evaluated in order to determine which should be neutralized first.
As part of the research to develop a risk assessment model for CII, a study was conducted on the factors affecting their safe and reliable operation.
The topic of risk analysis in various sectors is one of the most important topics that many researchers are paying attention to these days (Navickiene et al., 2018). The goal of the model is to prevent or reduce the threat of negative financial and non-financial consequences associated with the use of information infrastructures, as well as external factors affecting information infrastructures. The model is aimed at minimizing risks in the organization's activities related to the violation of the integrity, confidentiality, and availability of information infrastructures arising from the deliberate destructive impact of employees or third parties. The model also takes into account the criticality of the examined information infrastructures, possible direct and indirect losses, as well as the probability of risk realization.
One of the essential steps to ensure the reliability and security of information infrastructures is to take measures to reduce the level of failures by identifying the most dangerous and harmful elements that pose a risk to the system and eliminating them (Lo and Liou, 2018).

Literature Review of Methods for Risk Assessment
Most organizations that specialize in solving information security problems offer various methods for assessing information risks. Known techniques can be divided into single-stage and multi-stage ones according to the type of decision-making procedure used in them. In a one-step methodology ("Risk Matrix"), risk assessment is performed using a single decisive procedure. In a multi-stage methodology (NIST, CRAMM), risk assessment is performed with a preliminary assessment of key parameters. The mechanism of risk assessment based on fuzzy logic is an expert system in which certain rules form the knowledge base: for example, "table" logic or logic reflecting the relationships formed by "if ..., then ..." rules. OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), the method for assessing critical threats, assets and vulnerabilities, is a methodology based on strategic risk assessment (Bamakan and Dehghanimohammadabadi, 2015).
The analysis of the companies' choice of risk assessment tools and methods showed that FMEA (Failure Modes and Effects Analysis) (Baynal et al., 2018), FTA (Fault Tree Analysis) (Giraud and Galy, 2018), Bow-Tie Analysis (Muniz et al., 2018), HAZOP (Hazards and Operability Studies) (Taylor, 2017) and LOPA (Layer of Protection Analysis) (Yan and Xu, 2018) are the most common tools used in the most significant industrial organizations. These tools assess potential risks and try to keep them within acceptable limits (Yasseri and Mahani, 2013).
The problem of evaluation against several criteria is known as MCDM (Zolfani et al., 2013; Zavadskas et al., 2009; Medineckiene et al., 2015). Scientists have used MCDM approaches in risk management before. Processes using MCDM approaches for managing the risks of a nuclear and radiation emergency were presented by Papamichail and French (2012). An overview of risk assessment using MCDM approaches was presented in Linkov et al. (2006) and Ananda and Herath (2009). Risk assessment approaches for solid waste management were reviewed in Allesch and Brunner (2014). Criteria such as safety and risk in the context of maintenance and reliability can be widely found among the criteria evaluated in MCDM approaches (de Almeida et al., 2015). Besides, MCDM methods have been applied in different areas of activity (Zavadskas et al., 2013; Sivilevicius et al., 2008; Saparauskas et al., 2011; Turskis et al., 2015). Effective use of the MCDM method is presented in Zavadskas et al. (2012, 2015a, 2015b).
In our case, following Saaty and Ergu (2015), the MCDM method was chosen, and a hybrid MCDM approach was applied. Hybrid MCDM methods were proposed earlier in Zavadskas et al. (2016a, 2016b).

Methods
In this article, the model for implementing the risk analysis methodology (Fig. 2) is considered in more detail. The main steps of information security risk analysis are given below.
At the beginning of the process, the experts identified the main CII that require risk assessment. They also determined the threats affecting risk implementation, and the characteristics of the threats, which allow the degree of adverse impact of the threat realization on the CII to be identified (Fig. 3). To assess risks, an expert needs to identify the types of threats. The list of threats is based on existing threats that create conditions for the entire information system to malfunction with respect to the information security attributes (C - confidentiality, I - integrity, A - accessibility).
In the proposed model, the Integrated Delphic-Eckenrode's Likert-Type Scale-Based Fuzzy Rating and AHP methods were applied. The AHP method is one of the most popular MCDM methods (Saaty and Erdener, 1979).

Brief Review of Methodology of an Integrated Delphic-Eckenrode's Likert-Type Scale-Based Fuzzy Rating (Turskis et al., 2019)
Group decision-making processes are necessary to design and evaluate a set of different alternatives. One of the most important tasks is to reject those alternatives that do not meet the lower bounds of the important criteria values. For a long time, a rigorous agreement was seen as the final group opinion. In most cases, a group of experts who make real-life decisions has no strict and steady opinion about the same criteria and alternatives. An agreement of the group is reached when the most dominant players agree with the criteria ratings and the performances of the considered alternatives. Modelling and solving real-life problems leads the group of decision-makers to situations where the models are based on vague logic. Besides, most often the models are based on criteria rated in words. Such ratings cannot be replaced by strict (crisp) numerical values. Fuzzy set theory allows decision takers to apply partially obtained information within the problem-solving framework (Turskis et al., 2012). A fuzzy set is characterized by a membership (characteristic) function which assigns to each object a grade of membership ranging between zero and one (Zadeh, 1965). Different types of membership functions are available. In this research, the most commonly used triangular membership function is used (Dubois and Prade, 1978).
A triangular fuzzy number will be denoted as (α, β, γ), where α is the lower value of the fuzzy number, β its modal value, and γ its upper value.
It is required to identify the importance of the activities of the different process managers before starting to assess the critical challenges of workplace safety management, the efficiency level of safety solutions and quality improvement. To achieve this, experts can use criteria weighting methods. There are many different subjective approaches for assessing weights: SWARA (Kersuliene et al., 2010; Keshavarz-Ghorabaee et al., 2018), FARE (FActor RElationship) (Ginevicius, 2011), and others.
The nominal group technique Delphi (Linstone and Turoff, 2002) is a useful tool for solving complicated problems which need expert data. It is a group decision-making process and includes idea generation, problem description, data assessment, and generation of feasible alternatives.
Likert scales are known as a tool for the measurement and assessment of attitudes. The reason for this is that the Likert scale is a straightforward tool to use and can be analysed effectively as an interval or fuzzy scale (Allen et al., 2017). Eckenrode (1965) presented seminal work on criteria weight elicitation. Rating is sufficient for personal assessment, and it is especially useful for group decision making. It works well because it forces the expert to get clarity on his criteria and create a shared set of criteria. In this study, Eckenrode's rating method is selected and modified by applying the basics of fuzzy set theory.
Risk assessment for each information infrastructure and analysis of the adequacy of risk management measures are carried out by experts.

Problem Solution: Fuzzy Group Multi-Criteria Method in Assessing the Impact of Threat Implementation on the CII and Threat Probability
To ensure the sustainable functioning of CII, stakeholders should implement risk management processes. An integrated method of determining criteria significance is developed to achieve the goals mentioned earlier. The problem can be solved based on a survey of experts' data. A team of five experts was formed, who hold a university degree in IT and information security and actively work with risk management. The standard seven-stage Delphi procedure is applied in the case research. Firstly, a facilitator describes to the participants the purpose and the procedure of the issue. Secondly, members of the group silently set out their opinion about the solution (criteria), with a short explanation in writing, without consulting or discussing their ideas with other participants. This ensures that all participants get an opportunity to make an equal contribution. Thirdly, a facilitator encourages the sharing and discussion of the reasons for the choices (criteria) made by each group member to identify common ground. Fourthly, participants verbally explain in detail all presented ideas which are not clear to all participants of the group, or give further details about any of the ideas that colleagues have produced and which may not be apparent to them. Fifthly, a facilitator eliminates duplicate solutions (criteria) from the list of all solutions, and the members proceed to rank the solutions from the most important to the least important. Sixthly, a facilitator conducts a prioritizing procedure for the recorded ideas concerning the original problem. Following the voting and ranking process, a facilitator puts questions to participants whose ranks differ from the average criteria ranking. Seventhly, a final ranking and rating of the criteria is done (Turskis et al., 2019).

Selection of Criteria and Sub-Criteria
When solving problems by the MCDM method, first of all, a set of possible alternatives is formed, consisting of the CII. The next step is the selection of criteria and sub-criteria.
Criteria for risk assessment can be different. They depend on the infrastructure for which the risk is determined. In this case, the threats were taken as criteria. The experts determine the choice of threats aimed at the information infrastructure according to the Delphi method. The experts form a group based on Sherwood et al. (2005). Then the experts ranked and rated the impact of threats and the probability of threats in the prevention of accidents at work. Based on the results, the following five threats that are most associated with cybersecurity were identified as criteria:
1) Health and safety threat (T1) - the threat to the personal health and safety of staff, customers and members of the population.
2) Technology threat (T2) - the threat of failure to plan, manage and monitor the performance of technology-related projects, products, services, processes, staff and delivery channels.
3) Information security threat (T3) - the threat of unauthorized disclosure or modification of information, or loss of availability of information, or inappropriate use of information.
4) Legal and regulatory compliance threat (T4) - the threat of failure to comply with the laws of the states in which business operations are carried out, or failure to comply with any regulatory, reporting, and taxation standards, or failure to comply with contracts, or failure of contracts to protect business interests.
5) Climate and weather threat (T5) - the threat of loss or damage caused by unusual climate conditions, including drought, heat, flood, cold, storm, and winds.
Each of the threats has its own characteristics. According to Kosseff (2018), it is necessary to promote "identification, confidentiality, and integrality of public and private information, systems, and networks". Mena et al. (2018) focused on the inherent vulnerabilities of IoT and their implications for the fundamental information security challenges of confidentiality, integrity, and availability.
In this paper, the characteristics of the threats were taken as sub-criteria. It was proposed to choose sub-criteria which cover almost every aspect of security, i.e. protection of data from beginning to end. This work focuses on six major aspects of security: confidentiality, availability, integrity, direct losses, indirect losses, and criticality.
Thus, the following sub-criteria were chosen to solve the MCDM problem:
1) Loss of availability. Availability is the property of being accessible and usable upon demand by an authorized entity. Loss of availability can result in performance degradation, short-term/long-term interruption, or total loss (destruction).
2) Loss of confidentiality. Confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities, or processes. Confidentiality refers to keeping information secret from unauthorized entities (Sherman et al., 2018). Loss of confidentiality can lead to internal disclosure, external disclosure of information, and others.
3) Loss of integrity. Integrity is the property of protecting the accuracy and completeness of assets. Loss of integrity can result in accidental modification, deliberate modification, incorrect results, incomplete results, etc.
4) Direct losses are losses arising naturally, according to the usual course of things, from the breach of contract itself, and are therefore foreseeable and recoverable. Often these include financial costs.
5) Indirect losses are losses that arise from a particular circumstance of the case. Indirect losses, often referred to as "consequential losses", are not inflicted by the peril itself but are losses suffered as a result or consequence of the direct loss, for example reputational risks.
6) Criticality is the quality, state, or degree of being of the highest importance. In RCM terms, criticality is based on the consequence of failure. It is an essential criterion for information infrastructures providing critical services.

The Importance of Threat Impact on CII
According to the analysis of severity (Lough et al., 2008), the importance of severity can be divided into five categories: insignificant (the client noticed a very slight failure), low (slight irritation of the client), medium (causes customer dissatisfaction, the customer is annoyed), high (the product does not work, the client is angry) and very high (the client is at risk, the safety rules are violated).
At the same time, some methods of risk analysis apply a 10-point scale for ranking the severity of risks (Table 1). The 10-level scale gives more precise calculation results. The criteria are then weighted according to their importance: more critical criteria get higher weight values.
Based on the scale proposed in Table 1, the Likert-type scale is presented (Table 2, Fig. 4).
Rating: the raw rating assigned by the judge to each criterion, taking into account the sub-criteria, against the scale of 0 to 10 (10 most valuable) is treated as follows (Tables 3-4):
where $w_{cj}$ is the weight computed for criterion $c$ from the rating given by judge $j$, $p_{cj}$ is the rating given by judge $j$ to criterion $c$, and $w_c$ is calculated as follows:
(2)
where $w_j^{\alpha} = \min_k y_{jk}$, $j = 1, \dots, n$, $k = 1, \dots, p$, is the minimum possible value of the $j$-th criterion, the modal value is the most possible value of the $j$-th criterion, and $w_j^{\gamma} = \max_k y_{jk}$, $j = 1, \dots, n$, $k = 1, \dots, p$, is the maximal possible value of the $j$-th criterion.
Defuzzification should be applied before final decisions are made. Defuzzification is the process of producing a quantifiable result in crisp logic, given fuzzy logic and the corresponding membership degrees. A common and useful defuzzification technique is the centre of gravity. This method is selected in the case study (Turskis et al., 2019).
The experts were requested to rate the main threats according to the linguistic significance scale. Finally, the linguistic variables are converted to fuzzy numbers and the ranks are determined (Tables 3-4, Fig. 5).
The last stage is the calculation of the relative impact index (RI) of each considered threat (Fig. 6): (5)
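The group fuzzy rating stage described above (linguistic Likert-type ratings, triangular fuzzy numbers with α = min and γ = max over the experts, centre-of-gravity defuzzification, and a normalized relative index RI) is worked through below as an added example; it is not code from the paper. The linguistic scale, the five experts' ratings and the choice of the arithmetic mean for the modal value β are constructed assumptions, since the page does not reproduce Table 2 or the formula for β. The same routine applies unchanged to the probability ratings (Tables 7-8).

```python
"""Group fuzzy rating of threat impact on CII (added example).

Pipeline: linguistic rating -> triangular fuzzy number -> group aggregation
(alpha = min, gamma = max over experts, beta = mean of modal values, assumed)
-> centre-of-gravity defuzzification -> normalized relative impact index RI.
"""
from statistics import mean

# Constructed linguistic scale on the 0..10 Likert-type range, expressed as
# triangular fuzzy numbers (alpha, beta, gamma). Illustrative values only;
# the paper's own Table 2 is not reproduced on the page.
LINGUISTIC_SCALE = {
    "very low":  (0, 1, 2),
    "low":       (1, 3, 5),
    "medium":    (3, 5, 7),
    "high":      (5, 7, 9),
    "very high": (8, 9, 10),
}

# Constructed ratings of the impact of threats T1..T5 by five experts.
EXPERT_RATINGS = {
    "T1": ["very high", "very high", "high", "very high", "high"],
    "T2": ["high", "medium", "high", "high", "medium"],
    "T3": ["high", "high", "medium", "high", "high"],
    "T4": ["low", "low", "medium", "low", "very low"],
    "T5": ["low", "very low", "low", "low", "low"],
}


def to_fuzzy(ratings):
    """Map each expert's linguistic rating to a triangular fuzzy number."""
    return [LINGUISTIC_SCALE[r] for r in ratings]


def aggregate(fuzzy_ratings):
    """Group fuzzy number for one criterion.

    alpha = min of the experts' lower values and gamma = max of their upper
    values, as on the page; beta is assumed here to be the arithmetic mean of
    the experts' modal values.
    """
    alpha = min(a for a, _, _ in fuzzy_ratings)
    beta = mean(b for _, b, _ in fuzzy_ratings)
    gamma = max(c for _, _, c in fuzzy_ratings)
    return (alpha, beta, gamma)


def centre_of_gravity(tfn):
    """Centroid defuzzification of a triangular fuzzy number."""
    alpha, beta, gamma = tfn
    return (alpha + beta + gamma) / 3


def relative_index(ratings_by_threat):
    """Crisp group weight per threat, normalized so the indexes sum to 1."""
    crisp = {
        threat: centre_of_gravity(aggregate(to_fuzzy(ratings)))
        for threat, ratings in ratings_by_threat.items()
    }
    total = sum(crisp.values())
    return {threat: value / total for threat, value in crisp.items()}


def ranking(index):
    """Threat identifiers ordered from highest to lowest index."""
    return sorted(index, key=index.get, reverse=True)


if __name__ == "__main__":
    ri = relative_index(EXPERT_RATINGS)
    for threat in ranking(ri):
        print(threat, aggregate(to_fuzzy(EXPERT_RATINGS[threat])), round(ri[threat], 3))
```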

Results and Discussions
As a result of the calculations, the components that are necessary to calculate the risk were obtained (Fig. 10). The AHP approach was used to compare each criterion, taking into account the sub-criteria. As mentioned above, the Likert-type scale was used. A questionnaire about the experts' level of evaluation of the threat choice was also applied. It consists of 10 different levels.

Table 5. Weight ranking scale for the probability of the threats.

Rating 4 (the probability is very high): Incidents were previously registered, and measures to prevent them have not been taken. Statistical data, the experience of other organizations, and world practice show a growth trend of these threats and their relevance for the given period. There is great interest in the realization of this threat among intruders or competitors. There are many critical vulnerabilities for implementing the threats, or there is no check for vulnerabilities.

Rating 3 (the probability is high): Incidents were previously registered, and measures to prevent them have not been fully implemented. Statistical data, the experience of other organizations, and world practice show a growth trend of these threats. There is interest in the realization of this threat from intruders or competitors. There are critical vulnerabilities for implementing the threat, or a vulnerability check has not been carried out.

Rating 2 (the probability is medium): Incidents were previously registered, but measures to prevent them have been taken in full. Statistical data, the experience of other organizations, and world practice show no significant increase in the trend of the threats. There is little interest in the realization of this threat among intruders or competitors. There are no critical vulnerabilities for implementing the threat.

Rating 1 (the probability is low): Preventive measures against incidents are taken regularly. Statistics, the experience of other organizations, and world practice show a low growth trend of the threats. The interest in realizing this threat among intruders or competitors is low. There are minor vulnerabilities to the threat.

The experts determine the criteria weights. Table 9 presents the experts' integrated results for the sub-criterion "Loss of availability". The priority weight vector describes the significance level of the criteria in the decision matrix. After obtaining the significance level of the criteria, the following calculations were used to assess the risk index of the information infrastructures.
Thus, other matrices were created for all sub-criteria by the five experts (Table 10).
The probability level of threat implementation was also determined by the AHP method (Table 11).
Thus, other matrices were created according to the results of the five experts' answers (Table 12).
The normalized weights for the impact and probability indexes are presented in Table 13.
Integrating two methods.
The previously normalized results of the weights of the criteria and the threat probability were integrated according to Hwang and Yoon (1981): where $j = 1, \dots, n$.
The results of the calculations by equation (6) are given in Table 14.
According to OHSAS 18001, the risk for the information infrastructure R is calculated as: where I is the impact of the threat implementation on the information infrastructure and P is the probability of implementation of the threats. The risk was calculated according to equation (7), and the following results were obtained (Table 15, Fig. 11).
Thus, the most dangerous risk for CII is the Health and safety risk. The Technology and Information security risks are less significant. The lowest risks are the Climate and weather and the Legal and regulatory compliance risks.
The results of the study show which risks of threat realization must be mitigated first.
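The AHP step (a pairwise comparison matrix per expert turned into a priority weight vector, with Saaty's consistency check) and the final combination of the impact and probability vectors into a ranked risk index are shown below as an added example, not as the paper's own code or data. The two comparison matrices are constructed; the row geometric mean is used as the priority vector, and since the page does not reproduce equations (6) and (7), R = I × P normalized to sum to one is an assumption of this example.

```python
"""AHP priority vectors with consistency check, then risk = impact x
probability per threat (added example; matrices are constructed)."""
from math import prod

THREATS = ["T1", "T2", "T3", "T4", "T5"]

# Saaty's random consistency index by matrix order (standard published values).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32}

# Constructed pairwise comparisons on Saaty's 1..9 scale: a[i][j] states how
# much more the impact of threat i matters than that of threat j.
IMPACT_MATRIX = [
    [1,     2,     2,     5,     7],
    [1 / 2, 1,     1,     4,     5],
    [1 / 2, 1,     1,     4,     5],
    [1 / 5, 1 / 4, 1 / 4, 1,     2],
    [1 / 7, 1 / 5, 1 / 5, 1 / 2, 1],
]

# Constructed comparisons of the probability of the threats, same scale.
PROB_MATRIX = [
    [1,     3,     2,     4,     6],
    [1 / 3, 1,     1 / 2, 2,     3],
    [1 / 2, 2,     1,     3,     4],
    [1 / 4, 1 / 2, 1 / 3, 1,     2],
    [1 / 6, 1 / 3, 1 / 4, 1 / 2, 1],
]


def is_reciprocal(matrix):
    """A valid AHP matrix has a[i][j] == 1 / a[j][i] and a unit diagonal."""
    n = len(matrix)
    return all(abs(matrix[i][j] * matrix[j][i] - 1) < 1e-9
               for i in range(n) for j in range(n))


def priority_vector(matrix):
    """Approximate the principal eigenvector by the row geometric mean method."""
    n = len(matrix)
    gm = [prod(row) ** (1 / n) for row in matrix]
    total = sum(gm)
    return [g / total for g in gm]


def consistency_ratio(matrix, weights):
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1); CR < 0.1 is acceptable."""
    n = len(matrix)
    aw = [sum(matrix[i][j] * weights[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / weights[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1)
    ri = RANDOM_INDEX[n]
    return 0.0 if ri == 0 else ci / ri


def risk_index(impact, probability):
    """Assumed integration: R = I x P per threat, normalized to sum to one."""
    raw = [i * p for i, p in zip(impact, probability)]
    total = sum(raw)
    return [r / total for r in raw]


def ranked_threats(values):
    """Threat identifiers ordered by descending value."""
    return [t for _, t in sorted(zip(values, THREATS), reverse=True)]


if __name__ == "__main__":
    impact = priority_vector(IMPACT_MATRIX)
    prob = priority_vector(PROB_MATRIX)
    print("CR impact:", round(consistency_ratio(IMPACT_MATRIX, impact), 3))
    print("CR probability:", round(consistency_ratio(PROB_MATRIX, prob), 3))
    risk = risk_index(impact, prob)
    for t in ranked_threats(risk):
        print(t, round(risk[THREATS.index(t)], 3))
```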

Conclusions
This article describes a new model developed to analyse the risks of critical information infrastructures.
As described above, any failure in an information infrastructure, especially in a critical infrastructure, can lead not only to the disruption or termination of its functioning, but also to more global consequences in the form of large-scale monetary loss, its irreversible harmful destruction, or a significant decrease in the level of public safety for an extended period of time. The possibility of disruption of such infrastructures raises the risks that are associated with these technologies. In turn, the existence of risks leads to the need to find effective methods for evaluating them.
An important issue for each country is to prevent accidents and the suspension of production at CII. The introduction of the necessary measures to prevent the most probable and dangerous risks begins with their identification. However, risk identification is only one of the first steps in the risk management process. It is necessary to determine the importance of risks and their probability in order to start mitigating the most dangerous ones.
The best solutions to the issue can be achieved by applying scientific methods involving a large amount of information and calculations.
In such group decision-making approaches, experts present the initial data in words. Each of the experts has his/her own opinion about the criteria values. The significance of the expert estimations was assessed with the help of the modified fuzzy group Eckenrode's rating method and the AHP method. The proposed approach is superior to conventional techniques because the proposed method can make group decisions in two environments. Therefore, it is a powerful tool for solving such problems.
Regular checking for risks using effective MCDM methods makes it possible to prevent consequences that could suspend or damage the system. Risk assessment should be based on expert knowledge, which makes it possible to determine the frequency of failures and their consequences in order to predict potential failures in the information infrastructures. Information about the risks realized and the incidents that have occurred should be collected correctly, as inaccurate information can lead to severe losses. Thus, it is a very important and relevant topic for both Lithuania and other countries of the world.
The proposed model is aimed at solving the problem of calculating the risks of information infrastructures by applying the MCDM approach. Six main criteria were defined: "Loss of availability", "Loss of confidentiality", "Loss of integrity", "Direct losses", "Indirect losses" and "Criticality".
The study shows that the most important and probable risks rank as follows: Health and safety threat (rated 0.4), Technology threat and Information security threat (rated from 0.21 to 0.27), Legal and regulatory compliance threat and Climate and weather threat (rated 0.06 and 0.063, respectively). The model presented in this study is suitable for determining the probability of a risk and its impact, or for determining the importance of criteria in the multi-criteria utility function.
This model is proposed for further use in calculating the risks of critical information infrastructures.

Fig. 1. Components of the risk management process for information systems.

Fig. 2. The proposed framework for the risk assessment process.

Fig. 4. Likert-type scale to determine the threat impact on CII.

Fig. 5. Assessment of the threat impact on CII.

Fig. 6. RI - relative importance of the threat impact on CII.

Fig. 7. Likert-type scale to determine the probability of the threats.

Fig. 10. Assessment of the threat impact on CII and probability of threat values.

Fig. 11. Relative assessment of risk indicators for the proposed threats.

Table 3. Impact of the threats on CII: lexical evaluation based on the Likert-type scale.

Table 4. Impact of the threats on CII expressed by fuzzy triangular numbers corresponding to the linguistic scale.

Table 6. Weight ranking scale for the probability of the threats.

Table 7. Probability of the threats: lexical evaluation based on the Likert-type scale.

Table 8. Probability level expressed by triangular fuzzy numbers corresponding to the linguistic scale.

Table 15. Risk indicators and their ranking.