A method for assessing risk with accounting for the structure of threat and vulnerability relationships in a complex system

Authors

DOI:

https://doi.org/10.20535/tacs.2664-29132025.1.329565

Abstract

The article presents a novel approach to risk assessment in complex information systems, which takes into account the structural relationships between threats, vulnerabilities, and system components. The primary focus is on developing a formalized model that enables the construction of a simplicial complex of dependencies among potential threats and vulnerabilities, as well as identifying their impact pathways on the integrity, availability, and confidentiality of the system. The use of a simplicial complex model is proposed to represent these interconnections and to determine critical nodes that are most vulnerable to compound attacks. The methodology allows for quantitative risk evaluation by calculating threat levels, the probabilities of vulnerability exploitation, and their impact on the system. A key feature of the approach is the consideration of not only individual vulnerabilities but also their interactions, which significantly enhances the accuracy of risk assessment. The results of modeling and applied analysis confirm the effectiveness of the proposed method in identifying the most critical security elements and in justifying protection priorities under limited resource conditions. The proposed method can be integrated into information security management systems to improve the protection level of complex technical infrastructures.

Author Biography

Viktoriia Igorivna Polutsyhanova, "Igor Sikorsky Kyiv Polytechnic Institute"

Viktoriia Igorivna Medvedenko, Ukraine, Kyiv, "Igor Sikorsky Kyiv Polytechnic Institute", assistant, PhD student, cyber security, medvika@ukr.net, +380634989447, Kyiv, Olzhicha st. 17a, 14.

Published

2025-08-11

Issue

Section

Mathematical methods, models and technologies for secure cyberspace functioning research