PSI - Issue 22

Jerzy STANIK et al. / Procedia Structural Integrity 22 (2019) 322–333

where: , – weighting factors for individual hazards that may generate dangers in relation to the b-th security attribute.

Total real potential ( Δ ) can be determined as a weighted additive function of partial potentials, i.e.:

Δ ∶ × Δ → ℕ , (24)

where: – the function of transformation of potential to real vulnerabilities in the context of the b-th security attribute.

4. Normalization and evaluation of the IT risk vector

Because the components of the risk vector $\vec{R}_u$ for the engineering infrastructure belong to different sets of values, it is necessary to introduce a function, or a set of functions, that uniquely maps these components onto a uniform range of values [1, ..., N]. The range [1, ..., N] was adopted because it gives the simplest form of the functions mapping the components of the presented model onto a uniform range of values while keeping the results of the risk analysis readable. The exclusion of values smaller than 1 from this range, and in particular of the value 0, follows from the concept of residual risk, according to which risk cannot be completely eliminated; therefore none of the components of $\vec{R}_u$ can be equal to zero.

In order to transform the magnitudes of the individual risk components related to the IT usefulness feature into a uniform range of values, we introduce the concept of the normalization function. The normalization function is a family of functions : ⟶ [1, 2, …, N] defined for the emphasized IT risk components. For example, for the security component R, the function takes the following values:

$$
\begin{cases}
1, & \text{for } 0 \le R \le 0.3\,\mathbb{Q} \\
2, & \text{for } 0.3\,\mathbb{Q} < R \le 0.7\,\mathbb{Q} \\
3, & \text{for } 0.7\,\mathbb{Q} < R \le \mathbb{Q}
\end{cases}
\quad (25)
$$

where: = – family of the normalization functions, ϵ ; whereby: ℚ = + + + .
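As an added worked example (not code from the paper), the three-band normalization of equation (25) in Python, generalized to N bands and applied to a whole risk vector with a different ℚ per component. The thresholds 0.3ℚ, 0.7ℚ, ℚ, the inclusive upper bounds and the floor of 1 follow the text; the four per-attribute maxima that make up ℚ for the security component, the band fractions for N other than 3, and all function and variable names are assumptions.

```python
"""Normalization of IT risk-vector components onto the uniform range [1, ..., N].
Added worked example, not the paper's code; see the lead-in for what is assumed.
"""
from typing import Dict, Sequence

# Assumption: Q for the security component is the sum of the maximum attainable
# scores of the four security attributes listed in Table 1 (the paper's
# Q = ... + ... + ... + ... has no legible terms); each maximum is assumed to be 3.
SECURITY_ATTRIBUTE_MAXIMA: Dict[str, float] = {
    "availability": 3.0, "confidentiality": 3.0,
    "policy_compliance": 3.0, "monitoring": 3.0,
}
Q_SECURITY = sum(SECURITY_ATTRIBUTE_MAXIMA.values())  # 12.0

# Upper band limits as fractions of Q; the default is the 3-band form of (25).
DEFAULT_FRACTIONS: Sequence[float] = (0.3, 0.7, 1.0)


def normalize_component(value: float, q: float,
                        fractions: Sequence[float] = DEFAULT_FRACTIONS) -> int:
    """Map a raw component value in [0, Q] onto a band in {1, ..., N}.
    Upper bounds are inclusive as in (25): 0..0.3Q -> 1, (0.3Q, 0.7Q] -> 2,
    (0.7Q, Q] -> 3. A value of 0 still maps to 1 (residual risk), never to 0.
    """
    if q <= 0:
        raise ValueError("Q must be positive")
    if list(fractions) != sorted(fractions) or fractions[-1] != 1.0:
        raise ValueError("fractions must be increasing and end at 1.0")
    if not 0 <= value <= q:
        raise ValueError(f"value {value} outside [0, {q}]")
    eps = 1e-9 * q  # tolerate float noise exactly on a band boundary
    for band, frac in enumerate(fractions, start=1):
        if value <= frac * q + eps:
            return band
    return len(fractions)  # not reached once value <= q holds


def normalize_vector(components: Dict[str, float], maxima: Dict[str, float],
                     fractions: Sequence[float] = DEFAULT_FRACTIONS) -> Dict[str, int]:
    """Normalize every component of a risk vector using that component's own Q."""
    return {name: normalize_component(v, maxima[name], fractions)
            for name, v in components.items()}


if __name__ == "__main__":
    # Constructed sample risk vector: a raw security score plus two other components.
    raw = {"security": 8.4, "continuity": 0.0, "quality": 9.5}
    maxima = {"security": Q_SECURITY, "continuity": 10.0, "quality": 10.0}
    print(normalize_vector(raw, maxima))  # {'security': 2, 'continuity': 1, 'quality': 3}
```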
The sample forms of the standardization function for the emphasized IT usefulness features in relation to the information security, business continuity and quality areas are shown in Table 1.

Table 1. Sample forms of the standardization function [table body: piecewise standardization functions; the formulas are illegible in this extraction, only the row labels survive]

A. For the area of Security: information availability, data confidentiality, compliance with the requirements of the Security Policy, safety monitoring.

B. For the area of Operational continuity: cost of unavailability, system significance, maximum duration of unavailability (π_{S_i}), system elasticity, monitoring of continuity, compliance with the requirements of the Business Continuity Policy. The surviving fragments show these functions taking the values 1, 3 and 5 (1 when the feature's value equals 3, 3 when it equals 2).

C. For the area of SI GIS quality: compliance with the requirements of the quality policy, monitoring of quality.
