ASSESSMENT OF THE UNEVEN USE OF INFORMATION RESOURCES IN THE BUSINESS PROCESS CIRCUIT

An approach is proposed for assessing the uneven use of information resources in the organization’s business processes. Formal representations of the organization’s business processes and security systems are presented, reflecting both business operations carried out in a certain sequence and information resources that ensure the implementation of the relevant business operations, the place of information resources in the general outline of business processes is indicated. The circuits of the security system business processes of and the business processes of the main object of modeling are considered, including both business processes for managing security and business processes for ensuring security management. The assessment of the non-uniform use of information resources in a business process scheme is based on the consistent construction of an information resource incidence matrix for individual business operations, a frequency relationship matrix reflecting the sharing of information resources, and a matrix of derivatives in a discrete formulation. The proposed approach is demonstrated on a conditional example containing both the notional costs of information resources and weighting factors of the importance of business operations that reflect their criticality in the general contour of business processes. Estimates obtained as a result of applying the approach make it possible to group information resources, focusing on the frequency of their joint use in the business processes, which ultimately makes it possible to justify the choice of information resources for protection against threats from cyber intruders.


INTRODUCTION
Information infrastructure is a central concept that defines the entire cycle of designing and operating a business system. The protection of information assets within the assets of an enterprise is a critical moment, the absence of which casts doubt on the very idea of the existence of an information structure. Therefore, the support and protection of the enterprise management system implies, first of all, the support and protection of the business processes themselves and the development of the infrastructure component of the business system, and in particular the information system, by overcoming the infrastructure and information fragmentation of the enterprise units (Evseev & Dorohov, 2011;Magomaeva, 2017;Milov & Korol, 2019;Stelmashonok, 2006).
The concept of information assets includes all technical and software, patents, trademarks and everything that allows employees to realize their production potential, as well as the relationship between the company and its major customers, government agencies, and other business entities. Protection of information assets consists in maintaining the integrity, accessibility and confidentiality of information in business systems (Evseev, Kots & Korol, 2015;Hamdan, 2013;Kotenko & Karsaev, 2001).
The analysis of possible threats showed that the information infrastructure should have the property of protecting the information used in business processes. This property characterizes the ability to provide protection against unauthorized (intentional or accidental) receipt, alteration, destruction or use of commercial, official or technological information.
The process-oriented approach to the creation (improvement) of the infrastructure for protecting information of business processes will allow us to consider the process of formation (development) of an information protection system as one of the auxiliary business processes that provide the basic processes of the enterprise. This makes it possible to develop an information protection infrastructure in close interconnection with the design of other business processes, which will undoubtedly increase their integration, flexibility, balance, and manageability (Rigin, 2012).

AIMS
The existing systems of protection against business objects from cyberattacks are based on threat classifiers, which are largely focused on ensuring the security of information resources, as the goals of cyberattacks, and not on ensuring the security of business processes directly (Evseev,  Because of this, a certain contradiction arises, consisting in the existence of a certain gap between the assessment of the security of the business process and the information resource used by it. This article attempts to jointly assess both information resources and the organization's business processes used, taking into account the fact that the same resource can be used in different business processes. The proposed approach is aimed at ensuring the security of business processes of the organization, allowing you to create a circuit of business processes of the security system (Evseev, 2016, 2019).

RESULTS
Consideration of the proposed approach should begin by presenting the outline of the organization's business processes, the security system and the place of information resources in them.
The circuit of the organization's business processes should be considered as the main object of cyber-attacks. An organization's business process circuit (BP) is a set of business processes and their implementation of information resources, the implementation of which in a given sequence leads to the achievement of the organization's goals, which can be described as follows: { } where S BP -is the loop of business processes as a set of BPs, each of which represents: • S Bpi -is the i-th business process, defined by the structure of relationships of individual business operations performed in a certain sequence; • IR BPi -a set of information resources of the i-th business process; • T BPi -a set of threats to the i-th business process.
Ensuring the protection of the organization's business processes can be represented similar to the BP contour, but not the security system. The security system business process circuit is a set of business processes and the resources necessary for them, the implementation of which ensures the normal functioning of the organization's business process circuit. This BP loop can be represented similarly, namely: where S BP is the circuit of business processes of the security system as a set of BPs, each of which represents, S BSii-th business process defined by the structure of the links of individual business operations that are performed in a specific sequence in the security system, IR BSi -a set of information resources protected by the i-th business process of the security system, T BSi -a set of threats, the i-th business process of the security system provides protection against.  The relationship between information resources (IR) and the business processes in which they are used can be represented as an incidence matrix (A). Rows of this matrix correspond to information resources, and columns correspond to business processes. Matrix elements are defined as follows:

th resource is uaed by j th process a in other cases
Let's consider a truncated version of the matrix of incentivities for the bank's business processes. As before, rows correspond to information resources, and columns correspond to business processes. Let there be 7 business processes and 5 information resources used in the framework of these business processes. The type of incident matrix for this case is presented in Table 1.

Table 1. Matrix of incidents of information resources for business processes
Source: Suggested by the authors.

Business processes
The objective will be to ensure, with limited financial resources, the protection of as many business processes as possible through the protection of the information resources they use.
To solve this problem, the incident matrix must be supplemented with the cost indicators of each of the resources used (this is an estimate of the cost of protecting the corresponding resource). The incident matrix takes the following form ( Table 2).

Table 2. Valuation of information resources incidental to business processes
Source: Suggested by the authors.

Business processes The cost of the i-th resource (ci) (UAH)
If we evaluate the cost of the corresponding business process based on the cost of the resources used by it, then in general terms the cost of the j-th business process can be calculated as: In the example, the costs of business processes are shown in the last line added (Table 3). It should be noted that business processes have different values for the organization, therefore, in addition to the cost indicators of the resources used, which can be entered into the used classification of threats, it is also necessary to set the importance (or value, or priority) of the corresponding business process. Supplementing the table used with weights of the importance of business processes (w j ), we can calculate the present values of business processes using the following expression (Table 4): The obtained estimates of the present value of the organization's business processes make it possible to evaluate the value of business processes to determine the sequence of protection against cyber-attacks. However, it should be noted that the organization's business processes are not completely independent, since in the general case the same resource can be used in different business processes.
To correctly assess the relationship of the organization's business processes through shared resources and, based on this, determine the group of protected resources, we will use the methods of discrete mathematics and the theory of partially ordered systems (Gorbatov, 1976(Gorbatov, , 2000. The intensity of the participation of information resources in the business processes of the organization will be characterized using the frequencies of their use. To do this, we introduce into consideration the frequency matrix of relations F=[f ij ] n.n characterizing the model M, the incidence matrix of which is A(M)=[a ij ] m.n .
A frequency matrix of relations F=[f ij ] n.n is a matrix, each row (column) of which is mutually associated with an information resource, and the element f ij is equal to the number of business processes in which the i-th and j-th information resources are used, if i≠j, otherwise (i=j) -the number of business processes in which the i-th information resource is used. Moreover, if i=j, then f ij is the natural frequency of the resource, if, then f ij is the mutual frequency of the use of resources i and j. The greater the value of f ii , the greater the importance of this resource for the organization's business processes. The frequency matrix F is symmetric with respect to the main diagonal. The greater the value of f ij , the greater the importance of information resources of the i-th and j-th type for the contour of the company's business processes.
It can be shown that the frequency matrix of relations F, which characterizes the model, whose incidence matrix A satisfies the relation: where A T -transposed matrix A.
For the above example, the frequency matrix of relations constructed with respect to information resources will have a dimension of 5x5 and will look as follows: To build groups of business processes similar to each other in terms of information resources used, it is necessary to introduce the concept of a derivative over a pair of elements in a discrete formulation. Such a derivative is calculated according to the elements of the frequency matrix of relations as follows: This value shows the degree of uneven use of pairs of information resources in the circuit of the company's business processes. The matrix D=|d ij | has the following form: ..
The highest value in the resulting matrix is 6.0, corresponding to the pair (3,5). As you can see from the original incident matrix, they are practically not shared in the business processes under consideration, therefore, joint protection of these resources will lead to the protection of different groups of business processes. While the resources included in the pair (2, 5) turn out to be similar in terms of using business processes. From this it follows that when building the protection of resource 2, it is necessary to protect resource 5, since they are used together in a group of business processes. An analysis of the obtained values of the matrix D will allow us to form groups of resources that require simultaneous protection for the normal functioning of the organization's business processes.
Thus, the proposed approach allows quantifying the uneven use of various information resources. Accounting for the resulting assessments can be used in constructing the circuit of business processes of the security system with the goal of efficiently distributing limited financial resources to protect the organization's business processes (Isaev, 2015;Weishaupl, Yasasin & Schiyen, 2015).