Pylypenko D. Institutional model of information security management and method of information security culture evaluation


Thesis for the degree of Candidate of Sciences (CSc)

State registration number

0413U005806

Applicant for

Specialization

  • 05.13.21 - Information Protection Systems

01-10-2013

Specialized Academic Board

К 64.052.05

Kharkiv National University of Radio Electronics

Abstract

The subject of the research is institutional management as a phenomenon. The purpose of the research is to develop ontology models of the information security institute and of the information security culture subject domain, an institutional management model of security activities, and a method of information security culture evaluation. Taken together, these make it possible to decrease the likelihood of information security risks caused by the activities of information security subjects, by increasing the efficiency of control actions.

The research methods are: ontology modeling, for developing the ontology models of the information security institute and the information security culture subject domain; game theory methods and elements of the theory of organizational systems control, for developing the institutional management model of security activities; the mathematical apparatus of linguistic variables, for formalizing the qualitative properties of the evaluation object; and graph theory methods, for designing the complex evaluation tree. Equipment: personal computer.

Theoretical and practical results of the research: taken together, the results obtained make it possible to solve an urgent theoretical and practical scientific problem, that of decreasing the likelihood of information security risks caused by personnel activities, through the development of an institutional management model of security activities and a method of information security culture evaluation. The developed software tool, used as a decision support system, increases decision-making speed and decreases the likelihood of mistakes through partial automation of the convolution matrices procedure and effective visualization of the final results.

Scientific novelty of the research: new ontology models of the information security institute and the information security culture subject domain are proposed; they are based on the results of content analysis, which makes it possible to form the terminological field of the subject domain and to link information security subjects with the components of the ISC model. The generalized model of information security activities has been developed further: in contrast to existing models, it reveals the properties of control action development by the security center, taking into account the hypothesis of rational behavior of the security agent, which makes it possible to formalize the decision-making process of the security center and the security agent by modeling information security management in terms of institutional management. A new method of information security culture evaluation is proposed; it is based on convolution matrices and makes it possible to perform a complex evaluation of the information security culture level, through improvements to the evaluation mechanism based on convolution matrices and a proposed approach to developing a set of information security metrics.

The results of the dissertation research have found industrial application within the organizations close corporation "IIT" and close corporation "VEMARA" (Vilnius, Lithuania), and have also been applied in lectures of the "Fundamentals of information security management" discipline at Kharkiv National University of Radio Electronics (Kharkiv, Ukraine). The theoretical and practical results of the dissertation research may be used by organizations of different specializations to decrease the likelihood of information security incidents caused by personnel activities or behaviour.
