Modifications of the Formal Risk Analysis and Assessment for the Information System Security

In this article, a modification of the formal model of risk analysis (FoMRA) is proposed. The modified FoMRA1 method takes into account the guidelines of the ISO/IEC 27001 and ISO/IEC 27005 standards. The applied modification and abstraction by resources and security controls (also called countermeasures) significantly shortened the time of risk weight calculation in comparison with the MEHARI method. An attempt was also made to further reduce the time of risk analysis using agents collecting information and data from various network nodes, from operating systems and devices, and additional agents containing information on reports on security procedures, security services, security management and organizational activities related to the information systems (maintenance, insurance, outsourcing contracts, etc.), and transferring it to the local FoMRA1 database. The obtained results indicate that the proposed method, together with agents installed in various nodes, enables a quick reaction to system threats and prevention of their impacts (a quasi-real-time security monitoring system).


INTRODUCTION
An analysis of the current state of knowledge shows that much work has been published in the area of risk management of information systems [1][2][3]. For several years, ISO/IEC has also been working intensively on the risk management process (analysis, assessment, management, risk monitoring and communication) [4][5][6]. Simultaneously with the development of new standards, various initiatives from governmental institutions and non-profit organizations have emerged, resulting in new methods of risk analysis and/or risk management [7][8][9]. Most of these standards and methods have the same goal: to actively identify every source of risk, threats and vulnerabilities of the Information System (IS) in an organization and their impact on resources, and to propose appropriate security controls [10][11][12]. Commonly used standards and risk analysis methods are bottom-up methods [19,20,30]. These are methods that only allow for an "a posteriori" approach to IS security [13][14][15]. These methods usually focus on well-defined steps and actions to be taken in order to achieve the best security level for the IS [16][17][18]. The added value of these methods and standards is based on the fact that they contain the basic knowledge about the risk and the security requirements [32][33][34]. The disadvantage of these methods is that they are:
• time-consuming, e.g. they require knowledge and skills from an auditor in linking resources with vulnerabilities, threats, etc.; the input data are based on audit results (checklists) and all these links are made by the auditor step by step,
• rigorous, with closed sets of vulnerabilities, threats and risks and sets of ready-made security or configuration settings, and therefore do not allow changes, adaptations, extensions, etc., and
• the final results generated by those methods, the templates and documents in the output, are generally informal, most often expressed in natural language.
All these disadvantages lead to a lack of automation at the level of reasoning, evolution, monitoring or information evidence related to the information security risk management process. The "a priori" approach to IS security, according to the author, e.g. at the project level, seems to be much better for a significant improvement of the organization's security and for acceleration of the risk analysis and assessment process [22,23]. In various fields of science, and especially in information technologies, formal modelling is an important tool for studying the properties of complex structures, systems or algorithms [24,25]. Often, only formal models exist that enable, for example, automatic or semi-automatic simulations or verification of the properties of very complex systems [49,50]. The goal of this work is to find a method of risk analysis and assessment which, after appropriate modification and optimization, can be the answer to the problems that most risk analysis and assessment methods have to face, i.e.:
• it is not rigorous, which means that it has an open knowledge base on threats, vulnerabilities and risks, and it is flexible, which means that it can be configured, developed and adapted to the variety of requirements of standards and legal acts in Poland;
• it limits the time of risk analysis and, in combination with a security information and event management (SIEM) tool, makes it possible to react to various threats to information systems in quasi-real time.

MODIFICATION AND OPTIMIZATION OF THE RISK ANALYSIS METHOD (FOMRA)
Like all computational systems, risk analysis systems are constantly modified or improved, and these changes can be divided into two groups. The first group consists of various calculation optimizations, including conceptual changes to the algorithms used, their optimization, or even the practical application of different methods developed for the solution of a given calculation task. The other is to increase the functionality of the system by additional options or completely new possibilities. This article presents such a modification and functional improvement of the formalism (FoMRA) published previously in [35,36].

Automatic risk scenario process
The proposed modification of FoMRA in this section introduces a new functionality to the system, important from the point of view of conducting tests and simulation studies. Risk analysis simulation models should be developed and tested using risk knowledge bases applicable to the methods used in practice. These databases are fixed and static [11,13,17], i.e. they cannot be modified. From the point of view of testing and creating research simulation models of the properties of risk analysis calculation methods, this is not a comfortable situation, because we are dealing only with a specific, finite and relatively small set of data. In order to become independent of these knowledge bases and to be able to conduct simulations describing other variants of systems, a method has been developed which allows for the automatic generation of risk scenarios. Therefore, the additional modifications of the FoMRA1 method which enable such automatic generation of scenarios will be proposed. First of all, the method is extended by parameters expressing the vulnerability environment and the sources of threats. Secondly, the number of arrays determining the risk weight has been reduced. The introduced changes are also aimed at making it possible to reduce the model based on abstraction at the level of resources, scenarios and security controls. The following two sets of objects that characterize the information system have been added to the FoMRA1 method: is a set of internal and external factors affecting resource vulnerability, is a set of threat actors (sources of threat).
In addition, any subset of the factors O will be called the environment of the resource. For further consideration, it is necessary to modify the vulnerability of the information system as follows (see Equation 11).

Definition 1. Vulnerability of an information system should be any function of the type:

$$vul: A \times 2^{O} \to 2^{V} \qquad (3)$$

The modification presented in Definition 1 indicates that this time the vulnerability of a given resource to threats also depends on its environment (any subset of the set of factors O).
Therefore, Definition 2, which defines the general threats of the system, must also be modified. The threat will additionally depend on its sources, i.e. the so-called actors, the users of the system:

Definition 2. A general threat to the Information System should be any function of the type:

where the set is a set of all triples (a, v, X) from the Cartesian product A × V × 2^P meeting the following condition:

As can be seen from the above definition, the functions take three arguments, where the first coordinate is the resource, the second is the vulnerability of this resource, and the third is the set of threat factors. The values of the above function determine the threats to the resources from the set A depending on the vulnerability of the resources from the set V (and thus indirectly on the environment) and the threat factors T.
In accordance with the above modifications, it is also necessary to change the definition of the risk scenario formulated in Definition 3:

Definition 3. The general risk scenario of the information system will be referred to as the set of all distinct quadruples, where the third and fourth components are not empty sets, defined by the following relationship (6):

Note that, according to the above modifications, in the new model the scenario depends on four parameters: resource, vulnerability, environment and threat factors.
The second modification of the FoMRA method consists in removing "recovery controls" from the formal model and algorithm, and thus from the calculations. It should be noted that the set of security controls (i.e. insurance of tangible and intangible resources, outsourcing, etc.) assigned to it has been transferred to "corrective controls". This was done because, during the comparative studies of the risk assessment methods MEHARI and CRAMM with FoMRA already published in [31,36,48], the inclusion of security controls in the "recovery controls" in the process of risk estimation generated weight differences between those methods. Such an approach makes this method partially reactive (the security controls are planned as a reaction to possible risks once they have occurred: "post-factum risk").
Considering that most methods, including CRAMM, OCTAVE, etc., are dedicated to active risk analysis (the security controls are planned as a response to possible risks before they occur), the new modified structure of the arrays (removing the "recovery controls" array from the FoMRA model, etc.) determining the risk weight values W_s for each scenario is presented below:

where:
DP is a set of security controls reducing a potentiality. This set is assigned to deterrent and preventive controls [17,21,47],
DI is a set of security controls reducing an impact. This set is assigned to protective and corrective controls [17,21,47].

The above modification of the FoMRA method, called FoMRA1, has been tested for the appropriateness of removing "recovery controls" from the formal model and algorithm and its impact on the results of risk estimation. Table 1, with 12 scenarios assigned to 7 main groups of risk scenarios, and 2 rosettes showing the results of the FoMRA and FoMRA1 risk analysis are presented below. The results obtained for all scenarios presented in column 1 (Vs_FoMRA) assume the lack of implementation of the security controls assigned to "recovery controls" by organizations, while column 2 assumes their full implementation. The same approach was applied to columns 3 and 4 (Vs_FoMRA1), but this set of security controls, as described above, was attached to the set of security controls assigned to "corrective controls". Algorithms, formulae and arrays for calculating weight values for potentiality and impact actions and risks are presented in [35,36].
As can be seen from Table 1 (Vs_FoMRA, column 2) and Figure 1 (grey field), where the set of all security controls (i.e. insurance of tangible and intangible resources, etc.) for "recovery controls" is implemented, the risk value is acceptable for most scenarios. In some scenarios there are no security controls provided for "recovery controls", since, for example, in Poland it is impossible to insure oneself against some deliberate threats (e.g. undertaken by maintenance staff or disloyal employees). The results (column 2 and Figure 1, grey field) confirm that FoMRA is a partially reactive method, which may present a misleading picture of the actual risk in the organization [26,29]. The FoMRA method is not an isolated case, because both the MEHARI [17] and ISRM [27,28] methods are also partially reactive. Contrary to that, the assignment of the set of protections from "recovery controls" in FoMRA to the "corrective controls" in the new FoMRA1, as indicated in Table 1 (Vs_FoMRA1, column 4) and Figure 2 (grey field), generated minimal changes for some scenarios. This is the effect of changes in the algorithm in FoMRA1 used to calculate "corrective controls", where the transferred security controls (i.e. insurance of tangible and intangible resources, etc.) are part of the security controls supporting the existing security controls (i.e. disaster recovery site or plan, system and data backups, high availability, etc.) in "corrective controls". Some results (reduced risk weight for some scenarios) in column 4 and Figure 2 are the result of a lack of sufficient security controls (i.e. data backups, breakdown of the network equipment). The reduced risk weight for the exemplary scenario 07-2 is the result of partial activation of the transferred security control (insurance of intangible resources) from "recovery controls": weighted CM_{s,j} [37][38][39] for "corrective controls" = Min(CM_{s,di2} = insurance of intangible resources; CM_{s,di2} = data backups) = 4. As can be seen from Table 1 (Vs_FoMRA, column 4), such a state is not a common phenomenon, unlike in the case of FoMRA, where the security controls assigned to "recovery controls" can have a large impact on the final risk weight. Thanks to the modifications described above and the results obtained in Table 1, it can be assumed that FoMRA1 is an active method such as CRAMM or OCTAVE. Since 2015, FoMRA1 has been continuously and efficiently applied in audits of several enterprises and organizations in Poland with different activity profiles (GUS - Statistics Poland, Bank PKO S.A. - Unicredit, Systemics Poland Co. Ltd., The 4 Investment Group Co. Ltd.). In 2016, for the certification process to comply with ISO/IEC 27001 requirements, an additional risk treatment and Statement of Applicability module was developed to enable full risk management of the Certum - Poland global registry services information system. Figure 3 below shows the risk treatment module and the effect of the introduced changes on the final risk management module (Fig. 4).

Table 1 (fragment recovered from the extracted text), scenario 01-3: Breakdown of an important auxiliary equipment (air conditioning, etc.) leading to unavailability of the (host) system.
Risk treatment is very important, as it enables the implementation of security controls (measures) to reduce the gravity of the selected scenarios. FoMRA1 uses an algorithm according to the four ways (Retain, Avoid, Share, Modify) suggested by ISO 27001 to treat unacceptable risks. In this module (Fig. 3) the auditor, using the "drag and drop" function, can again raise the questions about the security measures (e.g. 08F02 = 2) for which a negative answer (no implemented security) was originally given (during the audit). If an organization wants to implement these security controls for a given service (e.g. 08F02 = 4), the built-in algorithm will recalculate the final values for all

Reduction of the risk analysis model
One of the popular methods of improving the efficiency of calculations carried out in a computational system or its formal model is to introduce appropriate abstractions in the model. Such reductions are made by applying certain equivalence relations in the model, which combine many elements of the system into one representative set that can replace all its elements in the calculations. This is a popular technique in many formal modelling applications, which sometimes makes it possible to significantly reduce the size of the constructed and tested models, even infinite models, and thus makes it possible to perform effective calculations.
A binary relation δ defined on the Cartesian product A×A (i.e. its subset, δ⊆A×A, for a given set A) is termed an equivalence relation if it meets the following three properties:
• reflexivity, i.e. each element of the set is in relation to itself:
$$\forall a \in A \; (a\,\delta\,a)$$
• symmetry, i.e. the relation between two elements of the set in one direction enforces the relation in the other direction:
$$\forall a,b \in A \; (a\,\delta\,b \Rightarrow b\,\delta\,a)$$
• transitivity, i.e. the following is fulfilled:
$$\forall a,b,c \in A \; (a\,\delta\,b \wedge b\,\delta\,c \Rightarrow a\,\delta\,c) \qquad (12)$$
In the following considerations, relations defined by equality will be used. Reductions of the model, and thus of the calculations, may seem to be a simple task, but even a well-defined formulation of a condition for a given relation can be very complicated and requires from the defining person a perfect knowledge of the system/model. Moreover, even a very good and accurate definition of the relation, which provides a substantial reduction, is not a sufficient condition to achieve the intended goal, i.e. to reduce the number of calculations. Another problem is to indicate a suitably fast method (algorithm) of checking whether the given states/objects of the model are really in relation with each other. It may happen that acceleration of calculations for a well-chosen relation cannot be achieved. The reason may be too high a computational complexity of the algorithm testing the fulfilment of the relation between two objects of the model, or that it has to make too many comparisons between successive pairs of objects. In the next proposed modification of the model (FoMRA1), the resources and security controls have been abstracted.

Abstraction by security controls
It often happens in the system that the same security controls reducing the potentiality and impact should be taken for different risk scenarios. It is therefore possible, at the right time, not to recalculate the parameters for the calculation graph. Such a relation is the theoretical justification for this case and is defined below.

Definition 5. Let ξ be the relation defined on the set of pairs (scenario, security control) drawn from $\overline{DP}$ and $\overline{DI}$ (ξ is a subset of the Cartesian product of this set with itself) as follows: (16)

The above relation is also defined in terms of equality, i.e. it is an equivalence relation. When performing the algorithm calculating the risk weight, it is checked in constant time whether the relevant pairs consisting of the scenario and the security controls reducing the potentiality or impact have the same activity (effect). This reduction justifies the following modification of the risk weighting algorithm. When creating the calculation graph and considering the next pair consisting of a scenario and an action, the condition defining the relation ξ with the already calculated pairs of this type is checked first. If it is fulfilled for one of them, the values already computed for that case are taken into account in the final phase of the risk weight calculation.
Situations fulfilling this condition are more common than in the previous case, and one can count on a greater acceleration of the calculations.
As before, the discussed optimization is one of several proposed above and as a component of the full process of risk weight calculation optimization it plays an important role.
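The caching that the abstraction by security controls (and the equivalence relation of the preceding section) relies on, as an added example written for this page in Python; it is not the FoMRA1 implementation. The 0..4 control levels, the Min aggregation (borrowed from the corrective-controls example above) and the scenario and control names are assumptions.

```python
"""Abstraction by security controls: memoising (scenario, control set) pairs.

Illustrative example, not the FoMRA1 code. Assumptions (not from the paper's
algorithm in [35,36]):
- every security control has an implementation level 0..4 (the paper's
  questionnaire answers such as 08F02 = 2 or 08F02 = 4 use that range);
- the weighted effect of a control set is the minimum level over the set, as in
  the paper's example Min(insurance of intangible resources, data backups) = 4.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Control:
    """A security control with its implementation level (assumed 0..4 scale)."""
    code: str
    level: int


@dataclass(frozen=True)
class Scenario:
    """A risk scenario with its assigned controls: DP-type controls reduce the
    potentiality, DI-type controls reduce the impact."""
    sid: str
    dp_controls: FrozenSet[Control]
    di_controls: FrozenSet[Control]


Signature = Tuple[Tuple[str, int], ...]


def signature(controls: FrozenSet[Control]) -> Signature:
    """Canonical form of a control set: the same controls with the same activity
    (effect) give the same signature. Two pairs are related by ξ exactly when
    their signatures are equal, so reflexivity, symmetry and transitivity hold
    because ξ is defined through equality."""
    return tuple(sorted((c.code, c.level) for c in controls))


def equivalent(a: FrozenSet[Control], b: FrozenSet[Control]) -> bool:
    return signature(a) == signature(b)


def weighted_effect(controls: FrozenSet[Control]) -> int:
    """Assumed aggregation: minimum level over the set; an empty set gives 0."""
    return min((c.level for c in controls), default=0)


class RiskWeightCalculator:
    """Evaluates each equivalence class of control sets only once."""

    def __init__(self) -> None:
        self._cache: Dict[Signature, int] = {}
        self.hits = 0      # pairs served from the stored cache
        self.misses = 0    # pairs that had to be calculated

    def effect(self, controls: FrozenSet[Control]) -> int:
        key = signature(controls)
        if key in self._cache:           # an equivalent pair was already computed
            self.hits += 1
            return self._cache[key]
        self.misses += 1
        self._cache[key] = weighted_effect(controls)
        return self._cache[key]

    def risk_weights(self, scenarios: List[Scenario]) -> Dict[str, Tuple[int, int]]:
        """Per scenario: (effect of the DP controls, effect of the DI controls)."""
        return {s.sid: (self.effect(s.dp_controls), self.effect(s.di_controls))
                for s in scenarios}


def sample_scenarios() -> List[Scenario]:
    """Constructed input: three scenarios sharing control sets, which is the
    situation the abstraction by security controls exploits."""
    backups = Control("data backups", 4)
    insurance = Control("insurance of intangible resources", 4)
    fail2ban = Control("Fail2ban brute-force protection", 3)
    access = Control("centralized authentication (OpenLDAP)", 2)
    corrective = frozenset({backups, insurance})
    preventive = frozenset({fail2ban, access})
    return [
        Scenario("01-3", preventive, corrective),
        Scenario("07-2", preventive, corrective),
        Scenario("05-1", frozenset({fail2ban}), corrective),
    ]


def run_example() -> Tuple[Dict[str, Tuple[int, int]], int, int]:
    calc = RiskWeightCalculator()
    weights = calc.risk_weights(sample_scenarios())
    return weights, calc.hits, calc.misses


if __name__ == "__main__":
    weights, hits, misses = run_example()
    for sid, (dp, di) in weights.items():
        print(f"{sid}: potentiality effect {dp}, impact effect {di}")
    print(f"cache hits {hits}, misses {misses}")
```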

EXPERIMENTAL RESULTS
In order to verify the correct operation of the FoMRA1 model after modification and abstraction, experimental studies were carried out. The results were obtained on the basis of a program specially written for this purpose.
The results show different possibilities of carrying out time calculations when determining the risk weighting for 100 scenarios within one business process (mortgage applications) of a large organization in Poland (Bank PKO SA - Unicredit) and, independently, for 10 business processes analyzed simultaneously (mortgage applications, payment default, sales and marketing, intersales, FX transaction and liquidity management applications, etc.) with the same number of scenarios, which justifies the possibility of generalizing the results. The results are presented sequentially using the FoMRA1 and MEHARI methods (the only publicly available knowledge base of the MEHARI method, which was programmed in the same environment as FoMRA1). The choice of MEHARI as a reference method is dictated by its compliance with the ISO/IEC 27005 guidelines and by the fact that it can additionally be programmed for comparison purposes. The results presented in Figures 5-10 are related only to the calculation time of the risk weighting for 100 scenarios, with answers given to all questions. As can be seen from Figures 5-7 for one business process, better calculation results were obtained for abstraction by security controls (Fig. 5). This result is related to the repeatability of security controls for a larger number of scenarios. The introduction of abstraction by security controls means that those security controls that appear as elements of various scenarios are included in the calculation only once. Calculation results are transferred (the value from the stored cache) to the next calculation sequences without the need to perform recalculations for the same security controls.
In the case of abstraction by resources (Fig. 6), we obtained a longer calculation time than in the case of abstraction by security controls. Such a result could have been expected, as the similarity of resources with the same risks and vulnerabilities within a single business process is very small. Visible changes in calculations could only be expected if there were several dozen business processes under consideration (respondents), where the actual similarity relations between resources can be repeated more often than in the case of one business process. The above thesis is confirmed in Figure 9. Taking into account the percentage difference in time between Figure 6 (55.75%) and Figure 9 (57%), a reduction in calculation time proportional to the number of business processes studied can be seen between MEHARI and FoMRA1. An analogous situation occurs in the case of abstraction by security controls: Figure 7 (66%) and Figure 10 (79%) show a significant reduction in calculation time between MEHARI and FoMRA1. As described in [48], optimistically it can take up to several days to perform one analysis for one business process in a large organization. This depends on various factors: identification and classification of resources, threats and vulnerabilities, allocation of ownership of resources to the personnel of the organization, association of resources with threats and vulnerabilities, generation of audit questionnaires and conducting audits.
Most of the available methods are automated (MEHARI, OCTAVE, IT-Grundschutz, CRAMM, etc. are supported by commercial software), but require the intervention of an auditor in each of the above-mentioned activities. The process of calculating and assessing the risk after entering the answers from audit questionnaires into the system depends on the abundance of the knowledge base of a given method (e.g. the number of scenarios assigned to a given resource, security control, etc.). From the available literature [37,38,40] it can be concluded that the methods are largely similar to each other, which allows the assumption that the calculation time of risk weighting for the other methods (CRAMM, OCTAVE, IT-Grundschutz) is similar to that of the MEHARI method.
In the case of using FoMRA1, thanks to associating all risk parameters, auditor intervention is limited. The auditor should only introduce two values to the model (resource and risk); the other actions are done automatically, until the audit

In this case, an attempt was made to adjust FoMRA1 for a network with agents collecting data from various network nodes, operating systems, hardware and from other agents (in the form of microservices) containing information about completed security procedures, management and organization activities resulting from the implementation of the security policy for the system (service, outsourcing, insurance agreements, etc.). Figure 11 shows a schematic of the infrastructure model that collects data from the ASSECO Poland company systems. The risk analysis system is made up of three main components:
1) System monitoring module;
2) SIEM module, which is responsible for collecting and processing data and preliminary analysis, and contains a mechanism that notifies system administrators about malfunctions;
3) Risk analysis: FoMRA1.
In the defined model, the following services subjected to monitoring were launched: Open-LDAP (used as an authentication mechanism in the role of a domain controller for other services, or as a centralized authentication system that serves as a replacement for /etc/passwd), Open-VPN (user authentication using keys, certificates or username and password in point-to-point connections) and ClamAV (antivirus tool set). Original services that are responsible for connecting with the existing AC management system (for example LG, Hitachi), the SSH service, Fail2ban as a framework that works as a security control against brute-force attacks (scanning security logs and automatically updating firewall rules), and other services that are critical to system security are listed in Table 2.
Zabbix-agent [39][40][41] is responsible for monitoring the parameters of the launched services. The configuration of the services is also protected by auditing services and tools that are responsible for monitoring the integrity of files and their permissions (AIDE [42][43][44]), which assumes the role of an IDS. Communication with the SIEM system takes place using Zabbix-agent. Zabbix-agent has been extended using shell scripts that are launched on demand at defined time intervals (using the Zabbix server). To monitor services defined by the administrator, integration with systemd has been provided (systemd unit) to ensure that basic service parameters can be read (start/stop, enabled/disabled); parameter type: e.g. "Zabbix agent". Zabbix-agent is responsible for monitoring the parameters of IT systems:
• Servers: available disk space, memory usage, system load.
• Workstations: antivirus status, installed security updates status.
• Network devices: response time, current load of the device, etc.
Zabbix-agent is also responsible for responding to these events in the shortest possible time. Communication between the Zabbix server (SIEM) and the system currently being monitored takes place using Zabbix-proxy, which allows combining multiple network segments and the systems currently operational in these networks (network devices, hosts and services). The SIEM mechanism is implemented using the launched Zabbix server. The Zabbix server contains: REST API [45], HTTP management, Zabbix trapper [46]. The REST API allows integration between Zabbix and the existing systems currently operational in the organization. HTTP management is a part of Zabbix and allows its configuration. It provides a convenient way of managing the monitored systems and managing applications (schematics that define the range of the monitored parameters). The Zabbix trapper allows sending data about events from the autonomous processing agents to the Zabbix server. In the built model it is given the role of a handler receiving data from the defined agents, which in this case allows convenient integration with the existing agent system. Data collected via the passive check mechanism (Simple check, Zabbix agent, and data collected by the Zabbix trapper mechanism) plays the test role: a simplified collection of the elements that describe the real features of the monitored system. Later they can be assigned to questions in the form. A list of the elements (for which time measurements were taken) is shown in Table 2. An example agent system is the Records Service (Fig. 12), which allows interaction between the user and the system that provides the information containing reports from completed security procedures, security services and management actions related to the IS.
The logic of the registration system agent uses the system library, which allows the use of defined handlers (trappers). In the case of parameter extraction (for example, getting a specific answer related to the information about reports from completed security procedures), a value is sent by the API (or by Zabbix-sender) to the Zabbix server, where it is assigned to the questions in the forms. Data collected and maintained by the Zabbix system is stored in an external relational database, where it is subjected to analysis (trend, history). The modules used for risk analysis (Table 3) contain the Data selector, which provides communication with the Zabbix server using the shared API. The parameter values required to complete the analysis (itemid, clock, value, ns) are serialized and forwarded to the module responsible for creating criteria (Data adapter). Below is an example of data collected from the Zabbix server using the API:

{'itemid': '28409', 'clock': '1531523669', 'value': '1', 'ns': '854693995'}

At this stage, the analysis module uses defined schematics prepared by the auditor, who uses the criteria choice (Table 4) and correlates them with questions included in the FoMRA1 scenarios.
The process of risk analysis takes place in a loop in quasi-real time. Therefore, monitored parameters are updated frequently by the Zabbix server at defined time intervals, which could directly affect the analysis. Results are presented in various forms (diagrams, descriptions, times) in real time by the result presenting module. Analysis results are shown below (for random actions of stopping and restarting services, done periodically depending on the defined parameter sampling times from Table 2). Table 5 shows a correlation between the execution of a real action and the time when this action was noticed by the SIEM mechanism. For example: the Open-LDAP service launched on the serv-001 server has been shut down at 01:01:00 and this event has been registered by SIEM at 01:01:17; therefore the time to react by the risk analysis system equals 17 seconds (this is the time that has passed from the shutdown of the service to the parameter value update by the SIEM system).
Results of an event taking place and the SIEM update of the event are shown in Table 6 (for four servers with five services installed). As shown in Table 6, there are four servers that provide exactly the same services. The time between an event and the SIEM update has been analysed for every service. As shown, the time for event detection for most services (start/stop) is close to zero.
Based on these data, a statement can be made that decentralization of the servers has a significant impact on event detection in quasi-real time. Considering additional results from completed procedures, reports and security policies, and correlating them with system events, we can obtain complete information about valid or invalid operations of the IS.
Figures 13-15 show the risk factor changing depending on events and procedure completion. As shown on the first rosette (Fig. 13), the risk level is acceptable after the implementation of the procedures and starting the services. The second rosette (Fig. 14) represents the risk level, which is critical for one scenario when the services are stopped. The third rosette (Fig. 15) represents the level of risk for most scenarios when all procedures are not implemented and all services are started. The example of the shown architecture (Fig. 11) and the obtained results (Table 5, Table 6 and Figs. 13-15), which are only a part of the system information (12 risk scenarios and 5 services), tell us that the idea of speeding up the risk analysis process is right. When configuring such working agents, the FoMRA1 method could serve as an IS security monitoring method, providing information in a very short time about all risks to IS security. The obtained results, both qualitatively and quantitatively, are identical to those of the FoMRA1 version without automatic downloading of data to the questionnaire. In this way, the response time to an emerging threat is much shorter (the average time of collecting answers to the questionnaire entered in manual mode takes several hours).
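The Data selector/Data adapter step and the Table 5 reaction-time measure, as an added Python example that is not the paper's code. The Zabbix record shape is the one quoted above; the item-to-question mapping, server and service names and the sample values are constructed here.

```python
"""Zabbix item records -> questionnaire answers, plus SIEM reaction time.

Added example, not the FoMRA1 Data selector / Data adapter. Assumed: item
records have the shape the paper quotes from the Zabbix API ({'itemid',
'clock', 'value', 'ns'}, clock in Unix seconds, ns in nanoseconds); the
item-to-question mapping, server/service names and sample values are
constructed for this example.
"""
from datetime import datetime, timezone
from typing import Dict, Iterable, Tuple

# Constructed Zabbix API records (same shape as the paper's example record).
SAMPLE_ITEMS = [
    {'itemid': '28409', 'clock': '1531523669', 'value': '1', 'ns': '854693995'},
    {'itemid': '28410', 'clock': '1531523677', 'value': '0', 'ns': '120000000'},
    {'itemid': '28411', 'clock': '1531523669', 'value': '1', 'ns': '0'},
    {'itemid': '99999', 'clock': '1531523669', 'value': '1', 'ns': '0'},  # not mapped
]

# Constructed mapping itemid -> (server, service, questionnaire question id).
# In the paper this correlation is prepared by the auditor (Table 4).
ITEM_MAP: Dict[str, Tuple[str, str, str]] = {
    '28409': ('serv-001', 'OpenLDAP', 'Q-LDAP-ACTIVE'),
    '28410': ('serv-001', 'OpenVPN', 'Q-VPN-ACTIVE'),
    '28411': ('serv-002', 'ClamAV', 'Q-AV-ACTIVE'),
}


def item_epoch(item: Dict[str, str]) -> float:
    """Time of the SIEM value update as Unix seconds (clock + ns)."""
    return int(item['clock']) + int(item['ns']) / 1e9


def item_time(item: Dict[str, str]) -> datetime:
    """Human-readable UTC timestamp of the record (second resolution)."""
    return datetime.fromtimestamp(int(item['clock']), tz=timezone.utc)


def to_answers(items: Iterable[Dict[str, str]]) -> Dict[Tuple[str, str, str], str]:
    """Data adapter: a systemd active flag of '1' becomes the answer 'yes',
    anything else 'no'. Records for items the auditor has not mapped to a
    question are skipped rather than guessed."""
    answers: Dict[Tuple[str, str, str], str] = {}
    for item in items:
        key = ITEM_MAP.get(item['itemid'])
        if key is None:
            continue
        answers[key] = 'yes' if item['value'] == '1' else 'no'
    return answers


def reaction_seconds(event_epoch: float, item: Dict[str, str]) -> float:
    """Table 5 style measure: seconds from the real action (e.g. a service
    stop) to the moment SIEM registered the new parameter value."""
    return item_epoch(item) - event_epoch


def reaction_report(events: Dict[str, float],
                    items: Iterable[Dict[str, str]]) -> Dict[Tuple[str, str], float]:
    """events: itemid -> Unix time of the real action (constructed input).
    Returns (server, service) -> reaction time in seconds."""
    report: Dict[Tuple[str, str], float] = {}
    for item in items:
        if item['itemid'] in events and item['itemid'] in ITEM_MAP:
            server, service, _ = ITEM_MAP[item['itemid']]
            report[(server, service)] = reaction_seconds(events[item['itemid']], item)
    return report


# Constructed real-action times: OpenLDAP stopped 17 s before SIEM saw it,
# OpenVPN stopped 0.12 s before its record.
SAMPLE_EVENTS = {'28409': 1531523652.0, '28410': 1531523677.0}


if __name__ == "__main__":
    for key, answer in to_answers(SAMPLE_ITEMS).items():
        print(key, answer)
    for (server, service), secs in reaction_report(SAMPLE_EVENTS, SAMPLE_ITEMS).items():
        print(f"{server}/{service}: SIEM reacted after {secs:.2f} s")
    print(item_time(SAMPLE_ITEMS[0]).isoformat())
```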

CONCLUSIONS
The proposed modifications of the formal risk analysis and assessment method clearly show that it is possible to add new features to FoMRA that are important from the auditor's point of view and that allow the risk analysis and assessment process to be automated. This solution is unique today, as none of the current methods together with their supporting tools offers automation of these processes; they are limited to manual control.
As a result of the modification and abstraction by resources and security controls, the calculation time was significantly shortened. The introduced modifications and abstraction are a good starting point for monitoring the security status of the IS (shortening the calculation time even by one second is very important for IS security). Additionally, with properly configured agents, the modified FoMRA1 gives the auditors information about any security threats to the organization's information system in quasi-real time.
Further study will focus on comparing as many methods as possible in terms of the speed of risk assessment and estimation. This will include monitoring a larger number of risk scenarios and, most importantly, automated risk treatment using deep agent learning.

[Fragment of a risk scenario table recovered from extraction; the numeric columns are not recoverable. Scenario descriptions, as far as they survive:]
• Deliberate erroneous data input by a staff member usurping an authorized user's identity
• Manipulation of data files by an unauthorized third party usurping an authorized user'
• Repeated copy of application data files, by an unauthorized third party connecting from outside to an open port for network remote
• Repeated copy of application data files, by unauthorized third party connecting from outside to an open port for network
• Massive erasure of archive data files by operational personnel
• Massive destruction or pollution of business data files and backups, due to a deliberate logical operation by a system admin or operator

Figure 5. Time dependence of risk weight calculations for modified FoMRA1 and MEHARI with reference to the number of scenarios

Figure 10. Time dependence of risk weight calculations after modification and abstraction by security controls for FoMRA1 and MEHARI with reference to the number of business processes

Figure 12. An example of the user interface used to define security insurance status

Figure 13. Risk assessment weight with procedures implemented and including 5 started services

Table 1. Risk estimation values by FoMRA and FoMRA1
[Text fragment fused into the caption by extraction; its beginning and end are missing:] measures (the module assumes that these security controls are implemented and the answer is changed to "yes" for one or more questions) and then indirectly recalculates the final risk (Fig. 4). The module can also calculate the costs of the implemented security controls. The results obtained by

Table 2. Examples of selected criteria assigned to risk scenarios

Table 3. Example source code of a function that retrieves criteria values from the serv-001

Table 4. A set of criteria used in the automatic risk analysis process

Table 5. Reaction time to service status changes (service on/off)

Table 6. Reaction time to service status changes (service on/off) in the dispersed architecture