A mathematical model of information security for a mining company

The article discusses the relationship between the concepts of information security and economic security as they apply to assessing the efficiency of business planning in a company using standard efficiency indicators (NPV). The necessity of using optimization models and methods for solving problems of information and economic security in a company is substantiated. A mathematical model has been developed to minimize the information security risks of a cost-effective company in the form of a two-objective linear optimal control problem. It is concluded that a mathematical model of information and economic security can be used as a component in the analysis of the investment attractiveness of economic systems and, in particular, small and medium-sized businesses.


Introduction
Companies today are part of the sector of the economy that is most susceptible to technological, information, and business innovation. Meanwhile, many companies operating in the information environment pay no attention to the various kinds of threats to which their information system is exposed, which increases the risk of financial losses and thereby reduces their economic efficiency. Information security (IS) is currently becoming one of the most important aspects of the overall economic security (ES) of the activities of a modern company, characterizing the security of its business environment. Information protection is a special activity to prevent information leakage, unauthorized changes in its flows and other impacts that negatively affect the stable operation of a company and its associated economic agents (customers, equipment suppliers, investors, the state, etc.). In this regard, timely, prompt and correct assessment of the impact of the risks of a decrease or complete loss of information security, as well as its impact on economic security, is an urgent problem in the activities of any company today (including mining companies).
The company's economic security structure should provide an optimal ratio of resources, taking into account long-term development, the influence of individual factors (external and internal) and the possible risks of adverse events. In a broad sense, the economic security of a company is associated with its sustainable development strategy, determined by the performance (return on assets, profitability) of fixed assets, the efficiency (profitability, stability) of production itself, the presence and balance of long-term and short-term sources of financing activities and the demand for products (market size), while the information security of a company is associated with hardware, software, and system failures due to various reasons, including insufficient skills of employees, managers, etc.
The following types of activity risks are characteristic for innovation-based companies:
- organizational (management failure, unskilled workers, delayed implementation stages);
- scientific and engineering (lack of design solutions, capacity reserves, equipment wear);
- financial and economic (operational and marketing risks, financing, inflation risks, interest, tax and other risks).

Materials and Methods
An important task in making investment decisions is assessing the investment attractiveness of an economic system, the solution of which requires consideration of its twofold nature. On the one hand, this is the task of assessing economic potential (which entails the need to use optimization approaches and analysis methods [1]); on the other hand, it is a task that requires taking into account the investment loss risks associated with threats of a consumer, commercial, financial, managerial, information, environmental, social and political nature. In [2], a mathematical model is proposed for assessing the investment attractiveness of a region as a combination, expressed in a single cost measure, of the region's investment potential and its risks, assessed through analysis of the cost of the region's activities. The mathematical model considered below contains a similar concept of the interaction of economic efficiency with the political, financial, information, ecological [3] and other risks affecting it, only in terms of information security of a manufacturing company. To ensure the information security of a company, a number of conditions are required.
Firstly, it is necessary to build flexible models of the company's information system, its complex description taking into account software, hardware resources, internal and external threats and vulnerabilities that can be configured in accordance with the characteristics of a particular company.
Secondly, taking into account a significant number of risk factors, a mathematical model for assessing information security should allow the development of efficient numerical algorithms for processing information in models.
Thirdly, the risk assessment technique should be extremely transparent so that the information owner can adequately assess the efficiency and applicability of the technique to a specific information system.
Note that, at first glance, the task of assessing the information security of a company relates to the problem of evaluating IT projects. Indeed, to assess the economic component of the efficiency of IT projects, the following key indicators are often used in practice: return on investment (ROI), net present value (NPV), internal rate of return (IRR), Payback Period, extra value added (EVA), balanced scorecard (BSC), total cost of ownership (TCO) and some others. Criticism of the positive and negative properties of each of these indicators in terms of evaluating IT projects can be found, for example, in [4]. Despite this, this article proposes the use of a bi-objective approach, the essence of which can be expressed as follows. The economic efficiency of a company is evaluated as an economic project of its development, for which it is possible to use, inter alia, the ROI, NPV, IRR, Payback Period and EVA methods, while the information security of a company can be taken into account in the form of an expert assessment of the costs of avoiding the information risks of its activities. Although the introduction of information technology in a company is sometimes infeasible due to the cost of the relevant activities, the goal of introducing such projects is often to directly increase profits by saving costs, for example, on remuneration of employees engaged in the operational and financial activities of a company. We define information risk as "the probability of losses due to an incorrectly set or unachieved strategic goal" [5] in the field of information security. Then, when characterizing the risks of system failure due to a specific reason (including those of an information nature), it is advisable to use an indicator such as the expenses (in material or cost terms) to recover the system if the threat materializes.
Thus, based on expertly determined data on the probabilities of risks of threats and information vulnerabilities, as well as on the costs of resources to avoid them, it is possible to build a cybernetic model of threats and vulnerabilities relevant to the company's information system, which consists in identifying subsystems that are subject to threats and risks with a description of the financial costs of the safe data flows in them. Then, the analysis of information security of an efficiently functioning economic system (organization) can be considered as a bi-objective task of maximizing the economic potential of a company, from the point of view of one or more of the economic indicators listed above, and an objective of minimizing information security risks through the estimation of the costs of their avoidance.

Results and discussion
In practice, in the face of numerous security risks, it is not possible to make a numerical assessment of information security without using mathematical modeling methods. Consider a description of the problem of the socio-economic system functioning, taking into account the issues of its information security.
Let the dependencies $r_i=f(x_i)$ of the risks $r_i$ of the system's failure on the costs $x_i$ of their avoidance (exclusion, reduction) in the i-th security activity ($i=1,\dots,L$) be given (found) in the socio-economic system, $L$ being the number of these activities. The function $f$ is obviously non-increasing. Thus, the level of expenses (in material or value terms) on the system recovery if it fails in one or several activities will be considered by us as a measure to minimize security risks.
Suppose that $f(x_i)=a_i-b_i x_i$, that is, they are linear functions of $x_i$ with negative slope. The coefficients $a_i$ can be interpreted as the expenses that the system can incur if there are no IS costs or, otherwise, as the maximum costs for organizing a crisis-free operation of the system in the i-th security activity, and the coefficients $b_i$ as weight coefficients reflecting the relative value of the i-th security activity.
Let $n$ be the number of types of products manufactured by the company (goods and/or services) and, in accordance with the principle of "pure industries", sets of fixed assets (FA). The remaining notation is as follows:
- $x_k$ - the optimal amounts of investment in the k-type FA;
- $x_{n+k}$ - the optimal revenue from the sale of the k-type products ($k=1,\dots,n$);
- $x_{2n+1}$ - the optimal amount of loans;
- $x_{2n+2}$ - the optimal amount of subsidies on the current activities of the company;
- $x_{2n+2+l}$ ($l=1,\dots,L$) - the optimal cost of preventing the l-th risk of the company;
- $L$ - the number of risks of the company associated with ensuring its information security (hardware, software, system failures due to insufficient skills of employees, managers, etc.);
- $a_l$ - the maximum expenses incurred by the company in the absence of costs of the l-th risk of its information security;
- $b_l$ - the expert-defined coefficients used for assessing the value of the effect of the costs of the k-th risk direction of its information security;
- $c_k$, $V_k$, $T_k$ - cost, productivity, useful life of the k-th set of FA;
- $P_k$, $q_k$ - the market price of a unit of production and the cost demand for the k-th type products;
- $z_k$ - the current costs for the production of the k-th type products;
- $\delta_k$ - return on assets (production capacity) of a set of k-th type FA;
- $DS_0$ - own initial funds of the company;
- $T$ - the project time bucket;
- $r$ - the annual discount rate of the investment project, taking into account inflation, the level of requirements of the investor (bank) and  -additional costs (AC) of the company, depending on the volume of production (for example, mineral extraction tax);
- $\alpha_i$, $i=1,\dots,5$ - respectively, the rates of VAT, PT, IT, SSC and AC;
- $Cr$ - the optimal flow of lending to the current activities of the company, including information security costs;
- $r_0$ - the rate of loan to finance the current activities of the company;
- $T_0$ - the term of loan for financing the current activities of the company;
- $Cr_{max}$ - the maximum possible amount of the annual loan taken to finance the current activities of the company;
- $Dot_{max}$ - the maximum possible amount of annual subsidies to the company;
- $I_{max}$ - the maximum possible amount of investment of the company;
- $L_{max}$ - the maximum amount of costs of avoidance (elimination) of all identified risks of information security of the company.
Below is a brief description of the stages of the algorithm for solving the described problem. At the first stage, the most important areas of activity of the company that determine (from the point of view of its managers) the level of information security are identified. At the second stage, for the selected areas of the company's activity, the value of each threat is calculated on the basis of experts' assessment of the probability that the IS threat materializes. The most important step is the assessment by experts of the level of costs, in monetary terms, of system recovery when each threat materializes.
The total risk of system failure is calculated as the sum of the risks for each of the areas of activity of the company. The result of solving the company's IS assessment problem is the distribution of the company's financial resources at which its economic (according to the chosen criterion) effectiveness is maximized while maximizing the costs of eliminating the identified IS risks within the allocated budget of the company's financial resources and its ability to finance the current costs of ensuring its activities.
Using the algorithms for calculating the income and expense flows of a company that have a linear dependence on the sought variables of the model, we formulate the following mathematical model of information security of a cost-effective company in the form of a linear programming problem:

$x_m \ge 0 \quad (m=1,\dots,2n+2+L)$,

In the above model:
- (1) - the objective of economic efficiency of the company, which is the balance of the profit amount and the property valuation discounted at the rate $r_{э}$, as well as investments made within the considered planning time bucket;
- (2) - the objective of maximizing total costs (minimizing risks) to avoid threats to the information security of the company;
- (3) - the condition of the limited maximum investment of the company;
- (4) - the condition of limited revenue from the sale of products by return on fixed assets;
- (5) - the condition of the limited revenue from the sale of products by the demand for products;
- (6) - the condition of the non-negativeness of the company's own funds to guarantee its solvency over the entire planning time bucket;
- (7) - the conditions of the limitation, respectively, of maximum annual loans and maximum annual subsidies;
- (8) - the condition of limited total costs to avoid the risks for the company;
- (9) - the conditions of non-negativeness of the values of the desired model variables.

The presence of two objectives in problem (1)-(9) makes it possible to increase the stability of the functioning of a cost-effective company due to the redistribution of funds in favor of its information security or, otherwise, take into account the risks of information threats. At the same time, the condition of the company's ability to discharge its obligations (6) narrows the scope of acceptable plans, which, obviously, reduces the absolute value of the company's added value.

Conclusion
Model (1)-(9) is a two-criteria multi-objective linear optimal control problem. Given the limited values of all the variables of the problem and the non-rigidity of the constraints, it can be argued that the admissible set of its solutions is a nonempty (since it contains a trivial solution) and bounded set. The presence of a nontrivial solution on model data is shown using the package [6]. Therefore, this problem can be solved using G. Dantzig's simplex method, which allows an almost unlimited number of threats to information security to be considered by means of modern computers. Given the linearity of the model, it can be analyzed by conversion to an equivalent single-objective problem with a convex weighted combination of the objectives: $J=\mu J_1+(1-\mu)J_2$, $\mu\in(0;1)$, where $\mu$ is the expert weight coefficient of significance of the criteria of the company's information and economic security. At the same time, decision-making on managing the company's information and economic security is based on an analysis of the resulting Pareto set of the model, automated tools for which are also contained in the package [6]. The mathematical model of information and economic security of the company can be used as a component in the analysis of the investment attractiveness of any economic systems, and in particular, small and medium-sized businesses, including IT companies. The approach described in the work can be used to analyze territorial economic systems (regional, cluster, municipal, etc.), interpreting their attractiveness from the point of view of the interaction of their economic potential and the avoidance of development (political, social, environmental and other) risks by assessing the level of costs of the totality of relevant activities.
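The weighted combination J=μJ1+(1-μ)J2 and the linear risk functions f(x)=a-bx can be traced on a small instance. The following is an added example, not code from the article or from the package [6]: it assumes a single shared budget in place of constraints (3)-(8), one investment variable with a linear gain, and constructed coefficients; the names `gain`, `i_max` and `budget` are hypothetical.

```python
# Added illustration: a reduced, constructed instance, not the paper's model (1)-(9).
# Variables: x[0] = investment, x[1..L] = spending on avoiding each IS risk.

def allocate(weights, caps, budget):
    """Maximise sum(w_j * x_j) s.t. sum(x_j) <= budget, 0 <= x_j <= caps[j].
    With a single budget row this LP is solved exactly by funding the
    variables in order of decreasing positive weight."""
    x = [0.0] * len(weights)
    for j in sorted(range(len(weights)), key=lambda j: -weights[j]):
        if weights[j] <= 0 or budget <= 0:
            break
        x[j] = min(caps[j], budget)
        budget -= x[j]
    return x

def solve(mu, a, b, gain, i_max, budget):
    """Scalarised objective J = mu*J1 + (1 - mu)*J2 with
    J1 = gain * x0                (assumed linear economic effect)
    J2 = -sum(a_l - b_l * x_l)    (negative total residual risk)."""
    weights = [mu * gain] + [(1 - mu) * bl for bl in b]
    # Spending beyond a_l / b_l would drive r_l below zero, so cap it there.
    caps = [i_max] + [al / bl for al, bl in zip(a, b)]
    x = allocate(weights, caps, budget)
    risk = sum(al - bl * xl for al, bl, xl in zip(a, b, x[1:]))
    return x, gain * x[0], risk

def pareto_sweep(a, b, gain, i_max, budget, steps=9):
    """Distinct (J1, total risk) outcomes for mu = 0.1, 0.2, ..., 0.9."""
    points = set()
    for k in range(1, steps + 1):
        _, j1, risk = solve(k / (steps + 1), a, b, gain, i_max, budget)
        points.add((j1, risk))
    return sorted(points)

# Constructed sample data (monetary units are arbitrary).
A = [40.0, 30.0, 20.0]   # a_l: loss per risk if nothing is spent
B = [2.0, 1.5, 0.5]      # b_l: expert weight of each security activity
GAIN, I_MAX, BUDGET = 1.25, 60.0, 50.0

if __name__ == "__main__":
    for j1, risk in pareto_sweep(A, B, GAIN, I_MAX, BUDGET):
        print(f"economic gain J1 = {j1:5.1f}   residual IS risk = {risk:5.1f}")
```

Each distinct point is a vertex of the Pareto set: as μ grows, budget moves from the security activities with the smallest b to the investment variable, and residual risk rises with economic gain.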