Methodological Approaches to Assessing Enterprise Information Security Using a Process-Oriented Approach

Authors: Yuliia Kostiuk, Volodymyr Sokolov, Pavlo Skladannyi, Karyna Khorolska

Journal: International Journal of Information Engineering and Electronic Business @ijieeb

Article in issue: 3 vol.18, 2026.


The article proposes a process-oriented methodology for assessing enterprise information security, which serves as an integral indicator of business process security Q based on a multi-level system of mathematical models. The proposed approach combines risk-oriented analysis, stochastic modelling, fuzzy set methods, and optimisation of the distribution of protection resources, ensuring the linkage of security indicators to the enterprise's functional business processes. The simulation model allows the reproduction of the dynamics of cyberattack flows and the assessment of the impact of variable threat intensity on the stability of business processes in near real time. Experimental validation of the methodology on depersonalised incident logs and simulated attack scenarios showed that the integration of the optimisation module provides an increase in the integral security indicator Q by 12-27% depending on the intensity of threats, and also contributes to the rational redistribution of cybersecurity resources in favour of the most critical business processes. A comparative analysis with the Classical Risk Matrix, NIST SP 800-30, and ISO/IEC 27005 confirmed the proposed model's higher accuracy and adaptability in a dynamic cyber environment. Machine learning methods are used as an auxiliary adaptive mechanism to refine model parameters, rather than as the primary risk assessment tool. The results obtained demonstrate the practical applicability of the process-oriented simulation and optimisation model for improving the resilience of enterprise business processes and reducing residual cyber risk.


Information Security, Business Processes, Process-Oriented Approach, Simulation Modelling, Risk Assessment, Integral Security Indicator, Resource Optimisation

Short address: https://sciup.org/15020379

IDR: 15020379   |   DOI: 10.5815/ijieeb.2026.03.03

Text of the scientific article: Methodological Approaches to Assessing Enterprise Information Security Using a Process-Oriented Approach

Published Online on June 8, 2026 by MECS Press

As the complexity of information process automation tools increases, enterprises' reliance on the security of the information technologies they use is growing significantly [1]. Information security determines not only the reliability and effectiveness of internal business processes but also an enterprise's competitiveness in the global market [5, 7]. The effectiveness of management decisions directly depends on the quality of the information security infrastructure, which must meet modern requirements: the use of comprehensive cyber protection tools, the integration of intrusion detection and prevention systems, the use of cryptographic data protection, multi-level authentication, and cloud platforms to ensure the scalability and flexibility of protective mechanisms.

The current context of cyber threats is characterised by increasingly sophisticated attacks and an expanding scope of influence [1]. Artificial intelligence is increasingly being used by attackers to automate phishing, generate malicious scenarios and bypass traditional detection mechanisms. The mass migration of businesses to cloud environments increases the attack surface, creates new access points, and increases the risk of credential compromise. At the same time, the "ransomware economy" is developing, particularly the Ransomware-as-a-Service model, and the number of supply chain attacks is growing, with the compromise of one supplier leading to cascading incidents. In response, enterprises are moving to Zero Trust architectures [6-7], which require accurate, dynamic, and quantitatively sound risk assessment. It is this methodological gap that determines the relevance of this study.

An analysis of current work in the field of information security shows that several issues, in particular the scientific justification of the information protection system's structure and its alignment with business processes, remain unresolved [4, 7, 14]. In the context of digital transformation and the widespread adoption of cloud technologies, developing infrastructure to protect business processes and ensure the continuity and effectiveness of enterprise activities is particularly important [5, 11, 17]. Additional challenges arise from the regulatory framework, particularly the GDPR requirements in the European Union on confidentiality and personal data protection, which reinforce the need for transparent, reproducible, and quantitative approaches to risk assessment.

Despite significant research, most approaches to information security risk assessment remain static, rely on risk matrices or ISO/IEC 27005 tabular procedures, and are heavily dependent on expert judgement, lacking an inherent optimisation mechanism at the business process level [3, 7-8]. The combination of a process-oriented model with dynamic simulation of attack flows and the rational redistribution of protection resources under variable threat intensity remains insufficiently researched.

The aim of this work is to develop and validate a process-oriented simulation and optimisation model for assessing the information security of enterprise business processes that calculates the integrated security indicator Q , accounts for resource constraints, and demonstrates advantages in risk assessment accuracy and adaptability compared to classical approaches.

The scientific novelty of the research lies in the following: (1) a formalised multi-level system of mathematical models is proposed that translates semi-qualitative expert assessments into quantitative metrics suitable for automated analysis and optimisation in near real time; (2) a unified process-oriented simulation and optimisation model has been proposed, combining stochastic threat modelling, fuzzy assessments, resource optimisation, and the formation of an integral indicator Q, providing a dynamic assessment of the state of information security as opposed to static risk matrices; (3) a nonlinear power aggregation mechanism (model (12)) has been developed, which suppresses the dominance of individual indicators and ensures saturation of the integral metric near threshold values, more accurately reflecting the degradation of business processes under the influence of threats; (4) a hybrid optimisation module has been implemented, combining MILP formulation (3)-(9) with a gradient prioritisation procedure to balance global decision feasibility and local sensitivity of Q under variable attack intensity; (5) a business process-centric threat assessment environment based on Poisson attack flows and scenarios S1-S6 has been developed and validated, demonstrating a 12-27% increase in Q and optimal resource allocation.

Within the scope of the above issues, the following research questions (RQ) were formulated: (RQ1) how to combine process-oriented modelling of business processes with formal mathematical models for assessing information security to ensure automated analysis in near real time [6, 7, 8, 17]; (RQ2) how to use simulation modelling of attack flows and business processes to form an integral security indicator Q, taking into account resource constraints and variable threat intensity [21, 23]; (RQ3) what are the advantages of the proposed simulation and optimisation model compared to the Classical Risk Matrix, NIST SP 800-30, and ISO/IEC 27005 in terms of risk assessment accuracy, response speed, and adaptability to a dynamic cyber environment.

The main scientific contribution of this work lies in the development of a comprehensive, process-oriented methodology for assessing the information security of enterprise business processes. First, a conceptual model of the information security infrastructure for business processes is proposed, ensuring the consistency of security indicators and their linkage to key business functions [7]. Second, a multi-level system of mathematical models has been developed for formalised assessment, aggregation and optimisation, taking into account attack flows, uncertainties and resource constraints [4, 19-21]. Third, a simulation model of the protection system has been built, capable of calculating the integral indicator Q in real time and analysing sensitivity to changes in key parameters. Fourth, a series of experiments (S1-S6) was performed and a comparative analysis with Classical Risk Matrix, NIST SP 800-30 and ISO/IEC 27005 was conducted. The results confirmed a 12-27% increase in Q and a 23% increase in resource efficiency, demonstrating the advantages of the proposed model over traditional risk-oriented approaches.

2. Analysis of Literary Sources

Modern approaches to assessing enterprise information security are formed at the intersection of cloud technologies, process management, and risk-oriented methodologies. Systematic reviews of security issues during migration to cloud environments show that traditional matrix risk assessment methods and classic expert matrix approaches do not provide sufficient depth of analysis in a dynamic cyber environment and complex service-oriented infrastructure [1, 11, 26]. Works [1, 11] emphasise that for IaaS and cloud platforms, it is critical not only to identify threats and vulnerabilities but also to link risks to specific enterprise services and business functions, which requires more formalised, process-oriented models. A systematic review by Drissi et al. [1] shows that during the transition to cloud environments, traditional tabular and matrix risk models are unable to adequately reflect the dynamic nature of threats and the complex dependencies between service infrastructure components. The authors emphasise the need to move from a static list of assets to models that consider risk in the context of service and business process operations. Similar conclusions are reached in the work of Mejias et al. [11], which emphasises the importance of a formalised vulnerability awareness model that accounts for contextual variability and behavioural factors. Further development of process-oriented approaches to risk assessment is presented in the works of Sabri and Dahlan [2] and Yuan et al. [3]. In [2], a hierarchical decision-making model for risk assessment in cloud environments is proposed that links strategic security goals to the operational aspects of system functioning. In [3], a model for assessing information security based on intelligent algorithms is developed, in which the criticality of assets and risk are determined taking into account their role in the implementation of business functions, which effectively forms a transition from a resource-oriented to a process-oriented view of risk.

An important class of modern models uses fuzzy cognitive maps (FCM) to analyse complex cause-and-effect relationships in security systems. Karatzinis and Boutalis [4] provide a systematic review of the application of FCM to engineering problems, showing that such models effectively describe the nonlinear dynamics of the interactions among threats, vulnerabilities, and consequences under conditions of uncertainty. Similar approaches are used in the works of Shevchenko et al. [9] and Abbasian et al. [27], in which FCMs are employed as scenario tools to analyse the development of information security incidents and to assess the cumulative impact of interrelated risk factors.

Process-oriented analysis of network service security is discussed in Wang et al. [6], in which security is assessed by considering the inclusion of individual services in the overall service delivery chain. Rosado et al. [7] developed this approach by integrating security requirements directly into business process models (BPM) and analysing the impact of threats on the integrity and availability of business functions. Dedousis et al. [8] propose using process mining for semiautomated risk assessment based on real event logs, enabling the identification of critical process areas and potential high-risk points. At the same time, these approaches primarily focus on identifying and ranking risks and do not provide a single integrated security indicator across the entire set of business processes.

A separate area of current research concerns the use of ML/AI in risk assessment and incident management systems [1, 3, 24]. Neural network models (in particular, LSTM) and autoencoders are used to classify events, predict attack intensity, and detect atypical patterns in network traffic and SIEM logs, thereby increasing detection accuracy and response speed [16, 18, 29, 45]. At the same time, most ML-oriented approaches remain focused on the traffic/event level and do not account for the structure of business processes, resource constraints, or the need to aggregate results into a single integrated system resilience metric suitable for supporting management decisions [6-8, 17, 26]. Thus, the integration of neural network methods into a process-oriented multi-level model Q ( t ) remains an open task, which is addressed in this work.

Shevchenko et al. [9] demonstrate the use of fuzzy cognitive maps as a scenario-based approach to information security risk analysis, enabling modelling of different incident development trajectories depending on the selected countermeasures. In the work of Kostiuk et al. [10], cognitive modelling is used to assess the interdependencies between information system agents in risk management tasks, which is particularly important for multi-component and distributed information and communication systems. These studies confirm that cognitive models and fuzzy assessments are effective tools for scenario analysis and decision support, but they are not usually integrated into a full-fledged simulation and optimisation loop that computes a single business-process security indicator.

A separate group of solutions is represented by cloud security assessment platforms, such as AWS Security Hub and Microsoft Azure Sentinel. These platforms provide telemetry aggregation, event correlation, and compliance audit support, but, as noted in scientific publications [11, 24], they do not form a process-oriented risk model and do not link incidents to the functional chains of the enterprise's business processes.

A summary of the results of works [1-11, 21, 23, 26, 37] shows that, despite significant progress in the development of process-oriented, cognitive, and ML-based approaches, a methodological gap remains: there is no single multi-level simulation and optimisation model that would combine a process representation of business processes, stochastic modelling of cyberattack flows, fuzzy estimates, and optimisation of the distribution of protection resources within a formally defined integral security indicator.

Specifically, process-oriented works [6, 7, 8] identify and rank risks but produce no single integral stability metric across all business processes; ML/AI works [1, 3, 24] operate at the traffic and event level without connecting to business process structure or resource constraints; and cognitive/fuzzy works [9, 10] provide effective scenario analysis but are not integrated into a simulation-optimisation loop that outputs a single, time-dynamic resilience measure.

Most existing methodologies, including ISO/IEC 27005 and NIST SP 800-30, focus on static assessments and expert judgements and do not model the temporal dynamics of attacks or the trade-offs between security levels and cyber defence costs [33]. It is the elimination of these limitations, by forming an integrated metric of business process security Q(t) combined with a simulation-and-optimisation loop, that this work addresses.

A summary of these limitations is presented in Table 1, which systematises the key shortcomings of existing methods and compares them with the capabilities of the proposed process-oriented simulation and optimisation model. The following designations are used below: BP1 - financial and accounting process, BP2 - CRM process for handling customer requests, BP3 - technological production process.

Table 1. Comparison of existing approaches with the developed model.

| Approach | Key shortcomings | What the proposed model eliminates |
|---|---|---|
| ISO/IEC 27005 | Static risk tables; lack of time dynamics in assessment; no scenario analysis of attacks; no integral stability metric | Dynamic simulation modelling of attack flows; calculation of an integral indicator Q(t) over time; scenario analysis S1-S6 |
| NIST SP 800-30 | Focus on manual expert assessments; lack of formal risk aggregation; lack of optimisation mechanisms | Automated calculation of Q(t); MILP resource optimisation (3)-(7); gradient prioritisation procedure |
| Classical Risk Matrix | Coarse discretisation; subjectivity of categories; insensitivity to changes in threat parameters; lack of continuous integral metrics | Continuous integral function Q(t); sensitivity to attack intensity (λ), process weights, and budget constraints |
| ML-IDS / AI-based methods | Traffic- and event-oriented; no connection to business processes; no integral metrics for stability and resource optimisation | Integration with BPM; consideration of business process criticality; local indicators (q); resource allocation optimisation |
| Classical Reliability Models | Focused on equipment failures; do not take into account cyber threats and business consequences; no process dynamics | Combination of risk analysis, threat scenarios and business process dynamics within a single model |
| Economic Security Models | Partially take economic losses into account; do not model attacks over time; lack an integrated resilience metric | Simulation of attack flows; calculation of losses and recovery dynamics; assessment of resilience through Q(t) |
| AWS Security Hub / Azure Sentinel | Operational event monitoring; no formally defined integrated metric Q(t); no process-oriented model and resource optimisation; attack time dynamics are not modelled | Process-oriented assessment of business processes BP1-BP3; integral indicator Q(t); MILP optimisation and gradient prioritisation; simulation dynamic model of attack flows |

The comparison (see Table 1) shows that the proposed model is the only one among the approaches considered that combines a formally defined integral security metric Q ( t ), a process-oriented representation of business processes, stochastic modelling of cyberattack flows, and resource allocation optimisation within a single simulation and optimisation loop.

3. Research Methods

The problem addressed by the study is that traditional approaches to information security assessment (ISO/IEC 27005, NIST SP 800-30, risk matrix) remain static, are largely based on expert assessments, and do not take into account the dynamics of attack flows and structural dependencies of business processes [26, 33]. In response to these limitations, the aim of the work is to develop a process-oriented simulation and optimisation model that forms an integrated security indicator Q taking into account the intensity of cyber attacks, business process parameters and resource constraints [8, 10]. The model is based on assumptions about the Poisson nature of attacks, exponential response time, varying criticality of business processes, and fixed budget limits [5, 39]. The Poisson assumption for attack arrivals is standard in the cybersecurity queueing literature and is consistent with empirical event-log statistics for background and medium-intensity attack conditions [39]. The exponential inter-event distribution is a tractable first-order approximation whose adequacy is confirmed here by the stability of results across 30 independent simulation runs per configuration. Fixed budget limits reflect the practical reality of enterprise security planning cycles and serve as a conservative baseline; sensitivity to this constraint is explicitly analysed in Section 5.3. The proposed approach covers the assessment of the security of business processes within the enterprise's ISI, without considering cryptanalysis, human factors, or legal aspects.

The solution to information security problems is based on integrating modern approaches, including information security theory, system analysis, and mathematical modelling, which enables the creation of accurate models of system functioning under real-world conditions [9, 19, 27-28]. Probability theory and mathematical statistics provide risk calculations and cyber threat forecasting, while game theory models attackers' behaviour and develops optimal defence strategies [12-14, 29, 31]. Fuzzy set theory allows decisions to be made with incomplete information, which is key in the context of cyber threats.

Within the proposed model, the ML/AI component acts as an adaptive amplifier that refines the parameters of the stochastic and optimisation subsystems. In particular, the forecast λ(t) obtained using LSTM-type recurrent neural networks is fed into models (1)-(2) to refine the intensity of attack flows in business processes. The autoencoder-based anomaly detection module generates corrective risk coefficients that affect the calculation of the ri and Rk indicators. The incident classifier (XGBoost or DNN model) is used to rank threats and enhance the gradient procedure, in order to determine resource optimisation priorities. Thus, neural network models are integrated directly into the formation of local indicators, the simulation of events, and the optimisation loop, ensuring adaptability and increased accuracy of the integral indicator Q.

The use of machine learning and artificial intelligence methods increases the effectiveness of threat modelling and monitoring, particularly through deep learning to detect anomalies in network traffic [16, 18, 45-46]. Big Data technologies enable the analysis of large amounts of information to identify patterns and develop effective protective measures [38-40]. Thus, the combination of traditional and innovative approaches contributes to the creation of adaptive and reliable solutions that address current challenges in information security.

Summarising the above methods, we propose a comprehensive methodological pipeline that sequentially combines all stages of business process security assessment. The first stage involves formalising the enterprise's business processes and decomposing them into individual business operations, along with the corresponding information assets and potential threats [22, 30]. Next, a system of local security indicators is established, reflecting the effectiveness of countering various types of attacks and the possible consequences, in particular unauthorised access, interception, destruction of information, and interference with business processes.

The next stage involves the use of probability theory, game theory, and fuzzy sets to assess the probabilities of threats materialising, determine residual risk, and interpret expert assessments in a fuzzy setting [19, 20, 31]. After that, the obtained local indicators are aggregated into an integral index of business process security Q according to mathematical models (1)-(2) and the nonlinear power-geometric aggregation formula (12), which provides a comprehensive assessment of the security level.

Next, optimisation problems (3)-(9) are solved, along with gradient-based prioritisation of security indicators, aimed at the rational redistribution of protection resources within the specified budget constraints and acceptable risk level [14, 33, 41, 43]. The final stage is the validation of the model through the simulation of attack flows and the evolution of business process states, thereby confirming the correctness and effectiveness of the proposed approach. This structure provides a logical and transparent transition from a qualitative description of threats and processes to quantitative metrics for automated support of management decisions in cybersecurity.

To ensure the reproducibility of results, the entire simulation model was implemented in Python using the NumPy, SciPy, and SimPy libraries, which support stochastic modelling of event flows and processing of large data arrays. A fixed initial value for the random number generator was used across all experiments, ensuring accurate repeatability of results regardless of the number of runs.

The optimisation sub-task (3)-(7) is formulated as a mixed integer programming (MILP) problem, which is NP-hard [5, 21, 23, 33]. This means that the complete enumeration of protection configurations grows exponentially with the number of controls and resource constraints. The gradient correction of the indicator Q, based on formula (12), has a complexity of O ( n ), where n is the number of local indicators. Simulation modelling of attack flows has a complexity of O ( T log log T ), where T is the number of events in the log, which is due to the need to sort and process timestamps [6, 39]. The model’s overall complexity ensures its suitability for real-time monitoring systems.

To increase the adaptability of the proposed system, a hybrid ML module was implemented, which includes components for predicting flow intensity λ(t), detecting anomalies, and assessing risk in near-real time. The predictive subsystem is based on LSTM-type recurrent neural networks [14, 24, 40], which model nonlinear time dynamics and reduce prediction error under concept drift.

For anomaly detection tasks, an autoencoder model with a reconstruction error is used, along with XGBoost for classifying complex incidents with high feature variability [24, 45].

To predict changes in attack intensity λ(t), an LSTM model was trained on synthetic attack time series generated from the Poisson flow model across all six scenarios S1-S6. The trained model is used as an input stage to the simulation module, enabling evaluation of the system's behaviour in a dynamic threat environment and verification of Q stability under predicted deviations.

4. Presentation of the Main Material

A process-oriented approach integrates the information security system (ISS) into the enterprise's business architecture [11, 26, 37-38]. Implementing ISO/IEC 27001 standards and complying with GDPR requirements increases trust, prompting the integration of modern technologies to increase resilience against multifaceted cyber threats [16, 29, 35, 39, 47]. The conceptual model of Information Security Infrastructure (ISI) (Fig. 1) for business processes (Fig. 2) reveals core capabilities considering external influences [33].

Fig. 1. Identification of the problem of improving the information security infrastructure (ISI) at an enterprise. Source: Developed by the author in the LibreOffice environment.

Fig. 2. Conceptual model of ISI for business processes.


Mathematically, the generalised security indicator is:

$R = \sum_{i \in N} w_i r_i, \qquad \sum_{i \in N} w_i = 1,$ (1)

where R is a generalised indicator of ISI quality assessment, which is a security coefficient and reflects the level of attack repulsion for the entire set of possible threats identified in the system; $r_i$ is a private indicator of ISI quality assessment, which characterises the proportion of attacks of a specific type (i-type threats) that were successfully repelled; N is the set of private quality assessment indicators, which together form the generalised indicator R; $w_i$ is the weight coefficient of each private indicator, which allows the significance of each individual indicator to be taken into account in the overall assessment.

This aligns with the full multi-level model system that specifies resource optimisation, threat assessment, and the formation of integral indicators [22, 26, 29, 37]. Specifically, models (1)-(2) specify the basic security indicators for individual threats and business processes; models (3)-(9) define MILP resource optimisation, balancing protection coverage against budget constraints; models (10)-(11) establish the acceptable security and cost boundary conditions; and model (12) defines the nonlinear power-geometric aggregation of local indicators into the integral metric Q, where a gradient correction procedure ensures Q sensitivity is optimised under variable attack intensity. Together, they provide a comprehensive formalisation of the cyber risk management process - from local metrics of individual threats to strategic decisions on security budget allocation [26, 37].

The business process security coefficient is defined as:

$R_k = 1 - \dfrac{\sum_{b=1}^{N} P_b \sum_{i=1}^{N_b} \lambda_{ib} t_b (1 - r_i)}{\sum_{b=1}^{N} P_b \sum_{i=1}^{N_b} \lambda_{ib} t_b},$ (2)

where $N_b$ is the number of the most probable information threats to the b-th business operation, $r_i$ is the security coefficient against the i-th threat, $\lambda_{ib}$ is the intensity of the flow of attacks of the i-th type of threat on the b-th business operation, $t_b$ is the execution time of the business operation, N is the number of business operations in the business process, and $P_b$ is the probability of executing the business operation within the business process. Dynamic parameters, aided by machine learning [17, 31, 45-46], improve adaptability.
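As an added illustration (not the authors' code; the paper's own NumPy/SimPy implementation is not reproduced here), the following Python script computes the generalised indicator R of equation (1) and the business process security coefficient $R_k$ of equation (2) for a constructed business process, then re-estimates the private indicators $r_i$ from a Poisson attack-flow simulation of the kind described in Section 3, averaging over 30 seeded runs so the result is repeatable. The business operations, intensities, weights and the `simulate_run` / `mean_process_security` helpers are assumptions made for this example.

```python
import random
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample data (hypothetical, not taken from the paper): one business
# process made of business operations b, each with execution probability P_b,
# duration t_b and per-threat attack intensities lambda_ib (attacks per hour).


@dataclass
class Operation:
    name: str
    p_exec: float                # P_b
    duration: float              # t_b, hours
    intensity: Dict[str, float]  # threat type i -> lambda_ib


SAMPLE_OPS: List[Operation] = [
    Operation("invoice entry", 1.0, 2.0, {"phishing": 0.5, "malware": 0.25}),
    Operation("payment approval", 0.8, 1.0, {"phishing": 1.0}),
]
SAMPLE_R = {"phishing": 0.9, "malware": 0.7}   # r_i: share of type-i attacks repelled
SAMPLE_W = {"phishing": 0.6, "malware": 0.4}   # w_i: weights of the private indicators


def generalised_indicator(r: Dict[str, float], w: Dict[str, float]) -> float:
    """R from equation (1): weighted sum of the private indicators r_i, sum(w_i) = 1."""
    if abs(sum(w.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    return sum(w[i] * r[i] for i in r)


def process_security(ops: List[Operation], r: Dict[str, float]) -> float:
    """R_k from equation (2): one minus the exposure-weighted share of attacks not repelled."""
    not_repelled = total = 0.0
    for op in ops:
        for threat, lam in op.intensity.items():
            exposure = op.p_exec * lam * op.duration      # P_b * lambda_ib * t_b
            not_repelled += exposure * (1.0 - r[threat])
            total += exposure
    return 1.0 - not_repelled / total if total else 1.0


def simulate_run(ops: List[Operation], r_true: Dict[str, float],
                 seed: int, horizon: float = 100.0) -> Dict[str, float]:
    """One simulation run over `horizon` hours: attacks of each threat type arrive as a
    Poisson flow (exponential inter-arrival times at rate P_b * lambda_ib) and each
    attack is repelled with probability r_true[i].  Returns the empirical r_i."""
    rng = random.Random(seed)
    seen = {i: 0 for i in r_true}
    repelled = {i: 0 for i in r_true}
    for op in ops:
        for threat, lam in op.intensity.items():
            rate = op.p_exec * lam
            t = rng.expovariate(rate)
            while t < horizon:
                seen[threat] += 1
                if rng.random() < r_true[threat]:
                    repelled[threat] += 1
                t += rng.expovariate(rate)
    return {i: (repelled[i] / seen[i] if seen[i] else r_true[i]) for i in r_true}


def mean_process_security(ops: List[Operation], r_true: Dict[str, float],
                          runs: int = 30, seed: int = 2026) -> float:
    """Average R_k over `runs` independent runs; a fixed seed makes the result repeatable."""
    values = [process_security(ops, simulate_run(ops, r_true, seed + k)) for k in range(runs)]
    return sum(values) / len(values)


if __name__ == "__main__":
    print("R   =", round(generalised_indicator(SAMPLE_R, SAMPLE_W), 4))
    print("R_k =", round(process_security(SAMPLE_OPS, SAMPLE_R), 4))
    print("R_k (30 simulated runs) =", round(mean_process_security(SAMPLE_OPS, SAMPLE_R), 4))
```

The analytic $R_k$ for the constructed data is 1 - 0.33/2.3 ≈ 0.857; the simulated average lands close to it, and the gap between the two shrinks as the horizon grows, which is the kind of stability check across runs that Section 3 relies on.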

The optimisation block (MILP) minimises costs (3):

$S = \sum_{i \in I} \sum_{j \in J} S_{ij} x_{ij} + \sum_{i \in I} S_i y_i \to \min,$ (3)

subject to a number of constraints:

$\sum_{i \in I} \sum_{j \in J} a_j r_{ij} x_{ij} \ge R_a,$ (4)

$\sum_{i \in I} x_{ij} = 1, \quad \forall j \in J,$ (5)

$y_i = \begin{cases} 1, & \text{if } \sum_{j \in J} x_{ij} > 0, \\ 0, & \text{otherwise,} \end{cases}$

$x_{ij} \in \{0; 1\},$ (6)

Accordingly, the following designations are used in models (3)-(6): $S_{ij}$ is the cost of protecting the j-th information asset by the i-th means; $S_i$ is the total cost of using the i-th means for all information assets; I is the set of information protection means; J is the set of protected information assets; $r_{ij}$ is the assessment of the quality of protection of the j-th information asset by the i-th means; $a_j$ is the weight coefficient of the j-th information asset in the overall assessment of the ISI, where $\sum_{j \in J} a_j = 1$; $R_a$ is the acceptable level of ISI quality in general; $y_i$ is a binary variable that takes the value "1" if the i-th information protection tool is used in the system and "0" otherwise, where the i-th protection tool can be used in the system only once. Constraint (5) guarantees the mandatory protection of each j-th information asset.

A dual model (7)-(9) maximizes protection level subject to cost constraints [18, 26, 37].

$R = \sum_{i \in I} \sum_{j \in J} a_j r_{ij} x_{ij} \to \max,$ (7)

where R is the level of ISS quality to be maximised, y_i are binary variables indicating the use of information asset protection measures.

$\sum_{i \in I} x_{ij} \ge 1, \quad \forall j \in J,$ (8)

where J is the set of information assets, and I is the set of information protection measures. Thus, it is necessary to maximise the quality level of the ISS when:

$S = \sum_{i \in I} \sum_{j \in J} S_{ij} x_{ij} + \sum_{i \in I} S_i y_i \le S_a,$ (9)

where $S_a$ is the acceptable cost of the information security system, $S_{ij}$ is the cost of protecting an information asset of type j using a means of type i, and $S_i$ is the total cost of a means of type i. The binary variables $y_i$ take the following values: $y_i = 1$ if the i-th means of protection is used in the system; $y_i = 0$ if the means is not used. Adaptive models integrate AI for prediction and cloud solutions for scaling [16, 38-39, 42].
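To make the optimisation block concrete, the following added Python example (not the paper's code) solves a small constructed instance of the primal model (3)-(6) and the dual model (7)-(9) by enumerating every assignment of one means to each asset. The means, assets, costs and quality values are assumptions for the example; the enumeration is |I|^|J| configurations, which is exactly the exponential growth noted in Section 3 and the reason a real deployment hands the same formulation to a MILP solver instead.

```python
from itertools import product
from typing import Dict, Optional, Tuple

# Constructed sample instance (hypothetical, not from the paper).
MEANS = ["firewall", "edr", "dlp"]                          # I: protection means
ASSETS = ["ledger", "crm_db", "plc"]                        # J: protected assets
FIXED_COST = {"firewall": 4.0, "edr": 6.0, "dlp": 5.0}      # S_i, paid once if y_i = 1
ASSET_WEIGHT = {"ledger": 0.5, "crm_db": 0.3, "plc": 0.2}   # a_j, sums to 1
UNIT_COST = {                                               # S_ij
    "firewall": {"ledger": 1.0, "crm_db": 1.0, "plc": 2.0},
    "edr":      {"ledger": 2.0, "crm_db": 2.0, "plc": 3.0},
    "dlp":      {"ledger": 3.0, "crm_db": 1.0, "plc": 4.0},
}
QUALITY = {                                                 # r_ij
    "firewall": {"ledger": 0.6, "crm_db": 0.7, "plc": 0.5},
    "edr":      {"ledger": 0.9, "crm_db": 0.85, "plc": 0.6},
    "dlp":      {"ledger": 0.8, "crm_db": 0.9, "plc": 0.3},
}

Assignment = Dict[str, str]   # asset j -> means i, i.e. the entries with x_ij = 1
Solution = Tuple[float, float, Assignment]   # (cost S, quality R, assignment)


def evaluate(assign: Assignment) -> Tuple[float, float]:
    """Cost S from (3)/(9) and quality R from (4)/(7) of one configuration.
    y_i = 1 for every means used at least once, so its fixed cost S_i is paid once."""
    used = set(assign.values())
    cost = sum(UNIT_COST[i][j] for j, i in assign.items()) + sum(FIXED_COST[i] for i in used)
    quality = sum(ASSET_WEIGHT[j] * QUALITY[i][j] for j, i in assign.items())
    return cost, quality


def configurations():
    """All |I|^|J| assignments that satisfy (5)/(8): every asset gets exactly one means."""
    for choice in product(MEANS, repeat=len(ASSETS)):
        yield dict(zip(ASSETS, choice))


def min_cost(r_acceptable: float) -> Optional[Solution]:
    """Primal model (3)-(6): cheapest configuration whose quality reaches R_a."""
    best = None
    for assign in configurations():
        cost, quality = evaluate(assign)
        if quality + 1e-12 >= r_acceptable and (best is None or cost < best[0]):
            best = (cost, quality, assign)
    return best   # None means no configuration meets R_a


def max_quality(s_acceptable: float) -> Optional[Solution]:
    """Dual model (7)-(9): best-quality configuration whose cost stays within S_a."""
    best = None
    for assign in configurations():
        cost, quality = evaluate(assign)
        if cost <= s_acceptable + 1e-12 and (best is None or quality > best[1]):
            best = (cost, quality, assign)
    return best


if __name__ == "__main__":
    print("min cost for R_a = 0.8 :", min_cost(0.8))
    print("max quality for S_a = 10:", max_quality(10.0))
```

On this instance the primal problem with $R_a = 0.8$ picks EDR for all three assets at a cost of 13, while the dual problem with $S_a = 10$ can only afford the firewall everywhere; raising $R_a$ beyond the best reachable quality returns no solution, which is the feasibility check a planner needs before trusting any allocation.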

Simulation of attacks operates as discrete transactions targeting information resources (accounting, planning, networking) [21, 33, 39, 47]. Transactions create incoming flows characterized by source types and arrival times. The model establishes a compromise between "required security" and "available resources," balancing optimal protection [35].

$R \ge R_{mp}, \quad S \to \min,$ (10)

$R \to \max, \quad S \le S_a,$ (11)

where R is a comprehensive indicator of information security, Rmp is an indicator of information security according to the level of requirements, S is resources for information protection.

The optimal allocation of limited financial resources approximates necessary security requirements in stages.

Protection block evaluation uses probabilistic methods [3, 11] and fuzzy set theories for incomplete data [19-20, 31]. Defuzzification converts fuzzy intervals estimating interception probability into precise numerical values.

Assessment of protection against information destruction utilizes probabilities surrounding system failures and successful restorations [21, 43].

Regarding unauthorized interference, game theory models optimal strategies under uncertainty since intruders act with full access [23-24, 41].

Game theory models delineate best guaranteed outcomes for the system against an attacker's choice.
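
The three local indicators described above (interception probability obtained by defuzzification, protection against information destruction, and the guaranteed outcome against unauthorised interference) can be computed as in the following added Python example. It is not the authors' implementation: the centre-of-area defuzzification of a trapezoidal (or triangular) fuzzy number, the survival-style form of the destruction indicator, and the pure-strategy maximin of a payoff matrix are the author's choices for this illustration, and the fuzzy estimates and payoff values are constructed.

```python
from typing import Sequence


def centroid_trapezoid(a, b, c, d):
    """Centre-of-area defuzzification of a trapezoidal fuzzy number (a, b, c, d) with
    a <= b <= c <= d; the triangular case is b == c. Returns a crisp value in [a, d]."""
    if not a <= b <= c <= d:
        raise ValueError("expected a <= b <= c <= d")
    if a == d:                       # degenerate (crisp) number: nothing to average
        return float(a)
    num = (d * d + c * c + c * d) - (a * a + b * b + a * b)
    den = (d + c) - (a + b)
    return num / (3.0 * den)


def interception_indicator(fuzzy_estimate):
    """Local indicator for the interception block: the defuzzified interception probability.
    fuzzy_estimate is (a, b, c) for a triangle ('between a and c, most plausibly b') or
    (a, b, c, d) for a trapezoid ('between a and d, fully plausible on [b, c]')."""
    if len(fuzzy_estimate) == 3:
        a, b, c = fuzzy_estimate
        return centroid_trapezoid(a, b, b, c)
    return centroid_trapezoid(*fuzzy_estimate)


def destruction_indicator(p_failure, p_restore):
    """Assumed form of the anti-destruction indicator (example's own, not from the paper):
    information is lost only if the system fails (p_failure) AND restoration then fails."""
    return 1.0 - p_failure * (1.0 - p_restore)


def guaranteed_outcome(payoff: Sequence[Sequence[float]]):
    """Maximin of a matrix game: rows are defender configurations, columns are intruder actions,
    entries are the security level retained. The defender, not knowing the column, picks the row
    whose worst case is best. Returns (row index, guaranteed level)."""
    row_mins = [min(row) for row in payoff]
    best = max(range(len(payoff)), key=lambda i: row_mins[i])
    return best, row_mins[best]


if __name__ == "__main__":
    # Constructed inputs: an expert's fuzzy estimate of interception probability, failure/restoration
    # probabilities, and a 3x3 defender-vs-intruder payoff matrix.
    print("r_interception =", round(interception_indicator((0.6, 0.8, 0.9)), 4))
    print("r_destruction  =", round(destruction_indicator(0.2, 0.9), 4))
    row, level = guaranteed_outcome([[0.6, 0.4, 0.7], [0.5, 0.55, 0.5], [0.8, 0.3, 0.9]])
    print(f"r_interference = {level} (defender configuration {row})")
```

Note that the maximin row is not the row with the best average: configuration 2 in the constructed matrix scores 0.9 against one intruder action but only 0.3 against another, so the guaranteed outcome the text refers to is configuration 1 with 0.5.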

Aggregation of local indicators into the integral metric Q uses a nonlinear power-geometric convolution avoiding imbalance [34, 43]:

Q = \sum_{i=1}^{N} K_i \, r_i^{0} = \sum_{i=1}^{N} K_i \sqrt[2N_k]{\prod_{t=1}^{N_k} r_t^{2p}} ,                                       (12)

where $N$ is the number of partial indicators at the lower level of the hierarchy, $K_i$ is the weight coefficient of indicator $i$, $N_k$ is the number of indicators in a particular subdivision or group, $r_i^{0}$ is the value of the indicator at the base (initial) level, $r_t$ is the local value of a risk or security assessment within the group, and $p$ is a parameter determining the degree of influence of the indicator in the power convolution.

Corrective factors adjust for specific dynamics and time degradation [15, 18, 36]. For decision-makers (CISO), these equations transition fragmentary assessments into holistic views of process stability. Geometric convolution prevents any single indicator from dominating [34, 36, 43].

Finally, the gradient ascent method prioritises security indicators for optimisation [34, 45]. The gradient of the security function determines which changes yield the largest security increment [21, 36, 39]. Optimisation ends when increments fall below an acceptable threshold. The resulting structure models real-time integral indicators supporting management decisions through SIEM/SOAR platforms.
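
The following added Python example (not the authors' implementation) makes the convolution (12) and the gradient-based prioritisation concrete. It reads (12) as the $2N_k$-th root of the product of $r_t^{2p}$, i.e. the geometric mean of each group raised to the power $p$; the gradient $\partial Q / \partial r_t = K_i \,(p/N_k)\, r_i^{0} / r_t$ follows from that reading. The group sizes, weights, step size and stopping threshold are constructed, and the one-indicator-at-a-time ascent (always improving the indicator with the steepest gradient, capped at 1.0) is a simplification of the gradient method the text cites.

```python
import math


def group_convolution(locals_, p):
    """r_i^0 of one group: the 2N_k-th root of the product of r_t^(2p), which equals the
    geometric mean of the N_k local indicators raised to the power p."""
    n_k = len(locals_)
    prod = math.prod(r ** (2 * p) for r in locals_)
    return prod ** (1.0 / (2 * n_k))


def integral_indicator(groups, weights, p=1.0):
    """Q = sum_i K_i r_i^0 over N groups; the weights K_i are expected to sum to 1."""
    return sum(k * group_convolution(g, p) for g, k in zip(groups, weights))


def gradient(groups, weights, p=1.0):
    """dQ/dr_t for every local indicator: K_i * (p / N_k) * r_i^0 / r_t. A zero indicator gets
    an infinite gradient: the whole group is zero until it is lifted, so it is fixed first."""
    grads = []
    for g, k in zip(groups, weights):
        r0 = group_convolution(g, p)
        n_k = len(g)
        grads.append([k * p / n_k * r0 / r if r > 0 else math.inf for r in g])
    return grads


def priority(groups, weights, p=1.0):
    """(group, position) of the indicator below 1.0 whose improvement raises Q fastest; None if all are at 1.0."""
    grads = gradient(groups, weights, p)
    candidates = [(gi, ti) for gi, g in enumerate(groups) for ti, r in enumerate(g) if r < 1.0]
    if not candidates:
        return None
    return max(candidates, key=lambda idx: grads[idx[0]][idx[1]])


def gradient_ascent(groups, weights, p=1.0, step=0.05, threshold=1e-4, max_iter=1000):
    """Raise the steepest indicator by `step` (capped at 1.0) until the increment of Q falls below
    `threshold` or nothing is left to improve. Returns (updated groups, final Q, steps taken)."""
    groups = [list(g) for g in groups]
    q = integral_indicator(groups, weights, p)
    for it in range(max_iter):
        idx = priority(groups, weights, p)
        if idx is None:
            return groups, q, it
        gi, ti = idx
        groups[gi][ti] = min(1.0, groups[gi][ti] + step)
        new_q = integral_indicator(groups, weights, p)
        delta, q = new_q - q, new_q
        if delta < threshold:
            return groups, q, it + 1
    return groups, q, max_iter


if __name__ == "__main__":
    # Constructed local indicators: group 0 has three indicators, group 1 has two; K = (0.6, 0.4).
    groups, weights = [[0.8, 0.8, 0.8], [0.64, 1.0]], [0.6, 0.4]
    print("Q(p=1) =", round(integral_indicator(groups, weights, 1.0), 4))
    print("Q(p=2) =", round(integral_indicator(groups, weights, 2.0), 4))
    print("Q with one zero indicator =", integral_indicator([[0.9, 0.0]], [1.0]))
    print("improve first:", priority(groups, weights))
    final, q, steps = gradient_ascent(groups, weights)
    print(f"after {steps} steps Q = {q:.4f}")
```

Two properties of the geometric form are visible in the run: a single zero indicator pulls its whole group to zero regardless of the others (an arithmetic mean would hide it), and the gradient points at the weakest indicator of the more heavily weighted group rather than at the cheapest-looking improvement.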

5.    Experimental Studies and Practical Implementation of the Simulation Model

A series of experiments was conducted based on the proposed simulation model with the aim of quantitatively determining the integral security indicator (formulas (1)-(12)) across cyberattack scenarios S1-S6. To ensure reproducibility, a hybrid dataset was used: depersonalised event logs from three real enterprises were combined with synthetically generated attack scenarios. The combined event log contains 150,000 records, of which approximately 110,000 correspond to real monitoring events (after anonymisation and normalisation) and approximately 40,000 were generated to replicate rare or critical scenarios (DoS, Insider, combined attacks). For each parameter configuration - one of the scenarios S1-S6, attack intensity λ, number of protection measures, and budget constraints - at least 30 independent simulation runs were performed, with results aggregated by mean and standard deviation of Q, and 95% confidence intervals evaluated for statistical stability. All processing was performed on a standard user-class workstation without specialised hardware accelerators, confirming that the model can be integrated into a typical corporate monitoring stack without elevated resource requirements [35].

5.1.    Real-life Implementation Cases at Enterprises

E1 (manufacturing): Assessed BP3 against DoS/Data Tampering. Reallocating the infrastructure budget to production nodes increased Q by 15-19% (S2-S4) and reduced undetected intrusions by 21%.

E2 (financial): Protected BP1-BP2 payment transactions. Removing subjective risk assessment biases improved Q by 12-16% and, under the optimal allocation, reduced residual risk by 18%.

E3 (SaaS provider): Evaluated peak API loads (S3, S6). Adaptive resource reallocation increased Q by 20-27%, decreased MTTD to 1.2s, and reduced false negatives by 23%.

All cases produced actionable CISO recommendations without alterations to the baseline architecture.

5.2.    Simulation Study Scenarios

Six attack scenarios evaluated variable threat dynamics:

  • S1: Low threat (λ 0.1-0.4), single attack type, normal operations.

  • S2: Medium threat (λ 0.7-1.2), three attack types.

  • S3: High threat (λ 1.5-2.5), burst events, six attack types.

  • S4: APT campaign (λ 0.9-1.4), lateral movement, highly critical.

  • S5: Supply Chain Attack (λ 0.4-1.1), compromised CI/CD pipelines impacting BP1.

  • S6: Extreme multivector crisis (λ 2.0-3.0), targeted attacks of up to eight types simultaneously.

5.3.    Methodology and Parametric Analysis

A heatmap (Fig. 3) outlined operational loads prior to executing parametric model validations.

Fig. 3. Heat map of operational loads prior to executing parametric model validations.

Simulations utilized Poisson processes and exponential inter-event distributions. Thirty independent runs of 10,000 events evaluated statistical stability [39].

Parametric sensitivity analysis demonstrated (Fig. 4) that Q decreases as attack intensity (λ) grows, stabilising near λ > 1.4. Weight dependencies behaved predictably due to the geometric convolution [39, 45-46]. Micro-validations via ±15% parameter variations confirmed robustness without system degradation [29, 35].

Optimisation substantially improved Q at all λ values. At λ = 2.3 (peak), optimisation boosted Q from 0.48 to 0.75, representing a comprehensive 12-27% protection increase [39-40]. A residual risk heat map displayed targeted process criticality (Fig. 5). Weight coefficient analyses spotlighted NSD defence, MITM resistance, and recovery speed as critical factors. Multi-layered infrastructural implementations (increasing from three to five mechanisms) enhanced security by up to 28% under severe threats. Budget constraints indicated high sensitivity: a 30% budget increase improved Q by 18%, while a 20% cut decreased it by 29%.
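
The experimental protocol described above (Poisson attack arrivals with exponential inter-event times, thirty independent runs per configuration, aggregation by mean, standard deviation and a 95% confidence interval) can be reproduced in miniature with the following added Python example, which is not the paper's simulator. The detection pipeline is modelled here as a single analysis server with a small buffer and per-attack-type analysis times, so that a transaction arriving when the buffer is full slips through undetected; the security level of a run is the intercepted share. That queue model, the attack types, the analysis times, the buffer size and the normal-approximation z = 1.96 are all assumptions of this example. With them the sweep shows the same qualitative trend as the text's Fig. 4: the level falls as λ grows.

```python
import math
import random
from statistics import mean, stdev

# Constructed attack sources and the analysis time (time units) each one costs the detection pipeline.
SERVICE_TIME = {"dos": 0.4, "tampering": 0.6, "mitm": 0.7,
                "insider": 1.0, "phishing": 0.5, "supply_chain": 0.8}
ATTACK_TYPES = list(SERVICE_TIME)


def simulate_run(lam, n_events, seed, buffer_size=5):
    """One run: n_events attack transactions arrive as a Poisson process of intensity lam
    (exponential inter-arrival gaps). A single detection server analyses them FIFO; an arrival
    that finds buffer_size transactions already queued is not intercepted. Returns the
    intercepted share in [0, 1], used here as the run's security level."""
    rng = random.Random(seed)
    t = 0.0
    in_system = []          # departure times of transactions waiting or being analysed (ascending)
    intercepted = 0
    for _ in range(n_events):
        t += rng.expovariate(lam)                       # next arrival
        kind = rng.choice(ATTACK_TYPES)                 # source type decides the analysis effort
        in_system = [d for d in in_system if d > t]     # transactions finished before t have left
        if len(in_system) >= buffer_size:
            continue                                    # pipeline saturated: attack slips through
        start = in_system[-1] if in_system else t       # FIFO: wait for the previous departure
        in_system.append(start + SERVICE_TIME[kind])
        intercepted += 1
    return intercepted / n_events


def run_experiment(lam, runs=30, n_events=2000, seed=42):
    """Repeat simulate_run `runs` times with distinct seeds and aggregate the security level:
    mean, sample standard deviation and a 95% confidence interval (normal approximation)."""
    values = [simulate_run(lam, n_events, seed + k) for k in range(runs)]
    m = mean(values)
    s = stdev(values) if runs > 1 else 0.0
    half = 1.96 * s / math.sqrt(runs)
    return {"lambda": lam, "mean": m, "std": s, "ci": (m - half, m + half), "runs": values}


def sensitivity(lams, **kwargs):
    """Mean security level for each intensity in `lams` (the parametric sweep of the text)."""
    return [run_experiment(lam, **kwargs)["mean"] for lam in lams]


if __name__ == "__main__":
    for lam in (0.4, 1.2, 2.5):
        r = run_experiment(lam)
        lo, hi = r["ci"]
        print(f"lambda={lam:.1f}: mean={r['mean']:.4f} std={r['std']:.4f} 95% CI=[{lo:.4f}, {hi:.4f}]")
```

The buffer size plays the role of the "available resources" side of the compromise in (10)-(11): enlarging it (or adding a second analysis server) is the knob an optimisation module would turn, and the confidence interval is what tells a practitioner whether an observed gain in the level is more than run-to-run noise.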

Fig. 5. Heat map of residual risk (residual risk reduction ΔR by attack scenario and business process; colour scale 0.100-0.250).

To ensure a fair comparison, all approaches - the proposed simulation model, Classical Risk Matrix, NIST SP 800-30, and ISO/IEC 27005 - were applied to the same simulated event logs and the same set of scenarios S1-S6. The parameters of each baseline methodology were adjusted in accordance with its own risk-classification recommendations, and the integral indicators of accuracy, response time, and adaptability were calculated within a single experimental environment.

Classical approaches provided static outcomes with low testing accuracy (0.63) [24] or slow response times (NIST: 4.5s) [17, 33]. The proposed model achieved an accuracy of 0.87, response time of 1.2s, and high adaptability [6-7, 24].

While platforms like AWS Security Hub focus on log-level telemetry, this model creates integral, process-oriented resilience calculations [6-7, 17, 23, 26, 37-38].

The integral indicator Q is normalised on the scale [0, 1], where Q = 1 represents complete repulsion of all attack types across all business processes and Q = 0 represents total compromise. Its value is derived through the nonlinear power-geometric aggregation of local security indicators (formula (12)), ensuring that no single indicator dominates and that the metric saturates correctly near threshold boundaries. For the Chief Information Security Officer (CISO), Q serves as a direct management input: it quantifies the current security posture, supports budget redistribution decisions, and provides a baseline for evaluating the effectiveness of any change in security policy.

Q > 0.85: Stable business process security.

0.7 <= Q < 0.85: Satisfactory stability.

0.5 <= Q < 0.7: Unstable acceptability.

Q < 0.5: Critical state [5, 14, 23-24, 35, 40].

Analysis demonstrated Q optimization from 0.71 to 0.84 (financial), 0.68 to 0.82 (CRM), and 0.59 to 0.78 (production), significantly lowering residual risk matrices [33, 35].

Key operational metrics included: Accuracy (0.87), MTTD (1.2s), MTTR (3.8s), Q-avg (0.84), Resource Efficiency Ratio (RER +23%) [23, 45-46].

Computations scaled linearly, with MILP completing in <1.8s for real-time viability [23, 45]. Without isolating BP1-BP3 process decompositions, overall risks were significantly miscalculated.

5.4.    Validation of the Simulation Model and Threats to Validity

Internal validity relies on the formal mathematical specification of stochastic attack flows, local indicators, and integral metrics [23, 39]. Fixed initial parameters and repeated simulations guaranteed reproducible results consistent with the analytical models.

External validity is upheld by cross-evaluating the differing scenarios against Classical Risk Matrices, NIST SP 800-30, and ISO/IEC 27005 [14, 40]. The process-oriented structure ensures the indicator Q can adapt to alternate enterprises and environments.

Validity threats originate from several sources. First, the Poisson flow simplification and exponential inter-event assumption may not fully capture the burst structure and correlated behaviour of real APT campaigns (S4-S6); this is partially offset by the robustness check showing that ±15% parameter variation does not change the relative ranking of scenarios and that the efficiency gain from the optimisation module does not fall below 9% [29, 35]. Second, weight coefficients are assigned by expert judgement and treated as fixed during each experiment; in practice, these weights vary with business context and regulatory requirements over time, which may cause Q to overestimate or underestimate resilience in contexts where criticality profiles differ significantly from those assumed. Third, the synthetic nature of scenarios S1-S6 limits direct generalisation to specific corporate environments: the model has been applied to three real-enterprise cases (E1-E3), but full external validation on diverse, large-scale real event logs remains a priority for future work [11, 14]. Finally, abstractions of human security factors (insider psychology, social engineering susceptibility) and legal-organisational aspects are not modelled, which constrains applicability in contexts where these factors dominate.

5.5.    Limitations

Practical modelling encounters limitations. Synthetic simulations (S1-S6), while realistic, cannot cover every attacker behaviour in corporate networks. Furthermore, the weight coefficients are fixed in the model, whereas in practice they vary over time according to business context and regulatory requirements. Finally, Poisson attack assumptions and exponential inter-event distributions inadequately reflect complex multi-vector APT campaigns [40]. The models remain consistent nonetheless.

Future research expansions require testing real corporate logs, incorporating behavioural attack scenarios, and integrating with SIEM tools [26, 33, 39] to strengthen external validity in industrial applications.

6.    Discussion

The process-oriented methodology provides a quantifiable, model-driven advancement in enterprise information security assessment. Security infrastructure is intrinsically tied to business resilience, meaning the index (Q) acts as an impact barometer for key functional chains. This aligns with and enhances ISO/IEC 27001, ISO/IEC 27005, and NIST SP 800-30 standards by introducing automated dynamic mathematical dependencies.

Optimisation modules produced a 12-27% increase in the integral indicator under peak scenarios (S1-S6), critical for stringent business stability. Comparing this to classical risk matrices and NIST SP 800-30 highlighted their static, expert-dependent weaknesses. This model, conversely, predicts shifts in risk levels resulting from executive budget reallocation and security architecture changes.

Applications as SIEM and SOAR add-ons enable CISOs and risk managers to prioritize metrics accurately against business process resilience rather than intuitive assessment [18, 29, 32].

The mathematical apparatus used (probability theory, fuzzy sets, gradient optimisation [18-21, 29-38]) made it possible to quantify otherwise subjective expert assessments. Synthetic logs (S1-S6) provided the necessary initial validation before adopting genuine SIEM data environments [9-10, 19-20, 31].

However, restrictions include Poisson attack flow constraints, static weight coefficients unable to account for seasonality, and centralized optimization limiting massive scalability.

Promising future iterations include non-Poisson traffic models, machine/reinforcement learning for autonomous coefficient updates [16-18, 28, 39], and multi-agent optimization for decentralized microservice architectures. The framework provides a quantifiable advancement in business process security assessment and decision-making support.

7.    Conclusions

Ensuring information security is a critical factor for the stable functioning of modern enterprises in a digital environment, where the effectiveness of protection systems is directly related to the continuity of business processes and competitiveness. The relevance of a process-oriented approach is growing amid digital transformation, the spread of cloud technologies, and stricter data protection regulations.

The paper shows that integrating probability theory, game theory, simulation modelling, and optimisation algorithms enables the development of an adaptive information security assessment model that accounts for the temporal dynamics of attacks, the structure of business processes, and resource constraints. The process-oriented approach treats the protection system as a component of the enterprise's business architecture, thereby providing more accurate risk ranking and increasing the validity of management decisions.

The proposed simulation and optimisation model enables the quantitative assessment of the integrated security indicator Q across various cyberattack scenarios and the formulation of recommendations for the redistribution of security resources. The results of the experiments confirm that integrating the optimisation module yields a 12-27% increase in the integral security indicator for business processes and an average 23% improvement in resource efficiency compared to classical approaches to risk management.

The study provided answers to all the research questions formulated: RQ1 - by formally combining process-oriented business process models with a multi-level system of mathematical models; RQ2 - through the development of a simulation and optimisation loop that takes into account the dynamics of attack flows and resource constraints; RQ3 - based on a quantitative comparative analysis with Classical Risk Matrix, NIST SP 800-30 and ISO/IEC 27005.

Thus, the study makes three key scientific and practical contributions: a process-oriented multi-level model for assessing information security is proposed, combining risk-oriented analysis, simulation modelling and resource optimisation; it proves the effectiveness of the optimisation mechanism for increasing the resilience of business processes in dynamic threat conditions; it demonstrates the practical applicability of the model for enterprises of various profiles, which creates the prerequisites for its integration into corporate incident monitoring and management systems.

Despite the results obtained, the proposed approach has several limitations. First, the model does not fully account for the human factor, in particular, the behaviour of insider threats with full access to cryptographic mechanisms and key infrastructure. Second, the accuracy of the integrated indicator Q depends significantly on the quality, completeness, and correctness of the event logs received from SIEM/SOAR systems. Third, some organisational and social aspects of security have been abstracted to formalise the model, which may limit its application in certain industry contexts.

Further research should focus on expanding the model's functionality by automating security management processes in SOC environments, integrating with enterprise digital twins for scenario analysis and forecasting, and investigating cross-enterprise risk propagation in supply chains and cloud ecosystems. A separate promising direction is the validation of the model on real-world event logs from large enterprises and the development of decentralised multi-agent mechanisms for adaptive optimisation of protection parameters.

Author Contributions Statement

Conceptualisation: Kostiuk Y., Sokolov V. - conceptualisation of the research problem, development of the process-oriented approach for security evaluation of business processes.

Methodology: Kostiuk Y., Skladannyi P. - formulation of multi-level mathematical models (Eqs. (1)–38), definition of overall system architecture, and design of the optimisation-simulation framework.

Formal Analysis: Khorolska K., Kostiuk Y. - analytical investigation of model properties, complexity assessment, and sensitivity analysis of the integral security measure Q.

Software: Skladannyi P., Sokolov V. - implementation of simulation models and optimisation routines in Python, integration of machine learning modules (LSTM, autoencoder, XGBoost).

Data Curation: Sokolov V. - preparation and curation of the hybrid dataset, anonymisation of event logs, generation of synthetic attack scenarios, and ensuring reproducibility of experiments.

Investigation: Skladannyi P., Sokolov V. - conducting simulation experiments, scenario execution for BP1–BP3, and comparative analysis with Classical Risk Matrix, NIST SP 800-30, and ISO/IEC 27005.

Validation: Skladannyi P., Sokolov V. - verification and validation of experimental results, robustness checks, and cross-validation of findings.

Visualisation: Skladannyi P., Khorolska K. - development of figures, heatmaps, and conceptual diagrams for the manuscript.

Writing - Original Draft: Kostiuk Y., Sokolov V. - drafting the main manuscript sections (Introduction, Methods, Results).

Supervision: Kostiuk Y. - overall supervision of the research project and coordination of author contributions.

All authors have read and agreed to the published version of the manuscript.

Conflict of Interest Statement

The authors declare no conflicts of interest.

Funding Declaration

Not applicable.

Data Availability Statement

Not applicable.

Ethical Declarations

None.

Acknowledgments

Not applicable.

Declaration of Generative AI in Scholarly Writing

During the preparation of this manuscript, the authors used AI-assisted technologies solely for language improvement purposes. The DeepL tool was used to verify the accuracy and quality of the English translation, while Grammarly was used to correct grammar, syntax, and spelling. These tools were applied solely to improve the manuscript's linguistic quality. All scientific content, analysis, interpretations, and conclusions were created and reviewed by the authors. The authors take full responsibility for the content of the publication.

Abbreviations

The following abbreviations are used in this manuscript:

FCM – Fuzzy Cognitive Maps

BPM – Business Process Model

ML/AI – Machine Learning / Artificial Intelligence

LSTM – Long Short-Term Memory

ISS – Information Security System

ISI – Information Security Infrastructure

Appendix

Not applicable.