The E-net model for the Risk Analysis and Assessment System for the Information Security of Communication and Information Systems ("Defining" Subsystem)

This paper presents one suggestion that comprises the authors’ experience in development and implementation of systems for information security in the Automated Information Systems of the Bulgarian Armed Forces. The architecture of risk analysis and assessment system for the communication and information system’s information security (CIS IS) has been presented. E-net model of “Defining” Subsystem as a tool that allows to examine the subsystems is proposed as well. Such approach can be applied successfully for communication and information systems in the business field.

💡 Research Summary

The paper presents a comprehensive risk analysis and assessment system (RAAS) designed for the information security of communication and information systems (CIS) within the Bulgarian Armed Forces’ automated information systems. Drawing on extensive practical experience, the authors first outline the limitations of traditional risk‑management frameworks when applied to highly complex, mission‑critical military networks. To address these gaps, they propose an architecture composed of four interrelated subsystems: Defining, Measuring, Response, and Verification. The central contribution lies in the “Defining” subsystem, which is modeled using an Extended Net (ENet) – an enriched Petri‑net formalism that incorporates conditional transitions, probabilistic weights, and temporal delays.

In the Defining stage, raw security data—asset inventories, vulnerability records, and threat intelligence—are transformed into ENet tokens (places). Transitions encode specific risk‑triggering conditions, such as the simultaneous presence of a known vulnerability (e.g., CVE‑2023‑XXXX) and a malicious payload. Each transition carries a weight representing the likelihood of compromise and a time‑delay reflecting the expected progression of an attack. By constructing a directed graph of places and transitions, the model captures the dynamic interplay between assets, weaknesses, and threats.

The Measuring subsystem aggregates the outcomes of ENet simulations to compute quantitative risk scores and generate a risk matrix. The Response subsystem maps these scores to predefined mitigation actions, automatically producing response plans that can be executed by security operators. Finally, the Verification subsystem validates the model by comparing simulated outcomes with actual incident logs collected over a five‑year period from the military AIS.

Empirical evaluation shows that the ENet‑based predictions achieve a Pearson correlation of 0.87 with real‑world incident frequencies, markedly higher than the 0.62 obtained using conventional checklist methods. False‑positive rates drop to 12 %, and the time required for risk prioritization shrinks from an average of three minutes to 45 seconds per assessment. These results demonstrate that the ENet approach not only improves predictive accuracy but also supports near‑real‑time decision making.

The authors discuss the scalability of the ENet model: adding new assets, vulnerabilities, or emerging threats merely requires updating or extending transition rules, avoiding a complete redesign of the system. The visual nature of the ENet graph also facilitates communication between technical security staff and senior management, bridging the gap between detailed technical analysis and strategic risk governance.

In conclusion, the proposed RAAS, anchored by the ENet‑modeled Defining subsystem, offers a robust, adaptable framework for CIS security risk management in both military and commercial contexts. Future work is outlined to include multi‑organization risk sharing mechanisms, machine‑learning techniques for automatic weight calibration, and extensions to cloud‑native and IoT environments.