DECISION SUPPORT FRAMEWORK FOR CRITICAL INFRASTRUCTURE CYBERSECURITY PLANNING
DOI:
https://doi.org/10.28925/2663-4023.2025.29.884
Keywords:
decision support system; cybersecurity; critical infrastructure; systems approach; multi-criteria analysis; Zero Trust; Explainable AI; Cross-Impact Matrix; AHP.
Abstract
The article addresses the challenge of making well-grounded architectural decisions in the field of cybersecurity for critical infrastructure facilities under increasing threats, limited resources, and complex interdisciplinary system structures. Modern approaches to building protection systems are analyzed, including the Zero Trust Architecture concept, Explainable AI methods, and risk-based models applied for threat detection and response in highly critical environments. It is identified that existing solutions lack sufficient adaptability and fail to account for the set of interrelated criteria that influence the effectiveness of the protection system architecture.
The aim of the research is to develop an integrated decision support system (DSS) that considers the multidimensional nature of cybersecurity tasks and enables the selection of optimal architectures taking into account technical, organizational, and economic factors. A multi-criteria approach based on AHP is proposed, complemented by a structural impact analysis module and a dynamic mechanism for updating criterion weights in accordance with evolving threats and risks. Evaluation criteria for protection architectures (MTTD, MTTR, threat detection rate, automation level, cost, policy compliance, etc.) are formalized with consideration of their functional characteristics and types of utility functions.
The practical implementation of the DSS is carried out using Python and the Streamlit library, which provides interactive user engagement, construction of comparison matrices, visualization of causal relationships, and generation of ranked solutions in a user-friendly format. The article presents the architecture of the software module, an example of system functionality based on three architectural models (classical, ZTA, cloud-based), and justifies the choice of an alternative in the context of critical infrastructure.
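The AHP step described above (pairwise comparison matrix, criterion weights, ranking of the three architectures) can be sketched as follows. This is an added example, not the authors' DSS code: the comparison matrix, the per-architecture measurements, the linear utility function and all function names are assumptions constructed for illustration, and the resulting ranking reflects only those sample numbers.

```python
# Added illustration, not the article's code; every number below is a constructed sample.
# Criteria order: MTTD (h), MTTR (h), detection rate, relative cost.
PAIRWISE = [[1, 2, 1/2, 3],      # PAIRWISE[i][j]: Saaty-scale judgment of i over j
            [1/2, 1, 1/3, 2],
            [2, 3, 1, 4],
            [1/3, 1/2, 1/4, 1]]
RANDOM_INDEX = {3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24}  # Saaty's random indices
ALTERNATIVES = {"classical": [12.0, 24.0, 0.80, 1.0],
                "ZTA": [4.0, 8.0, 0.95, 1.8],
                "cloud": [6.0, 10.0, 0.90, 1.4]}
LOWER_IS_BETTER = [True, True, False, True]  # cost-type vs benefit-type criteria

def ahp_weights(matrix, iterations=100):
    """Principal eigenvector by power iteration; returns (weights, lambda_max)."""
    n = len(matrix)
    w = [1.0 / n] * n
    for _ in range(iterations):
        v = [sum(a * x for a, x in zip(row, w)) for row in matrix]
        w = [x / sum(v) for x in v]
    aw = [sum(a * x for a, x in zip(row, w)) for row in matrix]
    return w, sum(p / q for p, q in zip(aw, w)) / n

def consistency_ratio(matrix):
    """CR = CI / RI; judgments are conventionally accepted when CR <= 0.10."""
    n = len(matrix)
    if n < 3:
        return 0.0  # 1x1 and 2x2 reciprocal matrices are always consistent
    _, lam = ahp_weights(matrix)
    return ((lam - n) / (n - 1)) / RANDOM_INDEX[n]

def utilities(alts, lower_is_better):
    span = [(min(c), max(c)) for c in zip(*alts.values())]
    def u(k, x):  # linear min-max utility in [0, 1] (an assumed utility shape)
        lo, hi = span[k]
        if hi == lo:
            return 1.0  # criterion does not discriminate between alternatives
        t = (x - lo) / (hi - lo)
        return 1 - t if lower_is_better[k] else t
    return {n: [u(k, x) for k, x in enumerate(r)] for n, r in alts.items()}

def rank(matrix, alts, lower_is_better, max_cr=0.10):
    """Weighted-sum ranking; refuses to rank on inconsistent judgments."""
    cr = consistency_ratio(matrix)
    if cr > max_cr:
        raise ValueError(f"inconsistent pairwise matrix, CR={cr:.2f}")
    w, _ = ahp_weights(matrix)
    util = utilities(alts, lower_is_better)
    scores = {n: sum(a * b for a, b in zip(w, u)) for n, u in util.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
```

Calling rank(PAIRWISE, ALTERNATIVES, LOWER_IS_BETTER) returns the architectures ordered by weighted utility; the consistency check is what stops a contradictory set of expert judgments from silently producing a ranking.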
The proposed approach improves the justification and transparency of cybersecurity-related decisions and allows for system adaptation to real-world operational environments, ensuring resilience to complex multi-vector attacks. The results can be applied for the automated design of security architectures in sectors such as energy, transportation, telecommunications, and other critical domains.
License
Copyright (c) 2025 Наталя Долгова, Олена Шаповалова, Ганна Солодовник

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.