The article is devoted to the solution of the scientific problem of the development of theoretical foundations and technology of substantiation of quantitative requirements (rules) for software information security (PSI). The basis of the modern theory of information security is a classification approach. When using the classification approach, the requirements for PSSS are defined as a set of functional requirements necessary for implementation for a certain class of security. At the same time, the concept of "effectiveness of information protection" is not considered. The contradiction between the qualitative classification approach in the formation of requirements for PSI and the need to use their quantitative characteristics in the development of automated systems (as) in protected execution required the development of a new normative approach to substantiate the requirements for information protection. Normative approach based on the systematic consideration of problems in which the analysis of interaction of elements as each other and the influence of PSSI on the AU in General and the analysis of the goals of security of information (BI). The information structure of the system is constructed on the basis of the analysis of the AU topology, internal and external relations and information flows. At the same time, the normative method considers the full set of BI threats. BI threats are stochastic, multi-stage and multi-variant. In turn, the NSCI in implementing protection functions neutralizes BI threats with some probability (there are residual risks) and length in time. The presence of a variety of BI threats, characterized by different time of implementation, probabilistic characteristics of overcoming PSI and destructive capabilities, require the finding of BI norms by optimization methods, based on the requirements of minimizing the impact on the efficiency of the automated system.

information security, automated system, information security system, system effectiveness, unauthorized access, information security, FSTEC

1. FSTEHK RF. Rukovodyashchij dokument. Koncepciya zashchity sredstv vychislitel'noj tekhniki i avtomatizirovannyh sistem ot nesankcionirovannogo dostupa k informacii [FSTEC RF. Guidance document. The concept of protection of computer equipment and automated systems from unauthorized access to information]. Available at: https://fstec.ru/tekhnicheskaya-zashchita-informatsii/dokumenty/114spetsialnye-norma-tivnye-dokumenty/385rukovodyashchij-dokument-reshenie-predsedatelya-gostekhkomissii-rossii-ot30marta1992g2 (in Russian)

2. FSTEHK RF. Rukovodyashchij dokument. Sredstva vychislitel'noj tekhniki. Zashchita ot nesankcionirovannogo dostupa k informacii. Pokazateli zashchishchennosti ot nesankcionirovannogo dostupa k informaci [FSTEC RF. Guidance document. Computing facilities. Protection against unauthorized access to information. Indicators of security against unauthorized access to information]. Available at: https://fstec.ru/ tekhnicheskaya-zashchita-informatsii/dokumenty/114spetsialnye-normativnye-dokumenty/384rukovodyashchij-dokument-reshenie-predsedatelya-gostekhkomissii-rossii-ot30marta1992g (in Russian)

3. FSTEHK RF. Rukovodyashchij dokument. Avtomatizirovannye sistemy. Zashchita ot nesankcionirovannogo dostupa k informacii. Klassifikaciya avtomatizirovannyh sistem i trebovaniya po zashchite informacii [FSTEC RF. Guidance document. Automated systems. Protection against unauthorized access to information. Classification of automated systems and information security requirements]. Available at: https://fstec.ru/tekhnicheskaya-zashchita-informatsii/doku-menty/114spetsialnye-normativnye-dokumenty/384rukovo-dyashchij-dokument-reshenie-predsedatelya-gostekhkomissii-rossii-ot30marta1992g (in Russian)

4. FSTEHK RF. Rukovodyashchij dokument. Bezopasnost' informacionnyh tekhnologij. Kriterii ocenki bezopasnosti informacionnyh tekhnologij [FSTEC RF. Guidance document. Security information technology. Criteria for assessing the security of information technology]. Available at: https://fstec.ru/tekhnicheskaya-zashchita-informatsii/dokumenty/114spetsialnye-normativnye-dokumenty/381rukovodyashchij-dokument (in Russian)

5. Makarov O.Yu., Hvostov V.A., Hvostova N.V. Methodology of rationing requirements for information security of automated systems. Vestnik Voronezhskogo gosudarstvennogo tekhnicheskogo universiteta [Bulletin of the Voronezh State Technical University]. 2010. vol. 6. no. 11. pp. 47–51. (in Russian)

6. Baldin K.V., Vorob'ev S.N., Utkin V.B. Upravlencheskie resheniya [Management decisions]. Moscow, Dashkov i K, 2012.496 p. (in Russian)

7. Voloshin G.Ya. Metody optimizacii v ehkonomike [Optimization methods in economics]. Moscow, Publishing "Business and Service", 2004. 320 p. (in Russian)

8. Vorob'ev S.N. Upravlencheskie resheniya: teoriya i tekhnologii prinyatiya [Management decisions: theory and technology adoption]. Moscow, Project, 2004. 495 p. (in Russian)

9. Makarov O.Yu., Hvostov V.A., Hvostova N.V. The method of constructing formal models for the implementation of threats to information security of automated systems. Vestnik Voronezhskogo gosudarstvennogo tekhnicheskogo universiteta [Bulletin of the Voronezh State Technical University]. 2010. vol.6. no. 11. pp. 22–24. (in Russian)

10. FSTEHK RF. Rukovodyashchij dokument. Ba-zovaya model' ugroz bezopasnosti personal'nyh dannyh pri ih obrabotke v informacionnyh sis-temah personal'nyh dannyh (vypiska). FSTEHK Rossii, 2008 god [FSTEС RF. Guidance document. The basic model of threats to the security of personal data when they are processed in personal data information systems (extract). FSTEC of Russia, 2008]. Available at: https://fstec.ru/tekhnicheskaya-zashchita-informatsii/dokumenty/114spetsialnye-norma-tivnye-dokumenty/379bazovaya-model-ugroz-bezopasnosti-personalnykh-dannykh-pri-ikh-obrabotke-v-informatsionnykh-sistemakh-personalnykh-dannykh-vypiska-fstek-rossii2008god (in Russian)

11. FSTEHK RF. Rukovodyashchij dokument. Me-todika opredeleniya aktual'nyh ugroz bezopasnosti personal'nyh dannyh pri ih obrabotke v informacionnyh sistemah personal'nyh dannyh. FSTEHK Rossii, 2008 god [FSTEС RF. Guidance document. The method of determining the actual threats to the security of personal data during their processing in personal data information systems. FSTEC of Russia, 2008]. Available at: https://fstec.ru/tekhnicheskaya-zashchita-informatsii/doku-menty/114spetsialnye-normativnye-dokumenty/380metodika-opredeleniya-aktualnykh-ugroz-bezopasnosti-personalnykh-dannykh-pri-ikh-obrabotke-v-informatsionnykh-sistemakh-personalnykh-dannykh-fstek-rossii2008god (in Russian)

12. Zima V.M., Kotuhov M.M., Lomako A.G., Markov A.S. et al. Razrabotka system informacionno-komp'yuternoj bezopasnosti [Development of information and computer security systems]. St. Petersburg, Military Space Academy. A.F. Mozhaisky, 2003. 327 p. (in Russian)

13. Gudkov S.N., Gudkova O.I., Hvostov V.A. Model of a complete set of implementations of information security threats in ITKS. Vestnik Voronezhskogo gosudarstvennogo tekhnicheskogo universiteta [Bulletin of the Voronezh State Technical University]. 2011. vol.7. no. 6. pp. 126–130. (in Russian)

14. Mel'nikov V. Zashchita informacii v komp'yuternyh sistemah [Information security in computer systems]. Moscow, Finance and Statistics, 1997. 368 p. (in Russian)

15. Druzhinin V.V, Kontorov D.S. Vvedenie v teoriyu konflikta [Introduction to the theory of conflict]. Moscow, Radio and communication, 1989. 288 p. (in Russian)

16. Kislyak A.A., Makarov O.Yu., Rogozin E.A., Hvostov V.A. About one way to formalize the concept of the durability of the security function of GOST ISO/MEK 15408. Vestnik Voronezhskogo gosudarstvennogo tekhnicheskogo universiteta [Bulletin of the Voronezh State Technical University]. 2009. no. 2. pp. 94–98. (in Russian)

17. Kislyak A.A., Makarov O.YU., Rogozin E.A., Hvostov V.A. Methodology for estimating the probability of unauthorized access to automated systems. Informaciya i bezopasnost' [Information and security]. 2009. no. 2. pp. 285–288. (in Russian)

18. Klimov S.M. Metody I modeli protivodejstviya komp'yuternym atakam [Methods and models of countering computer attacks]. Lyubercy, KATALIT, 2008. 316 p. (in Russian)

19. Yang J., Zhou C., Yang Sh., Xu H. et al. Anomaly detection based on zone partition for security protection of industrial cyber-physical systems. IEEE Transactions on Industrial Electronics. 2018. vol. 65. no. 5. pp. 4257–4267.

20. Makarov O.Yu., Rogozin E.A., Hvostov V.A., Korobkin D.I. et al. The method of constructing the information structure of an automated system when rationing the requirements for information security. Vestnik voronezhskogo tekhnicheskogo universiteta [Bulletin of the Voronezh Technical University]. 2011. No. 9. pp. 61–64. (in Russian)

21. Makarov O.Yu., Rogozin E.A., Hvostov V.A., Korobkin D.I. et al. The function of communication of information security indicators of elements of a typical multi-level architecture of a web site with its performance indicators. Vestnik voronezhskogo tekhnicheskogo universiteta [Bulletin of the Voronezh Technical University]. 2011. no. 9. pp. 29–32. (in Russian)

22. Agentstvo peredovyh oboronnyh issle-dovatel'skih proektov Ministerstva oborony SSHA [Agency of Advanced Defense Research Projects of the US Department of Defense]. Available at: https://www.fbo.gov/index? s=opportunity&mode=form&id=4ebb7ba441be3ed21322ac135e528a3e&tab=core&_cview=0 (in Russian)

23. Saltzer J.H., Schroeder M.D. Theprotection of information in computer systems. Proceedings of the IEEE. 1975. vol. 63. no. 9.

24. Yang Z., Cheng P., Chen J. Differential-privacy preserving optimal power flow in smart grid. IET Generation, Transmission & Distribution. 2017. vol. 11. no. 15. pp. 3853–3861.

25. Valdevies F. A Single platform approach for the management of emergency in complex environments such as large events, digital cities, and networked regions. Internet of Things and Data Analytics Handbook. 2017. pp. 643–664.

26. Guizani S. Internet-of-things (IoT) feasibility applications in information Centric Networking System. 13th International Wireless Communications and Mobile Computing Conference. 2017. pp. 2192–2197. doi: 10.1109/IWCMC.2017.7986623

27.