System risk model of the IT system supporting the processing of documents at different levels of sensitivity

This study outlines the system risk model of IT system oriented at the safety of the processes of sensitive data processing. The model constitutes a multi-dimensional approach to the analysis of IT system risk and IT processes implemented therein. The presented approach includes various categories of risk factors, resulting from both the architecture of the very IT system, IT security elements and security of the continued operations. The model described in this article may constitute a starting point for the development of the method for IT system risk analysis and appropriate IT security policy, which may in turn constitute input values for the methodology of IT system risk management.


Introduction
When analyzing various models, methods and approaches to assessment of the risk level and proper handling of risks, a question arises whether a possibility of creating a complex and adequate IT system risk assessment model 1 , where the documents at different sensitivity levels are processed, and which includes various categories of risk factors allowing their combination so that it is possible to determine the risk level of sensitive documents, while maintaining practical usability of the proposed solution, does actually exist. This article is an attempt to answer the above question by outlining the system risk model of IT system supporting the processing of the documents different levels of sensitivity, which is -according to the authors -complete and consistent. The proposed risk model may be used at the stage of managing the IT system security and also developing the appropriate IT system security policy.
The risk related to IT systems may be considered in two different ways. Firstly, it is perceived as the design risk associated with other risks occurring at different stages of the IT system life cycle. Secondly, the approach consists in the analysis of the implemented processes of sensitive data processing to assess the risks related thereto and then in the management of the properly identified risks by accepting, transferring, avoiding or mitigating such risks. This study presents the IT system model of the office in such context. If the IT system risk level of the office is known, it is possible to efficiently

Basic IT system risk elements
The starting point for constructing the IT system risk assessment model, as proposed in this article, reflecting systemness of the described solution, shall be the IT system security model for the office presented in Fig. 1.
The model presented in Fig. 1 covers the three following areas: security of data, security of the processes of sensitive data processing and security of the continued process operations, and is based on the following components: -Rules -strategy, policies and procedures defining the rules of procedure concerning the security of sensitive data, processes of their processing and continuity of operations, whose comprehensive implementation within the entire office means efficient office management. -Structures -a set of positions and organizational units within the organization and their correlations. For the purpose of this study, the following structures are of importance: risk management framework, security services, continued operations framework, quality and control management services. -Office processes and operations -the solutions ensuring proper operations of the office, security and quality of the information processed therein, (Stanik i Protasowicki, 2015), compliance with the requirements on the business continuity, responses to infringement of the policies and procedures as well as incidents related to a breach of security of sensitive data. -Security control and strategy -ongoing monitoring of the IT system operations, processes of sensitive data processing, verification of the level of compliance with safety rules as well as their consistency and adequacy, and solutions for residual risk reduction with respect to the assigned attributes of the security of the process of sensitive data processing and their business continuity. The following correlations occur between the particular pillars of the above-described model : the rules included in the policies and procedures define the operations of the security solutions together with the ways of monitoring their work, the operations of the security systems -securityensuring solutions -determine the occurrence of new security principles and affect the scope of the monitoring of the continued operations, whereas the quality of the processing processes determine the occurrence of new security principles and affect the scope of the monitoring and control, the events detected thanks to the security monitoring stimulate changes in the security solutions -security system as well as information security management system, and provide recommendations for the modifications of the existing solutions in terms of their security and creation of new security policies and procedures. The model defined in such a manner shows the areas that determine the level of IT system risks and ensure completeness of the approach, which was confirmed by wide application of the model [7,8]. The key element of the above-mentioned IT system security model is a set of basic IT security attributes, divided into the following subsets/areas: I. Information security area. Within the framework of this component, the following elements with special impact on the IT system risk level may be distinguished: 1. Confidentiality: Access to the information is limited to a group of authorized entities only. The data are protected against reading and copying by a person not authorized by the data owner. This type of security solution not only includes the protection of all data, but also of the individual elements thereof, which look "innocent", but may be used to breach the confidentiality of other information. 2. Data consistency: The point is to ensure that the information is not modified in an unauthorized manner and that all potential modifications are detected. The information is protected against its removal or any modifications made without the consent of its owner. The protected information also includes such elements as settlement system records, tapes with back-up copies, times of creating files and documents. 3. Data availability: The information may be accessed in any circumstances permitted by the information security policy. The offered services are protected against distortion and damage. If an authorized user needs to use the IT system, which is unavailable, the effect may be the same as in case of removing data from the system. 4. Data certainty: The party undertaking some actions using the software may not deny the fact the (s)he performed some operations with the use of the software. II. The area of the process of sensitive data processing. Within the framework of this component, the following elements with special impact on the IT system risk level may be distinguished: 1. Availability of the process of sensitive data processing -a possibility of making a certain action in office available for use at a certain time and upon request of an authorized entity. 2. Operating safety: The point is to ensure that the work of the IT system is in line with the users' expectations. If the IT system resources, e.g. hardware and software start operating significantly different than usually, especially after the software upgrade or removing hardware failure, a real disaster could happen (e.g. ls command, which starts removing files from time to time instead of displaying them). This type of protection may be considered a way of ensuring operating safety. 3. Process control: The objective is to control access to the core IT system process. Unknown or unauthorized persons (or programs) in the system may constitute a serious problem. It is essential to learn how they got into the system. To remove the effects of such incidents may require substantial contribution in terms of time and workload, for example, related to the necessity of redesigning and reinstalling the system as well as verifying whether any important component was changed or disclosed -even if nothing has actually happened. 4. Audit: The system is not only under threat from the unauthorized users. Sometimes authorized users make mistakes, commit offenses and even deliberately destroy things. In such case, it is important to check what was done, by whom and with what effects. One way to obtain such information is to use the damage-proof event records in the system, which allows identifying the offenders and their actions. In some critical applications, it is possible to undo certain operations, which may be helpful in the process of restoring proper condition of the system. III. The area of the process of safety of sensitive data processing. Within the framework of this component, the following elements with special impact on the IT system risk level may be distinguished: 1. Fulfillment of the requirements included in the policy referring to the process continuity of operations, 2. Business Continuity Plan -BCP 3. Disaster Recovery Plan -DRP. 4. Financial effects of suspension/interruption of the process implementation, 5. Non-financial effects of suspension/interruption of the process implementation, 6. Costs and time of the process unavailability. Among from the information security attributes, all of them were directly incorporated into the system risk model of IT system proposed in this article. The impact of confidentiality and availability on the IT system risk depends on the expected level of such attributes for a given system. If the expectations concerning availability or confidentiality of the IT system are high, a given attribute shall significantly affect the risk assessment process for such system. However, if the availability or confidentiality for a certain IT system is not a critical factor, then the impact of a given attribute on the risk of such IT system shall be marginal [12][13].
According to the authors, in case of attributes of the security of the processes of sensitive data processing, it is important to prevent the situations when the lack of integrity and continuity of business processes or information processed thereunder is knowingly accepted. Therefore, it may be assumed that the expectations for every process in terms of its integrity are comparable.
The Rules, presented in the model in Fig. 1, are characterized by the following elements having impact on the risk level of IT systems: · security policy, · security procedures, · -BCP (Business Continuity Plan) -DRP (Disaster Recovery Plan). Of these, the security policy and safe use procedures implemented in the office have key impact on the IT system risk. However, the manner of considering such factors in the presented model differs [9][10][11]. The security policy constitutes a direct component of the IT system risk in the proposed model, whereas the safe use procedures have only indirect impact on such risk. Since verification of the security procedures constitutes an integral part of the process of classifying IT systems and assigning them to appropriate safety classes, the impact of the security procedures on the IT system risk in the proposed model is expressed by assigning the IT system to a specific security class. The methodology proposed in this article does not include any evaluation of the BCP or DRP Plans. It is due to the fact that the BCP-related issues are more connected with business risk than IT system risk, whereas DRP is directly linked to the attribute of the IT system availability. Furthermore, practical experience has shown that IT systems not requiring high level of availability usually do not have any dedicated DRP Plans, which usually results from the economic account of profitability. Therefore, to include the IT system risk analysis in the method proposed herein, the DRP-related component, would raise the risk level of such systems. Another argument in favor of exclusion of the DRPrelated component from this methodology is close connection of the DRP Plans with the business needs of a given organization. According to the author, evaluation of such plans in isolation from the business needs of the organization would be an abuse and would undermine the objectivity of the methodology proposed herein.
The category Processes and Actions in the model presented in Fig. 1 includes the following elements, which may have impact on the risk level of IT systems: protection processes, change management process, control and security mechanisms. The impact of the protection processes on the IT system risk, in particular its process of sensitive data processing is shown in Fig. 2. The impact of the change management process on the IT system risk is visible in commonly applied international standards, such ITIL and COBIT (Control Objectives for Information and Related Technology), which is reflected in the fact that the change management process is included in the proposed model as a risk component.  Fig. 2. The place of the protection processes in the information security management system in the office.

Information Security Management System
The control is the last of the main components of the IT system security model presented in Fig. 1. As part of this component, the following elements with special impact on the level of IT system risk may be distinguished: complexity of ICT environment, security monitoring system, physical and logical access control, impact of human factor. All of the above-mentioned elements are included in the method of IT system risk analysis proposed herein, however, the manner of their incorporation into the said method is different [ [14][15][16][17][18][19].

Components of the vector of IT system risk in the office
The system risk model of IT system for the office, presented herein, has been defined as the following vector ܴ ܵ ݅ ሬሬሬሬԦ: (1) defining the IT system risk level, which includes three reflecting the levels of IT system risks in terms of particular areas of risk factors. The selected coordinates of the risk vector represent individual risk areas ( Fig. 1), each of them including several risk factors, hereinafter referred to as the composition of partial vectors of IT system risk. The components of particular partial vectors used in this IT system risk model of the office are the following: I. Information security area -R S i B : 1. Data availability in the system -. The data availability in the IT system ܵ ݅ is a possibility of making a certain action in office available for use at a certain time and upon request of an authorized entity. The data availability in the IT system ܵ ݅ is expressed by assigning the system to a particular availability class ߣ ‫א‬ Ȧ, marked as ߣ ܲ ݅ . Set L = {I, II, III, IV, V} 2 containing the following elements is called the group of availability classes of the IT system: I -defines the IT system ܵ ݅ , in case of which the expected availability is 99.99% per year and its maximum one-time unavailability does not exceed 30 minutes, V -defines the IT system ܵ ݅ , in case of which the expected availability is 70% per year and its maximum one-time unavailability exceeds 3 weeks.
Every IT system ܵ ݅ Ԗܲ(ܱ) ݅߳{1, 2, … ܰ}belongs to one and only one availability class ߣ ‫א‬ Ȧ. The 2 While considering the subjectivity of interpretations of particular elements in the group of availability classes and limited number of pages in this articles, I have decided to include construction of only two extreme elements of the particular sets. described principle of assigning the IT system ܵ ݅ to a given availability class ensures explicitness of defining the availability of the IT system ܵ ݅ , which is significant for the model outlined in this article.

2.
Data confidentiality -ߙ ܲ ݅ The property of data non-disclosure to any unauthorized parties ܵ ݅ is the IT system data confidentiality. The confidentiality of data processed by the IT system ܵ ݅ is expressed by assigning the system to a particular data confidentiality class, ߙ߳Ȝ and marked as ߙ ܲ ݅ . Every IT system ܵ ݅ Ԗܲ(ܱ) ݅߳{1, 2, … ܰ} belongs to one and only one availability class of confidentiality of the business process data ߙ ‫א‬ . The set of confidentiality classes of data processed by the IT system ܵ ݅ is called A = {A, B, C, D, E}, composed of the following elements: A -defines the IT system and processes secret data, whose disclosure may pose threat to human life or health, E -defines the IT system, used for processing of public data. 0 -means that the requirement is inaccurate for the IT system ܵ ݅ , 5 -means that the requirement is maximally significant for the system ܵ ݅ . The values from 1 to 5 are numerical expressions of the following: minimum, low, medium, high and maximum level of significance of the requirement in terms of a given IT system. To allow 0 value in the set of values ‫‬ ܵ ݅ ݉ means to respond to the situations, when the requirement has nothing to do with the analyzed IT system. Therefore, in case of each IT system ܵ ݅ ߳ܲ(ܱ), there is the following set: ܹ ܵ ݅ ‫ܤ‬ such as that: ‫ܤ‬ belongs to ܹ ܵ ݅ ‫ܤ‬ when and only when ‫‬ ܲ ݅ ݉ ് 0.
The fulfillment of the requirement ‫ݓ‬ ݉ ܹ߳ ܲ(ܱ) ‫ܤ‬ of the where 0% -means that the requirement has not been met in terms of the process ܲ ݅ , 100% -means that the requirement has been fully met in terms of the process ܲ ݅ . The fulfillment of the requirements where: The efficiency of the system monitoring of the data for the IT system ܵ ݅ is in the form of the following product: (3) where: j -the number of the next criterion for assessing efficiency of the security monitoring system, ߜ ܵ ݅ ݉ -priority of the j-th criterion for assessing efficiency of the system security monitoring systemS ݅ , -value of the j-th criterion for assessing efficiency of the system security monitoring systemܵ ݅ , ݇ ݆ -materiality of the j-th criterion for assessing efficiency of the system security monitoring system, ݀ ‫ܯܵ‬ ‫ܤ‬ (ܵ ݅ )multiplier of the inclusion of the IT system ܵ ݅ in the security monitoring system, whereas: ݀ ‫ܯܵ‬ ‫ܤ‬ (ܵ ݅ ) = ൞ 1, ݅f the IT system is covered by a monitoring system to monitor the information system 0, if the IT system is not covered by a monitoring systemto monitor the information system If the IT system ܵ ݅ is under various monitoring systems, it is essential to define the number of criteria for assessing efficiency of such monitoring systems, e.g. in the form of tables [ Table 1]. Source: own elaboration.
Otherwise, in compliance with the above definitions, the efficiency of the monitoring system selected for the IT system ܵ ݅ would be zero and further determination of its parameters -unjustified. The criteria presented in Table 1 with respect to assessment of the monitoring system efficiency, materiality values and priorities of particular criteria as well as sets of their available values are not obligatory and may be customized. They should be considered sample data. The point of the abovedescribed method for assessing efficiency of the security monitoring systems is to describe, in a quantitative manner, the quality rate of a given system that would allow direct comparison of the security monitoring systems from different supplier and characterized by different qualitative, functional and operational parameters. 0 -means that the requirement is inaccurate for the IT system ܵ ݅ , 5 -means that the requirement is maximally significant for the system ܵ ݅ . The values from 1 to 5 are numerical expressions of the following: minimum, low, medium, high and maximum level of significance of the requirement in terms of a given IT system. To allow 0 value in the set of values ‫‬ ܵ ݅ ݉ means to respond to the situations, when the requirement has nothing to do with the analyzed IT system. Therefore, in case of each IT system ܵ ݅ ߳ܲ(ܱ), there is the following set: where 0% -means that the requirement has not been met in terms of the process ܲ ݅ , 100% -means that the requirement has been fully met in terms of the process ܲ ݅ . The fulfillment of the requirements in the business continuity management policy of the IT system ܵ ݅ is the following percentage value: where: The efficiency of the system monitoring the business continuity of the IT system ܵ ݅ is in the form of the following product: where: j -the number of the next criterion for assessing efficiency of the system monitoring the business continuity, ߜ ܵ ݅ ݉ -priority of the j-th criterion for assessing efficiency of the system security monitoring the system's business continuity S ݅ , -value of the j-th criterion for assessing efficiency of the system security monitoring the system's business continuity ܵ ݅ , ݇ ݆ -materiality of the j-th criterion for assessing efficiency of the system monitoring the business continuity, ݀ ‫ܯܵ‬ ‫ܥ‬ (ܵ ݅ )multiplier of the inclusion of the IT system ܵ ݅ in the system monitoring the business continuity, whereas: ݀ ‫ܯܵ‬ ‫ܥ‬ (ܵ ݅ ) = ൞ 1, ݅f the IT system is covered by a monitoring system to monitor the information system 0, if the IT system is not covered by a monitoring systemto monitor the information system BCP (Business Continuity Plan) and DRP (Disaster Recovery Plan). The model proposed in this article does not include any evaluation of the BCP or DRP Plans. It is due to the fact that the BCP-related issues are more connected with business risk than IT system risk, whereas DRP is directly linked to the attribute of the IT system availability. Furthermore, practical experience has shown that the IT systems implemented in the office, i.e. RFID, which do not require high level of availability, usually do not have any dedicated DRP Plans, which usually results from the economic account of profitability. Therefore, to include the IT system risk in the model proposed herein, the DRP-related component, would raise the risk level of such systems. Another argument in favor of exclusion of the DRP-related component from this model is close connection of the DRP Plans with the business needs of a given organization. According to the author, evaluation of such plans in isolation from the business needs of the organization would be an abuse and would undermine the objectivity of the methodology proposed herein.
3. Cost of the IT system unavailability -ߢ ܵ ݅ The costs related to unavailability of the IT system include all expenses connected with the performance of a given portion of actions, i.e. the operations that constitute a specific information process. To estimate the costs of the IT system unavailability, it was assumed that the event causing interruption of the information processing may occur at the worst possible moment. The cost of the IT system unavailability ܵ ݅ is the measure consisting of financial effects of the interrupted process and non-financial effects of suspended information processing. The financial effects of the interrupted process of sensitive data processing shall be deemed to mean maximum potential financial losses that the Office would incur due to the suspension of such process for a definite time. The financial effects may be as follows: loss of profits, contractual damages, penalty interest, fines, potentially additional costs of running the office. The nonfinancial costs of suspending the processes are the consequences of the suspended processed, which may not be expressed by the volume of losses. The materiality of the non-financial effects of the suspended process for a definite time is estimated by choosing one of the following levels: insignificant effects -unnoticeable effects or no effects, noticeable effects -visible effects, in case of which no actions are required, serious effects -effects requiring certain actions to be undertaken for the purpose of their removal, very serious effects -effects requiring certain actions to be undertaken for the purpose of preventing discontinuance of business operations of the whole company, catastrophic effects -effects that may directly lead to the company's fall. The non-financial effects are as follows: potential loss of trust on the market, e.g. loss of partners' trust, loss of the office's goodwill, dissatisfaction of clients, loss of clients, potential legal consequences (other than financial), e.g. restraint of liberty, potential dissatisfaction of the company's owners, potential dissatisfaction of individual clients, potential impediment to the activities of business, e.g. inability or problematic implementation of another process in the office. The cost of unavailability of the process of information processing is expressed by assigning the process to a particular unavailability cost class ߢ ‫א‬ ȥ, marked as ߢ ܵ ݅ . Set K = {I, II, III, IV, V, VI} containing the following elements is called the group of unavailability classes of the business processes: I -defines the process of sensitive data processing, in case of which the level of financial costs does not exceed 5% of the office's financial fluidity ratio, e.g. 1 000, whereas the level of the non-financial costs is insignificant; VI -defines the process of sensitive data processing, in case of which the level of financial costs exceeds 50% of the office's financial fluidity ratio, e.g. 1 000 000, whereas the level of non-financial costs is catastrophic. Every process of sensitive data processing ܲ ݅ Ԗܲ(ܱ) ݅߳{1, 2, … ܰ}belongs to one and only one unavailability cost class. ߢ ‫א‬ ȥ. The proposed scale is not obligatory, may be customized.

The maximum time of unavailability of the processes of sensitive data processing -ߨ ܵ ݅
Maximum time of the process unavailability is the time during which the process execution must be restored to prevent any significant financial or nonfinancial effects. The maximum time of unavailability of the processes of information processing is expressed by assigning the process to a particular unavailability time class ߨ ‫א‬ Ȳ and is marked as ߨ ܵ ݅ . The group of unavailability time classes of the process of sensitive data processing is set N = {0,1,2,3,4,5}, where: 0 -less than 1 hour; 1 -4 hours; 2 -1 day; 3 -1 week, 4 -more than 1 week, 5 -1 month and more. Every process of sensitive data processing ܲ ݅ Ԗܲ(ܱ), ݅߳{1, 2, … Ȯ}, belongs to one and only one cost class of the process of sensitive data processing. ߨ ‫א‬ Ȳ . The proposed scale is not obligatory, may be customized.
III. Processing security area -R S i T : 1. Fulfillment of the requirements defined in the processing security policy -ߟ ܵ ݅ ܶ The set of requirements in the O's office processing security policy is a finite and countable set, ܹ ܲ(ܱ) ܶ = ൛‫ݓ‬ 1, ‫ݓ‬ 2, … ‫ݓ‬ m, … w M ܶ ൟ, where: ‫ܯ‬ ܶ it is the number of requirements of the security policy with respect to the processing processes ܲ ݆ ߳ ܵ ݅ ‫א‬ ܲ(ܱ). In case of each requirement, ‫ݓ‬ ݉ ܹ߳ ܲ(ܱ) ܶ we define the priority of the requirement in terms of a given IT system ܵ ݅ . The requirement priority ‫ݓ‬ ݉ ܹ߳ ܲ(ܱ) ܶ in terms of the IT system ܵ ݅ is the number ‫‬ ܵ ݅ ݉ ‫א‬ {0,1, … 5}, where: 0 -means that the requirement is inaccurate for the IT system ; ܵ ݅ , 5 -means that the requirement is maximally significant for the system ܵ ݅ . The values from 1 to 5 are numerical expressions of the following: minimum, low, medium, high and maximum level of significance of the requirement in terms of a given IT system. To allow 0 value in the set of values ‫‬ ܵ ݅ ݉ means to respond to the situations, when the requirement has nothing to do with the analyzed IT system. Therefore, in case of each IT system ܵ ݅ ߳ܲ(ܱ), there is the following set: ܹ ܵ ݅ ܶ such as that: belongs to ܹ ܵ ݅ ܶ when and only when ‫‬ ܲ ݅ ݉ ് 0.
The fulfillment of the requirement ‫ݓ‬ ݉ ܹ߳ ܲ(ܱ) ܶ of the IT system ܵ ݅ is the number, ‫ݏ‬ ܲ ݅ ݉ ‫א‬ [0%, … , 100%], where 0% -means that the requirement has not been met in terms of the process ܲ ݅ , 100% -means that the requirement has been fully met in terms of the process ܲ ݅ . The fulfillment of the requirements in the business continuity management policy of the IT system ܵ ݅ is the following percentage value: where: -ܹ ܵ ݅ ܶ -the set of business continuity requirements of the system S i , Efficiency of the quality monitoring system െ ȕ S i T The efficiency of the quality monitoring system for the IT system ܵ ݅ is in the form of the following product: (7) where: j -the number of the next criterion for assessing efficiency of the quality monitoring system, ߜ ܵ ݅ ݉ -priority of the j-th criterion for assessing efficiency of the quality monitoring systemS ݅ , ߭ ܵ ݅ ݇ ݆ -value of the j-th criterion for assessing efficiency of the quality monitoring systemܵ ݅ , ݇ ݆ -materiality of the j-th criterion for assessing efficiency of the quality monitoring system, ݀ ‫ܯܵ‬ ܶ (ܵ ݅ )multiplier of the inclusion of the IT system ܵ ݅ in the quality monitoring system, whereas: ݀ ‫ܯܵ‬ ܶ (ܵ ݅ ) = ൞ 1, ݅f the IT system is covered by a monitoring system to monitor the information system 0, if the IT system is not covered by a monitoring systemto monitor the information system

Duration of information processing -ߜ ܵ ݅
It is the average time of all operations related to the information processing. The duration mainly depends on the organizational level of the implemented procedures and value added level. The time of the sensitive information processing is expressed by assigning the process to a particular execution time class ߜ ‫א‬ ǻ, marked as ߜ ܵ ݅ . The group of execution time classes of the process of data processing is set ȟ = {0,1,2,3}, where: 0insignificant; 1 -medium organizational level of the implemented procedures and low value added; 2medium organizational level of the implemented procedures and average value added; 3 -high organizational level of the implemented procedures and high value added. Every process of sensitive data processing ܲ ݅ ‫א‬ ܲ(ܱ), ݅߳{1, 2, … L}, belongs to one and only one cost class of the process of sensitive data processing. ߜ ‫א‬ ǻ . The proposed scale is not obligatory, may be customized.

Processing flexibility in the IT system -ߴ ܵ ݅
The processing flexibility in the IT system S i means the process ability to change, update, change order of the performed actions, merge operations, etc. It S i is also determined on the basis of the process susceptibility to the transformation of the used resources as well as the speed rate of responding to the clients' requests. To introduce the definition of the processing flexibility scales in the IT system, S i the following definitions have been adopted. The group of the processing flexibility scale classes S i constitutes set E = {0,1,..,9}, whose elements discretize the processing flexibility scale in the IT system S i , where: 0 -no processing flexibility in the IT system S i , 9 -processing flexibility in the IT system S i , with maximum reach, but at variance with the scope of requirements adopted in the security and business continuity policies. The proposed scale is not obligatory, may be customized. The level of the distribution and multiplicity of the IT system architecture components is called the scale of the processing process in the IT systemS i . The scale of the processing flexibility in the IT system S i is expressed by assigning the system to a particular flexibility scale class Ԃ ‫א‬ Ĭ, marked as Ԃ P i .

Importance of the IT system -ȗ S i
The importance of the IT systemS i is the measure consisting of the consumer and recipient satisfaction levels, amounts of revenue generated by the system, strength of relationships between the system and clients. The importance of the IT system S ݅ is expressed by assigning the system to the importance class ߞ ‫א‬ ǽ and marked ȗ S i . Set ZN = {I, II, III, IV, V,VI}S ݅ containing the following elements is called the group of the IT system importance classes: Idefines the IT system S ݅ , in case of which the consumer satisfaction level is below 50% and the amount of revenue generated by the system is low, VI -defines the IT system S ݅ , in case of which the consumer satisfaction level is over 90% and the amount of revenue generated by the system is very high. Every IT system S ݅ ‫א‬ P(O) i ‫א‬ {1, 2, … Z} belongs to one and only one IT system importance class. ߞ ‫א‬ ǽ .

Efficiency of the change management process -߮ ܲ ݅
The efficiency of the change management process is the level of compliance of such process in the IT system ܵ ݅ with the best practices in that respect. The efficiency of the change management process in the IT system ܵ ݅ is expressed by way of the percentage compliance of such process ܵ ݅ with the ITIL or other standards in that respect. The efficiency of the change management process in the IT system ܵ ݅ is marked as ߮ ܲ ݅ .  N] and maintain appropriate proportions of their impact on total IT system risk, including the set ܺ of all specialized risk factors divided into subsets ܺ ‫ܤ‬ , ܺ ܶ , ܺ ‫ܥ‬ representing the elected areas/aspects: information security, processing security and business continuity regarding the processing of sensitive information. Another limitation is to express the numbers ‫ܮ‬ ‫ܤ‬ , ‫ܮ‬ ܶ , ‫ܮ‬ ‫ܥ‬ of the selected standardization function from the family બ as a product of two natural numbers larger than 1 is another limitation, i.e.: The proposed ranges are not obligatory, may be customized. Such value ranges are aimed at creating the simplest possible shape of the functions that would transpose particular coordinates of the vector ܴ ܵ ݅ ሬሬሬሬሬԦ and components of the described model into uniform value ranges, additionally ensuring legibility of the risk analysis results. The exclusion of the values lower than 1, in particular 0 values, from such range is associated with the concept of a residual risk, (Hash, 2002), according to which it is impossible to completely eliminate the risk, thus, none of its components presented in the IT system risk model may have zero value. To transpose the values of the individual IT system risk components into the uniform value ranges, we have introduced the concept of the standardization function.

Normalized components of the IT system risk vector
When considering the above assumption and limitations, the standardization functions ߦ߳Ȅ shall be as follows: A. in case of a subset of the functions ߦ߳બ B characterized by the information security: 1. for the data availability component, it is defined in the following manner: 2. for the data confidentiality component, it is defined in the following manner: 3. for the component concerning the fulfillment of the requirements of the information security policy, it is defined in the following manner: 4. for the information security monitoring component, it is defined in the following manner: B. in case of a subset of the functions ߦ߳બ C characterized by the business continuity security of the process of sensitive data processing: 1. for the component concerning the fulfillment of the requirements of the business continuity security of the process of sensitive data processing, it is defined in the following manner: 2. for the component concerning the business continuity security of the process of sensitive data processing in the IT system, it is defined in the following manner: C. in case of a subset of the functions ߦ߳બ T characterized by the security of the processes of sensitive data processing: 1. for the component concerning the fulfillment of the requirements of the information processing security policy, it is defined in the following manner: ߟ ܵ ݅ ܶ , 2. for the component concerning the monitoring of the security of the processing processes in the IT system, it is defined in the following manner: ȕ S i T , ቁ . (20) The form of the above-mentioned standardization functions from the family Ȅ was defined, for the purpose of the model presented herein, in such a manner so that they transpose their values into appropriate ranges and maintain correct proportions of their impact on the IT system risk.

The IT system risk vector
The following vector ܴ S ݅ ሬሬሬሬሬԦ is considered the IT system risk model: (21) where: -M m×n -matrix size: m x n, ሬሬሬሬሬԦ that characterizes an aspect of the security of the processes of sensitive data processing in the IT system S i , , which constitutes a linear combination of the IT system risk elements S i within the linear space (M 2×3 , R, +,ή).
(M m×n , R, +,ή) -Vector space defined as a set of matrices M mxn with an option of adding matrices + external operatorή constitutes vector space over the body of real numbers R . whereas: On the basis of the above linear combination of such formulas, it is evident that the impact of all of the selected dimensions/factors ቀܴ ܵ ݅ ‫ܤ‬ ሬሬሬሬሬԦ , ܴ ܵ ݅ ‫ܥ‬ ሬሬሬሬሬԦ , ܴ ܵ ݅ ܶ ሬሬሬሬሬԦ ቁ of the IT system risk analysis particular risk vector coordinates ܴ ܵ ݅ ሬሬሬሬሬԦ is the same. To clarify the estimated IT system risk level, it may be necessary to determine the impact of the particular vector coordinates and risk components on the final IT system risk level as well as to modify such coordinates ܴ ܵ ݅ ሬሬሬሬሬԦ ‫א‬ ‫ܯ‬ m×n × ‫ܯ‬ m×n × ‫ܯ‬ m×n by referring to the said impact. This article does not tackle this issue.

Magnitude of the IT system risk
Once the IT system risk vector is defined and its coordinates determined according to algebra [20], ‫ܯ(‬ m×n , , +, , ۪) when we want to determine total risks for the IT system, S ݅ it is necessary to first set the magnitude ܴ ܵ ݅ ‫ܤ‬ ; ܴ ܵ ݅ ‫ܥ‬ ; ܴ ܵ ݅ ܶ and then the value ܴ ܵ ݅ . The above-mentioned value ranges were determined on the basis of the practical use of the model presented herein. The volume of the IT system risks may be defined as the vector module หܴ ܵ ݅ ሬሬሬሬԦห (Fig. 3):

Fig. 3.
Vector ሬሬሬሬሬሬԦ of IT system risk in the coordinates configuration ; ;

Evaluation of the IT system risk
Evaluation of the IT system risk consists in the comparison of the results of risk analysis, including the adopted criteria to qualify the risk into the right category (acceptable, tolerable, intolerable risk levels, Fig. 4).

Acceptable Risk Level
Tolerable Risk Intorelable Risk Level

Fig. 4. Map of the IT system risk
The main objective is to provide data that constitute grounds for making a decision on further risk management (whether to process the risk or abandon it, and if the decision is to process the risk -determine to what extent). The risk evaluation process is a summary of the present activities (identification and analysis) and indication which risk or group of risks should be processed further and which may be handled using current control measures.
The risk evaluation has also significant impact on the decision making process. The results of the risk analysis help to decide which risks and to what extent make it necessary for the office to implement a special algorithm for processing such risks and to determine priorities of their processing. The determined risk levels should be then compared with their criteria, including the context agreed at the beginning. In this case, the evaluation shall allow to define the manner of processing a certain risk [21][22]. During the risk assessment process, each risk has to be classified and compared with its tolerable and acceptable level. However, prior to that, it is necessary to adopt certain criteria that would help to explicitly identify significant risks, requiring resolute actions. This is a step in defining the risk that needs special attention. The risk records to be made as a result of the risk assessment shall be helpful in streamlining the risk management process, and hence -crisis management.

Summary
The IT system risk model of the office, described in this article, which includes the process of sensitive data processing, is characterized by high complexity due to the mathematical apparatus applied. Therefore, due to the fact that a number of factors affecting the IT system risk level and its processes were taken into consideration, it is almost impossible to determine the risk of the process of sensitive data processing in terms of time and costs or to manage such risk in a traditional manner, without applying any IT solutions or computer techniques.
Due to a variety of different factors and broad spectrum of their impact on the processes of sensitive data processing, the application of the risk analysis should constitute an integral part of the decision-making process as well as the planning of different variants of the operations of every office unit. The knowledge of the risks associated in the sensitive data processing allows to shape such processes so that their security levels are acceptable (Fig. 4). When analyzing the risk sources and categories in the processes of sensitive data processing, their characteristics, IT system architecture and life cycles should be mainly taken into account. Such knowledge, in combination with the statistics concerning the security and architecture of the system for sensitive data processing, seems to be the key to risk mitigation in all its aspects -human, environmental, security-related, qualitative and economic. The considerations outlined herein are of mainly cognitive importance, thus, formal descriptions of certain issues were omitted. The objective of the article was to show the concept which differs from the traditional view on the issues related to risk quantification.