
Algorithm for Conducting Information Security Audit in Organizations Based on a Multilevel Model Based on Graph Theory
Kholimtayeva Ikbol¹, Shamshieva Barno Makhmudjanovna², Muminova Sunbula Shakhzodovna³

¹ Kholimtayeva Ikbol Ubaydullayevna, Senior Lecturer, Department of Information Security, Tashkent University of Information Technologies named after Muhammad al-Khwarizmi, Tashkent, Uzbekistan.

² Shamshieva Barno Makhmudjanovna, Senior Lecturer, Department of Information Security, Tashkent University of Information Technologies named after Muhammad al-Khwarizmi, Tashkent, Uzbekistan.

³ Muminova Sunbula Shakhzodovna, Senior Lecturer, Department of Information Security, Tashkent University of Information Technologies named after Muhammad al-Khwarizmi, Tashkent, Uzbekistan.

Manuscript Received on 25 July 2025 | First Revised Manuscript Received on 04 August 2025 | Second Revised Manuscript Received on 10 August 2025 | Manuscript Accepted on 15 September 2025 | Manuscript published on 30 September 2025 | PP: 1-10 | Volume-15 Issue-4, September 2025 | Retrieval Number: 100.1/ijsce.D368415040925 | DOI: 10.35940/ijsce.D3684.15040925

© The Authors. Blue Eyes Intelligence Engineering and Sciences Publication (BEIESP). This is an open access article under the CC-BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/)

Abstract: This paper presents a multi-level topological model for auditing information security of critical information infrastructure (CII) objects, developed using graph theory. The model accounts for resource costs, technical impacts (ITE), vulnerability levels, potential damage, and object elements. The proposed framework enables the identification of optimal testing scenarios based on an “efficiency/cost” criterion, supporting the formation of comprehensive test sets for thorough audit coverage. An algorithm was developed to implement the model, which includes graph construction across hierarchical layers and application of Dijkstra’s shortest path algorithm to determine the most cost-effective information-technical effects. Additionally, a software tool was created using C# to visualize the graph, manage input data, and dynamically calculate optimal audit paths and damage estimates. A comparative analysis highlights the strengths and limitations of the graph-based model in comparison to traditional audit methods, including compliance audits, risk assessments, penetration tests, and automated monitoring. The graph-based approach stands out for its flexibility, scientific foundation, and ability to prioritise critical vulnerabilities and efficiently audit resources in constrained environments.

Keywords: Graph Theory, Critical Information Infrastructure, Audit, IT Impacts, Penetration Testing, Damage, Vulnerabilities, Resource, IT Counter Test, Audit Resource Volume, Resource Level, Vulnerability Level.
Scope of the Article: Network Security
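
The approach summarised in the abstract (a layered graph searched with Dijkstra's algorithm, with test scenarios ranked by an efficiency/cost criterion) can be sketched as follows. This is an added illustration, not the authors' C# tool or their published algorithm; the layer names, edge costs, damage values, the use of damage/cost as the efficiency measure, and the greedy budget step are all assumptions made for this example.

```python
import heapq

# Constructed sample data (not from the paper). Assumed layers:
# audit resource -> ITE (test action) -> vulnerability -> object element.
# Each edge weight is a hypothetical resource cost of taking that step.
EDGES = {
    "resource": {"ite_scan": 2, "ite_phish": 5, "ite_fuzz": 4},
    "ite_scan": {"vuln_open_port": 1, "vuln_weak_tls": 3},
    "ite_phish": {"vuln_weak_creds": 2},
    "ite_fuzz": {"vuln_weak_tls": 2, "vuln_parser_bug": 6},
    "vuln_open_port": {"elem_gateway": 2},
    "vuln_weak_tls": {"elem_gateway": 4, "elem_hmi": 2},
    "vuln_weak_creds": {"elem_hmi": 1, "elem_historian": 2},
    "vuln_parser_bug": {"elem_historian": 1},
}
# Constructed damage estimate per object element if the test succeeds.
DAMAGE = {"elem_gateway": 30, "elem_hmi": 90, "elem_historian": 50}

def dijkstra(edges, source):
    """Return (cheapest cost to each reachable node, predecessor map)."""
    dist, prev, heap = {source: 0}, {}, [(0, source)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue  # stale queue entry
        for nxt, w in edges.get(node, {}).items():
            if d + w < dist.get(nxt, float("inf")):
                dist[nxt], prev[nxt] = d + w, node
                heapq.heappush(heap, (d + w, nxt))
    return dist, prev

def rank_tests(edges, damage, source="resource", budget=None):
    """Rank cheapest test paths by damage/cost; optionally fit a budget."""
    dist, prev = dijkstra(edges, source)
    plans = []
    for elem, dmg in damage.items():
        if dist.get(elem, 0) <= 0:
            continue  # unreachable element (or the source itself)
        path = [elem]
        while path[-1] in prev:
            path.append(prev[path[-1]])
        plans.append({"element": elem, "cost": dist[elem],
                      "ratio": dmg / dist[elem], "path": path[::-1]})
    plans.sort(key=lambda p: p["ratio"], reverse=True)
    if budget is None:
        return plans
    chosen = []
    for p in plans:  # greedy fill; each path is costed independently
        if p["cost"] <= budget:
            chosen.append(p)
            budget -= p["cost"]
    return chosen
```

Calling `rank_tests(EDGES, DAMAGE, budget=12)` returns the test paths that fit the audit budget in priority order; steps shared between paths are counted once per path, so the total is a conservative upper bound on cost.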