
arxiv: 1906.10877 · v1 · pith:NZZKQYCCnew · submitted 2019-06-26 · 💻 cs.CR · cs.PF

Security Rating Metrics for Distributed Wireless Systems

Pith reviewed 2026-05-25 16:04 UTC · model grok-4.3

classification 💻 cs.CR cs.PF
keywords security assessment · wireless systems · risk analysis · attack models · normalized metrics · expert evaluation · information security · concordance coefficient

The pith

A normalized security assessment method using at least three characteristics enables direct comparison of heterogeneous distributed wireless systems.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper develops a quantitative way to rate security in wireless distribution systems by combining attack and breach models with five existing assessment methods. It introduces a normalized approach that works across multiple characteristics so that unlike systems can be ranked on the same scale. Improved formulas are given for two of the methods, functional-cost analysis is folded in to score protection, and a concordance coefficient checks consistency among expert judgments. The result is meant to support a unified countermeasure strategy for commercial and critical-infrastructure networks.

Core claim

The proposed normalized method for assessing the degree of security assurance operates with at least three characteristics, which allows one to comparatively analyze heterogeneous information systems. The improved calculating formulas have been proposed for two security assessment methods, and the elements of functional-cost analysis have been applied to calculate the degree of security. To check the results of the analysis, the coefficient of concordance was calculated, which gives an opportunity to determine the quality of expert assessment. The simultaneous use of several models to describe attacks and the effectiveness of countering them allows us to create a comprehensive approach to countering modern security threats to information networks at the commercial enterprises and critical infrastructure facilities.

What carries the argument

The normalized method for assessing the degree of security assurance that incorporates at least three characteristics together with concordance checking of expert input.

If this is right

  • Heterogeneous wireless systems can be ranked on a common security scale.
  • Existing assessment methods receive improved calculation formulas that incorporate cost elements.
  • Multiple attack models can be used simultaneously to build a broader defense strategy.
  • Expert agreement can be quantified to gauge the reliability of the resulting security ratings.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The approach could be extended to include automated data feeds from network monitoring tools.
  • It may help regulators create baseline security thresholds for critical infrastructure.
  • Further work would be needed to test whether the three-characteristic minimum holds across additional system types.

Load-bearing premise

That the five security assessment methods and the new normalized approach can be combined and applied to real distributed wireless systems without requiring additional validation data or empirical testing details.

What would settle it

Applying the normalized method to two concrete wireless systems and obtaining either inconsistent rankings or a low concordance coefficient among experts would falsify the claim that the method enables reliable comparative analysis.

Original abstract

The paper examines quantitative assessment of wireless distribution system security, as well as an assessment of risks from attacks and security violations. Furthermore, it describes typical security breach and formal attack models and five methods for assessing security. The proposed normalized method for assessing the degree of security assurance operates with at least three characteristics, which allows one to comparatively analyze heterogeneous information systems. The improved calculating formulas have been proposed for two security assessment methods, and the elements of functional-cost analysis have been applied to calculate the degree of security. To check the results of the analysis, the coefficient of concordance was calculated, which gives an opportunity to determine the quality of expert assessment. The simultaneous use of several models to describe attacks and the effectiveness of countering them allows us to create a comprehensive approach to countering modern security threats to information networks at the commercial enterprises and critical infrastructure facilities.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 0 minor

Summary. The paper examines quantitative assessment of wireless distribution system security and risks from attacks and violations. It describes typical breach and formal attack models along with five security assessment methods. The central contribution is a proposed normalized method for assessing the degree of security assurance that operates with at least three characteristics, enabling comparative analysis of heterogeneous information systems. Improved calculating formulas are proposed for two of the assessment methods; elements of functional-cost analysis are applied to calculate the degree of security; and the coefficient of concordance is used to evaluate the quality of expert assessments. The approach advocates simultaneous use of multiple models to create a comprehensive countermeasure framework for commercial enterprises and critical infrastructure.

Significance. If the normalized method and improved formulas are rigorously derived and shown to be consistent, the work could offer a practical synthesis for comparing security levels across heterogeneous wireless systems, which remains a challenge in distributed environments. The inclusion of concordance checks for expert input and functional-cost elements provides a modest step toward reproducibility in qualitative assessments. However, the absence of explicit derivations or empirical validation limits the immediate impact on the field of security metrics.

major comments (2)
  1. [Abstract] The claim that 'improved calculating formulas have been proposed for two security assessment methods' is central to the contribution, yet the manuscript supplies neither the original formulas, the revised versions, nor any derivation or justification for the changes. Without these, the improvement cannot be evaluated and the normalized method's claimed advantages remain unverified.
  2. [Abstract] The normalized method is asserted to 'operate with at least three characteristics' and to enable comparative analysis of heterogeneous systems, but no explicit definition of the characteristics, the normalization procedure, or any worked example is provided. This absence directly undermines the load-bearing claim that the method supports comparative analysis without additional validation data.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback on our manuscript. We address each major comment below and indicate the revisions that will be incorporated in the next version.

  1. Referee: [Abstract] The claim that 'improved calculating formulas have been proposed for two security assessment methods' is central to the contribution, yet the manuscript supplies neither the original formulas, the revised versions, nor any derivation or justification for the changes. Without these, the improvement cannot be evaluated and the normalized method's claimed advantages remain unverified.

    Authors: The referee correctly notes that the abstract does not display the original formulas, the revised versions, or their derivations. The body of the manuscript describes the five assessment methods and indicates improvements to two of them, but explicit side-by-side comparisons and step-by-step derivations are not presented. We will revise the manuscript to include the original formulas, the proposed improvements, and the justification for the changes in a dedicated subsection, with a brief reference added to the abstract. revision: yes

  2. Referee: [Abstract] The normalized method is asserted to 'operate with at least three characteristics' and to enable comparative analysis of heterogeneous systems, but no explicit definition of the characteristics, the normalization procedure, or any worked example is provided. This absence directly undermines the load-bearing claim that the method supports comparative analysis without additional validation data.

    Authors: We agree that the abstract provides only a high-level statement without defining the characteristics, detailing the normalization steps, or supplying a worked example. The full text introduces the method and states that it operates with at least three characteristics, yet a concrete illustration of the procedure and its use for cross-system comparison is missing. In the revision we will add an explicit definition of the characteristics, the normalization procedure, and a worked numerical example demonstrating comparative analysis of heterogeneous wireless systems. revision: yes

Circularity Check

0 steps flagged

No significant circularity identified


The paper proposes a normalized security assessment method operating on at least three characteristics, improved formulas for two of five existing methods, and functional-cost analysis, with validation via expert concordance coefficient. No equations, derivations, or self-referential definitions appear in the provided abstract or described approach. The central claim is presented as a synthesis of models and expert checks rather than a mathematical chain that reduces to its own inputs by construction. No self-citations or uniqueness theorems are invoked as load-bearing elements. The derivation is therefore self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

No free parameters, axioms, or invented entities are identifiable from the abstract alone; full manuscript text would be required to audit these elements.

