Methods and Models for Assessing the Cybersecurity Level of State Infrastructure
https://doi.org/10.52821/2789-4401-2026-1-137-151
Abstract
The article examines the challenges of ensuring the cybersecurity of state infrastructure amid increasing digital risks and the growing sophistication of cyber threats.
Purpose: The study aims to develop an integrated cybersecurity architecture based on international standards — ISO/IEC 27001, NIST SP 800-53, FAIR, CMMI, and MITRE ATT&CK — adapted to the national context of Kazakhstan.
Methodology: The research employs a systemic and comparative analysis of existing cybersecurity assessment models, threat modeling in ICS/SCADA environments, and an examination of relevant regulatory frameworks and guidelines.
Originality/Value: The originality of the study lies in the development of a conceptual cybersecurity architecture that integrates technological, organizational, and analytical components. The proposed model facilitates a shift from fragmented protective measures to a holistic risk management system, thereby enhancing the cyber resilience of state infrastructure.
Findings: The findings demonstrate that integrating international frameworks significantly improves the cybersecurity and resilience of governmental systems and contributes to establishing an effective model for incident monitoring and response.
About the Authors
T. Sh. MirkassimovaKazakhstan
Almaty.
S. A. Adilzhanova
Kazakhstan
Almaty.
References
1. ISO/IEC 27001:2013. Information technology – Security techniques – Information security managementsystems – Requirements. Online Browsing Platform (OBP). URL: https://www.iso.org/obp/ui/#iso:std:isoiec:27001:ed-2:v1:en
2. National Institute of Standards and Technology. NIST Special Publication 800-53: Security and PrivacyControls for Information Systems and Organizations. 2020. URL: https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final
3. Device42 Freshworks Inc. (2025). NIST CSF Categories: Description, Examples, and Best Practices.URL: https://www.device42.com/compliance-standards/nist-csf-categories/
4. CMMI Institute. CMMI® for Development, Version 2.0. 2018. URL: https://cmmiinstitute.com/cmmi/dev
5. FAIR Institute. Factor Analysis of Information Risk (FAIR) Model. Standard Artifact | Version 3.0. 2025. All Rights Reserved.
6. MITRE Corporation. (2024). MITRE ATT&CK® – A Knowledge Base of Adversary Tactics andTechniques Based on Real-World Observations.
7. Palo Alto Networks. What Are the Differences Between OT, ICS, & SCADA Security? Cyberpedia/Network Security/OT and IoT Security. 2025. URL: https://www.paloaltonetworks.com/cyberpedia/ot-vs-icsvs-scada-security
8. Eurobyte Company Blog. (2025). What Do IDS and IPS Mean in Information Security? URL: https://eurobyte.ru/articles/chto-znachit-ids-i-ips-v-informaczionnoj-bezopasnosti/
9. European Commission. Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. 2016.
10. Positive Technologies. (2024). Current Cyber Threats in CIS Countries 2023–2024. Leader in EffectiveCybersecurity. URL: https://ptsecurity.com/ru-ru/research/analytics/aktualnye-kiberugrozy-v-stranah-sng2023-2024/#id1
11. The White House. (2018). National Cyber Strategy of the United States of America.
12. Gordon, L. A., Loeb, M. P., & Zhou, L. (2020). The impact of information security breaches: Has therebeen a downward shift in costs? Journal of Computer Security, 10(3), 211–230.
13. Smith, R. (2021). Critical Infrastructure Protection: A Comprehensive Approach to Cybersecurity. Cybersecurity Journal.
14. Kaspersky Lab. (2014). Stuxnet: The First Victims.
15. Kaspersky Lab. (2021). Dark Chronicles: The Consequences of the Colonial Pipeline Attack.
16. Investopedia. (n.d.). Risk Analysis: Definition, Types, Limitations, and Examples. Retrieved from https://www.investopedia.com/terms/r/risk-analysis.asp
17. SecurityScorecard. (n.d.). Qualitative vs. Quantitative Cybersecurity Risk Assessment: What's theDifference? Retrieved from https://securityscorecard.com/blog/qualitative-vs-quantitative-risk-assessment
18. ISACA. (2021). Risk Assessment and Analysis Methods. ISACA Journal, 2021(2). Retrieved from https://www.isaca.org/resources/isaca-journal/issues/2021/volume-2/risk-assessment-and-analysis-methods
19. Riskaware. (n.d.). How to Measure Cybersecurity Risk: Key Metrics and Best Practices. Retrieved from https://riskaware.io/how-to-measure-cybersecurity-risk/
20. Amirkhanov, B., Amirkhanova, G., Kunelbayev, M., Adilzhanova, S., & Tokhtassyn, M. (2025). Evaluating HTTP, MQTT over TCP and MQTT over WEBSOCKET for digital twin applications: A comparative analysis on latency, stability, and integration. International Journal of Innovative Research and Scientific Studies (IJIRSS), 8(1), 679–694. https://doi.org/10.53894/ijirss.v8i1.4414
21. Adilzhanova, S., Kunelbayev, M., Amirkhanova, G., Zhussupov, Y., & Tortay, A. (2025). Developmentof a data collection and storage system for remote monitoring and detection of security threats in the enterprise. International Journal of Innovative Research and Scientific Studies, 8(2), 176–196. https://doi.org/10.53894/ijirss.v8i2.5136
22. Zeeshan Ali & Miin-Shen Yang. (2024). Improving Risk Assessment Model for Cybersecurity UsingRobust Aggregation Operators for Bipolar Complex Fuzzy Soft Inference Systems. Mathematics (MDPI). https://doi.org/10.3390/math12040582
23. Lakhno, V., Bereke, M., Adilzhanova, S., et al. (2022). Genetic algorithm for solving the problem of scalinga cloud-oriented object of informatization. Journal of Theoretical and Applied Information Technology, 100(6).
24. Mirkassimova, T., Adilzhanova, S., Astaubaeva, G., & Mukhamedzhanova, G. (2025). Methods ofinformation security risk analysis and assessment. KazATK, 138(3). https://vestnik.alt.edu.kz/index.php/journal/article/view/2675
25. Uandykova, M., Mirkasimova, T., Astaubaeva, G., Mukhamedzhanova, G., & Eleukulova, A. (2024). The advantages and necessity of integrating the Jira course into the educational program. KazATK, 133(4), 235–253. https://doi.org/10.52167/1609-1817-2024-133-4-235-253
26. Adilzhanova, S., Igilmanov, A., Tyulepberdinova, G., Salmanova, A., & Amirkhanova, G. (2024). Theuse of log analysis to identify DoS attacks and determine user behavior during the development of a digital twin of a food industry enterprise. KazATK, 136(1), 96–107. https://doi.org/10.52167/1609-1817-2025-1361-96-107
27. Uandykova, M. K., Astaubayeva, G. N., Mukhamejanova, G. S., & Mirkassimova, T. S. (2025). Innovative methods for developing decision support systems (DSS) in economic development management. Bulletin of “Turan” University, (1), 55–70. (In Kazakh). https://doi.org/10.46914/1562-2959-2025-1-1-55-70
28. Uandykova, M., Baitenova, L., Mukhamejanova, G., Yeleukulova, A., & Mirkassimova, T. (2024). Java coding using artificial intelligence. Frontiers in Computer Science, 6, 1473870. https://doi.org/10.3389/fcomp.2024.1473870
29. Uandykova, M., Baitenova, L., Astaubaeva, G., Mirkassimova, T., & Mukhamedzhanova, G. (2024). Model of Innovation-Based Economy Within the New Paradigm During the Relevant Economic Transformation. In Modeling and Simulation of Social-Behavioral Phenomena in Creative Societies (MSBC 2024), Communications in Computer and Information Science, vol. 2211. Springer, Cham. https://doi.org/10.1007/978-3-031-72260-8_12
Review
For citations:
Mirkassimova T.Sh., Adilzhanova S.A. Methods and Models for Assessing the Cybersecurity Level of State Infrastructure. Central Asian Economic Review. 2026;1(1):137-151. (In Kazakh) https://doi.org/10.52821/2789-4401-2026-1-137-151
JATS XML














