Application of Markov decision process in developing an information security strategy

The relevance of this study is driven by the growing number and complexity of cyberattacks, in particular the need to continually improve organizations' security levels, as well as the ongoing planning and modeling of security strategies in the face of limited resources. This work aims to develop a model for developing an information security strategy for a given organization, taking into account economic indicators. The primary research methods are modeling, comparative analysis, and synthesis. The paper contains the characteristics of the simulated organizations, the formulas and algorithms used in the prototype, as well as numerical indicators of criteria and parameters. The relationships between the model parameters are presented. As a result, the model's performance on the simulated organizations was demonstrated: optimal strategies were obtained for each of them, correlating with generally accepted approaches to developing strategies in real companies. The resulting graphs of the system states are demonstrated. For all organizations, integrated strategies proved to be the most optimal. In the short term, the use of a Markov decision process allows for the successful optimization of management decisions, regardless of the company's maturity level. Allocating a large budget for information security has a significant impact on efficiency only for companies with a low maturity level. The results of the work are of practical value to information security specialists and managers, providing a tool for developing an optimal information security strategy within a given budget.

1. Zavodtsev I.V., Borisov M.A., Bondarenko N.N., Meleshko V.A. Modeling Information Security Threats and Determination of Their Relevance for Information Systems of Informatization Objects of Federal Executive Authorities. Computational Nanotechnology. 2022;9(1):106–114. (In Russ.). https://doi.org/10.33693/2313-223X-2022-9-1-106-114

2. Kozyr N.S. Costs and benefits of business information security. Management (Russia). 2023;11(4):110–118. (In Russ.). https://doi.org/10.26425/2309-3633-2023-11-4-110-118

3. Georgievskiy A.D., Cheremukhina Yu.Yu. System for ensuring information security and implementation of management mechanisms. Competency (Russia). 2025;(10):41–43. (In Russ.). https://doi.org/10.24412/1993-8780-2025-10-41-43

4. Sanakoev R.G., Pleshakov V.V. Mathematical models and optimization methods in the management of organizational systems: theory, methodology, and practice of application in expert activity. Engineering Journal of Don. 2026;(2). (In Russ.). URL: https://www.ivdon.ru/en/magazine/archive/n2y2026/10755

5. Namiot D. On cyberattacks using Artificial Intelligence systems. International Journal of Open Information Technologies. 2024;12(9):132–141. (In Russ.).

6. Vetrov I.A., Podtopelny V.V. Features of using Markov decision-making processes when modeling attacks on artificial intelligence systems. Vestnik of Samara University. Natural Science Series. 2024;30(4):147–160. (In Russ.). https://doi.org/10.18287/2541-7525-2024-30-5-147-160

7. Trapeznikov E.V., Magazev A.A., Kasenov A.A. The Markov model of cyber attacks and its application to the analysis of information security in automated systems. Modeling, Optimization and Information Technology. 2024;12(2). (In Russ.). https://doi.org/10.26102/2310-6018/2024.45.2.011

8. Yemshikov B.M., Ovezberdiev G.D. Markov decision-making processes: Modern approaches and application in intelligent systems. Symbol of Science. 2024;2(12-1):41–42. (In Russ.).

9. Kachaeva G.I., Sultanov N.G. Security threat protection strategies: development of a cybersecurity system. Herald of Dagestan State Technical University. Technical Sciences. 2025;52(2):107–115. (In Russ.). https://doi.org/10.21822/2073-6185-2025-52-2-107-115

10. Plokhuta K.D. Information Safety Risk Management and Compliance. Competency (Russia). 2025;(5):19–25. (In Russ.). https://doi.org/10.24412/1993-8780-2025-5-19-25