ERP-SYSTEM RISK ASSESSMENT METHODS AND MODELS

Context. Assessing information security risks is a process conducted under considerable uncertainty, and the fuzziness of the input data is a major factor in the effectiveness of the assessment; it is therefore advisable to use fuzzy methods and models that are adapted to data which cannot be computed exactly. The formation of fuzzy assessments of risk factors is subjective, and the assessment depends on the practical results obtained while handling the threats that have already materialized during the operation of the organization and on the experience of information security professionals. Objective. The object of the study is neuro-fuzzy models, which combine the methods of fuzzy logic with artificial neural networks, that is, the human-like reasoning style of fuzzy systems with the learning ability and the simulation of mental phenomena of neural networks. Method. The paper analyzes current areas of research in information protection for information systems, methods and technologies of information security risk assessment, the use of fuzzy models for information security risk assessment problems, and the concept and construction of ERP systems together with the problems of their security and vulnerability. Results. Factors influencing the risk assessment are identified; linguistic variables are proposed to describe them, fuzzy variables to assess their qualities, and a system of qualitative assessments. The choice of parameters for the structure of a fuzzy production model of risk assessment and for the rule base of the fuzzy inference is justified. Conclusions. A fuzzy risk assessment model for ERP systems is considered. A list of factors affecting information security risk is selected.
Methods of assessing the risks of individual information resources and of the ERP system as a whole, of assessing the financial losses from the implementation of threats, and of determining the type of a risk from its assessment, in order to form recommendations for risk treatment that maintain the protection level of the ERP system, are considered. A list of linguistic variables of the model is given. The MISO structure is selected for the base of fuzzy production rules. The fuzzy variables of the model are considered.

E is the domain of definition of the variable (the whole range of its values); G is a syntactic procedure that generates the names (terms) of a fuzzy variable and allows operating on the elements of the term set T(X), in particular generating new terms; M is a semantic rule that assigns to each fuzzy variable X its meaning μ(x).
R is the set of real numbers; μ is the membership function.

INTRODUCTION
Risk implies a combination of the probability of damage caused by overcoming the protection system through its vulnerabilities and the severity of that damage. Risks are minimized by developing a "security policy" (a scheme of behaviour) and managing it. Thus the concept of "information security risk" is based on an analysis of the "causes of information security breaches" and the "consequences of information security breaches".
In the simplest case risk is assessed by two factors: the probability of an adverse event and the severity of its possible consequences.
The object of research in this paper is the information security of ERP systems.
The subject of research is models and methods for assessing information security risks.
The purpose of this work is to improve the quality of information security risk assessment for ERP systems by means of fuzzy neural models.

PROBLEM STATEMENT
As part of the business risk of an enterprise, the information security risk is defined as the product of the (financial) loss from a breach of confidentiality, integrity, authenticity or availability of an information resource (the severity of consequences) and the likelihood of such a breach (the probability of the event), which depends on the vulnerabilities that can be exploited. The level of system risk is calculated as the sum of the risks over all assets and all threats, taking into account the vulnerabilities and the effect of the countermeasures taken; that effect is measured as the difference between the planned cost of the countermeasures and the total loss estimate at the determined level of system risk.
Security risk assessment is an important element of the overall security risk management process, which ensures that the organization's risk position remains within the limits acceptable to senior management and consists of four main steps: security risk assessment, testing and oversight, risk mitigation, and operational security.
Risk managers and decision makers use risk assessments to determine which risks to reduce through controls and which to accept or transfer.
The assessment of information security risks is the process of identifying vulnerabilities, threats, the probability of their occurrence, the level of risk and the consequences for organizational assets, as well as the controls that can mitigate these threats and their consequences. It allows one to: 1) assess the probability of the possible threats and vulnerabilities; 2) calculate the impact a threat may have on each asset; 3) determine the quantitative (measurable) or qualitative (descriptive) cost of the risk.
Risk assessment includes seven steps: identification of the assets to be protected; threat identification; vulnerability identification; control analysis; likelihood determination; impact analysis; risk determination.
A complete risk assessment process should also include two more steps: control recommendations and documentation of the results.
Based on the results of the risk assessment, a decision is made on the choice of means of influencing the risk in order to minimize the damage from the implementation of threats in the future. The following methods of risk treatment are used.
Risk reduction: reducing the possible damage or the probability of adverse events. This can be achieved by eliminating the risk, reducing the likelihood of the risk, or reducing the possible losses.
Risk retention (acceptance): either no action is taken to compensate for the loss (no financing), or the loss is compensated from the organization's own sources (risk fund, self-insurance fund) or with the involvement of external sources (subsidies, loans, etc.). This most commonly applies to threats with low damage and low probability of occurrence.
Risk transfer: transferring responsibility for the risk to third parties (most often for a fee) while maintaining the existing level of risk.

REVIEW OF THE LITERATURE
There are two main approaches to risk assessment: qualitative and quantitative. A third approach, called mixed or hybrid, combines elements of both.
Quantitative information security risk assessment uses mathematical formulas to determine the exposure factor (EF) and the single loss expectancy (SLE) for each threat, as well as the probability of the threat being realized, expressed as the annualized rate of occurrence (ARO). These figures are used to estimate the amount of resources (money) that will be lost annually to the vulnerabilities exploited, called the annualized loss expectancy (ALE). Using the resulting figures, the organization can plan to control the risk if a countermeasure is available and cost-effective. These numbers allow a cost-benefit analysis of each countermeasure against each threat to an asset. Countermeasures that reduce the annualized loss by more than their annual cost should be applied if there are sufficient resources to deploy them.
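The quantitative procedure just described (SLE = AV × EF, ALE = SLE × ARO, the cost-benefit test for each countermeasure, and the system-level risk as the sum over asset/threat pairs) as an added worked example in Python. It is not code from the original paper: the ransomware threat, its asset value, EF and ARO, and the three candidate countermeasures are constructed inputs, and the way a countermeasure acts (scaling EF, ARO or both by a fixed fraction) is an assumption of the example.

```python
"""Quantitative risk assessment: SLE, ARO, ALE and countermeasure cost-benefit.

Added worked example, not code from the original paper. All monetary values,
exposure factors, rates and countermeasure effects are constructed inputs.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # AV: value of the affected asset (money)
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0..1
    aro: float              # ARO: annualized rate of occurrence (incidents per year)

    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence, SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE * ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    aro_reduction: float = 0.0  # assumed model: scales ARO by (1 - aro_reduction)
    ef_reduction: float = 0.0   # assumed model: scales EF by (1 - ef_reduction)


def residual_ale(threat: Threat, cm: Countermeasure) -> float:
    """ALE that remains after the countermeasure is applied."""
    residual = Threat(threat.name,
                      threat.asset_value,
                      threat.exposure_factor * (1.0 - cm.ef_reduction),
                      threat.aro * (1.0 - cm.aro_reduction))
    return residual.ale()


def net_benefit(threat: Threat, cm: Countermeasure) -> float:
    """Annual saving minus annual cost; positive means the control pays for itself."""
    return (threat.ale() - residual_ale(threat, cm)) - cm.annual_cost


def select_countermeasures(threat: Threat, candidates: List[Countermeasure]) -> List[str]:
    """Names of controls whose ALE reduction exceeds their annual cost, best first."""
    worthwhile = [cm for cm in candidates if net_benefit(threat, cm) > 0.0]
    worthwhile.sort(key=lambda cm: net_benefit(threat, cm), reverse=True)
    return [cm.name for cm in worthwhile]


def system_risk(threats: List[Threat]) -> float:
    """System-level risk as the sum of ALE over all asset/threat pairs."""
    return sum(t.ale() for t in threats)


# Constructed sample input
RANSOMWARE = Threat("ransomware on the ERP database server",
                    asset_value=500_000.0, exposure_factor=0.4, aro=0.5)
CANDIDATES = [
    Countermeasure("tested offline backups", annual_cost=15_000.0, ef_reduction=0.75),
    Countermeasure("patch management SLA", annual_cost=40_000.0, aro_reduction=0.6),
    Countermeasure("24x7 outsourced monitoring", annual_cost=90_000.0, aro_reduction=0.5),
]

if __name__ == "__main__":
    print(f"SLE = {RANSOMWARE.sle():,.0f}, ALE = {RANSOMWARE.ale():,.0f}")
    for cm in CANDIDATES:
        print(f"{cm.name:30s} residual ALE {residual_ale(RANSOMWARE, cm):>9,.0f} "
              f"net benefit {net_benefit(RANSOMWARE, cm):>+9,.0f}")
    print("apply:", select_countermeasures(RANSOMWARE, CANDIDATES))
```

With these inputs the backups (net benefit 60 000) and the patching SLA (20 000) pass the test, while the monitoring service (residual ALE 50 000 against a cost of 90 000) is rejected; a real assessment would run the same comparison for every asset/threat pair and, since controls overlap, re-evaluate the residual ALE after each selected control rather than treating them independently as this example does.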
The advantages of this approach are the ability to quantify the consequences of incidents, to analyze costs and benefits when choosing countermeasures, and to obtain a more precise definition of risk.
Its disadvantages are the dependence of the quantitative indicators on the amount of data and on the accuracy of the measurement scale, the imprecision of the results, the need to supplement them with a qualitative description, and the high cost of the analysis, which requires more experience and modern tools.
Qualitative information security risk assessment uses experience, judgment and intuition rather than mathematical formulas. It may use surveys or questionnaires, interviews and group sessions to determine the level of threat and the annual loss expectancy. This type of assessment is very useful when it is too difficult to assign values to a particular risk. Qualitative assessments tend to be well received because they involve many people at different levels of the organization and do not require much mathematical computation, but their results tend to be less accurate than those of quantitative assessment.
The disadvantages of the approach are the inability to express the probability and the results in numerical measures and the approximate, generalized nature of the results.
A mixed approach to information security risk assessment is also possible. It combines elements of both quantitative and qualitative assessment.
This approach aims at greater credibility by presenting hard facts, but it also engages people inside the organization to obtain an individual understanding. Its disadvantage is that it may take longer to carry out. However, a mixed approach can produce better data than either of the two methods separately.
Information risk assessment is carried out using various techniques, documents or software tools. A methodology for assessing information security risks is understood as a systematized sequence of actions (step-by-step instructions) that need to be performed, together with a tool (software product) for assessing the risks at the enterprise.
Based on differences in the approach to risk analysis, in the way risk elements are examined, in functionality and in other characteristics, assessment methods are classified as follows: 1. Graphical methods, which visualize the objects of analysis and the processes of interaction between them; graphs, trees or diagrams are built that display information about the studied objects in different ways. In most cases these methods only allow the risk elements and the ways they interact to be identified.
2. Mathematical methods, which define the properties of objects and their interaction with the help of some formal language describing the laws of their functioning, the changes of their properties, etc. These methods allow not only identifying the elements but also analyzing their behaviour, the change of their properties and their influence on other elements.
3. Linguistic methods, which involve no tools or programs and require only a team of people responsible for the risk analysis. All stages of the assessment, as far as possible, rely only on verbal communication within the group, during which the risk elements are identified, assumptions about their behaviour are made and an approximate assessment of likelihoods and losses is carried out. This class of methods is the most popular and the easiest to use, but it does not always lead to an adequate assessment of the situation.
In recent years methods of risk analysis and assessment based on elements of fuzzy logic have been developing intensively. Such methods make it possible to replace crude tabular risk assessment methods with a mathematical method and to significantly expand the possibilities of mathematical risk analysis [6][7][8].
The risk assessment mechanism based on fuzzy logic is essentially an expert system. The knowledge base of such a system consists of rules reflecting the logical relationship between the input values of the risk factors and the risk level. In the simplest case this logic is described by a table, which reflects the real relationships between factors and consequences quite accurately. These relationships are formalized as production rules of the "if-then" type. In addition, the fuzzy logic mechanism provides for forming levels of factor ratings and representing them as fuzzy variables. Forming such assessments is generally quite complex, because it requires many sources of information, consideration of their quality and the use of expert experience.
To determine the risk level it is advisable to use the theory of fuzzy sets, which allows fuzzy concepts and knowledge to be described and operated on and fuzzy conclusions to be drawn. Fuzzy models are used for problems whose inputs are unreliable and poorly formalized, as is the case for the problem solved in this work. To assess the risk it is appropriate to use fuzzy inference: obtaining a conclusion in the form of a fuzzy set corresponding to the current values of the input variables, using a fuzzy knowledge base and fuzzy operations.
Fuzzy inference models of Mamdani, Sugeno, Larsen and Tsukamoto have been developed [9]. The Mamdani and Sugeno algorithms are the most commonly used in practice. The main difference between them is how the value of the output variable is specified in the rules of the knowledge base: in Mamdani-type systems the rule consequents are fuzzy sets, in Sugeno-type systems they are linear combinations of the input variables. For tasks in which identification (accuracy of approximation) matters more, the Sugeno algorithm is advisable; for tasks in which the explanation and justification of the decision matter more, the Mamdani algorithm has the advantage.

MATERIALS AND METHODS
A fuzzy set is a set of arbitrary elements about which it cannot be stated precisely whether they possess some distinguishing property; it is used to represent fuzzy values.
Therefore the fuzzy set A is defined as the set of ordered pairs A = {(x, μ_A(x)) | x ∈ X}, consisting of the elements x of the universal set X and the corresponding degrees of membership μ_A(x), where μ_A: X → M is the membership function (or simply membership), which takes values in the ordered set M = [0; 1] and indicates the degree (level) to which the element x belongs to the subset A.
The degree of membership μ_A(x) is a subjective measure of how much the element x ∈ X corresponds to the concept whose meaning is formalized by the fuzzy set A [10].
Classical logic cannot work with fuzzy concepts, because every statement in a formal logical system can take only one of two mutually exclusive values: "true", with truth value "1", and "false", with truth value "0".
One of the attempts to go beyond two-valued logic in order to describe uncertainty was the three-valued logic of Lukasiewicz [11], with a third state "possible" having truth value "0.5". By introducing fuzzy sets, Zadeh [12] proposed generalizing classical binary logic to an infinite number of truth values.
In the proposed version of fuzzy logic the truth values of statements are generalized to the interval [0; 1], which includes as special cases both classical binary logic and the three-valued logic of Lukasiewicz. This approach makes it possible to consider statements with different degrees of truth ("perhaps true", "perhaps false", etc.) and to reason under uncertainty. The greater the confidence in the truth of a statement, the closer its degree of truth is to "1"; in the limiting cases it is "0", when the statement is certainly false, and "1", when it is certainly true. The fuzzy mapping T: Ω → [0, 1] acts on the set of fuzzy statements Ω = {A, B, C, ...}; the value T(A) ∈ [0, 1] is the estimate of the truth of the statement A [10].
Like ordinary logic, fuzzy logic uses operations to construct compound statements. With Zadeh's standard definitions they are:
1. Logical negation, "not A", "it is false that A", with truth value T(not A) = 1 − T(A).
2. Logical conjunction, "A and B", with truth value T(A and B) = min(T(A), T(B)).
3. Logical disjunction, "A or B", with truth value T(A or B) = max(T(A), T(B)).
4. Fuzzy implication, "from A follows B", "if A, then B", whose truth value is given by the chosen implication operator; in Mamdani-type inference it is taken as min(T(A), T(B)).
In describing objects and phenomena by means of fuzzy sets, the concepts of fuzzy and linguistic variables [10, 13, 14] are used.
A fuzzy variable is characterized by the triple ⟨α, X, A⟩, where α is the name of the variable, X is its universal set (domain of definition) and A is the fuzzy set on X describing the restrictions on the possible values of the fuzzy variable α. A linguistic variable is a subjective assessment by a person, expressed in natural language, of a specific value of a numerical variable.
A linguistic variable is the tuple ⟨X, T(X), E, G, M⟩, where X is the name of the variable, T(X) is its term set (the names of the fuzzy variables that are its linguistic values), E is its domain of definition, G is the syntactic rule generating the terms and M is the semantic rule assigning to each term its meaning as a fuzzy set on E. For example, an expert characterizes the thickness of a manufactured product with the concepts "low thickness", "average thickness" and "high thickness", the minimum thickness being 10 mm and the maximum 80 mm.

EXPERIMENTS
The term set and the extended term set of this example can be characterized by the membership functions shown in Fig. 1-2.
Fuzzy numbers are fuzzy variables defined on the numerical axis: a fuzzy number A is a fuzzy set on the set of real numbers R with membership function μ_A: R → [0; 1], where x ∈ R is a real number.
Fuzzy inference is the process of obtaining fuzzy conclusions about the controlled object on the basis of fuzzy conditions or premises that carry information about the current state of the object.
The basis of fuzzy inference is the fuzzy system, which consists of linguistic rules. Let x and y be the input and output linguistic variables, and A and B fuzzy sets (membership functions) taken from the term sets of x and y respectively.
The linguistic rule of fuzzy inference of the "if-then" type has the form R = "if x ∈ A, then y ∈ B", where "x ∈ A" is a fuzzy statement called the antecedent (premise) of the rule and "y ∈ B" is its consequent (conclusion); the truth of a compound antecedent is computed with a t-norm (the min operation or the operation of algebraic product). For an example of fuzzification, see Fig. 3 [16].
The structure of a fuzzy inference system includes the following blocks.
1. Fuzzification block. It converts the crisp values of the input variables into degrees of membership of the terms of the corresponding linguistic variables.
2. Rule base of the fuzzy inference system. It is intended for the formal representation of the empirical knowledge of experts in a particular subject area in the form of fuzzy production rules. Thus the base of fuzzy production rules is a system of rules reflecting expert knowledge about the ways of managing the object in different situations, the nature of its functioning under different conditions, etc., i.e. it contains formalized human knowledge.
Depending on the number of fuzzy statements in the premises and conclusions of the fuzzy production model, the rule base can have one of the following structures [17]: SISO (single input, single output); MISO (multiple input, single output); MIMO (multiple input, multiple output).
3. Database. It contains the definitions of the membership functions of the fuzzy sets used in the fuzzy rules.
4. Decision-making unit (fuzzy inference block). It performs the inference operations on the basis of the existing rules: aggregation of conditions, the procedure for determining the degree of truth of the antecedents of the rules of the fuzzy inference system; activation of conclusions, the procedure for determining the degree of truth of the consequents of the production rules; accumulation, the procedure for finding the membership function of each output linguistic variable defined by the set of rules [9].
5. Defuzzification block. Defuzzification in fuzzy inference systems is the transition from the membership function of an output linguistic variable to its crisp (numerical) value. Its purpose is to obtain, from the result of accumulating all output linguistic variables, a quantitative value of each output variable for use by means external to the fuzzy inference system [10].
Neuro-fuzzy networks introduce fuzzy values into various components of traditional neural networks, relying on the theory of fuzzy sets and fuzzy logic. Different types of intelligent systems have their own characteristics, for example regarding the possibilities of learning, generalization and obtaining results, which makes them well suited to some classes of problems and less suited to others.
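The fuzzy inference pipeline described in the blocks above (fuzzification, a MISO rule base, aggregation of conditions with the min t-norm, activation, accumulation with max, and centroid defuzzification), together with the linguistic variable definition and the thickness example from the Materials and Methods section, as an added worked example in Python for the two-factor risk model (probability and severity of consequences). This is not code from the original paper: the universes, the trapezoidal term shapes, the nine rules and the thickness term shapes are assumptions made for illustration, since the paper's own membership functions (Fig. 1-3) and rule base are not reproduced on the page.

```python
"""Mamdani-type fuzzy inference for the two-factor risk model (probability x severity).

Added worked example, not code from the original paper. The universes, the
trapezoidal term shapes and the 9-rule MISO rule base are assumptions made for
illustration; the paper's own membership functions (Fig. 1-3) and rule base are
not reproduced here.
"""
from typing import Callable, Dict, Tuple

MembershipFn = Callable[[float], float]


def trap(a: float, b: float, c: float, d: float) -> MembershipFn:
    """Trapezoidal membership function with plateau [b, c]; a == b or c == d gives a shoulder term."""
    def mu(x: float) -> float:
        if b <= x <= c:
            return 1.0
        if a < x < b:
            return (x - a) / (b - a)
        if c < x < d:
            return (d - x) / (d - c)
        return 0.0
    return mu


class LinguisticVariable:
    """Name, universe E = [lo, hi], term set T(X) and semantic rule M (term -> membership function)."""

    def __init__(self, name: str, lo: float, hi: float, terms: Dict[str, MembershipFn]):
        self.name, self.lo, self.hi, self.terms = name, lo, hi, terms

    def fuzzify(self, x: float) -> Dict[str, float]:
        """Fuzzification block: degree of membership of a crisp value in every term."""
        return {term: mu(x) for term, mu in self.terms.items()}


# The thickness example from the text (10..80 mm); the term shapes are assumed.
THICKNESS = LinguisticVariable("thickness_mm", 10.0, 80.0, {
    "low": trap(10, 10, 20, 45), "average": trap(20, 45, 45, 70), "high": trap(45, 70, 80, 80)})

# Risk model inputs and output (constructed universes and terms)
PROBABILITY = LinguisticVariable("probability", 0.0, 1.0, {
    "low": trap(0.0, 0.0, 0.2, 0.4), "medium": trap(0.2, 0.4, 0.6, 0.8), "high": trap(0.6, 0.8, 1.0, 1.0)})
SEVERITY = LinguisticVariable("severity", 0.0, 10.0, {
    "low": trap(0, 0, 2, 4), "medium": trap(2, 4, 6, 8), "high": trap(6, 8, 10, 10)})
RISK = LinguisticVariable("risk", 0.0, 100.0, {
    "low": trap(0, 0, 20, 40), "medium": trap(20, 40, 60, 80), "high": trap(60, 80, 100, 100)})

# MISO rule base: IF probability is P AND severity is S THEN risk is R
RULES: Dict[Tuple[str, str], str] = {
    ("low", "low"): "low",       ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",    ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",   ("high", "medium"): "high",     ("high", "high"): "high",
}


def rule_strengths(p: float, s: float) -> Dict[Tuple[str, str], float]:
    """Aggregation of conditions: truth of each antecedent with the min t-norm (rules at 0 are dropped)."""
    mp, ms = PROBABILITY.fuzzify(p), SEVERITY.fuzzify(s)
    strengths = {(pt, st): min(mp[pt], ms[st]) for (pt, st) in RULES}
    return {k: w for k, w in strengths.items() if w > 0.0}


def infer_risk(p: float, s: float, steps: int = 100) -> Tuple[float, str]:
    """Activation (min-clip of each consequent), accumulation (max) and centroid defuzzification.
    Returns the crisp risk score and the output term it belongs to most strongly."""
    strengths = rule_strengths(p, s)
    if not strengths:
        raise ValueError("no rule fired: the rule base does not cover this input")

    def accumulated(r: float) -> float:
        return max(min(w, RISK.terms[RULES[k]](r)) for k, w in strengths.items())

    grid = [RISK.lo + (RISK.hi - RISK.lo) * i / steps for i in range(steps + 1)]
    weights = [accumulated(r) for r in grid]
    crisp = sum(r * w for r, w in zip(grid, weights)) / sum(weights)
    label = max(RISK.fuzzify(crisp).items(), key=lambda kv: kv[1])[0]
    return crisp, label


if __name__ == "__main__":
    for p, s in [(0.1, 1.0), (0.5, 5.0), (0.7, 3.0), (0.9, 9.0)]:
        score, term = infer_risk(p, s)
        print(f"P={p:.2f} S={s:.1f} -> risk {score:5.1f} ({term})")
```

The input (0.7, 3.0) is the instructive case: both inputs sit on the boundary between two terms, four rules fire at strength 0.5 and the accumulated output is flat, so the centroid lands in the middle of the universe; a rule base that an expert would accept must give a clear answer there, which is exactly what the explanation-oriented Mamdani form lets you inspect rule by rule. The ValueError shows the check a practitioner wants: the overlapping shoulder terms guarantee full coverage here, but a hand-written rule base with gaps would otherwise divide by zero silently.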
Neural networks are convenient for pattern recognition problems but very inconvenient when it comes to explaining how they perform the recognition. They can acquire knowledge automatically, but their training is often rather slow, and analysis of a trained network is very complex (a trained network is usually a "black box" for the user). At the same time, it is difficult to enter a priori information (expert knowledge) into a neural network to accelerate its training.
Systems with fuzzy logic, on the contrary, easily explain the conclusions obtained with their help, but they cannot acquire knowledge automatically for use in their inference mechanisms. The need to partition the universal sets into separate regions usually limits the number of input variables in such systems to a small value.
Hayashi and Imura [18] have shown that a feedforward neural network can approximate any system based on fuzzy rules, and any feedforward neural network can be approximated by a system based on fuzzy rules. In theory, systems with fuzzy logic and artificial neural networks are equivalent, but in practice each has its own advantages and shortcomings. This understanding formed the basis for the apparatus of fuzzy neural networks, in which inference is performed on the basis of fuzzy logic but the corresponding membership functions are tuned using neural network training methods, for example error backpropagation. Such systems not only use a priori information but can also acquire new knowledge while remaining logically transparent.
A neuro-fuzzy network is a representation of a fuzzy inference system in the form of a neural network that is convenient for training, analysis and use. The structure of the neuro-fuzzy network corresponds to the main blocks of fuzzy inference systems [19, 20].
Fuzzy models and the fuzzy inference algorithms based on them can be represented as fuzzy production networks whose structure is identical to that of multilayer feedforward neural networks, the elements of each layer (or combination of layers) implementing a separate stage of fuzzy inference in the fuzzy production model: the first layer of neurons performs fuzzification; the hidden layers represent the set of fuzzy rules and implement the fuzzy inference algorithm; the last layer performs defuzzification of the output variable.
At present a large number of different neuro-fuzzy network architectures are known [21, 22]:
- fuzzy neural systems: the principles of fuzzy logic are applied inside a neural network to speed up its configuration or improve its parameters; here fuzzy logic is only an instrument of the neural network, and such a system cannot be interpreted as fuzzy rules because it remains a "black box";
- concurrent neuro-fuzzy systems: a fuzzy system and a neural network work on one task without affecting each other's parameters;
- cooperative neuro-fuzzy systems: the parameters are tuned with the help of a neural network, after which the fuzzy system functions independently;
- integrated (hybrid) neuro-fuzzy systems: systems with close interaction between fuzzy logic and neural networks.
ERP is understood as the concept of a coherent solution for accounting, control, planning and management of the production and financial resources of an enterprise. The research firm Gartner Group introduced the term to describe management systems that automate the processes of planning, forecasting and management of finance, production, logistics and marketing, accounting, product design, development of technological processes, etc. ERP is a global management standard proposed by the American Production and Inventory Control Society (APICS).

RESULTS
An ERP system is a corporate integrated information system that implements the ERP concept, creating a single information environment for the automation of planning, accounting, control, management and analysis of the main business processes of the enterprise.
The purpose of an ERP system is to integrate all departments and structures of the company into a single information and technological computer network that meets the needs of all individual units.
The most common ERP systems are SAP, Oracle E-Business Suite and Microsoft Dynamics.
The term ERP system is used in the following two meanings: 1) an information system for the identification and planning of all resources of the enterprise that are necessary for sales, production, purchasing and accounting in the process of fulfilling customer orders; 2) a methodology for the effective planning and management of all resources of the enterprise that are necessary for sales, production, procurement and accounting when fulfilling customer orders in the spheres of production, distribution and service provision.
A typical ERP system supports the following tasks: financial management; production management; management of inventory formation and distribution; sales and marketing management; customer relationship management; supply management; project management; personnel management; service management; quality assurance procedures. In addition, ERP systems can support electronic data exchange with other software applications and simulate situations related to planning and forecasting.
The use of ERP systems has the following advantages for the enterprise: long-term savings through process optimization; reduced operating expenses due to simplified business processes and best practices; improved collaboration between users; reduced risk through increased data integrity and financial control; reduced management and operating costs through a uniform, integrated system; a unified system that reduces IT, workforce and training costs; real-time information for the business; easier reporting and planning with better data and analytics; increased accountability and security through control of user rights.
Besides the advantages, the use of ERP systems has drawbacks: deploying and maintaining an ERP system can be very expensive; deployment is a long and complicated process; deployment requires significant changes in management; ERP systems are often less specialized than dedicated software, so some functions may go unused or have to be replaced.
The objectives and tasks of information security in ERP systems are: mitigation of the risks of loss and disclosure of information; compliance with state and intra-corporate information protection standards; protection of data integrity; guaranteeing the confidentiality of the company's internal information.
ERP systems have a complex architecture that combines various technologies, such as application servers, databases, middleware, web servers, operating systems, identity management systems, etc. This complexity creates additional information security threats, which can arise at the design and development stages of the ERP system as well as during its implementation and operation [24].
A typical ERP system consists of three components connected through a client-server architecture (see Fig. 4): the DB level; the application level; the presentation level (assigned to the user).
Data are stored in the database (DB level), processed on the application server (application level), and the user interacts with the system through the client application (presentation level). The environment uniting all the components located at the different architectural levels of the ERP system is the network infrastructure.

Figure 4 - Three-level environment of ERP systems: presentation level (client application), application level (application server), DB level (DB server).
The three-tier client-server architecture can be extended to a multi-tier one.
Thus, the main aspects of security to consider when using an ERP system are: network security; operating system security; DB security; application-level security; protection of information on the client computer.
Information security has to be ensured at each of the listed levels of the ERP system, and the choice of security mechanisms at these levels depends on the specifics of the particular project and the risk level of each threat.
ERP systems are generally developed as large, complex, homogeneous, critical applications and are usually developed and marketed as commercial off-the-shelf software by large software vendors such as SAP, Oracle and Microsoft. ERP application development is in theory based on the best industry practices, and the applications are designed to meet broad business requirements covering a wide range of industries.
The functionality provided by commercial ERP systems is designed so that it can be configured to let customers incorporate their own business rules to meet specific business or industry requirements. However, even after configuration is completed, gaps often remain between the standard functions provided and the specific requirements of the organization. To improve user adoption, most ERP customers develop extensions and customizations so that the application better supports their business processes.
As ERP systems handle and store confidential personal and commercial information relating to employees, customers, suppliers, prospects and projects, further development beyond the original design exposes the application to an increased risk of data breaches and non-compliance with regulations.
Custom development tends to constitute a very small portion of the entire application, but because it accesses and processes the same sensitive data as the underlying program, it poses a significant security risk, which can potentially cost the organization the losses from a security breach. Extension and configuration of ERP applications is a specialized technical effort that requires, apart from the necessary development skills, an understanding of the architectural, functional and security model of the program, including the vendor's recommended practices for product extension. Some key aspects of security that enterprise developers must take into account when working with ERP applications are the following.
1) Access management. ERP application access control refers to the identification and management of authorized users, including assigning them the appropriate roles needed to access processes and data. Access control is crucial for protecting data against unauthorized disclosure and modification while maintaining appropriate availability for authorized users for operational purposes.
2) Database-level security. At the heart of an ERP system is an RDBMS, which manages data input/output and storage on the database server. The ability to customize data objects for different users is the key to any application and the basis of the security architecture for controlling access to data. Different database platforms provide tools for creating logical data objects (for example, views) that allow different users to see and handle common business objects differently.
3) Data encryption and data masking. In addition to functional and data access controls, ERP data can be encrypted to mitigate exposure risks. Encryption is the most important tool for protecting sensitive information; it is most commonly used for data in transit, ensuring confidentiality and integrity. For data at rest, encryption is not required in all security scenarios, but for sensitive personal data such as credit card numbers it is an important tool (for passwords, a salted one-way hash rather than reversible encryption is the appropriate protection). Data masking is a technique used to protect data further where encryption is not appropriate. It allows sensitive information to be moved in a way that does not hinder ordinary database operations such as maintaining referential integrity and respecting data types: the data values are changed but still satisfy the schema constraints, which makes it possible to use database extracts that would normally contain sensitive data for development and testing purposes. Data masking can be done with scripts or with special tools from the ERP system vendors.
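The masking technique just described (values are changed but keep the schema's shape and referential integrity, so a production extract can be used for development and testing), as an added worked example in Python. It is not code from the paper or from any ERP vendor's masking tool: it uses a keyed HMAC so that the same real value always maps to the same masked value, which keeps the customer key consistent between the two tables, and it keeps the ID prefix/width, produces Luhn-valid card numbers of the same length and keeps valid email syntax. The column names, the sample customers and orders, the "C" + six digits key format and the masking key are all constructed for illustration.

```python
"""Deterministic data masking for ERP test extracts.

Added worked example; not code from the paper or from any ERP vendor's masking
tool. A keyed HMAC maps each real value to the same masked value every time,
so foreign keys between tables stay consistent, and the masked values keep the
schema's shape (ID prefix/width, Luhn-valid card number, email syntax). The
sample rows, column names and the key are constructed for illustration.
"""
import hashlib
import hmac
from typing import Callable, Dict, List

Row = Dict[str, object]
Masker = Callable[[bytes, str], str]


def _keyed_digest(key: bytes, column: str, value: str) -> bytes:
    # Domain-separated by column name: the same string in two columns masks differently.
    return hmac.new(key, f"{column}\x00{value}".encode("utf-8"), hashlib.sha256).digest()


def luhn_check_digit(payload: str) -> str:
    """Digit that makes payload + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_card_number(key: bytes, pan: str) -> str:
    """Replace a PAN by a Luhn-valid number of the same length; nothing else of the original survives."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    stream = str(int.from_bytes(_keyed_digest(key, "card_number", digits), "big")).rjust(40, "0")
    payload = stream[: len(digits) - 1]
    return payload + luhn_check_digit(payload)


def mask_customer_id(key: bytes, customer_id: str) -> str:
    """Keep the 'C' + 6 digits format assumed for the customer key."""
    n = int.from_bytes(_keyed_digest(key, "customer_id", customer_id)[:8], "big") % 1_000_000
    return f"C{n:06d}"


def mask_email(key: bytes, email: str) -> str:
    """Keep valid email syntax; the reserved .invalid TLD guarantees test mail never reaches anyone."""
    token = _keyed_digest(key, "email", email.strip().lower())[:6].hex()
    return f"user-{token}@example.invalid"


MASKERS: Dict[str, Masker] = {
    "customer_id": mask_customer_id,
    "email": mask_email,
    "card_number": mask_card_number,
}


def mask_table(key: bytes, rows: List[Row]) -> List[Row]:
    """Apply the column maskers; columns without a masker are copied unchanged."""
    return [{col: (MASKERS[col](key, str(val)) if col in MASKERS else val)
             for col, val in row.items()} for row in rows]


# Constructed sample extract: customers and their orders (customer_id is the foreign key)
CUSTOMERS: List[Row] = [
    {"customer_id": "C000123", "email": "Alice@corp.example", "card_number": "4111111111111111"},
    {"customer_id": "C000777", "email": "bob@corp.example", "card_number": "5555555555554444"},
]
ORDERS: List[Row] = [
    {"order_id": "O1", "customer_id": "C000123", "amount": 120.50},
    {"order_id": "O2", "customer_id": "C000123", "amount": 80.00},
    {"order_id": "O3", "customer_id": "C000777", "amount": 15.25},
]


def referential_integrity_preserved(key: bytes) -> bool:
    """Every masked order still points at a masked customer, and no real ID leaked through."""
    customers, orders = mask_table(key, CUSTOMERS), mask_table(key, ORDERS)
    masked_ids = {c["customer_id"] for c in customers}
    real_ids = {c["customer_id"] for c in CUSTOMERS}
    return (all(o["customer_id"] in masked_ids for o in orders)
            and masked_ids.isdisjoint(real_ids)
            and len(masked_ids) == len(CUSTOMERS))


if __name__ == "__main__":
    KEY = b"constructed-masking-key-keep-out-of-test-env"
    for row in mask_table(KEY, CUSTOMERS):
        print(row)
    print("integrity preserved:", referential_integrity_preserved(KEY))
```

Two caveats a practitioner should keep in mind. First, a keyed deterministic mapping is pseudonymization, not anonymization: anyone holding the key can test whether a guessed real value maps to a given masked value, so the key must stay in the production environment and never travel with the extract (destroy it after the run if re-masking consistency across extracts is not needed). Second, the check at the end only covers the foreign key this example knows about; a real ERP schema has many, and the masking job must be driven from the schema's constraint metadata rather than from a hand-written column list.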
Among the most common security problems of ERP systems, the following threats can be named:
- delays in installing updates, which are needed mainly to eliminate vulnerabilities found in the software and whose installation is vital to prevent those vulnerabilities from being exploited;
- insufficient control of access rights, which, when configured incorrectly, become potential internal risks to the system and threaten the integrity and confidentiality of information;
- insufficient training of personnel working with the system, especially new employees who lack deep knowledge of internal processes and make errors that may violate the principles of business process execution;
- insufficient vetting of personnel who have unimpeded access to system processes and the ability to change the functionality of the ERP system software;
- use of unlicensed programs together with the ERP system to achieve a single goal (for example, sales data is maintained in the ERP system, but reports are run using Excel);
- errors in the implementation and configuration of the platform (customization, incorrect credentials, open ports, etc.); an ERP system has many configuration files, and such errors can also compromise the functioning of processes and data;
- failure to comply with the regulatory norms and rules intended to protect confidential information, which entails financial and reputational consequences.
The following is a list of common vulnerabilities of ERP systems.
1) Complexity. ERP systems handle transactions and implement procedures to ensure that users have different access privileges. For example, in the SAP R/3 system there are authorization objects that allow various actions to be performed in the system. In a medium-sized organization about one hundred types of transactions can be created, and each transaction usually requires at least two authorization objects. Using the SAP system as an example, if the company has 200 users, there are approximately 800 000 (100 * 2 * 20 * 200) ways of configuring the security parameters of the ERP system [25].
As complexity increases, the likelihood of errors and conflicting authorizations also increases [26].
2) Specifics of the software. Software vendors regularly correct vulnerabilities because attackers track business applications to find and exploit security issues: SAP releases hot fixes monthly and Oracle issues security fixes quarterly; moreover, business applications are increasingly exposed to the Internet or migrated to the cloud [27].
Internal business applications are closed to prying eyes, which leads to the illusion that what is hidden is secure; yet trivial and extremely dangerous security vulnerabilities that are rare in popular products are found in such specialized business applications.
3) Lack of competent specialists. Most ERP system training programs are designed to teach how to use system capabilities and pay little attention to ERP security and auditing [25]. In most companies the security service understands the threats to ERP systems superficially at best [28]. Many companies do not pay proper attention to the security of the ERP system. Implementation consultants tend to be concerned only with deploying the system on time and within a predetermined budget. Security issues are considered secondary. Because of this, the security of the system turns out to be weak, and identifying and fixing security problems becomes a difficult and costly measure.
4) Lack of security auditing tools. ERP security audit is done manually, as the various tools supplied with ERP packages do not provide system security auditing tools. Manual audit is a complex and laborious process that increases the possibility of error [26].
5) A large number of settings. The default system settings contain many parameters and subtle settings, including the differentiation of rights for different objects such as transactions and tables. Among this mass of settings, the task of securing the system is not easy even for a specialist. In addition, customers tailor a large part of the ERP system settings, so that no two ERP systems are identical. They also develop their own programs, whose security should also be taken into account in a comprehensive assessment [29]. For this reason it is difficult to develop a consistent approach or methodology for security audits.
The following is a list of ERP system vulnerabilities according to architecture level [30].
Network layer:
1. Ability to intercept and modify traffic:
- lack of data encryption in data transfer between the client and the server; client-server requests containing critical information can be intercepted or modified;
- transfer of passwords in the clear.
2. Vulnerabilities in the encryption or authentication protocol:
- hash authentication;
- XOR password encryption;
- use of outdated authentication protocols;
- incorrect authentication algorithms.
3. Exploiting a network protocol vulnerability to deny legitimate users access so that an attack can be carried out:
- error in the RFC function SYSTEM_CREATE_INSTANCE (exploiting the vulnerability allows arbitrary code execution);
- error in the RFC function RFC_START_GUI (exploiting the vulnerability also allows arbitrary code execution);
- error in the RFC function RFC_START_PROGRAM (exploiting the vulnerability allows arbitrary code execution or disclosure of the RFC server configuration);
- error in the RFC function TRUSTED_SYSTEM_SECURITY (exploiting the vulnerability discloses information about existing users and groups on the RFC server).
Operating system level:
1) OS software vulnerabilities: any vulnerability in the OS that is used to access applications.
2) Weak OS passwords:
- possibility of remote password guessing;
- empty passwords for remote administration tools such as RAdmin and VNC.
3) Unsafe OS settings:
- NFS and SMB (data can be accessed by an anonymous user via NFS or SMB);
- file permissions;
- unsafe host settings (trusted hosts can be set by servers that can easily be taken over by an attacker).
Application vulnerabilities:
- all possible vulnerabilities in web applications;
- buffer overflows and format string bugs in web servers and application servers;
- dangerous access rights.

DISCUSSIONS
The paper has analyzed modern scientific directions in the field of information protection in information systems, methods and technologies of information security risk assessment, the use of fuzzy models to solve problems of information security risk assessment, as well as the concepts and development of ERP systems and the problems of their security and vulnerability.
Based on the results of the survey, it is proposed to describe the factors influencing risk assessment with linguistic variables, to assess their qualities with fuzzy variables, and to define a system of qualitative assessments.

CONCLUSIONS
The approach to information security risk assessment of ERP systems may be developed further and can form the basis for the development of information risk management systems.
Information security must be ensured at each of the selected levels of the ERP system, and the choice of information security mechanisms at these levels depends on the specifics of a particular project and the risk level of each threat. Assessment of information security risks when using an ERP system is necessary in order to develop recommendations for reducing risk levels and to take effective measures to ensure the information security of the entire enterprise.