DEVELOPING A FUZZY RISK ASSESSMENT MODEL FOR ERP SYSTEMS

Authors

  • A. D. Kozhukhivskyi, State University of Telecommunications, Kyiv, Ukraine
  • O. A. Kozhukhivska, State University of Telecommunications, Kyiv, Ukraine

DOI:

https://doi.org/10.15588/1607-3274-2022-1-12

Keywords:

information security, fuzzy logic, risk assessment, security, ERP-system

Abstract

Context. Assessing information security risks is a complex process carried out under substantial uncertainty, and that uncertainty is a major factor limiting the quality of the assessment, so it is advisable to use fuzzy methods and models that can work with data that cannot be measured precisely. Fuzzy assessments of risk factors are formed subjectively, and the assessment depends on the practical results obtained while treating threats that have already materialised during the organisation's operation and on the experience of information security professionals. Models are therefore needed that can adequately assess fuzzy factors and allow their influence on the risk assessment to be adjusted. The best results for such problems are achieved by neuro-fuzzy models, which combine fuzzy logic with artificial neural networks and systems: the "human-like" reasoning style of fuzzy systems together with the learning and simulation of mental phenomena of neural networks. To build a model for calculating the information security risk assessment, a fuzzy production model is proposed. Fuzzy production models (rule-based fuzzy models/systems) are a common type of fuzzy model used to describe, analyze and simulate complex, poorly formalised systems and processes.

Objective. Development of the structure of a fuzzy model for assessing the information security risk and the level of protection of ERP systems, using fuzzy neural models.

Method. To build a model for calculating the information security risk assessment, a fuzzy production model is proposed. Fuzzy production models are a common kind of fuzzy model used to describe, analyze and model complex, poorly formalised systems and processes.

Results. The factors influencing the risk assessment are identified; linguistic variables are proposed to describe them, fuzzy variables to assess their values, and a system of qualitative grades. The choice of parameters is substantiated, and the structure of the fuzzy production risk assessment model and its base of fuzzy inference rules are developed. The use of fuzzy models for information security risk assessment is considered, together with the concept and construction of ERP systems and an analysis of their security problems and vulnerabilities.

Conclusions. A fuzzy model for risk assessment of an ERP system has been developed. A list of factors affecting information security risk has been selected. Methods are proposed for assessing the risk of individual information resources and of the ERP system as a whole, for assessing the financial losses from the realisation of threats, and for determining the type of risk from its assessment so that recommendations on its treatment can be formed in order to maintain the ERP system's level of protection. The list of the model's linguistic variables is defined. A MISO (multiple-input, single-output) structure is chosen for the base of fuzzy production rules. The structure of the fuzzy model has been built and its fuzzy variables identified.
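As an added example, not code from the paper, the following Python sketch shows the kind of MISO fuzzy production model the abstract describes: several input linguistic variables, trapezoidal membership functions on a shared 0..10 scale, a small base of IF-THEN rules, Mamdani min-max inference with centroid defuzzification, and a mapping from the crisp score back to a risk type. The choice of input factors (threat likelihood, vulnerability level, asset value), the term shapes, the rule base and the treatment mapping are assumptions made for illustration; the paper's actual factors and rules are not reproduced here.

```python
"""MISO fuzzy production (rule-based) risk assessment in the Mamdani style.
Added illustration: input factors, term shapes, rule base and treatment
mapping are assumptions, not the paper's own model."""
from typing import Dict, List, Tuple


def trap(x: float, a: float, b: float, c: float, d: float) -> float:
    """Trapezoidal membership: 0 outside [a, d], 1 on [b, c], linear ramps between."""
    if x < a or x > d:
        return 0.0
    if b <= x <= c:
        return 1.0
    if x < b:
        return (x - a) / (b - a)
    return (d - x) / (d - c)


# Linguistic terms, shared by all variables on an assumed 0..10 universe.
TERMS: Dict[str, Tuple[float, float, float, float]] = {
    "low": (0.0, 0.0, 2.0, 5.0),
    "medium": (2.0, 5.0, 5.0, 8.0),
    "high": (5.0, 8.0, 10.0, 10.0),
}


def mu(term: str, x: float) -> float:
    """Membership of x in the given linguistic term."""
    return trap(x, *TERMS[term])


# Input linguistic variables (assumed factors; the paper's own list is not reproduced).
INPUTS = ("likelihood", "vulnerability", "asset_value")

# Rule base (MISO): antecedent terms per input joined by AND (min); one output, risk.
RULES: List[Tuple[Dict[str, str], str]] = [
    ({"likelihood": "high", "vulnerability": "high"}, "high"),
    ({"likelihood": "high", "asset_value": "high"}, "high"),
    ({"vulnerability": "high", "asset_value": "high"}, "high"),
    ({"likelihood": "medium", "vulnerability": "medium"}, "medium"),
    ({"likelihood": "medium", "asset_value": "medium"}, "medium"),
    ({"vulnerability": "medium", "asset_value": "medium"}, "medium"),
    ({"likelihood": "low"}, "low"),
    ({"vulnerability": "low"}, "low"),
    ({"asset_value": "low"}, "low"),
]

GRID = [i / 100 for i in range(1001)]  # discretised output universe 0..10


def fuzzify(inputs: Dict[str, float]) -> Dict[str, Dict[str, float]]:
    """Membership of each crisp input in each term; rejects out-of-range inputs,
    which would otherwise fire no rule and silently defuzzify to 0.0 ('low')."""
    for v in INPUTS:
        if not 0.0 <= inputs[v] <= 10.0:
            raise ValueError(f"{v}={inputs[v]} outside the 0..10 universe")
    return {v: {t: mu(t, inputs[v]) for t in TERMS} for v in INPUTS}


def rule_strengths(inputs: Dict[str, float]) -> List[Tuple[float, str]]:
    """Firing strength of every rule (min over its antecedents) with its consequent."""
    fz = fuzzify(inputs)
    return [(min(fz[v][t] for v, t in ante.items()), cons) for ante, cons in RULES]


def assess_risk(inputs: Dict[str, float]) -> float:
    """Mamdani inference: clip each consequent at its rule strength (min), aggregate
    across rules (max), defuzzify by centroid.  Returns a crisp 0..10 risk score."""
    strengths = rule_strengths(inputs)
    num = den = 0.0
    for y in GRID:
        agg = max(min(s, mu(cons, y)) for s, cons in strengths)
        num += y * agg
        den += agg
    return num / den if den else 0.0


def risk_type(score: float) -> str:
    """Type of risk: the output term with the largest membership at the crisp score."""
    return max(TERMS, key=lambda t: mu(t, score))


# Assumed treatment recommendation per risk type.
TREATMENT = {"low": "accept and monitor", "medium": "plan mitigation",
             "high": "mitigate before further operation"}

if __name__ == "__main__":
    cases = [  # constructed inputs, not data from the paper
        {"likelihood": 9, "vulnerability": 9, "asset_value": 9},
        {"likelihood": 1, "vulnerability": 1, "asset_value": 1},
        {"likelihood": 5, "vulnerability": 5, "asset_value": 5},
        {"likelihood": 9, "vulnerability": 9, "asset_value": 1},
    ]
    for case in cases:
        score = assess_risk(case)
        kind = risk_type(score)
        print(case, f"risk={score:.2f}", kind, TREATMENT[kind])
```

Running the module prints four constructed cases. The last one, a highly likely threat against a highly vulnerable but worthless asset, is the instructive one: a "high" rule and a "low" rule fire with equal strength, and centroid defuzzification places the score in the middle of the scale, so the risk type comes out "medium". Whether that is the intended behaviour is exactly what the rule base and membership parameters have to be tuned to decide; in the paper's setting they would be adjusted from expert assessments and the record of threats already handled, whereas here they are fixed. The input-range check also matters in practice: without it an out-of-range input gives zero membership everywhere, an empty aggregate and a score of 0.0 that reads as "low" risk.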

Author Biographies

A. D. Kozhukhivskyi, State University of Telecommunications, Kyiv, Ukraine

Dr. Sc., Professor, Professor of the Department of Information and Cybernetic Security

O. A. Kozhukhivska, State University of Telecommunications, Kyiv, Ukraine

Dr. Sc., Associate Professor of the Department of Information and Cybernetic Security

Published

2022-04-08

How to Cite

Kozhukhivskyi, A. D., & Kozhukhivska, O. A. (2022). DEVELOPING A FUZZY RISK ASSESSMENT MODEL FOR ERP SYSTEMS. Radio Electronics, Computer Science, Control, (1), 106. https://doi.org/10.15588/1607-3274-2022-1-12

Section

Neuroinformatics and intelligent systems