RISK ASSESSMENT MODELING OF ERP-SYSTEMS

Authors

  • A. D. Kozhukhivskyi State University of Telecommunications, Kyiv, Ukraine, Ukraine
  • O. A. Kozhukhivska State University of Telecommunications, Kyiv, Ukraine, Ukraine

DOI:

https://doi.org/10.15588/1607-3274-2022-4-12

Keywords:

Security, fuzzy logic, fuzzy product model, risk assessment, security, ERP-system

Abstract

Context. Because assessing security risks is a complex and complete uncertainty process, and uncertainties are a major factor influencing valuation performance, it is advisable to use fuzzy methods and models that are adaptive to noncomputed data. The formation of vague assessments of risk factors is subjective, and risk assessment depends on the practical results obtained in the process of processing the risks of threats that have already arisen during the functioning of the organization and experience of security professionals. Therefore, it will be advisable to use models that can ade-quately assess fuzzy factors and have the ability to adjust their impact on risk assessment. The greatest performance indicators for solving such problems are neuro-fuzzy models that combine methods of fuzzy logic and artificial neural networks and systems, i.e. “human-like” style of considerations of fuzzy systems with training and simulation of mental phenomena of neural networks. To build a model for calculating the risk assessment of security, it is proposed to use a fuzzy product model. Fuzzy product models (Rule-Based Fuzzy Models/Systems) this is a common type of fuzzy models used to describe, analyze and simulate complex systems and processes that are poorly formalized.

Objective. Development of a fuzzy model of quality of security risk assessment and protection of ERP systems through the use of fuzzy neural models.

Method. To build a model for calculating the risk assessment of security, it is proposed to use a fuzzy product model. Fuzzy product models are a common kind of fuzzy models used to describe, analyze and model complex systems and processes that are poorly formalized.

Results. Identified factors influencing risk assessment suggest the use of linguistic variables to describe them and use fuzzy variables to assess their qualities, as well as a system of qualitative assessments. The choice of parameters was substantiated and a fuzzy product model of risk assessment and a database of rules of fuzzy logical conclusion using the MATLAB application package and the Fuzzy Logic Toolbox extension package was implemented, as well as improved by introducing the adaptability of the model to experimental data by introducing neuro-fuzzy components into the model. The use of fuzzy models to solve the problems of security risk assessment, as well as the concept and construction of ERP systems and the analyzed problems of their security and vulnerabilities are considered.

Conclusions. A fuzzy model has been developed risk assessment of the ERP system. Selected a list of factors affecting the risk of security. Methods of risk assessment of information resources and ERP-systems in general, assessment of financial losses from the implementation of threats, determination of the type of risk according to its assessment for the formation of recommendations on their processing in order to maintain the level of protection of the ERP-system are proposed. The list of linguistic variables of the model is defined. The structure of the database of fuzzy product rules – MISO-structure is chosen. The structure of the fuzzy model was built. Fuzzy variable models have been identified.

Author Biographies

A. D. Kozhukhivskyi, State University of Telecommunications, Kyiv, Ukraine

Dr. Sc., Professor, Professor Department of Information and Cybernetic security

O. A. Kozhukhivska, State University of Telecommunications, Kyiv, Ukraine

Dr. Sc., Associate Professor Department of Information and Cybernetic security

References

Leighton J. Security Controls Evaluation, Testing and Assessment Handbook. Syngress, 2016, 678 p.

Methody zahysty systemy upravlinnia informaciinoiu Bezpekou [Tekst], DSTU ISO/IES 27001, 2015. Chyn. 2017.01.01. Kyiv, DP “UkrNDNC”, 2016, 22 p.

Informaciini tehnolohii. Metody zahystu. Zvid praktyk shchodo zahodiv informaciinoi bezpeky [Tekst], ISO/IES 27002:2015, 2015, Chyn. 2017.01.01. Kyiv, DP “UkrNDNC”, 2016.

Informaciini tehnolohii. Metody zahystu. Systemy ke-ruvannia informaciinoiu bezpekoiu. Nastanova [Tekst], DSTU ISO/IES 27003, 2018, Chyn, 2018.01. 01. Kyiv, DP “UkrNDNC”, 2018.

Informaciini tehnolohii. Metody zahystu. Systemy ke-ruvannia informaciinoiu bezpekoiu. Monitoring, Vy-miriuvannia, analisuvannia ta ociniuvannia [Tekst], DSTU ISO / IES27004, 2015, 2018, Chyn. 2018.01. 01. Kyiv, DP “UkrNDNC”, 2018.

Informaciini tehnolohii. Metody zahystu.Upravlinnia Rysykamy informaciinoi bezpeku [Tekst], DSTU ISO / IES 27001: 2015, Chyn. 2015.01.01. Kyiv, DP “Ukr-NDNC”, 2016.

Ehlakov Yu. P. Nechyotkaya model ocenki riskov Prodvizheniya prohramnyh produktov, Biznes-informatika, 2014, No. 3 (29), pp. 69–78,

Gladysh S. V. Predstavlenie znanii ob upravlenii in-Cyndentami informacionnoj bezopasnosti posredstvom Nechyotkich vremennyh raskrashennyh Setei Petri, Mizhnarodnyi naukovotehnichnyi zhurnal “Informaciini tehnolohii ta kompyuterna inzheneriia”, 2010, No. 1 (17), 2010, pp. 57–64.

Nieto-Morote A. A., RuzVila F. Fuzzy approach to construction Project risk assessment, International Journal of Project Management, 2011, Vol. 29, Issue 2, pp. 220–231.

Kozhukhivskyi A. D., Kozhukhivska O. A. ERP-System Risk Assessment Methods and Models (Tekst), Radio Electronics, Computer Science, Control, 2020, No. 4(55), pp. 151–162. DOI 10. 15588/1607-3274-2020-4-15

Kozhukhivskyi A. D., Kozhukhivska O. A. Developing a Fuzzy Risk Assessment Model for ERP-Systems (Tekst) Radio Electronics, Computer Science, Control, 2022, No. 1, pp. 106–119. DOI 10. 15588/1607-3274-2022-1-12

Baskerville R. An analysis survey of information sy-stem security design methods: Implications for Infor-mation Systems Development, ACM Computing Survey, 1993, pp. 375–414.

Peltier T. R. Facilitated risk analysis process (FRAP). Auerbach Publication, CRC Press LLC, 2000, 21 p.

Alberts C., Dorofee A. Managing Information Security Risks: The Octave Approach. Addison-Wesley Professional, 2002, 512 p.

Stolen K., Den Braber F., Dirmitrakos T. Model-based risk assessment – the CORAS approach [Elektronnyi resurs], 2002, Rezhim dostupu: http://folk.uio.no/nik/2002/Stolen.pdf

Suh B., Han I. The IS risk analysis based on business model, Information and Management, 2003, Vol. 41, No. 2, pp. 149– 158.

Karabacaka B., Songukpinar I. ISRAM: Information security risk analysis method, Computer & Security, March, 2005, pp. 147–169.

Goel S., Chen V. Information security risk analysis – a matrixbased approach [Elektronnyi resurs], University at Albany, SUNY, 2005, Rezhim dostupu: https://www.albany.edu /~goel/publications/goelchen2005.pdf

Elky S. An introduction to information system risk management [Elektronnyi resurs], SANS Institute InfoSec Reading Room, 2006, Rezhim dostupu: https://www.sans.org/readingroom/whitepapers/auditing/introduction -information-systemrisk-management-1204.

Yazar Z. A. Qualitative risk analysis and managment tool – CRAMM [Elektronnyi resurs], SANS Institute InfoSec Reading Room, 2011. Rezhim dostupu: https://www.sans.org/readingroom/whitepapers/auditing/qualitative -risk-analysismanagement-tool-cramm-83

Korchenko A. G. Postroenie system zashhity informa-cii na nechetkih mnozhestvah. Teoriya i prakticheskie resheniya. Kyiv, MK-Press, 2006, 320 p.: IL.

Karpenko A.C. Lohika Lukasevicha i prostye chisla. Moscow, Nauka, 2000, 319 p.

Teoriya algoritmov ta matematychna lohika [Elektronnyi resurs], Materialy dystanciinogo navchnnya sumskogo derzhavnogo universytetu. Rezhim dostupu: https://dl. sumdu. edu.ua /textbooks/ 85292/354091/index.html

Kruglov V. V., Borisov V. V., Fedulov A. C. Nechitki modeli i seti. Moscow, Goriachaya liniya, Telekom, 2012, 284 p. IL.

Kruglov V. V., Borysov V. V. Iskusstvennye neironnye seti. Teoriya i praktika. Moscow, Goriachaya liniya, Telekom, 2002, 382 p.: Il.

Zade L. Ponyatie lingvisticheskoi pemennoi i ego Primenenie k ponyatiyu priblizhyonnykh reshenii, Per. s Angl. Moscow, Mir, 1976, 166 p.

Jang J.-S. R. ANFIS: Adaptive Network – based Fuzzy Inference System, IEEE Trans. On System, Man and Cybernetics, 1993, Vol. 23, No. 3, pp. 665– 685.

Common Vulnerability Scoring System version 3.1: Specification Document. CVSS Version 3.1 Release [Elektronnyi resurs], Forum of Incident Response and Security Teams. Rezhim dostupu: https://www.first.org/cvss/ specificationdocument

National vulnerability database Release [Elektronnyi resurs], National Institute of Standards and Technology. Rezhim dostupu: https://nvd.nist.gov

FUZZY LOGIC TOOLBOX [Elektronnyi resurs], Czentr Inzhenernykh Tekhnolohii i Modelirovaniia Eksponenty, Rezhim dostupu: https://exponenta.ru/fuzzy-logic-toolbox.

Downloads

Published

2022-12-13

How to Cite

Kozhukhivskyi, A. D., & Kozhukhivska, O. A. (2022). RISK ASSESSMENT MODELING OF ERP-SYSTEMS . Radio Electronics, Computer Science, Control, (4), 149. https://doi.org/10.15588/1607-3274-2022-4-12

Issue

Section

Control in technical systems