Analysis and data processing systems


Print ISSN: 2782-2001          Online ISSN: 2782-215X

Analysis of information security risks by using a fuzzy inference system

Issue No 4 (65) October - December 2016
Authors: I.V. SIBIKINA
DOI: http://dx.doi.org/10.17212/1814-1196-2016-4-121-134
Abstract
The article describes the stages of creating a fuzzy inference system for analyzing information security risks. The need for, and the feasibility of, fuzzy modeling when implementing a security policy at an enterprise or organization is substantiated. The complexity of evaluating information security risks, which stems from the lack of standard techniques and approaches to risk evaluation, is considered. Merits and demerits of the existing techniques of information security risk analysis are studied. Procedures for collecting and processing the expert information needed to create a fuzzy inference system are described. A technique for building linguistic scales based on the statistical experiment method is proposed. Using expert data, the author constructed the membership functions needed to build the fuzzy model for fuzzy variables such as "a risk degree", "a damage level" and "a threat level". An example of calculating membership functions for one of the fuzzy variables is provided. The author developed rules for generating a fuzzy inference system. The proposed procedures and methods were implemented as a fuzzy inference system in the Matlab environment. The stages of creating the fuzzy model and analyzing its adequacy are described. The graphic interface of the variable editor and rule editor, and the surfaces of the fuzzy inference model developed in the Matlab environment, are provided. The proposed model makes it possible to reveal how the output variable "a risk degree" depends on the values of the input variables "a threat level", "a damage level" and "a vulnerability level". The simulation results change automatically when the parameters of the input variables change, which allows the model to be used under changing external conditions. The results can be used for solving problems of information security management.
Keywords: analysis of information security risks, information security management, processing of expert data, fuzzy modeling, membership function, production rules, fuzzy inference system, risk assessment model
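
The following is an added example, not code from the article or its Matlab implementation: a small Mamdani-style fuzzy inference model in Python that maps threat, vulnerability and damage levels to a risk degree. The 0..1 scales, the triangular membership functions, the 27-rule base, min/max inference and centroid defuzzification are all assumptions made for illustration; the article builds its functions and rules from expert data.

```python
# Added illustration of a Mamdani-style fuzzy risk model. The 0..1 scales, the
# triangular terms and the rule base are constructed assumptions; the article
# derives its membership functions and rules from expert data.
from itertools import product

LEVELS = ("low", "medium", "high")
# (left foot, peak, right foot) of each term; shared by inputs and output.
TERMS = {"low": (0.0, 0.0, 0.5), "medium": (0.0, 0.5, 1.0), "high": (0.5, 1.0, 1.0)}

# Constructed rule base over all 27 input combinations:
# IF threat is T AND vulnerability is V AND damage is D THEN risk is R.
RULES = {
    (LEVELS[i], LEVELS[j], LEVELS[k]): LEVELS[(i + j + k + 1) // 3]
    for i, j, k in product(range(3), repeat=3)
}

def tri(x, a, b, c):
    """Triangular membership; a == b or b == c gives a shoulder at the edge."""
    if x <= a or x >= c:
        return 1.0 if x == b else 0.0
    return (x - a) / (b - a) if x < b else (c - x) / (c - b)

def fuzzify(x):
    """Degree of membership of a crisp 0..1 score in each linguistic term."""
    x = min(max(x, 0.0), 1.0)
    return {name: tri(x, *abc) for name, abc in TERMS.items()}

def risk_degree(threat, vulnerability, damage, steps=200):
    """Crisp risk degree in 0..1 via min/max inference and centroid."""
    t, v, d = fuzzify(threat), fuzzify(vulnerability), fuzzify(damage)
    strength = dict.fromkeys(LEVELS, 0.0)
    for (a, b, c), out in RULES.items():
        # AND is min; rules with the same consequent are combined with max.
        strength[out] = max(strength[out], min(t[a], v[b], d[c]))
    num = den = 0.0
    for i in range(steps + 1):
        y = i / steps
        # Clip each output term at its rule strength, then aggregate with max.
        mu = max(min(strength[n], tri(y, *TERMS[n])) for n in LEVELS)
        num += y * mu
        den += mu
    return num / den

if __name__ == "__main__":
    for case in [(0.2, 0.2, 0.2), (0.9, 0.1, 0.9), (0.9, 0.9, 0.9)]:
        print(case, round(risk_degree(*case), 3))
```

With these constructed rules, a high threat and high damage level paired with a low vulnerability level yields a medium risk degree, which is the kind of input-output dependence the model surface is meant to expose.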
