The object of research is the process of assessing information security risks to information resources during the functioning of information activity objects, which is the basis of effective security management. One of the most problematic aspects of classical probabilistic risk assessment models is the high subjectivity in determining the quantitative values of indicators. To eliminate these shortcomings, it is proposed to create universal, scalable and trainable risk assessment models based on qualitative characteristics. The study used an adaptive neuro-fuzzy inference system (ANFIS). A mathematical model of information security risk assessment was obtained, which extends existing solutions through scaling. The approach used in the model allows it to adapt automatically to dynamic changes in the functioning of the information activity object. The proposed model has the following features: automated generation of the rule base and retraining of the fuzzy system. Using artificial neural networks to automate the adjustment of the fuzzy system's parameters avoids the subjectivity characteristic of expert assessments. This makes it possible to obtain current values of the information security risk level. The experimental studies quantitatively confirmed the effectiveness of the model, which demonstrated classification accuracy of up to 95% and a significant reduction in the mean square error to 0.01 compared to classical probabilistic models and traditional fuzzy expert systems. This is because the proposed model has a number of features, in particular automated generation of the rule base and the possibility of retraining the fuzzy system, which is provided by the use of artificial neural networks. As a result, automatic adaptation to dynamic changes in the object and accurate current values of the risk level are ensured.
Compared to similar known models, this provides automated adjustment of parameters based on the results of retraining (with an error of > 1–2%) and reliable information security management by prioritizing protective measures and responding promptly to threats.
Zdorenko et al. (Fri,) studied this question.