Fuzzy expert system of information security risk assessment on the example of analysis Learning Management Systems

The rapid development and adoption of new digital technologies has, on the one hand, opened up new opportunities for more efficient management of technological and business processes. On the other hand, it has significantly increased the number of security threats and the exposure of businesses and organisations to cybercriminals. In recent years, the rapid growth in incidents of all kinds has shown that traditional approaches to information security (IS) are insufficient, so information security risk assessment of software products has become an important task for most organisations. Several models have been proposed to help enterprises with the challenges of building information security. This paper proposes a new hierarchically structured model for information security risk assessment based on fuzzy logic, together with a new method for assessing the information security risk of software, using automated control systems and enterprise resource planning (ERP) systems, and learning management systems (LMS) in particular, as the example. The proposed risk assessment model has been implemented in software as 15 fuzzy machines. In a series of experiments we have applied it to the information security risk assessment of several software products. The proposed method is intended to solve the problem of flexible risk assessment.


I. INTRODUCTION
It is known that no organisation is immune to data breaches and that, when breaches occur, they can have serious consequences. A data breach is viewed differently in different fields. Any action that breaches the security of protected data and results in the transfer of that data to unauthorised entities can be regarded as an IS breach. A security breach can be the result of a cyber-attack, theft or loss of devices, theft or leakage of employee data such as security credentials, or human error. In industrial and business systems, the major cyber-attacks include SQL injection, cross-site scripting (XSS) and privilege escalation. SQL injection is one of the most common attacks: crafted input supplied through a web page is spliced into an SQL statement, so that the attacker changes the query the database executes and can thereby read, modify or destroy its data. Developing an effective cyber security solution enables us to reduce the data breaches that cyber security risks threaten, such as attacks on storage, processing and database management systems. Organising cyber security across society remains one of the major unresolved challenges in the information and communications technology domain.
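The following is an added example, not code from the paper or from any of the systems it evaluates, illustrating the SQL injection described above: a login query that splices user input into the SQL text, beside the parameterised form that is immune to the same input. The in-memory SQLite table and its two rows are constructed for the example.

```python
"""SQL injection in a login query, beside its parameterised fix.

Added example, not code from the paper or from any LMS it evaluates.
The in-memory SQLite table and its two rows are constructed. Passwords
are stored in clear only to keep the injection visible; a real system
stores a salted password hash and compares that instead.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])  # constructed rows
    return conn


def injected_query_text(username: str, password: str) -> str:
    """The statement the vulnerable function actually sends, for inspection."""
    return (f"SELECT 1 FROM users WHERE username = '{username}' "
            f"AND password = '{password}'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Untrusted input is spliced into the SQL text, so a quote in the
    # password closes the literal and the rest of the input is parsed as SQL.
    return conn.execute(injected_query_text(username, password)).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders keep the statement fixed; the driver passes the values
    # separately, so a quote in the input is just a character in a string.
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    bypass = "x' OR '1'='1"   # classic tautology: AND binds tighter than OR
    print(injected_query_text("alice", bypass))
    print("vulnerable:", login_vulnerable(db, "alice", bypass))   # True
    print("safe:      ", login_safe(db, "alice", bypass))         # False
    print("safe, real:", login_safe(db, "alice", "s3cret"))       # True
```

The tautology works because `AND` binds tighter than `OR`: the injected statement reads `(username = 'alice' AND password = 'x') OR '1'='1'`, which matches every row. With placeholders the same string is compared as a password literal and fails.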
Hypothesis: the problem is that companies find it difficult to manage information security in complex systems such as ERP. Why can software developers not fully secure a complex system, even with IS standards and IS risk assessment models in their arsenal? What can software developers offer to improve the information security of complex systems? This reveals the problem of achieving security when programming complex systems. Careless use by employees, or miscalculations in building information security, translate into financial losses for the company. Software developers may use models for building information security that are not suited to complex systems. With due consideration for the earlier, legacy models, a more flexible information security evaluation model is needed. The purpose of this research is to implement a flexible model for assessing information security risks in ERP systems. Information security is especially important in ERP systems, since such systems usually manage all the main production and business processes of an organisation, and an ERP system with poor information security will eventually lead the company to colossal financial losses. Where statistical data are lacking and the external environment is highly uncertain, methods based on fuzzy expert systems, which draw on the experience and knowledge of employees, imprecise preliminary data and assumptions, can form the basis of the sustainable economic development of the company. The general purpose of fuzzy management systems is to simulate the reasoning of a person who draws conclusions in order to make a decision from the information available about the controlled object. Situations of this kind abound in everyday life as well as in professional activity.
Even leaving aside quite trivial operations (which nevertheless require such an approach), there are many examples where automation and the use of elements of artificial intelligence are relevant and justified: from control of a car or a technological process to the development of a company strategy from a set of financial and economic indicators. The key to the successful use of such fuzzy-set methods in the management of complex systems is the ability of the system to use all the main sources of information about the controlled object: mathematical models, observed data on the behaviour of the object, and the knowledge of people, that is, experts in the area under study. All these sources can be used in a fuzzy control system, complementing each other. A mathematical model, if its construction is possible and appropriate, is the most important source, since it allows the knowledge base to be replenished with the results of analytical research or simulation. Processing empirical data allows an approximate model of the controlled object to be built and the parameters of the fuzzy control system to be refined and tuned. At the same time, a set of fuzzy rules reflecting the regularities in the behaviour of the object under study is formed from the knowledge and experience of experts. When a mathematical model cannot be developed because of the complexity of the processes in the controlled object, the advantages of fuzzy management are even greater, since management is then based not only on a model but on intelligent control founded on knowledge in all its forms. Important advantages of fuzzy expert systems are non-linearity, the ability to use imprecise data, and convenience in obtaining and processing expert opinions.
There are no specific models or standards for assessing the information security of complex systems, which makes it all the more important to study the known information security assessment models. A number of good papers address the question of how to evaluate the information security of a software product.
Bo Feng, Qiang Li, Yuede Ji and others propose a new user analysis model that finds potential victims by analysing large amounts of personal information and user behaviour in social media and estimates their security risk [1]. Pil Sung Woo, Sang Sun Hwang, Soon Hyun Hwang and Balho H. Kim studied a theoretical standard for creating secure systems by analysing the structure of a power information management system, in addition to quantifying the risk of cyber-attacks, which remains poorly understood [2]. Timothy Kieras, Muhammad Junaid Farooq and Quanyan Zhu described Risk Analysis of IoT Supply Chain Threats (RIoTS), a security risk assessment framework borrowed from systems reliability theory and extended to include the supply chain [3]. Manish Shrestha, Christian Johansen, Josef Noll and Davide Roverso described Smart Grid Security Classification (SGSC), which is related to risk analysis methods (the ANSSI standard methodology) with the difference that SGSC aims to assign a security class to a system based on (combinations of) scores assigned to different aspects of system vulnerabilities and the corresponding implemented protection mechanisms [4]. Jasna Markovic-Petrovic, Mirjana Stojanovic and Slavica Bostjancic Rakas proposed a new method for security risk assessment in supervisory control and data acquisition (SCADA) networks using fuzzy logic [5]. Wenrui Wang, Fan Shi, Min Zhang, Chengxi Xu and Jinghua Zheng proposed a ranking method based on a heterogeneous information network for vulnerability risk assessment in a particular network [6]. Jiali Wang, Martin Neil and Norman Fenton combined an Extended Factor Analysis of Information Risk with Bayesian Networks (EFBN) using Monte Carlo simulation and showed that it can provide an integrated solution for cybersecurity risk assessment and decision making [7].
Yahia Alemami, Mohamad Afendee Mohamed and Saleh Atiewi present the most popular and interesting algorithms currently in use [8]. Yazdan Movahedi, Michel Cukier, Ambrose Andongabo and Ilir Gashi investigated an approach that clusters vulnerabilities using the textual information in vulnerability records and then models the mean-vulnerability function by relaxing the monotonic intensity function assumption that prevails in studies using software reliability models (SRMs) and heterogeneous Poisson processes [9]. Kaikai Pan, Andre Teixeira, Claudio David Lopez and Peter Palensky analysed the cybersecurity of an Energy Management System (EMS) against data attacks; their results show how vulnerable the EMS is to data attacks and how collaborative modelling can help in vulnerability assessment [10]. Omer Keskin, Kevin Matthe Caramancion, Irem Tatar, Owais Raza and Unal Tatar presented and compared existing Cyber Third-Party Risk Management (C-TPRM) methods created by different companies to identify the most commonly used indicators and evaluation criteria [11]. Lelin Lv, Huimin Li, Lunyan Wang, Qing Xia and Li Ji introduce the interval-valued intuitionistic fuzzy weighted averaging operator (IVIFWA), the Tchebycheff metric distance and the interval-valued intuitionistic fuzzy weighted geometric operator (IVIFWG) into the ratio system, reference point and full multiplicative form sub-methods of MULTIMOORA to optimise the aggregation of FMEA information [12]. Samia Oukemeni, Helena Rifa-Pous and Joan Manuel Marques Puig proposed a general framework to guide the development of privacy indicators and to measure and evaluate the privacy level of online social networks, in particular microblogging systems [13].
Simon Parkinson, Mauro Vallati, Andrew Crampton and Shirin Sohrabi presented GraphBAD, a graph-based analysis tool capable of analysing security configurations to identify anomalies that may lead to security risks [14]. Abdullah Algarni, Vijey Thayananthan and Yashwant Malaiya described a comprehensive formal model that estimates two components of security risk: the cost of hacking and the probability of data leakage within 12 months [15]. Muhamad Al Fikri, Fandi Aditya Putra, Yohan Suryanto and Kalamullah Ramli focus on information security risk assessment, implementing a combined technique in a commercial organisation using semi-quantitative methods [16]. Muhammad Imran Tariq, Shakeel Ahmed, Nisar Ahmed Memon and others aimed to improve information security management analysis by proposing a formalised approach, the fuzzy analytic hierarchy process (AHP), used to prioritise and select the most appropriate set of information security controls to meet an organisation's information security requirements [17]. Jinxin Zuo, Yueming Lu, Hui Gao, Ruohan Cao, Ziyv Guo and Jim Feng summarised the architecture and vulnerabilities of the IoT and propose a comprehensive information security assessment model based on multilevel decomposition feedback [18].
Cybersecurity standards are published materials that outline methods that focus on protecting the cyber environment of a user or organisation. The main purpose is to reduce risks, including preventing or mitigating cyber attacks. These published materials consist of collections of tools, policies, security concepts, security measures, guidelines, risk management approaches, actions, training, best practices, safeguards and technologies.
Basic standards on information security:
1) ISO/IEC 27000 - Information security management systems - Overview and vocabulary.
2) ISO/IEC 27001 - Information technology - Security techniques - Information security management systems - Requirements. The 2013 release of the standard specifies an information security management system (ISMS) in the same formalised, structured and succinct manner as other ISO standards specify other kinds of management systems.
3) ISO/IEC 27002 - Code of practice for information security controls: essentially a detailed catalogue of information security controls that might be managed through the ISMS.
4) ISO/IEC 27003 - Information security management system implementation guidance.
5) ISO/IEC 15408 - the "Common Criteria" for IT security evaluation: a framework in which the security functional and assurance requirements of many different software and hardware products can be specified and independently evaluated against defined assurance levels.
6) IEC 62443 - a cybersecurity standard series that defines processes, techniques and requirements for Industrial Automation and Control Systems (IACS).
7) ETSI EN 303 645 - a standard that provides a set of baseline security requirements for consumer Internet of Things (IoT) devices.

II. RISK ASSESSMENT CRITERIA
We need to define criteria and metrics for assessing software information security by analysing the standards listed above. On the basis of an interdisciplinary analysis of the above-mentioned studies and standards, we compiled a list of 50 IS risks that can be used in the practical activities of an enterprise, since the neutralisation (elimination, minimisation) of IS risks is the essence and content of the process of ensuring the IS of the enterprise. The list can also be used to build threat models from which the task of creating an information security system (ISS) is derived, and the list of concrete risks can be used when estimating the effect of the adopted IS measures on the efficiency of the enterprise. The IS risks are presented in Table 1, and Table 1 is presented as a fuzzy information security risk assessment model in Figure 1. These characteristics are fully consistent with the definition of an information security risk assessment for a software product. The problem comes down to three questions: a software security scale, regulation of user behaviour, and a list of requirements for software developers. We therefore propose the following methodology for information security assessment using fuzzy logic.
A flexible information security assessment model calls for fuzzy logic because of its flexibility and variability in evaluating any parameter that was initially hard-coded. A fuzzy approach helps to make decisions under multiple options, fuzziness and vulnerabilities [17]. It is practical for dealing with uncertainty, complexity and decision making on complex issues of a controversial nature. Muhammad Imran Tariq, Shakeel Ahmed, Nisar Ahmed Memon and others argue that prioritising information security management tools using fuzzy AHP leads to an efficient and cost-effective evaluation of the tools from which an organisation selects the most appropriate ones; their formalised approach and prioritisation process are based on the ISO/IEC 27001:2013 standard [17]. Evaluation results have clearly demonstrated the advantages of a fuzzy-logic method over a purely objective approach in terms of more accurate risk assessment and a higher return on security investment [5]. Muhammad Imran Tariq proposed a framework for information security assessment in cloud systems, implemented as a fuzzy inference system based on fuzzy set theory and fuzzy rules and tested in Matlab; the fuzzy results confirm that the framework can be used to protect information in a cloud computing environment [19]. Hakan Acikgoz, Fatih Kececioglu, Ahmet Gani, Mustafa Tekin and Mustafa Sekkeli proposed interval type-2 Takagi-Sugeno-Kang fuzzy logic controllers (IT2-TSK-FLC) and interval type-2 fuzzy logic systems (T2FLS); their results confirm that the proposed controllers are fast, operate reliably under uncertainty and perform better [20][21].
We propose four levels of granularity for assessing the information security of a software application. At the first level we establish the risk objective; both external and internal components of information security serve as indicators for this objective. At the second level we introduce the first level of risk classification, for ease of grouping. At the third level the risks are described, or a subset of the classification (a sub-classification) is set. At the fourth level the individual risks are described, where the third level has not already described them. This structure can be used either element by element, to assess the risks of particular groups and subgroups, or as a means for a complex (holistic) assessment of the information security of the software product used in the company.
Next, using the classification of information security risk assessment criteria, we construct 15 fuzzy machines using the Mamdani algorithm. Alibek Barlybayev, Batyr Orazbayev and others showed that the Matlab software product is very suitable for this kind of simulation [22][23][24]. Using a fuzzy expert system to assess information security is not a new idea. But most work using fuzzy logic is tied to the existing information security assessment standards, with their well-known established formulas for calculating information security risk. This can lead to misuse of fuzzy logic as a tool, when many parameters are collapsed into one or two variables. This paper proposes a new four-level hierarchical system of parameters for assessing information security risks, and the use of fuzzy logic makes the calculations flexible, since the number of parameters, which is rigidly defined at the initial stage, grows continually.

III. A FUZZY INFORMATION SECURITY RISK ASSESSMENT MODEL
In the first fuzzy machine, 1.1. Documentation risks, we use the input variables: 1. In the third fuzzy machine, 1. Organisational risks, we use the input variables: 1.1. Documentation risks; 1.2. Human risks. The output variable is 1. Organisational risks.
In the fourth fuzzy machine, 2. Reputation (branding) risks, we use the input variables: 2.1. Dissemination in the external environment of information of an economic nature that threatens the company's reputation; 2.2. Mention of the company in the context of extremism, money laundering, cyber threats and cyber terrorism; 2.3. Use of uncertified and unlicensed products; 2.4. Possibility of external penetration into the company's Intranet. The output variable is 2. Reputation (branding) risks.
In the fifth fuzzy machine, 3.1. Privacy regulations, we use the input variables: 3. In the fourteenth fuzzy machine, 5. Availability risks, we use the input variables: 5.1. Unauthorised latent long-term exploitation of information and computing resources; 5.2. DDoS attacks on the ABS and employees' computers; 5.3. Unauthorised remote access to the information system and PCs; 5.4. Unprotected (authorised) remote access to the information system and PCs; 5.5. Insecurity of email; 5.6. SPAM threats. The output variable is 5. Availability risks.
All 15 fuzzy machines are closely connected, as described in Figure 2: the features give the values of the subclasses, the subclasses give the values of the classes, and the classes give the information security evaluation. Figure 2 shows the test results for each of the fifteen fuzzy machines, with the defuzzification result shown in blue in the right-hand corner. As an example, the Platonus Learning Management System v5.2 (build #788), used at the Kazakh University of Economics, Finance and International Trade (http://pl.kuef.kz/), was assessed.

FIGURE 2. Test results of calculation of the fuzzy machine Risks.
We modelled the fuzzy expert system in Matlab using the Mamdani algorithm to assess the information security risks of software, with the risk criteria from Table 1 as the linguistic variables. We then faced the task of programming this model as a single fuzzy expert system. The fuzzy expert system was developed in the C# programming language and is described in Figure 3.
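The following is an added example, not the paper's Matlab or C# implementation, of the kind of Mamdani machine described above, written in Python so that it runs without Matlab. It covers fuzzy machine 14 (5. Availability risks), whose six input features are named in Section III, and shows one step of the hierarchy by feeding its output, together with the other four class-level scores, into the top-level Risk machine. The page does not give the membership functions or rule bases, so the 0..1 scale, the triangular terms and the three-rule base are assumptions; in the paper these would be elicited from experts.

```python
"""Mamdani-style fuzzy machines for two levels of the paper's hierarchy.

Added example, not the paper's Matlab or C# code. The 0..1 scale, the
triangular terms and the three-rule base are assumptions: the page names
the inputs of machine 14 and of the top-level Risk machine but gives
neither membership functions nor rules.
"""
from typing import Dict, List

# Inputs of fuzzy machine 14 (5. Availability risks) as listed on the page, shortened.
AVAILABILITY_INPUTS = [
    "5.1 latent long-term exploitation of computing resources",
    "5.2 DDoS attacks",
    "5.3 unauthorised remote access",
    "5.4 unprotected (authorised) remote access",
    "5.5 insecure email",
    "5.6 SPAM threats",
]
# Class-level inputs of the top-level Risk machine, as named on the page.
CLASS_INPUTS = [
    "1 Organisational risks",
    "2 Reputation (branding) risks",
    "3 Privacy risks",
    "4 Integrity risks",
    "5 Availability risks",
]
# Assumed linguistic terms (a, b, c of a triangle) on a 0..1 risk scale; the
# shoulders extend past the ends so 0.0 is fully 'low' and 1.0 fully 'high'.
TERMS = {"low": (-0.5, 0.0, 0.5), "medium": (0.0, 0.5, 1.0), "high": (0.5, 1.0, 1.5)}


def tri(x: float, a: float, b: float, c: float) -> float:
    """Triangular membership function with vertices a <= b <= c."""
    if x <= a or x >= c:
        return 0.0
    if x == b:
        return 1.0
    return (x - a) / (b - a) if x < b else (c - x) / (c - b)


def fuzzify(x: float) -> Dict[str, float]:
    """Degree of membership of a crisp 0..1 score in each term."""
    if not 0.0 <= x <= 1.0:
        raise ValueError(f"score {x} outside the assumed 0..1 scale")
    return {term: tri(x, *abc) for term, abc in TERMS.items()}


def infer(inputs: Dict[str, float]) -> Dict[str, float]:
    """Mamdani rule evaluation (AND = min, OR = max). Assumed rule base:
    R1: IF any input is high   THEN output is high
    R2: IF all inputs are low  THEN output is low
    R3: IF any input is medium THEN output is medium
    Returns the firing strength, i.e. the clipping level, of each output term.
    """
    fz = [fuzzify(v) for v in inputs.values()]
    return {
        "high": max(m["high"] for m in fz),
        "low": min(m["low"] for m in fz),
        "medium": max(m["medium"] for m in fz),
    }


def defuzzify(clip: Dict[str, float], steps: int = 200) -> float:
    """Centroid of the max-aggregated, clipped output terms over 0..1."""
    num = den = 0.0
    for i in range(steps + 1):
        y = i / steps
        mu = max(min(clip[t], tri(y, *TERMS[t])) for t in TERMS)
        num += y * mu
        den += mu
    return num / den if den else 0.0


def run_machine(expected: List[str], inputs: Dict[str, float]) -> float:
    """One fuzzy machine; refuses to run with a missing or unknown input."""
    if set(inputs) != set(expected):
        raise ValueError(f"expected inputs {expected}, got {sorted(inputs)}")
    return defuzzify(infer(inputs))


def availability_risk(features: Dict[str, float]) -> float:
    return run_machine(AVAILABILITY_INPUTS, features)


def overall_risk(availability_features: Dict[str, float],
                 other_classes: Dict[str, float]) -> float:
    """Machine 14 feeds the top-level Risk machine: one step of the hierarchy."""
    classes = dict(other_classes)
    classes["5 Availability risks"] = availability_risk(availability_features)
    return run_machine(CLASS_INPUTS, classes)


if __name__ == "__main__":
    # Constructed input: one severe DDoS exposure, every other feature minor.
    feats = {name: 0.1 for name in AVAILABILITY_INPUTS}
    feats["5.2 DDoS attacks"] = 0.9
    others = {c: 0.2 for c in CLASS_INPUTS if c != "5 Availability risks"}
    print(f"availability risk = {availability_risk(feats):.3f}")
    print(f"overall risk      = {overall_risk(feats, others):.3f}")
```

With this rule base a single severe feature is enough to pull the availability score well above 0.5, and that score then pulls the overall risk above the 0.2 reported for the other four classes; the same three rules and terms are reused for every machine here, whereas in the paper each of the 15 machines has its own rule base.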

The risk is calculated as

$R = P(t) \cdot S$

where $R$ is the risk, $P(t)$ is the probability of an information security threat, and $S$ is the asset value.

Since we want to correlate the different methods, we need to normalise the calculated formulas. With the vulnerability factor included,

$R = S \cdot L(t) \cdot L(v)$

where $S$ is the asset value, $L(t)$ the threat level and $L(v)$ the level (degree) of vulnerability, and the normalised risk is

$R_{norm} = \frac{S - S_{min}}{S_{max} - S_{min}} \cdot \frac{L(t) - L(t)_{min}}{L(t)_{max} - L(t)_{min}} \cdot \frac{L(v) - L(v)_{min}}{L(v)_{max} - L(v)_{min}}$
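As an added illustration of the normalisation above (not the paper's C# code), the following Python function computes R_norm with the document's symbols, rejects a degenerate scale (max equal to min, which would divide by zero), and shows that the same judgement scored on two different ordinal scales gives different raw R but the same R_norm. The 1..5 and 1..10 scales are assumptions; the page does not state the ranges it used.

```python
"""Normalised risk R_norm = prod of per-factor min-max normalisations.

Added example, not the paper's code. The ranges of S, L(t) and L(v) are
not given on the page; the 1..5 and 1..10 scales below are assumptions
chosen to show why normalisation is needed before methods are correlated.
"""
from typing import Tuple

Range = Tuple[float, float]  # (min, max) of an ordinal scale


def _unit(value: float, scale: Range) -> float:
    """Map value from [min, max] onto [0, 1]; reject degenerate or out-of-range input."""
    lo, hi = scale
    if hi <= lo:
        raise ValueError(f"degenerate scale {scale}: max must exceed min")
    if not lo <= value <= hi:
        raise ValueError(f"value {value} outside scale {scale}")
    return (value - lo) / (hi - lo)


def raw_risk(S: float, Lt: float, Lv: float) -> float:
    """R = S * L(t) * L(v), in the units of whichever scales were used."""
    return S * Lt * Lv


def normalised_risk(S: float, Lt: float, Lv: float,
                    s_scale: Range, lt_scale: Range, lv_scale: Range) -> float:
    """R_norm: each factor is normalised to [0, 1] before the product is taken,
    so the result lies in [0, 1] whatever scales the source method used."""
    return _unit(S, s_scale) * _unit(Lt, lt_scale) * _unit(Lv, lv_scale)


if __name__ == "__main__":
    five = (1.0, 5.0)   # assumed 1..5 scale used by one method
    ten = (1.0, 10.0)   # assumed 1..10 scale used by another method
    # The same 'middle of the scale' judgement gives incomparable raw scores...
    print(raw_risk(3, 3, 3), raw_risk(5.5, 5.5, 5.5))
    # ...but identical normalised scores.
    print(normalised_risk(3, 3, 3, five, five, five),
          normalised_risk(5.5, 5.5, 5.5, ten, ten, ten))
```

Because the product is taken after normalisation, R_norm reaches 1 only when all three factors sit at the top of their scales and is 0 as soon as any one factor sits at the bottom; a method whose scale has a single possible value for a factor cannot be normalised this way, which the degenerate-scale check makes explicit.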
We then conducted an experiment to assess the information security risk of the software used by several universities. In addition, these 6 LMS were evaluated by a software quality assessment expert. The results of the evaluation are given in Table 2. The assessments according to NIST 800-30, ISO/IEC TR 13335-3:1998, BS 7799 and ISREFES were conducted by auditors who are not specialists in software information security. These auditors studied the characteristics and sub-characteristics of the respective information security risk assessment methodologies and made their assessments strictly according to the rules of the methodology described. After going through the entire procedure, they entered the scores for the 6 software samples in the 2nd, 3rd, 4th and 5th columns of Table 2.
The last column of Table 2 was filled in by an expert in cryptography and software architecture who also holds the relevant certificates. When evaluating the quality of the 6 programs, the expert relied on his experience rather than on a particular method, that is, he did not use the methodologies described. In addition, this expert has worked with these software products for a long time, so he knows how to choose the best one. The expert's evaluation is therefore more objective in the sense that it is based on his personal experience with the 6 programs and on his experience in developing secure software. Next, we conducted a correlation study, which gives us an understanding of the effectiveness of our methodology; the results of the analysis are presented in Table 3. We also examine Table 2 using a statistical hypothesis test. The point of the test is to draw a strong inference about a certain property of the general population from the available sample of data, a strong inference being a statement that holds with probability close to one.
Assume that the general mean is equal to the ISREFES value. The following conditions are given: The question is whether the sample data are consistent with the hypothesis that the general mean equals ISREFES. In conventional notation, H0: µ = ISREFES.
The general approach to any statistical hypothesis test is that we cannot prove the hypothesis under test; we can only refute it. The object of the study is therefore not to confirm the standards but to look for evidence of deviation from them, that is, for the alternative hypothesis, which in our case is that the general mean does not equal ISREFES: Ha: µ ≠ ISREFES. The calculations are shown in Table 4. The observed t-criterion lay in the range −0.07758 ≤ t_fact ≤ 0.064225. Is this a lot or a little? In other words, are the sample mean (Xavg) and the general mean (ISREFES) close enough for the difference between them to be considered random, or is the t-statistic so large that the difference does not fall within the range of possible random deviation? To answer this, the observed criterion is compared with the critical value, which cuts off the unlikely events. The observed value of the t-criterion is less than the critical value, as the table clearly shows, so it falls into the acceptance region of the null hypothesis, the region where such a deviation from the general mean is frequent for the given sample size and significance level. Therefore, since the observed criterion is less than the critical one, the null hypothesis is not rejected, which does not mean it is proved. The t-criterion is, however, quite far from the critical region.
But could there be a difference between the means after all, which we simply failed to detect? We tested the same hypothesis another way, with a p-value. The p-value is the probability of obtaining the observed or an even larger criterion, provided the null hypothesis is true. The p-value is greater than the chosen significance level, so the null hypothesis cannot be rejected at 0.05; at this significance level and sample size we do not reject the null hypothesis, although we do not prove it. As a further test, we artificially increased the number of samples to 30 (n = 30, d.f. = 29). The calculation data are shown in Table 5. Increasing the sample reduced the variance of the mean and hence increased the sensitivity of the criterion: with 29 degrees of freedom the scatter of the criterion narrowed considerably, i.e. the test became more powerful. The sample mean, which is unchanged, still did not fall within the critical range, and the p-value remained quite large. Note that padding the sample in this way adds no new observations: the sample mean and the relative spread of the scores are the same as for the 6 original scores and only the standard error of the mean shrinks, so this step shows how the criterion would behave at a larger sample size rather than providing additional evidence. The null hypothesis that the sample mean and the general mean are equal is not rejected, and on this statistical basis we conclude that the ISREFES methodology is consistent with the reference methods. The main point is to use the concept of "risk" as the main indicator, with Risk divided at the level below into Organisational risks, Reputation (branding) risks, Privacy risks, Integrity risks and Availability risks. Fuzziness gives the flexibility in the impact characteristics and removes the rigid coefficients of influence on the final estimate.
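The following is an added worked example of the one-sample t-test used above, not the paper's calculation. Because Table 2 is not reproduced on the page, the six scores and the reference mean are constructed; the critical values are the standard two-sided 5% points of Student's t for 5 and 29 degrees of freedom. The example also makes the sample-padding step explicit: repeating the six observations five times leaves the mean unchanged, shrinks only the standard error, and multiplies the t-statistic by exactly sqrt(29/5), so the n = 30 result is a deterministic rescaling of the n = 6 result rather than new evidence.

```python
"""One-sample t-test as used on the page, with the sample-padding caveat.

Added example, not the paper's calculation. Table 2 is not reproduced on
the page, so the six scores and the reference mean mu0 used below are
constructed. The two critical values are the standard two-sided 5% points
of Student's t for 5 and 29 degrees of freedom.
"""
import math
from typing import List, Tuple

# Two-sided 5% critical values of Student's t for df = 5 (n = 6) and df = 29 (n = 30).
T_CRIT_05 = {5: 2.571, 29: 2.045}


def one_sample_t(sample: List[float], mu0: float) -> Tuple[float, float, int]:
    """Return (t statistic, sample mean, degrees of freedom) for H0: mu = mu0."""
    n = len(sample)
    if n < 2:
        raise ValueError("need at least two observations")
    xbar = sum(sample) / n
    ss = sum((x - xbar) ** 2 for x in sample)      # sum of squared deviations
    se = math.sqrt(ss / (n - 1) / n)               # standard error of the mean
    if se == 0.0:
        raise ValueError("zero variance: t statistic is undefined")
    return (xbar - mu0) / se, xbar, n - 1


def rejects_h0(t: float, df: int) -> bool:
    """Two-sided decision at the 5% level against the tabulated critical value."""
    return abs(t) > T_CRIT_05[df]


def replicate(sample: List[float], copies: int) -> List[float]:
    """Pad the sample by repeating it, as the page does to reach n = 30."""
    return sample * copies


def inflation_factor(n: int, copies: int) -> float:
    """Factor by which |t| grows when the same n points are repeated 'copies' times.

    The mean is unchanged and the sum of squares scales with the copies, so
    only the standard error shrinks: t_new = t_old * sqrt((copies*n - 1) / (n - 1)).
    """
    return math.sqrt((copies * n - 1) / (n - 1))


if __name__ == "__main__":
    scores = [0.62, 0.58, 0.71, 0.65, 0.60, 0.68]  # constructed, not Table 2
    mu0 = 0.63                                      # constructed reference mean
    t6, xbar6, df6 = one_sample_t(scores, mu0)
    t30, xbar30, df30 = one_sample_t(replicate(scores, 5), mu0)
    print(f"n=6:  t={t6:.3f}  crit={T_CRIT_05[df6]}  reject={rejects_h0(t6, df6)}")
    print(f"n=30: t={t30:.3f} crit={T_CRIT_05[df30]}  reject={rejects_h0(t30, df30)}")
    print(f"mean unchanged: {xbar6:.3f} == {xbar30:.3f}; |t| scaled by {t30 / t6:.3f}")
```

The check on `se == 0.0` matters in practice: if an auditor gives every sample the same score, the t-statistic is undefined rather than "infinitely significant", and the test should be reported as inapplicable.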

V. CONCLUSION
This paper proposes a new method of information security risk assessment. The method is based on fuzzy logic using the Mamdani algorithm. The constructed fuzzy expert system has an extended classification of risk assessment criteria based on the analysis of the above-mentioned standards. On the basis of an interdisciplinary analysis of the above-mentioned studies and standards, we compiled a list of 50 IS risks that can be used in the practical activities of an enterprise, since the neutralisation (elimination, minimisation) of IS risks is the essence and content of the process of ensuring the IS of the enterprise. The list can also be used to build threat models from which the tasks of creating an ISS are derived, and the list of specific risks can be used to assess the impact of the IS measures taken on the effectiveness of the enterprise. The fuzzy method makes the calculations flexible, since the number of parameters, which is rigidly defined at the initial stage, grows continually. The results and conclusions of the experiments confirm the correctness of the developed method: ISREFES showed correlation coefficients above 0.99 with NIST 800-30, ISO/IEC TR 13335-3:1998, BS 7799 and the expert evaluation, the strongest positive correlation, whereas the other evaluation techniques show only one correlation above 0.99 if ISREFES is excluded from the sample. Fuzziness adds flexibility to the evaluation. This methodology can be used to assess the information security risks of any complex automated management system (socially significant ERP system) used in other areas, such as the banking sector or medical information systems. The only disadvantage of these methods is the high labour intensity of the expert evaluation.