Fuzzy model for assessing information security risks and maintaining the level of security of ERP-systems

DOI: 10.31673/2412-4338.2020.011451

Authors

  • А. В. Міщенко (Mishchenko A. V.), Municipal Enterprise “International Airport “Kyiv” (Zhuliany)”, Kyiv
  • О. В. Курило (Kurylo O. V.), State University of Telecommunications, Kyiv
  • О. А. Золотухіна (Zolotukhina O. A.), State University of Telecommunications, Kyiv

Abstract

The work addresses the use of a fuzzy model to assess information security risks and to maintain the level of security of ERP systems. The information security requirements for ERP systems are reviewed, and their security problems and vulnerabilities are analysed. The main factors influencing the risk assessment are identified. Because the information available on most of these factors is qualitative, imprecise and largely uncertain or incomplete, a linguistic approach is proposed for describing them. This approach yields a quantitative description of the model elements even when only fuzzy information about the values of the risk factors is available, and it simplifies the subsequent ranking of risk factors and the numerical calculation of their consequences. A fuzzy production model for assessing the information security risk of ERP systems is developed; it evaluates risk from four factors: resource value, the impact of the consequences on the resource, the probability of a threat, and resource vulnerability. The fuzzy production rule base has a multiple-input, single-output (MISO) structure. The model is implemented in MATLAB with the Fuzzy Logic Toolbox, using the Sugeno algorithm for fuzzy inference. Simulation of the risk assessment process showed that the scores produced by the proposed model agree closely with expert estimates. The proposed approach can be used both to assess specific types of information security risk of an ERP system and to assess the overall information security risk of the ERP system.
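The abstract describes the mechanics of the model but not its parameters, so the following is an added, illustrative implementation of the same scheme, not the authors' MATLAB/Fuzzy Logic Toolbox model: four inputs on [0, 1] (resource value, impact of consequences, threat probability, resource vulnerability), three linguistic terms per input, a MISO rule base, and zero-order Sugeno inference (weighted average of constant consequents). The triangular membership functions, the five output constants and the ordinal scheme used to generate the 81 rules are all assumptions made here for the example; in practice the generated rule table would be replaced by expert-elicited rules.

```python
"""Zero-order Sugeno fuzzy inference for ERP information-security risk.

Illustrative implementation, not the paper's MATLAB model. Four inputs on
[0, 1]: resource value, impact of consequences, threat probability and
resource vulnerability. Each input has three linguistic terms (low, medium,
high) with triangular membership functions. The rule base is MISO: every
rule has four antecedents and one constant consequent.
"""
from itertools import product

INPUTS = ("value", "impact", "threat", "vulnerability")
TERMS = ("low", "medium", "high")

# Triangular membership parameters (a, b, c): rises from a, peaks at b,
# falls to c. Assumed shapes; they form a partition (terms sum to 1).
MF = {
    "low": (0.0, 0.0, 0.5),
    "medium": (0.0, 0.5, 1.0),
    "high": (0.5, 1.0, 1.0),
}

# Constant consequents of the zero-order Sugeno rules (assumed values).
RISK_LEVELS = {
    "negligible": 0.05,
    "low": 0.25,
    "medium": 0.50,
    "high": 0.75,
    "critical": 0.95,
}


def triangular(x, a, b, c):
    """Membership of x in a triangular set with vertices a <= b <= c.

    Handles the shoulder cases a == b and b == c without dividing by zero.
    """
    if x == b:
        return 1.0
    if x < b:
        return 0.0 if x <= a else (x - a) / (b - a)
    return 0.0 if x >= c else (c - x) / (c - b)


def fuzzify(x):
    """Return {term: membership} for a crisp input clamped to [0, 1]."""
    x = min(1.0, max(0.0, x))
    return {t: triangular(x, *MF[t]) for t in TERMS}


def build_rule_base():
    """Generate all 3**4 = 81 MISO rules: antecedent terms -> risk level.

    Assumed construction: ordinal score = sum of term ranks (low=0,
    medium=1, high=2), bucketed into five levels. An expert-elicited
    rule base would replace this table in a real assessment.
    """
    rules = {}
    for combo in product(range(3), repeat=4):
        score = sum(combo)
        if score <= 1:
            level = "negligible"
        elif score <= 3:
            level = "low"
        elif score <= 5:
            level = "medium"
        elif score <= 7:
            level = "high"
        else:
            level = "critical"
        rules[tuple(TERMS[i] for i in combo)] = level
    return rules


RULES = build_rule_base()


def assess_risk(value, impact, threat, vulnerability, rules=RULES):
    """Zero-order Sugeno inference with product as the AND operator.

    Returns (risk_score, fired); fired lists (antecedent, level, weight)
    for every rule with non-zero firing strength, strongest first, so the
    assessor can see which rules drove the score.
    """
    memberships = [fuzzify(v) for v in (value, impact, threat, vulnerability)]
    num = den = 0.0
    fired = []
    for antecedent, level in rules.items():
        w = 1.0
        for term, mu in zip(antecedent, memberships):
            w *= mu[term]
            if w == 0.0:
                break
        if w > 0.0:
            num += w * RISK_LEVELS[level]
            den += w
            fired.append((antecedent, level, w))
    if den == 0.0:
        # Only reachable with a partial, hand-written rule base.
        raise ValueError("no rule fired: rule base does not cover the input")
    return num / den, sorted(fired, key=lambda r: -r[2])


def risk_label(score):
    """Map a crisp score back to the nearest linguistic risk level."""
    return min(RISK_LEVELS, key=lambda k: abs(RISK_LEVELS[k] - score))


if __name__ == "__main__":
    # Constructed sample: valuable, high-impact asset, certain threat,
    # vulnerability rated between medium and high.
    score, fired = assess_risk(0.75, 0.75, 1.0, 1.0)
    print(f"risk = {score:.3f} ({risk_label(score)})")
    for antecedent, level, w in fired:
        print(f"  IF {antecedent} THEN {level}  (w={w:.2f})")
```

Because the three terms form a partition of [0, 1] and the generated rule base is complete, the firing strengths always sum to 1 and the score is a plain convex combination of the consequents; the `ValueError` guard only matters once the generated table is replaced by a partial expert rule set, which is exactly when a silent division by zero would hide a coverage gap.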

Keywords: ERP-system, information security threats, information security risks, fuzzy model, production model, fuzzy inference.


Published

2020-08-03

Section

Articles