Development and Implementation of an Advanced Fuzzy Expert System for the Assessment of Information Security Risks

Abstract

This research paper describes an improved fuzzy expert system for assessing information security (IS) risks. More and more organizations are facing significant IS problems. These problems arise in protecting corporate information systems from these threats. Traditional IS risk assessment methodologies often have difficulties. Difficulties arise in eliminating ambiguity and uncertainty that are characteristic of these dynamic environments. This study presents a new approach using fuzzy logic. Fuzzy logic is used to accurately identify and evaluate the subtle intricacies of each IS risk factor. Using linguistic variables and fuzzy sets, the proposed system effectively reproduces the reasoning processes. This research paper delineates the formulation of an advanced fuzzy expert system aimed at enhancing IS risk assessments amidst the evolving complexity of cyber threats. By utilizing linguistic variables and fuzzy sets, the proposed system effectively replicates human-like reasoning processes. This allows for a flexible and dynamic framework for risk assessment. This methodology is characterized by the effective integration of both qualitative and quantitative data, resulting in a comprehensive risk assessment model. The usefulness of this model is validated by its application in learning management systems. The systems evaluated include Platonus, SmartENU, Directum, MOOCENU, KPI, and a university website. Quantitative evaluations were conducted according to standards such as NIST 800-30, ISO/IEC 27001, BS 7799, and a proposed model, yielding scores that range from 0.205 to 0.998 across different criteria and systems. Correlation analysis between the standards and the expert-proposed model revealed high consistency, with correlation coefficients ranging from 0.994 to 0.996. These results underline the robustness of the proposed model in aligning closely with established IS standards and suggest its potential for broader application in IS risk assessment.

Received: 30 October 2024 | Revised: 17 February 2025 | Accepted: 10 March 2025

Conflicts of Interest

The authors declare that they have no conflicts of interest to this work.

Data Availability Statement

Data available on request from the corresponding author upon reasonable request.

Author Contribution Statement

Alibek Barlybayev: Conceptualization, Methodology, Validation, Formal analysis, Investigation, Resources, Data curation, Writing – original draft, Writing – review & editing, Supervision, Project administration, Funding acquisition. Alua Turginbayeva: Methodology, Software, Validation, Resources, Data curation, Visualization.