Incidents Correlation Mechanism for Assessing Average and Total Criticality Level of Situation in the Infosphere 1 [0000-0002-2974-6987] 1 [0000-0001-5271-0248] Andrii Gizun , Alexey Pisarchuk , 1 [0000-0002-1408-5805] 2 [0000-0002-4055-1494] Vladyslav Hriha , Volodymyr Buriachok 3 [0000-0002-8341-9645] and Rat Berdibayev 1 National Aviation University, Kyiv, Ukraine 2 Borys Grinchenko Kyiv University, Kyiv, Ukraine 3 Almaty University of Power Engineering and Telecommunications, Almaty, Kazakhstan andriy.gizun@gmail.com Abstract. Today, the methods of incidents / potential crisis situations detecting and their criticality level assessing are proposed. However, these methods do not describe simultaneous occurrence of several crisis situations and determining of the average and total criticality level. In this paper the correlation issues of several events - security incidents – are reviewed and the mechanism for calculating an average and total criticality level of incidents is proposed. A mechanism basis of events correlation, as well as crisis management methods itself, includes Delphi methods and fuzzy logic model. Proposed mechanism appliance will allow the simultaneous occurrence of several incidents to be taken into account and assess their average and total impact on the information system. Keywords: crisis situation, information security management, correlation, business continuity management concept, mechanism, criticality level, impact, fuzzy logic. 1. Introduction The onrush of information technology (IT), along with an increase of communication and information processing capabilities, generates a significant increase in the number of incidents / potential crisis situations, which are described in international statistical reports and materials [1]. Crisis situations (CS) response problem in IT field is extremely important, though not yet sufficiently understood. Today, the role of crisis phenomena response systems in the process of managing and maintaining the enterprises viability, institutions and organizations of all ownership forms is constantly increasing. At the same time, protection not from catastrophic, but, more likely, emergency situations becomes more and more actual. In [2-4] describes methods for detecting, identifying incidents / potential crisis situations (IPCSs), and assessing the incidents criticality level based on fuzzy logic and Delphi methods. Fuzzy logic methods for solving similar problems are also used Copyright © 2020 for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0). CybHyg-2019: International Workshop on Cyber Hygiene, Kyiv, Ukraine, November 30, 2019. in [5]. Paper [6] describes the integrated model of IPCS representation. On the basis of these methods a computing complex [7], which implements IPCS control processes, is developed. In addition, it is worth noting that a system with a similar mechanism of work, described in [9]. However, these works do not take into account the simultaneous occurrence situation of several (two or more) IPCSs, their reconciling and determination of the average and total criticality level. Therefore, the main purpose of this article is to develop a mechanism for correlating information security incidents and to determine an average and total criticality level of their impact on information system using fuzzy logic methods. 2. Incidents correlation mechanisms, average and total criticality level determination For the formalization of forecasting, detection, identification and assessing processes, n we introduce the following set of IPCSs: IКS  { IКS i }  i 1 {IКS1 , , IКSn }, (i  1, n) , where n determines the number of potential і CS, in other words incidents. that can lead to a crisis state, each of which is represented as a generalized six-component tuple [6]: IКSi   IKSi , Pi , Tie , Pi , ER i , LCSi  , in ~ which: IKSi – identifier of i -th IPCS, which is (or may become) the cause of CS occurrence; Pi – a subset of possible parameters used for forecasting or identification of i -th incident; Tie – a subset of all possible fuzzy (linguistic) standards that reflect the standard states of the corresponding parameters from the Pi subset; Pi – a subset ~ of the parameters current values for a certain period of time; ER i – a subset of heuristic rules (similar to [8]) based on fuzzy parameters that are used to detect / identify the i -th IPCS; LCSi – situation criticality level, caused by i -th IPCS. A detailed description of the procedure for detecting, identifying the IPCS, is described in [3]. The revealed situation refers to the crisis one only if its criticality level is higher than average or bigger, that is LCSi  BC e . Otherwise, the incident either remains out of place (at a sufficiently low criticality level) or is responding to it in order to control and eliminate it as a normal information security incident. Each incident is characterized by a criticality level that is given by a set n LCS  { LCSi }  {LCS1 ,…,LCS n }, (i  1, n) . Criticality level is determined by the i 1 ~ ~ ~ parameters of a situation criticality assessing, taking into account their weight E ~ i   (e *L coefficients, that is LCS ~e ) . It is established that a criticality level can be e 1 described by taking into account the functional dependencies between ~L e – parameters of criticality level assessing. A detailed method for criticality level assessing and the set of estimated parameters are described in [2]. The disadvantage of this model is a failure to take into account the mutual influence of incidents, which coincide in time, on the information system environment. Since one or another IPCS is characterized by a set of critical parameters that determine the degree of incident impact on the environment in a certain aspect, each one of IPCSs can increase the overall level of influence on the system depending on the magnitude of their correlation with each other. Thus, the correlation coefficient establishes dependency between different IPCSs and can reach values from 0 to 1. Moreover, IPCSs that have a homogeneous effect on the controlled environment have a correlation coefficient of 1, and IPCSs that affect the environment in various aspects and their interdependence is not manifested at all in the general criticality level determination, have the correlation coefficient value of 0. Therefore, correlated IPCSs increase the effect of each other's influence on the environment, which can be represented as the average and total criticality level with taking into account their interdependence, and not correlated IPCSs cause impact, the level of which can be assessed only separately for each incident. Proceeding from these positions, we will propose application in the IPCS model and method for criticality level assessing of the correlation mechanism for a current situation. This mechanism is based on certain common criteria of criticality level for different IPCSs, additionally the higher the number of identical parameters is, the higher the correlation coefficient will be. So each incident can be estimated by applying a general set of criticality level estimation parameters that are proposed in [2]. The number and composition of the characteristic parameters for each IPCS can have different values and is determined by the experts. Mechanism itself has several stages, in particular: 1) Determination of the IPCS number, with which operations are performed, and sets of evaluative parameters for each of them. 2) Determination of the main and dependent IPCSs. In this case, write ordering of IPCSs set varies is in such a way that the main incident has the 1st number. 3) Determination of the correlation coefficients for each dependent and main IPCSs respectively. Let’s consider each of these steps. The main element of the integrated IPCSs representation model is an IKSi identifier that binds a IКS set element to a specific incident, which is determined by its corresponding name. For example, if n=5 we obtain 5 IКS  { IКS i }  {IКS1 , IКS 2 , IКS 3 , IКS4 , IКS5 }  A, B, C, D, E , where i 1 A,B,C,D,E – incidents names. Accordingly each of these incidents is characterized by N E  N its sets of evaluation parameters Li   Le   ~  ~L1 ,~L2 ,..., ~LE , e  1, E , where i 1  e 1 i 1 Е – number of parameters. For example, under conditions study for an incident A at Е=15,  15  L A   Le    L1 , L2 ,..., L15   { TR, DVF , GS , OS , OLED, RD, RTLH , RM , F ,  e 1 ~  ~ ~ ~ DDI , CRT , CRP, LM , DIEPF , DVChS }. In order to determine dependency between IPCSs, we introduce two categories of events: the main and dependent incidents. There are two ways to allocate and assign the value of the main and dependent events, such as: 1) by time - the IPCS, which was detected first, acquires the status of the main while all the others - dependent IPCSs; 2) by the criticality level - the status of the main IPCS is assigned to the incident with the highest criticality level or selected by an expert or system operator, the user, based on the position of which CS aspects he considers the most threatening. For example, if human life is a priority, then IPCS that is most threatened in this aspect or criticality of information systems operation - IPCSs which interrupt these processes or reduce the quality of their provision, will be selected as the main one. Of course, the 2nd method is more prioritized, since in that case there is no danger of ignoring the critical aspects of the IPCS influence on the controlled environment. Correlation coefficient shows same aspects of the impact of different IPCSs and is determined by the number of common parameters between main and dependent events. Proposed mechanism is based on a consistently determined coefficient of correlation between the main and each dependent IPCSs using the formula | (Lосн  Lзалi ) | K IKSосн IKS зал  , (1) i | Lзалi | until all dependencies between IPCSs are taken into account, and moreover Lосн is a set of evaluation parameters of main IPCS and L зал is a set of estimation parameters of dependent IPCSs. Next, let's unravel the problem of determining the average and total criticality levels for a set of detected IPCSs. Note that each of these procedures can be carried out both by taking into account the correlation between incidents and without it. Thus, an average criticality level can characterize the situation formed from the point of view of its development in the time perspective, in particular for the formation of forecasts for longer development. To determine an average criticality level of a situation that arose from several simultaneous incidents influence we will use the following formulas: - without taking into account a correlation coefficient 1 N LCS сер   LCSi , (2) ~ N i 1 ~ where LCSсер is average criticality level of several IPCSs with taking into account a ~ dependancy between them, LCSосн is criticality level of a main IPCS, LCS i - is ~ ~ criticality level of і-th IPCS, N - is total number of incidents. - with taking into account a coefficient of correlation, which will allow to assess criticality level in a particular aspect of identified IPCSs manifestation N 1 К LCSсер  ( LCSосн   K IKSосн IKS заг * LCSi ) , (3) ~ N ~ i2 i ~ where LCSсер is an average criticality level of several IPCSs with taking into account ~ a dependency between them, LCSосн is criticality level of a main IPCS, LCS i - is ~ ~ criticality level of other (dependent) IPCSs and K IKSосн IKS заг is a correlation coefficient i between a main and corresponding dependent IPCSs, N - is total number of incidents. Schematically, the process of finding an average IPCS criticality level and a corresponding correlation coefficients is shown in Figure 1. Total criticality level of the situation that arose as a result of a set of incidents impact is important for choosing the appropriate responses to them. This is due to the fact that countermeasures selected for only one IPCS will not be sufficient to neutralize a set of them, since each incident brings its part to a general growing level. If criticality level of a single incident is estimated between 0 to 100 points, then the total amount is likely to exceed 100 points. This situation is unacceptable. Obviously, in this case, the definition of a total level can not be carried out by the banal addition of individual IPCSs criticality levels. Let's use this Shortliffe formula, which is used to determine the degree of trust for two or more interconnected evidences in decision-making performed by expert systems. Having replaced the "measure of confidence" in it with "criticality level", we can use it for our problem. We determine the formula for n-value of IPCS criticality level. So, for 2 IPCSs we will have LCS12  LCS1  LCS2 (1- LCS1 ) or because the formula is symmetric ~ ~ ~ ~ LCS12  LCS 2  LCS1 (1  LCS 2 ) . For 3 IPCS - LCS123  LCS 3 + LCS12 ~ ~ ~ ~ ~ ~ ~ (1 - LCS 3 ) . Substituting in the last expression an analytical records of finding LCS12 , ~ ~ and having carried out algebraic transformations we obtain an expression for the calculation of a total criticality level of 3 IPCSs LCS123 = LCS4 ++LCS2 (1- LCS3 )(1- LCS4 )+ LCS1 (1- LCS 2 )(1- LCS3 )(1- LCS4 ) . ~ ~ ~ ~ ~ By summarizing and systematizing we will formulate a formula for determining a total criticality level for n incidents (potential crisis situations) without a correlation between them N 1 N LCSсум  LCS N   LCSi  (1 - LCSi ) , (4) ~ ~ i 1 ~ i=i+1 ~ where LCSсум - is total criticality level of several IPCSs without taking into account a ~ dependency between them (correlation), LCS i is criticality level of і-th IPCS, N is ~ total number of incidents. Similarly to an average criticality level value we can apply mechanism of events correlation to the detected IPCSs. Then a criticality level, with taking into account a dependency between individual incidents in the aspect of their influence, is calculated by the formula N 1 N K LCSсум  LCS NK   LCSіK  (1- LCSіK ) , (5) ~ ~ i 1 ~ i=i+1 ~ K where LCSсум is total criticality level of several IPCSs with taking into account a ~ correlation between them, N is total number of incidents, LCSіK  K IKSосн IKSзаг * ~ i LCSi , i  2,N is criticality level of correlated і-th IPCS , LCS1K  LCSосн , N is ~ ~ ~ total number of incidents. 3. Experimental research of correlation mechanisms, average and total criticality level determination Let’s consider the work of events correlation mechanisms and assessting of the situation total and average criticality levels, which was formed under the influence of several IPCSs in an example. Let A, B, C, D and E be the identifiers of incidents, where А – Change of climatic conditions in the server, В – Network denial of service attack, С – Theft of equipment and media, D – Network hack by the violator, Е – Flood. First, we need to define the sets of estimation parameters that correspond to each of them in order to detect a dependency between these IPCSs. Thus the change of climatic conditions in the server is characterized by such a set of estimating parameters: L A  { TR – L1 ; DVF – L2 ; OS – L4 ; OLED – L5 ; DDI – L10 ; CRT – L11 ; CRP – L12 } . Similarly for a network denial of service attack: LB  { TR – L1 ; DVF – L2 ; OS – L4 ; OLED – L5 ; F – L9 ; DDI – L10 ; CRT – L11 ; CRP – L12 ; DVChS – L15 } . For stealing of equipment and media: LC  { DVF – L2 ; OS – L4 ; OLED – L5 ; F – L9 ; DDI – L10 ; DVChS – L15 } . Network hack by a violator is characterized by a set L D  { TR – L1 ; DVF – L2 ; OS – L4 ; F – L9 ; CRT – L11 ; CRP – L12 ; DVChS – L15 } . And the last IPCS is a flood: LE  { TR – L1 ; DVF – L2 ; GS – L3 ; OLED – L5 ; RTLH – L7 ; F – L9 ; DDI – L10 ; RTLH – L7 ; CRP – L12 } . During the experimental research IPCSs were simulated and evaluated using the CSAS software [7] in a fuzzy and crisp form as shown in Table 1. Table 1. IPCS assessment results IPCS Criticality level FN A 60 points or 0,6 0/0,4; 1/0,6; 0/0,8 B 80 points or 0,8 0/0,6; 1/0,8; 0/1 C 30 points or 0,3 0/0,1;1/0,3;0/0,5 D 40 points or 0,4 0/0,2; 1/0,4; 0/0,6 E 50 points or 0,5 0/0,3; 1/0,5; 0/0,7 Let’s assume that expert has selected a theft of equipment and media as the main IPCS, since the main emphasis in the organization's activities is to ensure the information confidentiality. Then LCSC  LCSосн  LCS1 , LCS А  LCSзал2  LCS2 , ~ ~ ~ ~ ~ ~ LCSB  LCSзал3  LCS3 , LCSD  LCSзал4  LCS4 , LCSE  LCSзал5  LCS5 . ~ ~ ~ ~ ~ ~ ~ ~ ~ Let’s calculate the correlation coefficients for the selected dependent events using the expression (1): | (Lосн L зал2 ) | | (L C L D ) | 4 K12 = K C А = K IKSосн IKS зал    , K13 = K C B = 2 | L зал2 | | LD | 7 | (L C L B ) | 6 2 | (L C L A ) | 4 K IKSосн IKS зал    , K14 = KC D = K IKSосн IKS зал   , 3 | LB | 9 3 4 | LA | 7 | (L C L E ) | 3 K15 = K C E = K IKSосн IKS зал   . 5 | LE | 8 Thus, all correlation coefficients for this set of 5 IPCSs are calculated. Let’s calculate an average criticality level without taking into account the interdependencies between individual IPCSs, using the formula (2). 1 LCSсер  (LCS1 + LCS2 + LCS3 + LCS4 + LCS5 ) = (1/5) * ({0/0,1;1/0,3;0/0,5} + ~ 5 ~ ~ ~ ~ ~ {0/0,2; 1/0,6; 0/0,8} + {0/0,6; 1/0,8; 0/1} + {0/0,2; 1/0,4; 0/0,6} + {0/0,3; 1/0,5; 0/0,7}) = (1/5)({0/0,3; 0/0,7; 0/0,9; 0/0,5; 1/0,9; 0/1,1; 0/0,7; 0/1,1; 0/1,3}+{0/0,6; 1/0,8; 0/1} + {0/0,2; 1/0,4; 0/0,6} + {0/0,3; 1/0,5; 0/0,7}) = (1/5)({0/0,7; 1/0,9; 0/1,1}+{0/0,6; 1/0,8; 0/1} + {0/0,2; 1/0,4; 0/0,6} + {0/0,3; 1/0,5; 0/0,7}) = (1/5)({0/1,3; 0/1,5; 0/1,7; 0/1,5; 1/1,7; 0/1,9; 0/1,7; 0/1,9; 0/2,1}+{0/0,2; 1/0,4; 0/0,6} + {0/0,3; 1/0,5; 0/0,7}) = (1/5)({0/1,5; 1/1,7; 0/1,9}+{0/0,2; 1/0,4; 0/0,6} + {0/0,3; 1/0,5; 0/0,7}) = (1/5)({0/1,5; 1/1,7; 0/1,9}+{0/0,2; 1/0,4; 0/0,6} + {0/0,3; 1/0,5; 0/0,7}) = (1/5)( {0/1,7; 0/1,9; 0/2,1; 0/1,9; 1/2,1; 0/2,3; 0/2,1; 0/2,3; 0/2,5}+ {0/0,3; 1/0,5; 0/0,7}) = (1/5)({0/1,9; 1/2,1; 0/2,3}+ {0/0,3; 1/0,5; 0/0,7}) = (1/5)({0/2,2; 0/2,4; 0/2,6; 0/2,4; 1/2,6; 0/2,8; 0/2,6; 0/2,8; 0/3}) = (1/5)({0/2,4; 1/2,6; 0/2,8}) = {0/0,48; 1/0,52; 0/0,56} or after defuzzification LCSсер  0,52 or 52 points ~ on a 100-point scale. In order to determine the average value of criticality level for a particular aspect, it is usually necessary to apply a correlation mechanism on some particular most important characteristic. Since the system [7] allows us to present results in a fuzzy and crisp form, we will continue to make calculations to simplify computations using the instrument of ordinary (crisp arithmetic). Let’s determine an average criticality level of the current situation by the expression (3). 5 1 К LCSсер  ( LCS1   K IKSосн IKS заг * LCSi ) = (1/5)* (0,3 + (4/7)*0,6) + (2/3)*0,8 + ~ 5 ~ i2 і ~ (4/7)*0,4 + (3/8)*0,5) = 0,32 or 32 points on a 100-point scale. Let's analyze the correctness of a mechanism usage for determining a total criticality level of a situation depending on taking in account the mutual incidents correlation. Let’s calculate a total criticality level without taking into account the interdependencies between individual IPCSs, using the formula (4). 4 5 LCS сум  LCS5   LCSi  (1 - LCS i ) = 0,5 + 0,3 ((1-0,6)(1-0,8)(1-0,4)(1-0,5)) + ~ ~ i 1 ~ i=i+1 ~ 0,6 ((1-0,8)(1-0,4)(1-0,5)) + 0,8((1-0,4)(1-0,5)) + 0,4 (1-0,5) = 0,5 + 0,0072 + 0,036 + 0,24 + 0,2 = 0,9832 or 98 points on a 100-point scale. Let’s apply a mechanism of incidents correlation in order to determine a total criticality level of a situation as a result of their complex influence. Let’s determine a total criticality level of a current situation in terms of expression (5), and a correlation coefficients apply the same as in a previous example, and the input data from Table. 1 Accordingly LCS2K  K12 * LCS2 , LCS3K = K13 * LCS3 , LCS4K = K14 * LCS4 , ~ ~ ~ ~ ~ ~ LCS5K  K15 * LCS5 і LCS1K = LCS1 . ~ ~ ~ ~ 4 5 K Thus LCSсум  LCS 5K   LCSіK  (1- LCSіK ) = (3/8)0,5 + 0,3((1-(4/7)0,6)(1- ~ ~ i 1 ~ i=i+1 ~ (2/3)0,8)(1-(4/7)0,4)(1-(3/8)0,5)) + (4/7)0,6 ((1-(2/3)0,8)(1-(4/7)0,4)(1-(3/8)0,5)) + (2/3)0,8((1-(4/7)0,4)(1-(3/8)0,5)) + (4/7)0,4(1-(3/8)0,5) = 0,1875 + 0,0577 + 0,1003 + 0,3343 + 0,1857 = 0,8655 or 87 points on a 100-point scale. As we can see, a total and average criticality level value with taking into account a correlation between incidents is lower than without taking into account, which is explained by the allocation of a specific aspect of impact assessment, under the experimental conditions - preserving the information resources confidentiality. Thus, the effect that generates a violation of other characteristics in these calculations is not taken into account. To check a proposed mechanism adequacy, let’s check the results correctness in output as a form of criticality levels input data of all detected incidents, which are 0 (minimum level) and 1 (maximum level) (Tab. 2). Table 2. IPCS assessment results Criticality level Criticality level IPCS minimum maximum A 0 100 points or 1 B 0 100 points or 1 C 0 100 points or 1 D 0 100 points or 1 E 0 100 points or 1 Obviously when a criticality level of all IPCSs will be 0 points, then LCS сер  ~ К LCSсер  0 and LCSсум  LCSсум К 0. ~ ~ ~ Let’s consider the situation that arises under the incidents influence with criticality maximum. We calculate an average (by the formula (2)) and a total (by formula (4)) criticality level of the situation without taking into account correlation coefficients of incidents in this case: 1 LCSсер  (LCS1 + LCS2 + LCS3 + LCS4 + LCS5 ) = 1/5(1+1+1+1+1) = 1 or 100 ~ 5 ~ ~ ~ ~ ~ 4 5 points and LCSсум  LCS5   LCSi  (1- LCS i ) = 1 + 1 ((1-1)(1-1)(1-1)(1-1)) + ~ ~ i 1 ~ i 2 ~ 1((1-1)(1-1)(1-1)) + 0,8((1-1)(1-1)) + 1(1-1) = 1 or 100 points.. Let’s perform similar calculations with taking into account an incidents correlation interdependence according to formulas (3) and (5), respectively: 5 1 К LCSсер  ( LCS1   K IKSосн IKS заг * LCSi ) = (1/5)* (1 + (4/7)*1) + (2/3)*1 + (4/7)*1 ~ 5 ~ i2 і ~ + (3/8)*1) = 0,64 or 64 points on a 100-point scale and 4 5 K LCSсум  LCS 5K   LCSіK  (1 - LCS іK ) = (3/8) + (1-(4/7))(1-(2/3))(1-(4/7))(1- ~ ~ i 1 ~ i 2 ~ (3/8)) + (4/7)(1-(2/3))(1-(4/7))(1-(3/8)) + (2/3)(1-(4/7))(1-(3/8)) + (4/7)(1-(3/8)) = 0,375 + 0,038265 + 0,05102 + 0,178571 + 0,357143 = 1 or 100 points on a 100- point scale. As can be seen, the obtained results are quite correct and do not exceed the scope of admissible values 0; 1 , which confirms the adequacy of developed mechanisms. 4. Сonclusions The proposed correlation mechanism, the main stages of which are: 1) selection of IPCS and estimating parameters sets from the general set which characterize their influence on the environment; 2) the choice of the main and dependent IPCSs, as well as the corresponding change in the incidents numbering in a system; 3) determination of the correlation coefficient of each dependent IPCSs with the main one, that determines the interdependence between them. The obtained correlation coefficients can be used to calculate the average and total criticality levels of a situation that arose under the influence of several interrelated and simultaneous incidents (potential crisis situations). The basis of the mechanism, as well as in the methods of detection and evaluation of IPCSs, are methods of fuzzy logic and Delphi method. The correlation coefficients determine the common impact features of each incident on the protected system or environment and are determined by comparing the criticality level assessment parameters of each IPCS. The practical and scientific significance of this mechanism is the ability to evaluate the simultaneous impact of several IPCSs in a certain aspect on the state of the controlled environment. In addition, the determination of the average criticality level will allow to assess the situation from the statistical point of view and make forecasts for its further development. A total criticality level allows to choose a countermeasures that is adequate to a level of risk. And the application of incidents correlation mechanism allows to calculate a situation criticality level in a specific aspect of information, national or other security [21-24]. References 1. Gizun, A., Hriha, V., Roshchuk, M., Yevchenko, Y., Hu, Z. (2019). “Method of informational and psychological influence evaluation in social networks based on fuzzy logic”. 4th International Scientific-Practical Conference Problems of Infocommunications Science and Technology. pp. 444-448. 2. А. Korchenko, V. Kozachok, A. Gizun, “Method of criticality level assessment for crisis management systems”, Ukrainian Information Security Research Journal, 2015, Vol. 17, №. 1, p. 86-98. 3. Pisarchuk, A. A., Bondarenko, Y. L., Melnik, A. L. (2008). “Method of forming optimum structure of direction finding network by nonlinear chart of compromises”. Journal of Automation and Information Sciences, № 40(5), pp. 68-79. 4. A. Gizun, V.Gnatyuk, N.Balyk, P. Falat, “Approaches to improve the activity of computer incident response teams”, Proceedings of the 2015 IEEE 8th International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications, IDAACS 2015, p. 442-447, 2015. 5. Manjunatha K.C., Mohana H.S, P.A Vijaya,"Implementation of Computer Vision Based Industrial Fire Safety Automation by Using Neuro-Fuzzy Algorithms", IJITCS, vol.7, no.4, pp.14-27, 2015. DOI: 10.5815/ijitcs.2015.04.02. 6. Hu, Z., Gizun, A., Gnatyuk, V., Kotelianets, V., & Zhyrova, T. (2017). “Method for rules set forming of cyber incidents extrapolation in network-centric monitoring”. 4th International Scientific-Practical Conference Problems of Infocommunications Science and Technology, PIC S and T. pp. 444-448. 7. A. Gizun, “Computer complex for detection and evaluation of crisis situations in information sphere”, Ukrainian Information Security Research Journal, Vol. 18, №. 1, p. 66-73, 2016. 8. Zaied, Abdel Nasser H., Samah Ibrahim Abdel Aal, and Mohamed Monir Hassan. "Rule- based expert systems for selecting information systems development methodologies." International Journal of Intelligent Systems and Applications 5.9 (2013): 19. 9. Qi Cheng, Lei Yu,”Operational Mechanism and Evaluation System for Emergency Logistics Risks ", IJISA, vol.2, no.2, pp. 25-32, 2010. 10. Layton, T. (2007). Information Security: Design, Implementation, Measurement, and Compliance. Boca Raton, FL: Auerbach publications 11. Coombs W.T. “Conceptualizing crisis communication Handbook of crisis and risk communication". New York : Routledge, 2009. P. 100 – 119. 12. Harris S. „CISSP Certification All–in–One Exam Guide". McGraw–Hill Osborne Media, 2010. 5th edition. 1216 p. 13. Killmeyer Jan. “Іnformation Security Architecture: An Integrated Approach to Security in the Organization". Auerbach Publications, 2006. 424 p. 14. SEVA4A: An ontology for emergency notification systems accessibility / A. Malizia, T. Onorati, P. Dias [et al.], Expert systems with Applications. (2010). Vol. 37. Is. 4. pp. 3380 – 3391. 15. Weber P. “Complex system reliability modeling with Dynamic Object Oriented Bayesian Networks (DOOBN)", Reliability Engineering and System Safety. Volume 91. Issue 2. (2006). PP. 149-162. 16. Da Veiga A., Martins N. “Improving the information security culture through monitoring and implementation actions illustrated through a case study", Computers & Security. (2015). vol. 49. pp. 162-176. 17. Soomro Z. A., Shah M. H., Ahmed J. “Information security management needs more holistic approach: A literature review", International Journal of Information Management. (2016). vol. 36. №. 2. pp. 215-225. 18. Shameli-Sendi A., Aghababaei-Barzegar R., Cheriet M. “Taxonomy of information security risk assessment (ISRA)", Computers & Security. (2016). vol. 57.pp. 14-30. 19. Safa N. S. Information security conscious care behaviour formation in organizations. „Computers & Security", (2015). vol. 53. pp. 65-78. 20. de Gusmão, A. P. H., e Silva, L. C., Silva, M. M., Po- leto, T., & Costa, A. P. C. S. (2016). “Information security risk analysis model using fuzzy decision theory", International Journal of Information Management, 36(1), 25-34. 21. Gnatyuk S., Akhmetova J., Sydorenko V., Polishchuk Yu., Petryk V. Quantitative Evaluation Method for Mass Media Manipulative Influence on Public Opinion, CEUR Workshop Proceedings, Vol. 2362, pp. 71-83, 2019. 22. Fedushko, S., Ustyianovych, T., Gregus, M. (2020) Real-time high-load infrastructure transaction status output prediction using operational intelligence and big data technologies. Electronics (Switzerland), Volume 9, Issue 4, 668. DOI: 10.3390/electronics9040668 23. A. Peleschyshyn, T. Klynina, S. Gnatyuk, Legal Mechanism of Counteracting Information Aggression in Social Networks: from Theory to Practice, CEUR Workshop Proceedings, 2019, Vol. 2392, pp. 111-121. 24. S. Gnatyuk, M. Aleksander, P. Vorona, Yu. Polishchuk, J. Akhmetova, Network- centric Approach to Destructive Manipulative Influence Evaluation in Social Media, CEUR Workshop Proceedings, Vol. 2392, pp. 273-285, 2019.