Methodology for determining the level of process control in complex systems taking into account risk‐oriented factors from safe time to pandemics Volodymyr Polishchuka, Miroslav Kelemenb, Martin Kelemen jr.b a Uzhhorod National University, Narodna Square, 3, Uzhhorod, 88000, Ukraine b Technical University of Kosice, Rampova 7, Kosice, 04121, Slovak republic Abstract Research has been conducted on the current problem of developing a methodology for determining the level of process control in complex systems, taking into account risk- oriented factors influencing it. For the first time, the study proposes stages of risk management in the process of assessing the level of controllability of complex systems, formalizes the input data used to assess risks using fuzzy models for various complex systems, constructs generalized step-by-step algorithms for risk-oriented assessment of controllability in complex systems. An experimental approbation has been made of the research on the problem of determining the level of process control in the airline system, taking into account risk-oriented factors influencing it. The study will be a useful tool to support decision-making to improve process control in various complex systems by taking into account the risks and threats to its operation for managers from safe time to pandemics as COVID-19. Keywords 1 Process control, risk factors, fuzzy set, decision making. 1. Introduction The level of security of human activity is getting better every day due to the improvement of technology, data analysis, management systems, and others. Standards of personnel training and safety management have also become significantly higher. Nevertheless, we face many risks that could potentially jeopardize the success of our operations if not adequately managed. One of the key components of measuring the risk of the functioning of complex systems is the generation of scenarios for the development of key risk factors. At present, the preparation of scenarios and risk management strategies is especially appreciated by the security and crisis managers, who usually work in conditions of extensive constraints and even an emergency situation in the companies and the national economy. Each complex system of operation has a different basic level, in relation to the uniqueness of its data. This is a certain amount and quality of data that can be processed. Big data in complex systems can be created from a large set of sensors, databases, information systems, social networks, etc. Therefore, the operation of a complex system requires certain decisions, and this, in turn, involves assessing the future. This assessment is implemented by maximizing uncertainties and risks. Effective risk management will improve the quality of decisions. Risks are a necessary component of human activity when there is uncertainty about the results of a decision process. When making management decisions, the problem of disclosing the uncertainty of the data on which decisions are made and adequate assessment to minimize risks is especially relevant. CMIS-2021: The Fourth International Workshop on Computer Modeling and Intelligent Systems, April 27, 2021, Zaporizhzhia, Ukraine EMAIL: volodymyr.polishchuk@uzhnu.edu.ua (V. Polishchuk); miroslav.kelemen@tuke.sk (M. Kelemen); martin.kelemen@tuke.sk (M. Kelemen, jr) ORCID: 0000-0003-4586-1333 (V. Polishchuk); 0000-0001-7459-927X (M. Kelemen); 0000-0003-1015-1112 (M. Kelemen, jr) © 2021 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0). CEUR Workshop Proceedings (CEUR-WS.org) The aim of the study is the urgent task of developing a methodology for determining the level of process control in the system, taking into account risk-oriented factors influencing it. The methodology is represented by a set of fuzzy methods and models based on risk-oriented factors using: the experience of experts in their assessment, the linguistic level of risk assessment criteria, the consequences of various threats to the system. The developed methodology will allow assessing the controllability of processes for a complex system taking into account the various risks that affect the functioning of the system. This methodology can be used to solve a number of applied problems in various complex systems, for example: for socio-economic systems, it is a modeling of financial risks [1-2]; for sociotechnical it is the assessment of risks and security incidents of airport network and information systems [3]; for humanistic systems, it is an assessment of the risk of performing individual parachutists' jumps to increase their safety [4]; for technical systems, it is the assessment of the risks of drone flights to study the environment in the mountains [5], and many others. The logic of the study is as follows: if the overall assessment of the system is high, risk-oriented factors influencing the controllability of a complex system, then we can talk about a high level of controllability of processes in the system, and competent management decisions will lead to system goals. Also, ensure the appropriate level of security of the system operation environment. 2. Overview of Domestic and Foreign Research Studies The Oxford Dictionary of English defines risk as "danger, the likelihood of adverse effects, loss or propensity to the accident". McNeill, Frey, and Embrechts [6] define risk as any event or action that may adversely affect an organization's ability to achieve its goals and implement its strategies. Although all of these definitions cover some key elements of risk, it is not possible to cover all aspects of it in a single definition from a single sentence. However, it is clear that the risk is strongly associated with uncertainty about future events. In the general case, the concept of risk can be considered a situation of the danger of the opportunity of an adverse event or the threat of possible losses, for which it is unknown whether they will occur in the future. According to [7, 8], there are three main approaches to risk assessment in solving practical problems: 1. Intuition, experience, and knowledge of experts who make judgments about the nature of the peculiarities of the processes of functioning of a complex system. For new innovative research objects, this is the only available way to analyze processes that did not exist or had a different structure in the past, and statistical history for which is missing or meaningless. 2. Observations of actual situations and losses from risks over a long period of time. In many practical problems, such data are absent. In addition, in critical technical, social, economic, and environmental systems, in which a very variable process environment has a significant impact, such data describe the dynamics of the process in past environmental conditions, and this is often out of date. 3. Use of observations of groups of individual risks with similar characteristics that can be made in a short period of time. This approach is the most suitable and promising in complex risk management problems in all types of uncertainties [9]. Individual risk-oriented factors form risk classes, which generally constitute a certain classification of risks for tasks of a given type. To date, no general principles and features of risk classification have been formed, there are virtually no developments for the generalization and formalization of risk classification that can be used in interdisciplinary research. In [10], Zgurovsky considers the problem of formalized risk classification as information- interconnected problems of classification of risk situations and the problem of recognizing risk situations, based on many factors of their occurrence. It is noted that the fundamental influence on the quality of classification, which is expressed in the accuracy and certainty of risk classification, causes the choice of many risk factors and many features of each risk factor. In [11], Panyagin identifies two main approaches to subject and management classification. Subject classification is carried out according to the meaning and content of each type and type of risk, it makes it possible to identify risks and characterize the possible consequences of risks (operational, innovative, non-return of investment, etc.) [12]. Management classification involves the allocation of risk classes by sources and stages of risk and by methods of risk management (technological, environmental, personnel errors, etc.). The approach of grouping risks by resources that are at risk of loss, allows you to predict or the occurrence of a particular risk situation to classify the risk and quickly pre-determine a group of adequate measures and management models for a particular class of risk [13]. H. Felix Kloman [14] under risk management defines the following. For many analysts, politicians, and scientists, environmental and nuclear risk management are the technologies that generate macro risks that threaten our very existence. For bankers and financial officials, it is prudent to use methods such as currency hedging and interest rate swaps. For insurance agents, it is the coordination of insurance risks and reduction of insurance costs. For hospital administrators, this can mean "quality assurance." For safety professionals, this is a reduction in accidents and injuries. Thus, Kloman believes that risk management is a range of methods used to more effectively manage their lives and organizations in conditions of "unprecedented uncertainty." Or it is a discipline to ensure resilience to future events that may cause adverse consequences. Analyzing the sources, we obtain that the following researchers described the risk management process. For example, Furley [15] presented seven steps: (1) identify risk factors; (2) assess the likelihood and consequences of the risk; (3) develop strategies to reduce identified risks; (4) control risk factors; (5) apply a contingency plan; (6) manage the crisis; (7) get out of the crisis. Bem [16] described the process with two main stages: risk assessment includes identification, analysis, prioritization, and risk control, which includes risk management planning, risk management and planning, tracking, and corrective action. Similar to the Deming quality improvement cycle (plan, do, test, act), Kliem and Ludin [17] proposed a four-phase process (identification, analysis, control, and reporting). According to the International Organization for Standardization 31000, risk management creates and protects value [18]. Several popular methods of risk management analysis have been reported in the literature, including Monte Carlo modeling [19], the process of analytical hierarchy [20], and fuzzy set theory [21]. The identification of risk factors is influenced by the field of activity of the object of study. For example, key risk factors for public-private partnership projects fall into two categories. The first includes risk factors that have powerful, independent effects, such as delays in government approval, public credit, and imperfections in the legal and regulatory systems. The second category includes risk factors that are highly volatile and easily influenced, such as downtime risks, insufficient market returns, and fee changes [22]. Ameyau and Chan [23] mentioned other risk factors, such as market/income risks, financial risks, relationship risks, and social risks. According to Lesard [24], risk management requires systematic management of the risks generated within each link in the chain and, more importantly, in the interfaces between the links to limit disruptions and their spread throughout the system. All this proves that effective risk management requires a systems thinking approach - understanding how systems affect each other as a whole. According to Neeman [25], the risk management process has become an integral part of defense project management procedures, for which uncertainty management is one of the main problems of current planning and project management. Moreover, in response to dangerous events, such as plane crashes or takeoffs, security requirements in the defense industry are strict and demanding. The classification of risks in solving problems of assessing the controllability of processes in complex systems is important, and often crucial for the formalization and formulation of the problem to be solved, and, accordingly, the quality of the result. Choosing an inefficient or incorrectly classified risk classification for a particular problem can lead to a narrowing and incomplete description of risks in the problem, and, as a consequence, can lead to incorrect solutions of the problem, or even prevent adequate solutions [26]. In addition, our study uses expert information that reflects the skills, experience, and knowledge of experts on risk indicators and is given in natural language, which is appropriate to use the theory of fuzzy sets [27-28]. For example, [29-30] discusses the general ideas and benefits on which modern views on the use of fuzzy logic in decision support systems are based. In [31-32] the use of fuzzy logic in different areas of application is presented, which allows determining the optimal parameters under conditions of uncertainty of the input data. And in [33-35] 35the advantages of research of complex objects of functioning in different modes and system analysis are scientifically substantiated. The above, argues and confirms the relevance of our study: the development of a methodology for determining the level of process control in complex systems, taking into account risk-oriented factors influencing it. The relevance of this study is proved by the need to understand the controllability of processes in various complex research systems, taking into account the risks of its operation, to achieve the goals of the system and the formalization of such processes. 3. Conceptual and methodological bases of constructions of risk‐oriented level of process control in complex systems 3.1. Formal formulation of the class of tasks and input data Let us know some objects of study that we will consider as a complex poorly structured system S. There are many known system goals and many factors that affect the controllability of complex systems. Also known indicators of risk-oriented factors influencing the system within the objectives of the system. Fuzzy models of system evaluation are built on the basis of known indicators. Within this, it is necessary to assess the controllability of processes in the object of study for quality decision- making depending on risk-oriented factors influencing the system. Thus, the stages of risk management in the process of assessing the level of controllability of complex systems are proposed. 1. Formation of the list of risk factors:  Identification of goals and objectives for identifying risk-oriented factors;  Identification of the most risk-oriented factors of influence;  Analysis of risk-oriented factors of influence. The first stage is to understand the specificity of the threat and the place of its possible manifestation. Under the identification and analysis of risks means the study of its specifics and features, which are due to their nature and other features characteristic of this occasion. It is important to study future losses, as well as changes in risks over time, the degree of threat to a particular period. 2. Building models for assessing the risks of process control in complex systems. The main purpose of this stage is to study and develop models, methods, tools, and instruments that will assess risk factors in a complex system, as well as to study their negative impact on the controllability of complex systems. 3. Analysis, selection, and decision-making to reduce the threat of risk-oriented factors:  Choice of risk management strategy and tactics;  Selection of an action program (scenario) for risk reduction;  Decision-making and organization of the developed program. At this stage, the decision-maker (DM) forms and selects an individual approach to the risk of a complex system. The need for this selection procedure is related to the different effectiveness of risk management methods and the different size of resources required for their implementation. When choosing risk and the method of its management, you should always take into account resource constraints and try to optimize their losses. To assess all resources can be summarized on one scale - financial. Therefore, depending on the complex system under consideration, it is necessary to adequately select risk factors in relation to the system resource that may suffer losses in the event of risk; determine risk assessment scales; build evaluation methods; perform analysis, selection and decision- making on proactive risk reduction management to increase process control in the system under study. Examining the system, we determine the sets of input data K  ( K1 , K 2 ,..., K m ) , according to which the level of process control will be assessed in a complex system S. Indicators can be a whole system of risk criteria, factors, and models, based on which a single aggregate assessment is derived. For example, the level of controllability of the aircraft is influenced by indicators that depend on risk- oriented situations, or the level of safe financing of innovative projects is influenced by risk management and forecasting factors. To assess the level of controllability of the system operation processes according to risk-oriented factors influencing the system, the class of problems Z is proposed - fuzzy evaluation of the system taking into account risk-oriented factors of influence. Solving problem Z provides an understanding of process control in complex systems, taking into account and disclosing various risks. A system set-theoretic model of the problem of estimating process control in complex systems, taking into account risk-oriented factors of influence can be represented as follows: Z  {S , K R , M R | Y } , (1) Where: S is a complex poorly structured system; K R is information models of criteria (groups of criteria) for assessing risk-oriented factors affecting the system, or models for assessing threats to the system, which will potentially lead to a weakening of controllability of processes in it; M R is type of model for assessing control processes in complex systems, taking into account system threats, indicators of various risks, and experience of experts. As a result, we obtain an initial estimate of Y, which carries the content of process control in the system, taking into account risk-oriented factors. This assessment will be called an aggregate risk- based assessment of the level of process control in the system. Fig. 1. illustrates the algorithm for selecting a model of risk-oriented assessment of the level of process control in a complex system, based on available input data, taking into account system threats, indicators of various risks, and the experience of experts. At the output of each model will be aggregated risk-oriented assessment of the level of process control in the system, based on the assessment of the risk of system operation. Figure 1: Algorithm for selecting systems risk functioning assessment models Since this study focuses on various complex systems, therefore, based on the theoretical study, we can formalize the input data used to assess risks using fuzzy models. 4. Risk-oriented impact factors are indicators of risk that are assessed by some expert using a linguistic variable. To do this, based on experience, skills, and knowledge about the impact of risks on the system S, a group of experts (or an expert) draws conclusions and makes a linguistic assessment of each indicator K, from some term set T  {T1 ; T2 ;...; Tl } . We present the term set of linguistic variables as the level of probability of occurrence of a risk event described by the indicator K to achieve the target needs of the system. Also, to each assessment, the expert puts or number of "reliability"  (T ) their reasoning from the interval [0; 1], or normalized quantitative risk assessment. To obtain a quantitative assessment of risk, separately for each criterion, intelligent analysis of these values, which generate risk, based on the theory of fuzzy sets and membership functions [6]. The membership function is constructed and investigated depending on the type of data, their structure, the frequency of receipt, the subjectivity of receipt, and other characteristics. This will allow comparing the obtained estimates, by translating into a normalized scale, to reveal the vagueness and uncertainty of the obtained data, which will improve the quality of decision-making made using the intellectual analysis of such data. 5. Risk-oriented factors are a set of threats K of some assets of the system, which, if possible, the occurrence of such a phenomenon or event, which may result in undesirable effects on the system, which will weaken the controllability of processes in it. The input data in this concept are defined as follows:  T – the consequences of the implementation of threats K. This indicator is determined using a linguistic variable from some term set, for example, T  {M ; A; H ; C } , where M - the minimum consequences of the threat, A - the average consequences of the threat, H - maximum consequences of the threat, C - critical consequences of the threat;  μ – the degree of possibility of realization of the threat in the system. The degree is quantified from the interval [0; 1], for example, putting different meanings: it is impossible to realize the threat; the minimal possibility of threat realization; the average possibility of threat realization; the high possibility of threat realization; critical threat capability;  L – the severity of the consequences of the incident on the asset. An incident is a realized threat. This indicator is evaluated expertly using a linguistic variable from some term set L, where the variables can be, for example, vital consequence (if it makes it impossible to achieve global goals by the system), decisive consequence (if it makes it impossible to achieve local goals of the system), and to some extent affects the quality of achieving global goals), useful or not applicable (other cases). Next, to present the methodology for obtaining an aggregate risk-oriented assessment of the level of process control in the system, we present generalized algorithms of fuzzy models: a two-level fuzzy mathematical model for establishing the risk of system operation and the level of process control in it; fuzzy risk assessment model for data mining systems; an expert model for assessing the risks of the system operation, taking into account the consequences of the implementation of various threats to the system and assessing financial losses. 3.2. Two‐level fuzzy mathematical model for establishing the risk of system operation and the level of process control in it A two-level mathematical model given, on the basis of which we can to take into account the processes of controllability in complex systems and to assess the level of risk of systems functioning [2]. The model is based on the use of fuzzy mathematics, linguistic variables, and the assessment of the confidence of assigning such variables by an expert. Suppose that at the input we have some complex system S, consisting of many research objects (subsystems) X  {x1 , x2 ,..., xn } , which need to assess the level of risk of the system and draw a conclusion about the level of process control system taking into account risk-oriented factors influencing it. The objects of the study will be evaluated according to the input expert assessments, the proposed set of risk criteria K  ( K g1 , K g 2 ,..., K gm ) , which is classified into groups g. Each criterion is evaluated by an expert: linguistic evaluation of the term set of linguistic variables T  {t1 ; t 2 ;...; tt } . For example, such a term set of linguistic variables can be denoted as follows: T  {L; BA; A; AA; H } . Where: L – "low risk"; BA – "below average risk"; A – "average risk"; AA – "above average risk"; H – "high risk". Based on the fuzzy estimation model, we construct a generalized step-by-step algorithm for obtaining an aggregate estimate, and the reliability and adequacy of the model are proved in [2]. Step 1. Introduction of expert input data and determination of the resulting thermal evaluation. Based on the knowledge entered on the object of research and the constructed knowledge base, the resulting thermal evaluation is determined by the formula (2) for the relevant groups of criteria. Let the object with m inputs and one output be analyzed: Tgj  L (Tg1 j , Tg 2 j ,..., Tgmj ). (2) Where: Tgj  initial resulting term estimate from the term set T for the group of criteria g; Tg1 j , Tg 2 j ,..., Tgmj  input linguistic estimates by a group of criteria g. L  is an operator that matches the initial resulting thermal estimate Tgj for a group of criteria, with the input variables Tg1 j , Tg 2 j ,..., Tgmj (inference rule), j  1, n . Next, the expert, or group of experts, for each T builds the rules of belonging of the resulting terms. These rules can be constructed in the percentage of belonging of these or those in terms of an input variable. Formally, the rules of belonging represent a system of logical expressions - "If, Then, Else", which associate the values of the input variables Tg1 j , Tg 2 j ,..., Tgmj with one of the possible values Tgj , j  1, n : If ( K g1 j  L and K g 2 j  L and … and K gmj  L ) Or ( K g1 j  L and K g 2 j  L and … and K gmj  BA ) Or … Or ( K g1 j  BA and K g 2 j  L and … and K gmj  L ) Then Tgj  L Else …. Step 2. An aggregate assessment of the reliability of the expert's opinions is determined. The aggregate estimate of the reliability (Tgj ) , j  1, n calculated by the following formula: 1 m (3) (Tgj )  k  i 1  (Tgij ), j  1, n , Step 3. Obtaining one generalized risk assessment of research objects by groups of criteria g. For each group of criteria g, the risk level  gj , is calculated, relative to the percentage scale [a; b] and the resulting thermal estimate Tgj , according to the formula:   (Tgj ) (4)  (b  a )  a , 0   (Tgj )  0,5;  2  gj   b    (Tgj ) (b  a ), 0,5  (T )  1. 1  2 gj A generalized estimate of the risk Ogj for each group of criteria g is obtained by the formula: Ogj  (b   gj ) / b, j  1, n. (5) Step 4. Introduction of weights by groups of risk criteria. For each group of criteria, DM sets the weights p g , after which the normalized weights are calculated by the formula: pg (6) p  ag  p  1. , g g g g Step 5. Reckoning of risk-oriented assessment of the system for all groups of criteria. The aggregate score is determined by the convolutions, for example, the average will look like: OR 3 ( x j )   a O ; j  1, n. g g gj (7) Step 6. Derivation of the level of process control in the system. Estimates of OR (x) with the initial variable Y are equated to establish the level of process control in the system taking into account risk-oriented factors. For example, the original variable may take the value: "low risk of system operation, which determines a high level of process control in the system". The model reveals the vagueness of input estimates, increases the objectivity of expert judgments. The formulated knowledge base does not depend on the number of criteria by groups, so they can be increased if necessary, as well as change the levels of decision-making. 3.3. Fuzzy model for assessing the risk of systems operation using data mining A fuzzy model for assessing the risk of functioning of data mining systems is developed, proven and tested for the tasks of assessing the security risks of network systems, assessing the risks of project financing, assessing the risk of the municipal system and others [4]. Suppose we have a complex system of functioning S, consisting of a set of objects of study (subsystems) X  {x1 , x2 ,..., xn } . Each object of study has its own set of criteria for assessing the risk of functioning of the object in the system K i  {K i1 ; K i 2 ;...; K im i }, i  1, n. The evaluation of the criteria is proposed in a hybrid way, based on the experience of experts for the functioning of the system and the intellectual analysis of quantitative data [36]. Each indicator of the functioning system is evaluated by an expert using the linguistic variable T, for example: high level of criterion; the level of the criterion is above average; average level of criterion and others. In addition, for each criterion, a quantitative assessment of the risk  from the interval [0; 1], for example within the analysis of "Big data", or assigned a quantitative risk assessment in an expert manner, such as the confidence of the expert. Input data, risk assessment of the system are as follows: tij – variable from the term set T in the i-th object of study by the j-th criterion;  ij – quantitative estimate from the interval [0; 1], according to the i-th object of research and the j-th criterion, i  1, n, j  1, mi . Formally, we present a fuzzy model for assessing the risk of system operation in the following form [4]:  (t ; )  ( R ( S ); Y ). (8) operator that matches the set of output values of with input variables . The input data of the model are: t – expert level of the criterion on the object of study of the functioning of the system; is a quantitative assessment of the considered criterion. At the output of the evaluation model we have: risk-oriented assessment of system operation; Y the level of process control in the system. Based on the fuzzy estimation model, we construct a generalized step-by-step algorithm. Step 1. Fuzzification of input hybrid data. Let the term set of linguistic variables T be represented on some numerical interval to distinguish the terms [ a1 ; ak 1 ] , k is the number of linguistic variables. The values of the partitioning of the intervals can be adjusted and changed in the process of using the real data of the operating system. The dependence of the level of the criterion of the object of study tij and the quantitative assessment of the considered criterion  ij ( i  1, n; j  1, mi ) we propose to consider using membership functions [4]. This will allow you to adequately compare the data. Since the quantitative values of  ij are known and the intervals of numerical values for tij , are known, then for each criterion for subsystems, it is necessary to express the dependence on the membership function, similar to formula (4). Since, the terms are defined on some range of values, then the obtained values of  ij are normalized: ij   ij ak 1 . (9) The obtained values of ij , ( i  1, n; j  1, mi ) are interpreted as a function of revealing the uncertainty of fuzzy expert considerations regarding the level of the criterion in the object of study and quantification of the considered criterion. Thus, in the first step, the input of hybrid data was fuzzification and moved from linguistic and quantitative estimates to a single estimate. Step 2. Aggregation of fuzzification input hybrid data within a complex system. The second step displays the aggregate value for the objects of study x1; x2 ;...; xn , according to the following formula: 1 i m (10) i  mi j 1  ij . Where mi , i  1, n the number of criteria for the object of study xi . Estimates i  [0;1] are quantitative, normalized indicators of the corresponding object of study xi in the system S. The greater the value of i  [0;1] , the worse the level of control of the corresponding object of study. Step 3. Considering the importance of research objects. Suppose that in order to make further decisions regarding the risk assessment of the system operation, there is a need to set weighting factors {w1 , w2 ,..., wn } from the interval [1;10] for each object of research. If experts do not need it, without reducing the generality, the objects of study will be considered balanced. Since all calculations are reduced to one measurement scale, then determine the normalized weights vi using different approaches [36]. Step 4. Defuzzification data. The aggregate risk-oriented assessment of the functioning of the system S is calculated. The obtained estimates i , i  1, n are normalized, but it is necessary to change the direction of the target, because the smaller i the lower the risk functioning of the system. To do this, use one of the convolutions, changing the direction of the target [4]. For example, a risk-based assessment based on average expert judgment will take the form: n (11)  R3 ( S )  i 1 vi (1  i ). Estimates of R (S ) are normalized, so DM, based on experience and knowledge in the applied application problem can leave a distinction between the levels of process control in the system Y. 3.4. Expert model for assessing the risks of the system operation, taking into account the consequences of the implementation of various threats to the system and assessing financial losses An expert model for assessing the risks of the system operation, taking into account the consequences of the implementation of various threats to the system and assessing financial losses, which is tested for Evaluation of Airport NIS Security for Safe and Sustainable Air Transport [3]. The model is able to assess the risks of a complex system, uses intelligent analysis of knowledge of experts, reveals the vagueness of input estimates, increases the degree of validity of further management decisions based on the results. For this model, risk-oriented factors are the set of threats K, the consequences of the implementation of threats T, the degree of possibility of the threat in the system μ and the severity of the consequences of the incident on the asset L. Based on the expert evaluation model, we construct a generalized step-by-step algorithm. Step 1. Fuzzification of input data. In the first step, we consider the dependence of the consequences of the threat of the system and the degree of possibility of such implementation. To do this, we use an approach based on fuzzy set theories [3, 36]. The dependence of the consequences of the realization of the threat Tij and the degree of possibility of such realization ij , ( i  1, n; j  1, m ) is naturally considered as a statement of the membership functions “value x is greater”. This is due to the fact that the higher the possibility of a threat and the more critical the consequence, the more dangerous the incident in the system, which entails a high risk of process control in the system. Therefore, one of the functions of belonging to the type "value x is greater" is constructed. Since the value of the degree of possibility of realization of threat ij is known and the intervals of numerical values for Tij , are known, then for each threat on the considered assets, the dependence of  ij on the formula of the constructed membership function is expressed, similarly to formula (4). Since, risk-oriented factors of influence are associatively compared with the percentage scale, so it is natural to determine on the percentage scale and in terms of the consequences of the implementation of threats K. The obtained values of  ij  [0;100] are normalized, similarly (9): f ij  xij 100 . (12) The obtained value f ij , ( i  1, n; j  1, m ) is called the "incident factor" and will be interpreted as a function of revealing the uncertainty of fuzzy expert considerations regarding the consequences of the system threat and the degree of possibility of such implementation i−th asset, j−th threat. The greater the value of f ij  [0;1] , the greater the j-th threat to system security within the i-th asset. Step 2. Aggregation of the "incident rate" within the asset. In the second step, we derive the aggregate value for the asset Ai , by a formula similar to (10): 1 (13)  m ai  j 1 f ij . ki Where ki , i  1, n the number of system threats to the asset Ai . Estimates ai  [0;1] are quantitative, normalized security indicators of the system corresponding to the asset Ai . The greater the value of ai  [0;1] the greater the possibility of a phenomenon or event, which may result in undesirable effects on the system, which will lead to a weakening of process control within the i-th asset. Step 3. Risk assessment of system assets. The risk of system operation will depend on the "incident rate" and the severity of the consequences of L. For each indicator, a group of experts makes an assessment from some interval, for example [0,1; 1], where: V - vital [0,8; 1], C - decisive [0,4; 0,8], U - useful or not used [0,1; 0,4]. Risk assessment is defined as multiplication: Ri  ai  Li , i  1, n. (14) The more severe the consequence for the system asset, the greater the risk, and the R-score is close to one. The obtained risk-oriented estimate R is normalized, then on its basis we will determine the degree of risk of the system asset, for example: "insignificant degree of risk of the system on the i-th asset". Step 4. Considering the importance of the system asset. Suppose that for further decisions on the risks of the system, there is a need for each asset to set the weights {w1 , w2 ,..., wn } , or the assets will be considered equilibrium. If the weights of some interval [a; b], then you need to reduce to one scale of measurement, by normalizing them – vi . Step 5. Defuzzification data. Next, we derive an aggregate risk-oriented assessment of the functioning of the system for the assets under consideration, to understand the level of process control in the system. It is necessary to change the direction of the goal, because the less R the less risk, and the more v the more important the asset. To do this, use one of the convolutions, for example, the middle will look like: n (15)  Y3  1  vi (1  Ri ). i 1 Step 6. Calculation of financial losses of the incident for assets. The realized risk of some asset of the system leads to a decrease in the level of process control in the system, failure to achieve systemic goals, and this usually leads to financial losses. The performance of an asset has its price over a period of time. The cost of recovery depends on the asset. In this case, you can calculate the financial loss separately for assets, this can be done using the approach described in [3]. Based on a risk-oriented assessment of the functioning of the system can be compared with the Y linguistic representation of the level of controllability of processes in the system, taking into account financial losses or without them. 4. Results Consider an example of a developed methodology for determining the level of process control in the system of an airline, taking into account risk-oriented factors influencing it. For example, risk- oriented factors influencing the controllability of the processes of the airline system, the following set [36] FR  {R1 , R2 ,..., R12 } :  R1 – risk in the breaks of aviation services;  R2 – competition risks;  R3 – risks of stagnation in the market of aviation services;  R4 – risks of natural disasters;  R5 – risks of changes in the regulator and in the legislation;  R6 – risks of political and social crises;  R7 – risks of changes in the price of raw materials;  R8 – risks of technological innovations;  R9 – risks of cyber threats;  R10 – risks of terrorism;  R11 – risks of environmental pollution;  R12 – explosion hazards. Have a group of experts, based on experience and knowledge of the airline system, analyze and insert one linguistic estimate for each FR indicator. We propose the following term set T  {T1 ; T2 ; T3 ; T4 ; T5 } , where: T1 – "minor risk"; T2 – "low risk"; T3 – "medium risk"; T4 – "high risk"; T5 – "marginal risk". In addition, to each assessment, the expert puts the number of "reliability" (T ) of their reasoning from the interval [0; 1]. Let us represent the training test input data and weight coefficients w (interval [1; 10]) in Fig. 2. Figure 2: Visualization of input data Let's evaluate the level of process control in the system of the airline, according to the fuzzy model of risk assessment of the operation of systems using data mining and based on the above algorithm. Step 1. Fuzzyfication of hybrid input data. First of all, let's fuzzyfication the input hybrid data. Terms are defined on a percentage scale, to distinguish terms [0; 100], where T1 – [0; 20], T2 – [20; 40], T3 – [40; 60], T4 – [60; 80], T5 – [80; 100]. Next, the quadratic S-spline membership function is selected, and based on the input data is calculated (according to the approach from formula (4)):   (32,91; 36,75; 40,83; 36,75; 45,22; 40,83; 36,75; 36,75; 32,91; 40,83; 50; 36,75). Next, according to formula (9), we normalize the obtained values:   (0,33; 0,37; 0,41; 0,37; 0,45; 0,41; 0,37; 0,37; 0,33; 0,41; 0,50; 0,37). Step 2. Aggregation of fuzzyfication input hybrid data within a complex system. Because in the studied system of the airline risk-oriented factors are not classified by groups of objects of study or subsystems, they are already separate objects, so this step is skipped. Step 3. Considering the importance of risk-oriented factors. Let the influencing factors be considered separately as objects of research that have their importance w.  w , i  1,12. 12 Then determine the normalized weights, respectively: vi  wi i 1 i v=(0,105; 0,084; 0,074; 0,074; 0,074; 0,084; 0,095; 0,074; 0,095; 0,105; 0,074; 0,063). Step 4. Deffuzification data. The aggregate risk-oriented assessment of the airline's operation is calculated according to the formula (11): R3 ( S )  0,613. The distinction between the levels of process control in the system, taking into account risk- oriented factors, is proposed as follows: R  (0,8;1] high; R  (0,6;0,8] above average; R  (0,4;0,6] average; R  (0,2;0,4] below average; R  [0;0,2] low. The distinctions between levels are determined either expertly or by teaching methods in the presence of a reliable, large enough sample of data. As a result, on the test example we can conclude that the airline has a level of process control given the risk-oriented factors influencing its activities – above average. 5. Discussion To apply the developed methodology, determine the level of process control in the system, to solve the class of applied problems of fuzzy system evaluation taking into account risk-oriented factors, it is necessary to adequately determine the set of evaluation risks, select and configure the proposed fuzzy models, configure fuzzyfication of input data. All these tasks are assigned to system analysts who develop an information system within the application problem. Thus, for a qualitative comparison of data, the delimitation of terms must be carried out separately for each indicator, as different indicators have their own numerical meaning. To qualitatively obtain input quantitative estimates and data mining (knowledge) using fuzzy set theory, membership functions and a systems approach, you can use the models described in [2-4 ,36, 38]. The study proposes a class of tasks for fuzzy evaluation of the system taking into account risk- oriented factors of influence, the solution of which provides an understanding of process control in complex systems, taking into account and disclosing various risks. The built methodology, consisting of a set of methods and models based on risk-oriented factors has a number of advantages, namely: increases the objectivity of expert assessments using input hybrid data: linguistic variables and quantitative assessments; derives an aggregate risk-oriented assessment of the functioning of the system taking into account the considerations of DM; displays the level of controllability of processes in the system. For the applied application of the developed methodology the generalized algorithms which choice depends on the available input data, the account of threats of system, indicators of various risks and experience of experts are offered. The proposed algorithms are a tool with which we can adequately solve the innovation problem. In the algorithm for fuzzyfication of input data we determine what type and type of membership function you want to choose for proper operation. The use of different types of convolutions can lead to ambiguity of the final results. This can be attributed to the disadvantage of this approach. 6. Conclusions Research of the current problem of developing a methodology for determining the level of process control in complex systems, taking into account risk-oriented factors influencing it. This is the first time the following results have been obtained:  The stages of risk management in the process of assessing the level of controllability of complex systems on the basis of the conducted theoretical research are offered;  Formalized input data used to assess risks using fuzzy models for various complex systems, namely: risk indicators assessed by some expert using a linguistic variable; quantitative assessment of the "reliability" of experts on considerations of the risk indicator; quantitative assessment of the risk criterion on the basis of intellectual analysis of the data that generate risk, using the theory of fuzzy sets and membership functions; linguistic variable consequences of the implementation of threats to the system; the degree of possibility of realization of the threat in the system; the severity of the consequences of the incident on the asset of the system, which is estimated by some expert using a linguistic variable;  A set-theoretic model is proposed, which solves a class of problems of process control assessment in complex systems taking into account risk-oriented factors of influence and an algorithm for choosing a risk-oriented assessment model;  Generalized step-by-step algorithms are constructed: a two-level fuzzy mathematical model for establishing the risk of the system functioning and the level of process control in it; fuzzy model of risk assessment of systems operation using data mining; expert model for assessing the risks of the system operation, taking into account the consequences of the implementation of various threats to the system and assessing financial losses;  An example of the developed methodology for determining the level of process control in the airline system taking into account risk-oriented factors influencing it is demonstrated. The rationality of the obtained aggregate risk-oriented assessments of the system operation to determine the level of process control in the system is proved by significant approbations of models for various applied tasks. The reliability of the obtained results is ensured by the correct use of fuzzy set theory for the development of expert knowledge, a systematic approach, which is confirmed by research results. We see further research in the developed methodologies for assessing the level of process control in complex systems using the effects of human factors on a complex system. We also plan research of expert database and creating an information model based on fuzzy logic for quantitative and qualitative evaluation of physical data of a new chemical working substance for decontamination, disinfection, and deactivation for transport services, respectively also for operational risk and data assessment and other project activities. The study will be a useful tool to support decision-making to improve process control in various complex systems by taking into account the risks and threats to its operation, and a platform for exploring new application areas for the use of knowledge. 7. Acknowledgements This work was supported by the Slovak Research and Development Agency (APVV) under the contract no. PP-COVID-20-0002. 8. References [1] S.M. Shehata, A.M. Abdeljawad, L.A. Mazouz, L.Y.K. Aldossary, M.Y. Alsaeed and M. Noureldin Sayed. “The Moderating Role of Perceived Risks in the Relationship between Financial Knowledge and the Intention to Invest in the Saudi Arabian Stock Market”. Int. J. Financial Stud, Vol. 9, 9 (2021). doi: 10.3390/ijfs9010009 [2] O. Voloshyn, M. Malvar, M. Sharkadi and V. Polishchuk, Fuzzy Mathematical Modeling Financial Risks, in: Proceedings of Second International Conference on Data Stream Mining & Processing (DSMP), IEEE, Lviv, Ukraine, 2018, pp. 65-69. doi: 10.1109/DSMP.2018.8478604. [3] M. Kelemen, V. Polishchuk, B. Gavurová, R. Andoga, S. Szabo, W. Yang, J. Christodoulakis, M. Gera, J. Kozuba, P. Kaľavský, and M. Antoško. “Educational Model for Evaluation of Airport NIS Security for Safe and Sustainable Air Transport”. Sustainability, Vol. 12, (2020): 6352. doi: 10.3390/su12166352. [4] M. Malyar, V. Polishchuk, M. Sharkadi and A. Polishchuk, Model of Operation Management Systems Risk Assessment, in: Proceedings of 15th International Conference on Computer Sciences and Information Technologies (CSIT), IEEE, Zbarazh, Ukraine, 2020, pp. 190-193. doi: 10.1109/CSIT49958.2020.9321930. [5] V. Polishchuk, A. Polishchuk, J. Jevčák, L. Choma and M. Kelemen jr, Criteria for the Information model for assessing the risks of UAV flights in environmental research on mountain terrain, in: Proceedings of XXth International Multidisciplinary Scientific GeoConference SGEM, Varna, Bulgaria, 2020, 2.1. pp. 97-102. doi:10.5593/sgem2020/2.1/s07.013 [6] A. J. McNeil, R. Frey, and P. Embrechts, Quantitative risk management: Concepts, techniques and tools, 2nd ed., Princeton university press, 2015. [7] A. Chaudhuri, S.K Ghosh, Need for Risk Classification, in: Bankruptcy Prediction through Soft Computing based Deep Learning Technique, Springer, Singapore, 2017, pp. 19-20. doi: 10.1007/978-981-10-6683-2_5 [8] A. Dicke, On Risk Classification. A public policy Monograph, American Academy of Actuaries, New York, NY, 2011. [9] Adam M. Finkel, Confronting uncertainty in risk management. A Guide for Decision-Makers. Washington, DC, Center for Risk Management, Resources for the Future, 1990. [10] M. Zgurovsky, and N. Pankratova, Osnovy systemnoho analizu, [Fundamentals of systems analysis]. Kiev, VNV, 2007. (In Ukranian). [11] A. Panyagina. “Podkhody k ponimaniyu i klassifikatsii riskov”. [Approaches to understanding and classifying risks]. Modern Economics: Problems, Trends, Prospects, 6 (2012). (In Russian). [12] K.J. Crocker, A. Snow, The Theory of Risk Classification, in: G. Dionne (Eds.), Handbook of Insurance, Springer, New York, 2013, pp. 281-313. doi: 10.1007/978-1-4614-0155-1_11. [13] D. Porrini. “Risk Classification Efficiency and the Insurance Market Regulation”. Risks, 3(4) (2015). doi: https://doi.org/10.3390/risks3040445. [14] H. F. Kloman. “Risk management agonists”. Risk Analysis, 10 (1990). [15] R. Fairley. “Risk Management for software projects”. IEEE Softw., 11 (1994). [16] B.W. Boehm. “Software risk management: Principles and practices”. IEEE Softw., 8 (1991). [17] R.L. Kliem, and I.S. Ludin, Reducing Project Risk, UK, Gower: Farnham, 1997. [18] Risk Management-Principles and Guidelines ISO 31000:2018, 2018. URL: https://www.iso.org/standard/65694.html [19] S. Ye, and R.L.K. Tiong. “NPV-at-risk method in infrastructure project investment evaluation”. J. Constr. Eng. Manag., 126 (2000). [20] M. Hastak, and A. Shaked. “ICRAM-1: Model for international construction risk assessment”. J. Manag. Eng., 16 (2000). [21] Y. Wu, Z. Song, L. Li, and R. Xu. “Risk management of public-private partnership charging infrastructure projects in China based on a three-dimension framework”. Energy, 165 (2018). [22] Y. Wang, Y. Wan, Y. Wu, and J. Li. “Exploring the risk factors of infrastructure PPP projects for sustainable delivery: A social network perspective”. Sustainability, 12 (10), 4152 (2020). doi: 10.3390/su12104152 [23] E.E. Ameyaw, and A.P.C. Chan. “Evaluation and ranking of risk factors in public–private partnership water supply projects in developing countries using fuzzy synthetic evaluation approach”. Expert Syst. Appl., 42 (2015). doi: 10.1016/j.eswa.2015.02.041 [24] D.R. Lessard, Uncertainty and Risk in Global Supply Chains; Research Paper No. 4991-13, MIT Sloan School, Cambridge, MA, USA, 2013. doi: 10.2139/ssrn.2240274 [25] A. Naaman. Establishment of the Armed Force—Research Development in Air Force, Between the Poles, Part 3, IDF, Jerusalem, Israel, 2016. [26] Risk Classification. Statement of Principles, 2014. URL: http://www.actuarialstandardsboard.org/wpcontent/uploads/2014/07/riskclassificationSOP.pdf [27] G.J. Klir, and B. Yuan, Fuzzy Sets and Fuzzy Logic: Theory and Applications, NJ, USA, Prentice Hall, Englewood Cliffs, 1995. [28] M. Sugeno, G. T. Kang. “Structure identification of fuzzy model”. Fuzzy sets and systems. 1. 28 (1988): 15-33. [29] E. Lughofer, Evolving fuzzy systems-methodologies, advanced concepts and applications. Vol. 53. Berlin, Springer, 2011. [30] R.R. Yager, and L.A. Zadeh, An introduction to fuzzy logic applications in intelligent systems. Vol. 165. NY, Springer Science & Business Media, 2012. [31] V. Polishchuk, M. Kelemen, B. Gavurová, C. Varotsos, R. Andoga, M. Gera, J. Christodoulakis, R. Soušek, J. Kozuba, P. Blišťan, S. and Szabo Jr. “A Fuzzy Model of Risk Assessment for Environmental Start-up Projects in the Air Transport Sector”. Int. J. Environ. Res. Public Health, Vol. 16, 3573 (2019). doi: 10.3390/ijerph16193573. [32] A. Sobrino. “Fuzzy Logic and Education: Teaching the Basics of Fuzzy Logic through an Example (by Way of Cycling)”. Education Sciences, Vol. 3 (2) (2013). doi: 10.3390/educsci3020075. [33] K. Olejnik, A. Fabijanska, P. Pelczynski, and A. Stanislawska. “Controllability of low- consistency chemical pulp refining process”. Computers & Chemical Engineering, 128, (2019). doi: 10.1016/j.compchemeng.2019.06.024 [34] E. Johann, M. Franceschetti, and J. Köpke. “Controllability of business processes with temporal variables”. 34th. ACM/SIGAPP Symposium on Applied Computing, 2019, 40–47. [35] M. Zavatteri, C. Combi, and L. Viganò. “Resource controllability of workflows under conditional uncertainty”. In: С. Di Francescomarino, R. Dijkman, U. Zdun (Ed.), Business Process Management Workshops, Springer, Cham, 2019, pp. 68-80. doi: 10.1007/978-3-030- 37453-2_7 [36] O. Voloshyn, M. Malyar, V. Polishchuk, and M. Sharkadi. “Informatsiyne modelyuvannya nechitkykh znan”. [Information modeling of fuzzy knowledge]. Radioelektronika, informatyka, upravlinnya, 2018/4 (2018). (In Ukranian). doi: 10.15588/1607-3274-2018-4-8 [37] V.P. Kharchenko, T.F. Shmelova, and YU.V. Sikirda, Pryynyattya rishenʹ v sotsiotekhnichnykh systemakh: monohrafiya, [Decision making in sociotechnical systems: a monograph]. Kyiv, NAU, 2016. (In Ukranian) [38] Z. Dvorak, D. Rehak, A. David, and Z. Cekerevac. “Qualitative Approach to Environmental Risk Assessment in Transport”. Int. J. Environ. Res. Public Health, 17, 5494, (2020). doi: 10.3390/ijerph17155494