<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Fuzzy cognitive mapping as a scenario approach for information security risk analysis</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Svitlana Shevchenko</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Yuliia Zhdanova</string-name>
          <email>y.zhdanova@kubg.edu.ua</email>
          <xref ref-type="aff" rid="aff0">0</xref>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Olha Kryvytska</string-name>
          <email>olha.kryvytska@oa.edu.ua</email>
          <xref ref-type="aff" rid="aff1">1</xref>
          <xref ref-type="aff" rid="aff2">2</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Halyna Shevchenko</string-name>
          <xref ref-type="aff" rid="aff1">1</xref>
          <xref ref-type="aff" rid="aff2">2</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Svitlana Spasiteleva</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Borys Grinchenko Kyiv Metropolitan University</institution>
          ,
          <addr-line>18/2 Bulvarno-Kudriavska str., 04053 Kyiv</addr-line>
          ,
          <country country="UA">Ukraine</country>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>CPITS-II 2024: Workshop on Cybersecurity Providing in Information and Telecommunication Systems II</institution>
        </aff>
        <aff id="aff2">
          <label>2</label>
          <institution>National University of Ostroh Academy</institution>
          ,
          <addr-line>2 Seminarska str., 35800 Ostroh</addr-line>
          ,
          <country country="UA">Ukraine</country>
        </aff>
      </contrib-group>
      <fpage>356</fpage>
      <lpage>362</lpage>
      <abstract>
        <p>To avoid damaging their reputation in the field of information and cyber security, companies tend to keep incidents and attacks that affect their operations under wraps. This lack of information prevents a more accurate risk assessment, since statistical analysis requires a large volume of historical data. Thus, a quantitative-qualitative approach to risk analysis in cybersecurity, particularly scenario analysis, is most commonly applied. The scenario approach to information security risk assessment is a powerful tool for proactive information protection: forecasting potential consequences, rather than responding to them, allows companies to avoid significant and unnecessary costs. Scenario analysis enables the modeling of various cyberattack situations, the assessment of risks, and the management of information security risks. This research is dedicated to the application of the “What-if” scenario analysis method to assessing information security risks. The paper presents a detailed description of this methodology and the stages of the process. The advantages and disadvantages of the scenario approach and its potential use in information security risk management are identified. The scenarios are modeled using fuzzy cognitive maps. An influence matrix was developed, and the key concepts were calculated. Potential scenarios were generated using the Mental Modeler software tool.</p>
      </abstract>
      <kwd-group>
        <kwd>information security risk</kwd>
        <kwd>information security system</kwd>
        <kwd>cybersystem</kwd>
        <kwd>cyber risk</kwd>
        <kwd>cognitive modeling</kwd>
        <kwd>scenario analysis</kwd>
        <kwd>fuzzy cognitive map</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. Introduction</title>
      <p>Information in today’s world has become one of the most
valuable assets of an enterprise. Its loss, leakage, or
destruction can lead to negative consequences for the
organization, ranging from financial losses to reputational
damage, potentially even resulting in bankruptcy.
Cybercriminals, who continually develop and refine
increasingly sophisticated attack methods, often count on
such outcomes. Organizations frequently do not know
where an attack may come from or even if it is happening.
Just one asset vulnerability can grant an attacker access to
the entire company’s information assets. Therefore,
information protection is a priority task for every
organization.</p>
      <p>
        A sufficient number of methodologies dedicated to
information protection systems have been developed, but
this field cannot remain static. Therefore, the improvement
of existing methods and the development of new ones remain and
will continue to be a relevant issue. At present, a risk-based
approach is highlighted as a key system for information
protection [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ]. Implementing it allows for the following:
      </p>
      <list list-type="bullet">
        <list-item>
          <p>Timely identification of potential vulnerabilities in
the information system and the development of
effective protection measures in advance.</p>
        </list-item>
        <list-item>
          <p>Focusing efforts and resources on the most
valuable and critically important assets through
the prioritization of risks, starting with the highest
ones.</p>
        </list-item>
        <list-item>
          <p>Avoiding unnecessary expenses by identifying
appropriate means of information protection.</p>
        </list-item>
        <list-item>
          <p>Ensuring maximum compliance with the
necessary legal requirements in the information
and cybersecurity system.</p>
        </list-item>
        <list-item>
          <p>Enhancing the company’s reputation strategies
and customer trust by ensuring a high level of
confidentiality and integrity of their data.</p>
        </list-item>
      </list>
      <p>The complexity and multifaceted nature of the elements in
the information and cybersecurity system complicate the
process of predicting information protection needs. A
productive and effective method for research and
forecasting in this area is modeling possible situations and
their consequences. This approach allows for the analysis of
potential threats, risk assessment, and the development of
effective protection strategies. Numerous studies in this
field support this claim.</p>
      <p>
        In the scientific work [2], researchers propose a model
for information security risk assessment based on decision
theory, fuzzy logic, and fault tree analysis. In the study [3],
a cognitive model is described, which enables the
investigation of the impact of potential threats on the
security level of a critical infrastructure object, and scenario
modeling of this impact is conducted. A risk-based approach
in the cybersecurity protection system is described in [4],
where the model of decision-making delays in information
protection and its effect on security risks is explored using
logistic equations and Hutchinson’s equation.
“Attacker-defender” situations are modeled using cognitive modeling in
[5]. The adaptation of SWOT analysis for assessing
information and cybersecurity risks is carried out in scientific
articles [
        <xref ref-type="bibr" rid="ref6">6, 7</xref>
        ]. The authors of [
        <xref ref-type="bibr" rid="ref7">8</xref>
        ] present a method for
assessing information security risks based on scenarios
involving advanced persistent threat attacks. The researchers
build risk scenarios for high-level vulnerabilities, analyze the
likelihood of each risk, and make decisions regarding both
technical and business risks. In the study [
        <xref ref-type="bibr" rid="ref8">9</xref>
        ], a model of
cognitive maps for information security risks is presented in
a static form as an oriented graph, with further selection of
methods for handling these risks.
      </p>
      <p>
        Thus, experts’ interest in information security risk
management promotes the introduction of mathematical
methods in this field [
        <xref ref-type="bibr" rid="ref10 ref9">10, 11</xref>
        ]. We agree with the authors
who consider cognitive modeling appropriate for use in
information protection systems, as risk assessment is
characterized by a high degree of uncertainty, difficulty in
strict formalization, and subjective nature.
      </p>
      <p>
        Cognitive modeling, as researchers argue in [5], is an
invaluable tool for identifying vulnerabilities in security
systems and developing measures to eliminate them. It
provides decision-makers with a valuable tool for analyzing
different scenarios and making informed decisions. The
complexity of applying this method requires practical
developments and the use of information and
communication technologies. The above allows us to
state the goal of this paper: to study the application of
fuzzy cognitive maps in constructing various dynamic
scenarios using the Mental Modeler software.
      </p>
      <p>2. Cognitive modeling: Fuzzy cognitive map and execution stages</p>
      <p>
        Cognitive modeling is based on the construction of a fuzzy
cognitive map, which is an oriented graph where the
vertices (concepts) represent system variables, and the
weighted edges reflect the strength of one concept’s
influence on another [
        <xref ref-type="bibr" rid="ref11">12</xref>
        ]. As is known, Kosko’s fuzzy
cognitive map is a weighted directed graph in which the
weights on the edges take values in the range [-1; 1],
thus determining the level of influence one factor (concept)
has on another. Using a cognitive map, both static and
dynamic analyses can be performed (see Fig. 1).
      </p>
      <p>3. Scenario modeling based on cognitive modeling</p>
      <p>3.1. Task formulation</p>
      <p>
        1. Define the structure of the fuzzy cognitive map [
        <xref ref-type="bibr" rid="ref7">8</xref>
        ]. The map is represented by a directed graph given by three
sets. The first is the set of factors (concepts); in our case,
this is the set of possible threats to a specific information
asset, the vulnerabilities that a threat can exploit, and the
possible consequences of threat realization. The second is
the set of edges representing causal relationships between
factors. The third is the set of edge weights (strength of
influence). In our case, the weight of an edge equals the risk
level, a value in the range from 0 to 1 determined by the
probability of each threat’s realization and the probability
of the corresponding losses. These values are calculated
based on expert assessments and using SWOT analysis.
      </p>
      <p>2. Characterize the strength of influence between each
pair of concepts. This is done using the risk level and
qualitative expert evaluations. Experts assess the likelihood
of each threat and the impact it would have on the
information asset, which contributes to determining the
strength of influence between concepts.</p>
      <p>3. Build the model. Construct a weighted directed graph
based on the fuzzy cognitive map for evaluating information
security risks. Each edge in the graph is assigned a weight
corresponding to the calculated risk level, thus representing
the impact one concept (e.g., a threat or vulnerability) has
on another.</p>
      <p>4. Identify critical risks. Identify the risks with the
highest degree of influence, as they pose the greatest threat.
These critical risks should be the focus of the analysis and
of security measures.</p>
      <p>5. Model scenarios. Using the Mental Modeler software,
simulate scenarios to analyze the impact of the most
significant concepts. This enables the exploration of how
different risk factors interact and affect the overall security
posture of the information asset.</p>
      <p>3.2. Building the fuzzy cognitive map as a graph and matrix</p>
      <p>Once the structure is defined, construct the fuzzy cognitive
map as a weighted directed graph. Each node represents a
concept (such as a threat or vulnerability), and the edges
between them represent the causal relationships. The
weights on the edges quantify the strength of these
relationships. Additionally, the graph can be represented as
an adjacency matrix, where each element denotes the
weight of the edge from one concept to another. This matrix
form is useful for further analysis, including determining
the most influential nodes (critical risks) and simulating the
dynamic behavior of the system under different scenarios.</p>
      <p>
        Building a fuzzy cognitive map is a flexible process that can
involve various numbers of participants and utilize different
information sources. One person may create a map based on
personal experience, while a group of experts can develop it
based on data collected from the organization or obtained
through surveys. Additionally, all participants can be
involved in the process to achieve a more objective picture.
In our research, we propose using SWOT analysis to
identify the system and the influence weights during a
brainstorming session, following the methods described in
studies [
        <xref ref-type="bibr" rid="ref6 ref8">6, 7, 9</xref>
        ].
      </p>
      <p>As a sample, we will highlight an information asset,
such as the organization’s database, and conduct the
identification of threats and vulnerabilities associated with
this asset (see Table 1).</p>
      <table-wrap id="tbl1">
        <label>Table 1</label>
        <caption>
          <p>Vulnerabilities and threats associated with the organization’s database</p>
        </caption>
        <table>
          <thead>
            <tr>
              <th>Security property</th>
              <th>Vulnerability</th>
              <th>Threat</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td>Availability</td>
              <td>Database protection is missing</td>
              <td>Physical damage to databases (intentional or unintentional)</td>
            </tr>
            <tr>
              <td>Availability</td>
              <td>Weak cryptographic protection</td>
              <td>Theft and data falsification</td>
            </tr>
            <tr>
              <td>Availability</td>
              <td>Uninterruptible power supply systems are missing</td>
              <td>Equipment failure and loss of unsaved data</td>
            </tr>
            <tr>
              <td>Availability</td>
              <td>The system for regular data backup is absent</td>
              <td>Data loss</td>
            </tr>
            <tr>
              <td>Integrity</td>
              <td>Database protection is missing</td>
              <td>Physical damage to databases (intentional or unintentional)</td>
            </tr>
            <tr>
              <td>Integrity</td>
              <td>Weak passwords for data access</td>
              <td>Theft and data falsification</td>
            </tr>
            <tr>
              <td>Integrity</td>
              <td>Absence of access rights segmentation</td>
              <td>Modification of data (intentional or unintentional)</td>
            </tr>
            <tr>
              <td>Integrity</td>
              <td>The system for regular data backup is absent</td>
              <td>Data loss</td>
            </tr>
            <tr>
              <td>Confidentiality</td>
              <td>Database protection is missing</td>
              <td>Unauthorized access (direct and remote)</td>
            </tr>
            <tr>
              <td>Confidentiality</td>
              <td>Weak cryptographic protection</td>
              <td>Theft and data falsification</td>
            </tr>
            <tr>
              <td>Confidentiality</td>
              <td>Two-factor authentication is absent</td>
              <td>Unauthorized access (direct and remote)</td>
            </tr>
            <tr>
              <td>Confidentiality</td>
              <td>Absence of access rights segmentation</td>
              <td>Unauthorized access (direct and remote)</td>
            </tr>
          </tbody>
        </table>
      </table-wrap>
      <p>Let’s define the following concepts:</p>
      <list list-type="bullet">
        <list-item>
          <p>C1 is physical damage to databases (intentional and unintentional)</p>
        </list-item>
        <list-item>
          <p>C2 is data theft and falsification</p>
        </list-item>
        <list-item>
          <p>C3 is data modification (intentional and unintentional)</p>
        </list-item>
        <list-item>
          <p>C4 is unauthorized access (direct and remote)</p>
        </list-item>
        <list-item>
          <p>C5 is equipment failure and loss of unsaved data</p>
        </list-item>
        <list-item>
          <p>C7 is lack of a regular data backup system</p>
        </list-item>
        <list-item>
          <p>C8 is weak passwords for data access</p>
        </list-item>
        <list-item>
          <p>C9 is lack of uninterruptible power supplies</p>
        </list-item>
        <list-item>
          <p>C10 is lack of two-factor authentication</p>
        </list-item>
        <list-item>
          <p>C11 is lack of database protection</p>
        </list-item>
        <list-item>
          <p>C12 is lack of access rights segregation</p>
        </list-item>
        <list-item>
          <p>C13 is weak cryptographic protection.</p>
        </list-item>
      </list>
      <p>To determine the risk level for each factor (Table 2), we
apply the formula given above: the risk level of a factor, a
value in the range from 0 to 1, is determined by the
probability of the threat occurring and the probability of
the corresponding losses.</p>
      <p>Table 2. Determination of the degree of risk for each factor.</p>
      <p>
        The fuzzy cognitive map modeling will be carried out
using the software Mental Modeler [
        <xref ref-type="bibr" rid="ref12">13</xref>
        ]. Fig. 3 shows the
cause-and-effect relationships between the system elements
(concepts), demonstrating how changes in one element can
lead to changes in others.
      </p>
      <p>As a characteristic of the cognitive map, researchers suggest
calculating its density (clustering coefficient) as the ratio of
the number of connections to the square of the number of
concepts, n / N², where n is the total number of connections
and N is the total number of concepts. It is evident that the
more connections there are, the higher the density, and
therefore, the greater the potential for changes. Thus, in our
case, 22 / 13² = 0.13. The density is moderate. This is
reasonable due to the selection of a small number of factors
(threats and vulnerabilities).</p>
      <p>For the systematic analysis of the fuzzy cognitive map,
we use the matrix method. This method allows for
formalizing knowledge about the system and identifying
patterns in its functioning. The results are presented in</p>
      <p>To assess the properties of a fuzzy cognitive map, we use
the formal apparatus of graph theory, specifically the
transitive closure operation, which allows us to build a
complete graph of interactions between concepts and
calculate various indicators based on it: consonance,
dissonance, and the impact of concepts on risk assessment.
The results are presented in Fig. 5.</p>
      <p>A static analysis for this process has been modeled. By
comparing the obtained risk level with the benchmark
outlined in the organization’s Security Policy, the
information security officer decides on risk treatment: to
minimize, transfer, mitigate, or accept the risks. At the next
stage, various scenario modeling is conducted depending on
the measures chosen by the company’s management.</p>
      <p>3.3. Scenario building based on concept changes</p>
      <p>The results of the previous matrix indicate that the most
significant concepts, i.e., those with the greatest impact on
the system, are:</p>
      <p>C3 is threat: Data modification (intentional or
unintentional).</p>
      <p>C8 is vulnerability: Weak passwords for data access.</p>
      <p>Let’s model the situations in which these respective values
change.</p>
      <sec id="sec-1-0">
        <title>Situation 1.</title>
        <p>The risk of data modification C3 will have a nearly
maximum value if the risk level associated with the
vulnerability of weak passwords for data access increases by
0.01 (Fig. 6).</p>
      </sec>
      <sec id="sec-1-1">
        <title>Situation 2.</title>
        <p>The risk of data modification C3 and unauthorized
access (both direct and remote) C4 will have a nearly
maximum value if the risk level associated with the
vulnerability of weak passwords for data access increases by
0.02 (Fig. 7).</p>
      </sec>
      <sec id="sec-1-2">
        <title>Situation 3.</title>
        <p>The risk of data modification C3 and data theft and
falsification C2 will reach near-maximum levels if the risk
associated with vulnerabilities such as weak passwords for
data access increases by 0.02 (Fig. 8).</p>
        <p>Thus, the use of fuzzy cognitive maps allows for the
identification of key concepts that influence system
behavior. Through cognitive modeling, it is possible to
explore how changes in the values of these factors will affect
other system elements. This enables the development of
various event scenarios and the evaluation of their
consequences. However, one limitation is that cognitive
maps are tools for visualizing and structuring expert
knowledge but do not replace objective data. They reflect
the subjective understanding of experts about the system
and can serve as a basis for further analysis. Nevertheless,
for effective use of cognitive maps, it is necessary to apply
more specialized software that includes a threat library,
their sources, a set of asset vulnerabilities, and other tools
that allow automating routine operations and providing a
more accurate information security risk analysis.</p>
      </sec>
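      <p>The adjacency-matrix form of Section 3.2, the density formula, the ranking of critical risks and the what-if scenario of Section 3.3 in working code, as an added illustration that is not part of the paper and does not reproduce the Mental Modeler tool. The concepts and the vulnerability-to-threat links follow Table 1; the edge weights are constructed, and the update rule is the standard Kosko sigmoid iteration, which is an assumption about how the scenarios were propagated.</p>

```python
import math
import operator

# Concepts as defined on the page (the page defines no C6, so it is omitted).
CONCEPTS = ["C1", "C2", "C3", "C4", "C5", "C7", "C8", "C9", "C10", "C11", "C12", "C13"]

# Causal links: the vulnerability-to-threat pairs of Table 1, the links implied
# by the scenarios of Section 3.3, and two constructed threat-to-threat links.
# All WEIGHTS are constructed for illustration; the paper's own influence
# matrix is not reproduced. A weight is the strength with which the source
# concept drives the target, in the range 0..1 (the risk level).
EDGES = {
    ("C11", "C1"): 0.6,  # no database protection, physical damage to databases
    ("C11", "C4"): 0.7,  # no database protection, unauthorized access
    ("C13", "C2"): 0.5,  # weak cryptographic protection, theft and falsification
    ("C9", "C5"): 0.8,   # no uninterruptible power supply, equipment failure
    ("C8", "C2"): 0.6,   # weak passwords, theft and falsification
    ("C8", "C3"): 0.8,   # weak passwords, data modification
    ("C8", "C4"): 0.7,   # weak passwords, unauthorized access
    ("C10", "C4"): 0.6,  # no two-factor authentication, unauthorized access
    ("C12", "C3"): 0.5,  # no access rights segregation, data modification
    ("C12", "C4"): 0.5,  # no access rights segregation, unauthorized access
    ("C4", "C2"): 0.4,   # unauthorized access enables theft and falsification
    ("C4", "C3"): 0.4,   # unauthorized access enables data modification
}


def adjacency_matrix(concepts, edges):
    """Square matrix w[i][j] = influence of concept i on concept j (0 if no edge)."""
    index = {name: k for k, name in enumerate(concepts)}
    n = len(concepts)
    w = [[0.0] * n for _ in range(n)]
    for (src, dst), weight in edges.items():
        w[index[src]][index[dst]] = weight
    return w


def density(n_connections, n_concepts):
    """Map density as used on the page: number of connections over concepts squared."""
    return n_connections / (n_concepts ** 2)


def influence_ranking(concepts, w):
    """Concepts ordered by total outgoing influence (the 'identify critical risks' step)."""
    scores = [(name, round(sum(abs(x) for x in w[k]), 2)) for k, name in enumerate(concepts)]
    return sorted(scores, key=lambda item: -item[1])


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


def simulate(w, state, clamped=None, tol=1e-6, max_iter=500):
    """Iterate the map until the concept values stop changing.

    Update rule (Kosko-style with a sigmoid threshold, an assumption about how
    the scenarios were propagated): the new value of concept j is
    f(current value + sum over i of value_i * w[i][j]). Concepts listed in
    `clamped` are pinned to the value the scenario sets on every step.
    """
    clamped = clamped or {}
    n = len(state)
    for _ in range(max_iter):
        new_state = []
        for j in range(n):
            if j in clamped:
                new_state.append(clamped[j])
                continue
            incoming = sum(state[i] * w[i][j] for i in range(n))
            new_state.append(sigmoid(state[j] + incoming))
        delta = max(abs(a - b) for a, b in zip(new_state, state))
        state = new_state
        if operator.lt(delta, tol):  # converged
            break
    return state


def what_if(concepts, w, changes):
    """Scenario run with some concepts pinned, reported as change versus the baseline."""
    index = {name: k for k, name in enumerate(concepts)}
    start = [0.5] * len(concepts)  # every factor at a neutral starting level
    baseline = simulate(w, start)
    pinned = {index[name]: value for name, value in changes.items()}
    scenario = simulate(w, start, clamped=pinned)
    return {name: round(scenario[k] - baseline[k], 4) for name, k in index.items()}


if __name__ == "__main__":
    W = adjacency_matrix(CONCEPTS, EDGES)
    print("density:", round(density(len(EDGES), len(CONCEPTS)), 2))
    print("most influential:", influence_ranking(CONCEPTS, W)[:3])
    # Situation analogous to Section 3.3: weak passwords (C8) at their maximum.
    print("change vs baseline:", what_if(CONCEPTS, W, {"C8": 1.0}))
```

      <p>With these constructed weights the ranking puts C8 first and the scenario raises C2, C3 and C4 while leaving concepts with no path from C8 (such as C5) unchanged, which mirrors the qualitative result of Situations 1 to 3.</p>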
    </sec>
    <sec id="sec-2">
      <title>4. Conclusions</title>
      <p>The proposed methodological approach to information and
cyber security risk management through scenario analysis,
represented by fuzzy cognitive mapping, enables the
identification of key indicators that determine system
behavior, the influence of various factors and concepts on
the system as a whole, and the identification of the highest
risks and priorities for developing measures to ensure
confidentiality, integrity, and availability of information.</p>
      <p>This approach provides the ability to construct event
development scenarios, which supports informed
managerial decision-making.</p>
      <p>The research results will be useful for information
security professionals, managers responsible for data
protection, as well as students studying disciplines related
to risk management in the field of security.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1]
          <string-name>
            <given-names>S.</given-names>
            <surname>Shevchenko</surname>
          </string-name>
          , et al.,
          <article-title>Protection of Information in Telecommunication Medical Systems based on a Risk-Oriented Approach</article-title>
          , in:
          <source>Workshop on Cybersecurity Providing in Information and Telecommunication Systems</source>
          , vol.
          <volume>3421</volume>
          (
          <year>2023</year>
          )
          <fpage>158</fpage>
          -
          <lpage>167</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [2]
          <string-name>
            <given-names>A.</given-names>
            <surname>Gusmão</surname>
          </string-name>
          , et al.,
          <article-title>Cybersecurity Risk Analysis Model Using Fault Tree Analysis and Fuzzy Decision Theory</article-title>
          ,
          <source>Int. J. Inf. Manag.</source>
          <volume>43</volume>
          (
          <year>2018</year>
          ). doi: 10.1016/j.ijinfomgt.2018.08.008.
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          [3]
          <string-name>
            <given-names>O.</given-names>
            <surname>Saliyeva</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Yu.</given-names>
            <surname>Yaremchuk</surname>
          </string-name>
          ,
          <article-title>Cognitive Model for Researching the Level of Security of a Critical Infrastructure Object</article-title>
          ,
          <source>Security of Information</source>
          ,
          <volume>26</volume>
          (
          <issue>2</issue>
          ) (
          <year>2020</year>
          )
          <fpage>64</fpage>
          -
          <lpage>73</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          [4]
          <string-name>
            <given-names>V.</given-names>
            <surname>Kononovich</surname>
          </string-name>
          , et al.,
          <article-title>Influence of Delays Decision Action for Information Protection on Information Security Risks</article-title>
          ,
          <source>Ukrainian Sci. J. Inf. Secur.</source>
          <volume>20</volume>
          (
          <issue>1</issue>
          ) (
          <year>2014</year>
          )
          <fpage>83</fpage>
          -
          <lpage>91</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          [5]
          <string-name>
            <given-names>V.</given-names>
            <surname>Veksler</surname>
          </string-name>
          , et al.,
          <article-title>Cognitive Models in Cybersecurity: Learning from Expert Analysts and Predicting Attacker Behavior</article-title>
          ,
          <source>Frontiers in Psychology</source>
          ,
          <volume>11</volume>
          (
          <year>2020</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          [7]
          <string-name>
            <given-names>S.</given-names>
            <surname>Shevchenko</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Y.</given-names>
            <surname>Zhdanova</surname>
          </string-name>
          ,
          <string-name>
            <given-names>K.</given-names>
            <surname>Kravchuk</surname>
          </string-name>
          ,
          <article-title>Information Protection Model based on Information Security Risk Assessment for Small and Medium-Sized Business</article-title>
          ,
          <source>Cybersecur. Educ. Sci. Tech.</source>
          <volume>2</volume>
          (
          <issue>14</issue>
          ) (
          <year>2021</year>
          )
          <fpage>158</fpage>
          -
          <lpage>175</lpage>
          . doi: 10.28925/2663-4023.2021.14.158175.
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          [8]
          <string-name>
            <given-names>X.</given-names>
            <surname>Ban</surname>
          </string-name>
          ,
          <string-name>
            <given-names>X.</given-names>
            <surname>Tong</surname>
          </string-name>
          ,
          <article-title>A Scenario-based Information Security Risk Evaluation Method</article-title>
          ,
          <source>Int. J. Secur. Appl.</source>
          <volume>8</volume>
          (
          <year>2014</year>
          )
          <fpage>21</fpage>
          -
          <lpage>30</lpage>
          . doi: 10.14257/ijsia.2014.8.5.03.
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          [9]
          <string-name>
            <given-names>S.</given-names>
            <surname>Shevchenko</surname>
          </string-name>
          , et al.,
          <article-title>Information Security Risk Management using Cognitive Modeling</article-title>
          , in:
          <source>Cybersecurity Providing in Information and Telecommunication Systems</source>
          , vol.
          <volume>3550</volume>
          (
          <year>2023</year>
          )
          <fpage>297</fpage>
          -
          <lpage>305</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          [10]
          <string-name>
            <given-names>S.</given-names>
            <surname>Zybin</surname>
          </string-name>
          , et al.,
          <article-title>Approach of the Attack Analysis to Reduce Omissions in the Risk Management</article-title>
          ,
          <source>in: Workshop on Cybersecurity Providing in Information and Telecommunication Systems, CPITS</source>
          , vol.
          <volume>2923</volume>
          (
          <year>2021</year>
          )
          <fpage>318</fpage>
          -
          <lpage>328</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          [11]
          <string-name>
            <given-names>D.</given-names>
            <surname>Berestov</surname>
          </string-name>
          , et al.,
          <article-title>Synthesis of the System of Iterative Dynamic Risk Assessment of Information Security</article-title>
          ,
          <source>in: Workshop on Cybersecurity Providing in Information and Telecommunication Systems II, CPITS-II-2</source>
          , vol.
          <volume>3188</volume>
          (
          <year>2021</year>
          )
          <fpage>135</fpage>
          -
          <lpage>148</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          [12]
          <string-name>
            <given-names>B.</given-names>
            <surname>Kosko</surname>
          </string-name>
          , Fuzzy Cognitive Maps,
          <source>Int. J. Man-Machine Studies</source>
          ,
          <volume>24</volume>
          (
          <year>1986</year>
          )
          <fpage>65</fpage>
          -
          <lpage>75</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          [13]
          <string-name>
            <given-names>S. A.</given-names>
            <surname>Gray</surname>
          </string-name>
          , et al.,
          <article-title>Using Fuzzy Cognitive Mapping as a Participatory Approach to Analyze Change, Preferred States, and Perceived Resilience of Social-Ecological Systems</article-title>
          ,
          <source>Ecology and Society</source>
          ,
          <volume>20</volume>
          (
          <issue>2</issue>
          ) (
          <year>2015</year>
          ).
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>