=Paper=
{{Paper
|id=Vol-3826/short28
|storemode=property
|title=Fuzzy cognitive mapping as a scenario approach for information security risk analysis (short paper)
|pdfUrl=https://ceur-ws.org/Vol-3826/short28.pdf
|volume=Vol-3826
|authors=Svitlana Shevchenko,Yuliia Zhdanova,Olha Kryvytska,Halyna Shevchenko,Svitlana Spasiteleva
|dblpUrl=https://dblp.org/rec/conf/cpits/ShevchenkoZKSS24
}}
==Fuzzy cognitive mapping as a scenario approach for information security risk analysis (short paper)==
Svitlana Shevchenko 1,*,†, Yuliia Zhdanova 1,†, Olha Kryvytska 2,†, Halyna Shevchenko 2,† and Svitlana Spasiteleva 1,†
1 Borys Grinchenko Kyiv Metropolitan University, 18/2 Bulvarno-Kudriavska str., 04053 Kyiv, Ukraine
2 National University of Ostroh Academy, 2 Seminarska str., 35800 Ostroh, Ukraine
Abstract
To avoid damaging their reputation in the field of information and cyber security, companies tend to keep incidents and attacks that affect their operations under wraps. This lack of information prevents a more accurate risk assessment, since statistical analysis requires a large volume of historical data. For this reason a combined quantitative-qualitative approach to cybersecurity risk analysis, in particular scenario analysis, is most commonly applied. The scenario approach to information security risk assessment is a powerful tool for proactive information protection: forecasting potential consequences, rather than responding to them after the fact, allows companies to avoid significant and unnecessary costs. Scenario analysis enables the modeling of various cyberattack situations, risk assessment, and management of information security risks. This research is dedicated to the application of the "What-if" scenario analysis method for assessing information security risks. The paper presents a detailed description of this methodology and the stages of the process. The advantages and disadvantages of the scenario approach and its potential use in information security risk management are identified. The scenarios are modeled using fuzzy cognitive maps. An influence matrix was developed, and the key concepts were calculated. Potential scenarios were generated using the Mental Modeler software tool.
Keywords
information security risk, information security system, cybersystem, cyber risk, cognitive modeling, scenario analysis, fuzzy cognitive map
⋆ CPITS-II 2024: Workshop on Cybersecurity Providing in Information and Telecommunication Systems II, October 26, 2024, Kyiv, Ukraine
* Corresponding author.
† These authors contributed equally.
s.shevchenko@kubg.edu.ua (S. Shevchenko); y.zhdanova@kubg.edu.ua (Y. Zhdanova); olha.kryvytska@oa.edu.ua (O. Kryvytska); halyna.shevchenko@oa.edu.ua (H. Shevchenko); s.spasitielieva@kubg.edu.ua (S. Spasiteleva)
ORCID: 0000-0002-9736-8623 (S. Shevchenko); 0000-0002-9277-4972 (Y. Zhdanova); 0000-0002-0844-3362 (O. Kryvytska); 0000-0002-8717-4358 (H. Shevchenko); 0000-0003-4993-6355 (S. Spasiteleva)
© 2024 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings (ceur-ws.org), ISSN 1613-0073

1. Introduction

Information in today's world has become one of the most valuable assets of an enterprise. Its loss, leakage, or destruction can lead to negative consequences for the organization, ranging from financial losses to reputational damage, potentially even resulting in bankruptcy. Cybercriminals, who continually develop and refine increasingly sophisticated attack methods, often count on such outcomes. Organizations frequently do not know where an attack may come from, or even whether one is already under way. A single vulnerability in one asset can grant an attacker access to the company's entire set of information assets. Therefore, information protection is a priority task for every organization.

A sufficient number of methodologies dedicated to information protection systems have been developed, but this field cannot remain static. Therefore, the improvement of existing methods and the development of new ones remain, and will continue to be, a relevant issue. At present, a risk-based approach is highlighted as a key system for information protection [1]. Implementing it allows for the following:

● Timely identification of potential vulnerabilities in the information system and the development of effective protection measures in advance.
● Focusing efforts and resources on the most valuable and critically important assets through the prioritization of risks, starting with the highest ones.
● Avoiding unnecessary expenses by identifying appropriate means of information protection.
● Ensuring maximum compliance with the legal requirements that apply to the information and cybersecurity system.
● Enhancing the company's reputation strategies and customer trust by ensuring a high level of confidentiality and integrity of their data.

The complexity and multifaceted nature of the elements in the information and cybersecurity system complicates the process of predicting information protection needs. A productive and effective method for research and forecasting in this area is modeling possible situations and their consequences. This approach allows for the analysis of potential threats, risk assessment, and the development of effective protection strategies. Numerous studies in this field support this claim.

In [2], researchers propose a model for information security risk assessment based on decision theory, fuzzy logic, and fault tree analysis. In [3], a cognitive model is described that enables the investigation of the impact of potential threats on the security level of a critical infrastructure object, and scenario modeling of this impact is conducted. A risk-based approach in the cybersecurity protection system is described in [4], where a model of decision-making delays in information protection and their effect on security risks is explored using logistic equations and Hutchinson's equation. "Attacker-defender" situations are modeled using cognitive modeling in [5]. The adaptation of SWOT analysis for assessing information and cybersecurity risks is carried out in [6, 7]. The authors of [8] present a method for assessing information security risks based on scenarios involving advanced persistent threat attacks; they build risk scenarios for high-level vulnerabilities, analyze the likelihood of each risk, and make decisions regarding both technical and business risks. In [9], a model of cognitive maps for information security risks is presented in static form as a directed graph, with subsequent selection of methods for handling these risks.

Thus, experts' interest in information security risk management promotes the introduction of mathematical methods in this field [10, 11]. We agree with the authors who consider cognitive modeling appropriate for information protection systems, since risk assessment is characterized by a high degree of uncertainty, difficulty of strict formalization, and a subjective nature.

Cognitive modeling, as the researchers in [5] argue, is an invaluable tool for identifying vulnerabilities in security systems and developing measures to eliminate them. It provides decision-makers with a valuable tool for analyzing different scenarios and making informed decisions. The complexity of applying this method calls for practical developments and the use of information and communication technologies. The above allows us to state the goal of this paper: to study the application of fuzzy cognitive maps in constructing various dynamic scenarios using the Mental Modeler software.

2. Cognitive modeling: Fuzzy cognitive map and execution stages

Cognitive modeling is based on the construction of a fuzzy cognitive map, which is a directed graph whose vertices (concepts) represent system variables and whose weighted edges reflect the strength of one concept's influence on another [12]. As is known, Kosko's fuzzy cognitive map is a weighted directed graph in which the edge weights take values in the range [-1; 1], thus determining the level of influence one factor (concept) has on another. Using a cognitive map, both static and dynamic analyses can be performed (see Fig. 1).

Figure 1: Using a fuzzy cognitive map for modeling

Fig. 2 illustrates the modeling mechanism based on cognitive modeling.

Figure 2: Modeling mechanism based on cognitive approach
3. Scenario modeling based on cognitive modeling

3.1. Task formulation

1. Define the structure of the fuzzy cognitive map [8]. Let $\bar{G} = \{C, E, W\}$ be a directed graph, where $C = \{C_i\}$ is the set of factors (concepts); in our case, this is the set of possible threats to a specific information asset, the vulnerabilities that a threat can exploit, and the possible consequences of threat realization; $E = \{e_{ij}\}$ is the set of edges representing causal relationships between factors; and $W = \{w_{ij}\}$ is the set of edge weights (strength of influence). In our case, $w_{ij} = r_i = p_i q_i$, $0 \le w_{ij} \le 1$, where $r_i$ is the risk level, $p_i$ is the probability of the threat's realization, and $q_i$ is the probability of the corresponding losses. These values are calculated based on expert assessments and using SWOT analysis.
2. Characterize the strength of influence between each pair of concepts. This is done using the risk level and qualitative expert evaluations. Experts assess the likelihood of each threat and the impact it would have on the information asset, which contributes to determining the strength of influence between concepts.
3. Build the model. Construct a weighted directed graph based on the fuzzy cognitive map for evaluating information security risks. Each edge in the graph is assigned a weight corresponding to the calculated risk level, thus representing the impact one concept (e.g., a threat or vulnerability) has on another.
4. Identify critical risks. Identify the risks with the highest degree of influence, as they pose the greatest threat. These critical risks should be the focus of the analysis and security measures.
5. Model scenarios. Using the Mental Modeler software, simulate scenarios to analyze the impact of the most significant concepts. This enables the exploration of how different risk factors interact and affect the overall security posture of the information asset.

3.2. Building the fuzzy cognitive map as a graph and matrix

Once the structure is defined, construct the fuzzy cognitive map as a weighted directed graph. Each node represents a concept (such as a threat or vulnerability), and the edges between them represent the causal relationships. The weights on the edges quantify the strength of these relationships. Additionally, the graph can be represented as an adjacency matrix, where each element denotes the weight of the edge from one concept to another. This matrix form is useful for further analysis, including determining the most influential nodes (critical risks) and simulating the dynamic behavior of the system under different scenarios.

Building a fuzzy cognitive map is a flexible process that can involve various numbers of participants and utilize different information sources. One person may create a map based on personal experience, while a group of experts can develop it based on data collected from the organization or obtained through surveys. Additionally, all participants can be involved in the process to achieve a more objective picture. In our research, we propose using SWOT analysis to identify the system and the influence weights during a brainstorming session, following the methods described in [6, 7, 9].

As a sample, we will highlight an information asset, such as the organization's database, and identify the threats and vulnerabilities associated with this asset (see Table 1).

Table 1
Vulnerabilities and threats of an information asset (vulnerability -> threat)

Availability:
  Database protection is missing -> Physical damage to databases (intentional or unintentional)
  Weak cryptographic protection -> Theft and data falsification
  Uninterruptible power supply systems are missing -> Equipment failure and loss of unsaved data
  The system for regular data backup is absent -> Data loss

Integrity:
  Database protection is missing -> Physical damage to databases (intentional or unintentional)
  Weak passwords for data access -> Theft and data falsification
  Absence of access rights segmentation -> Modification of data (intentional or unintentional)
  The system for regular data backup is absent -> Data loss

Confidentiality:
  Database protection is missing -> Unauthorized access (direct and remote)
  Weak cryptographic protection -> Theft and data falsification
  Two-factor authentication is absent -> Unauthorized access (direct and remote)
  Absence of access rights segmentation -> Unauthorized access (direct and remote)
Let's define the following concepts:

● C1 is physical damage to databases (intentional and unintentional)
● C2 is data theft and falsification
● C3 is data modification (intentional and unintentional)
● C4 is unauthorized access (direct and remote)
● C5 is equipment failure and loss of unsaved data
● C6 is data loss
● C7 is lack of a regular data backup system
● C8 is weak passwords for data access
● C9 is lack of uninterruptible power supplies
● C10 is lack of two-factor authentication
● C11 is lack of database protection
● C12 is lack of access rights segregation
● C13 is weak cryptographic protection.

To determine the risk level for each factor (Table 2), we apply the formula $w_{ij} = r_i = p_i q_i$, $0 \le w_{ij} \le 1$, where $r_i$ is the risk level, $p_i$ is the probability of the threat occurring, and $q_i$ is the probability of the corresponding losses.

Table 2
Determination of the degree of risk for each factor
Factor   p_i     q_i     r_i = p_i q_i
C1       0.165   0.246   0.04059
C2       0.165   0.216   0.03564
C3       0.25    0.52    0.13
C4       0.165   0.32    0.0528
C5       0.165   0.41    0.06765
C6       0.09    0.384   0.03456
C7       0.2     0.394   0.0788
C8       0.2     0.39    0.078
C9       0.132   0.31    0.04092
C10      0.132   0.422   0.055704
C11      0.072   0.338   0.024336
C12      0.132   0.476   0.062832
C13      0.132   0.376   0.049632

The fuzzy cognitive map modeling will be carried out using the software Mental Modeler [13]. Fig. 3 shows the cause-and-effect relationships between the system elements (concepts), demonstrating how changes in one element can lead to changes in others.
Figure 3: Fuzzy Cognitive Map for Information Security Risk Management
As a characteristic of the cognitive map, researchers suggest calculating its density, the ratio of the number of connections actually present to the number of connections possible among $N$ concepts:

$$d = \frac{n}{N^2},$$

where $n$ is the total number of connections and $N$ is the total number of concepts. Thus,

$$d = \frac{22}{13^2} = \frac{22}{169} \approx 0.13.$$

It is evident that the more connections there are, the higher the density, and therefore the greater the potential for change. In our case, the density is moderate. This is reasonable given the small number of factors (threats and vulnerabilities) selected.

For the systematic analysis of the fuzzy cognitive map, we use the matrix method. This method allows for formalizing knowledge about the system and identifying patterns in its functioning. The results are presented in Fig. 4.

Figure 4: Cognitive Matrix for Information Security Risk Management
To assess the properties of a fuzzy cognitive map, we use the formal apparatus of graph theory, specifically the transitive closure operation, which allows us to build a complete graph of interactions between concepts and calculate various indicators based on it: consonance, dissonance, and the impact of concepts on risk assessment. The results are presented in Fig. 5.

Figure 5: Key Indicators of the Fuzzy Cognitive Map for Information Security Risk Management
A static analysis for this process has been modeled. By comparing the obtained risk level with the benchmark outlined in the organization's Security Policy, the information security officer decides on risk treatment: to mitigate (minimize), transfer, or accept the risk. At the next stage, scenario modeling is conducted depending on the measures chosen by the company's management.

3.3. Scenario building based on concept changes

The results of the previous matrix indicate that the most significant concepts, i.e., those with the greatest impact on the system, are:

C3, the threat of data modification (intentional or unintentional);
C8, the vulnerability of weak passwords for data access.

Let's model situations in which the values of these concepts change.

Situation 1. The risk of data modification C3 will reach a nearly maximum value if the risk level associated with the vulnerability of weak passwords for data access (C8) increases by 0.01 (Fig. 6).

Figure 6: Simulated Scenario with Changes to C3

Situation 2. The risks of data modification C3 and unauthorized access (both direct and remote) C4 will reach nearly maximum values if the risk level associated with the vulnerability of weak passwords for data access (C8) increases by 0.02 (Fig. 7).

Figure 7: Simulated Scenario with Changes in C3 and C4

Situation 3. The risks of data modification C3 and data theft and falsification C2 will reach near-maximum levels if the risk level associated with vulnerabilities such as weak passwords for data access (C8) increases by 0.02 (Fig. 8).

Figure 8: Simulated Scenario with Changes in C3 and C2
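The following Python script is an added example, not the paper's code and not part of Mental Modeler, that carries the procedure of Sections 3.1 to 3.3 through end to end: edge weights $w_{ij} = r_i = p_i q_i$ from the $p_i$, $q_i$ of Table 2, the adjacency matrix, the density $n/N^2$, in/out-degree centrality for picking the critical concepts, the transitive closure used for the matrix analysis, and a "what-if" run in which one concept is clamped and every other concept's steady state is compared with the baseline. The edge list is constructed here: nine vulnerability-to-threat links read off Table 1 plus six threat-to-consequence links marked ASSUMED, because the 22-edge map of Fig. 3 is not reproducible from the text. The update rule is the standard Kosko inference with a logistic squashing function; the paper does not state Mental Modeler's exact function or settings, so the resulting numbers are illustrative and will not match Figs. 6 to 8.

```python
"""Fuzzy cognitive map (FCM) toolkit for the database-asset example.

Added example, not the paper's code. p_i and q_i come from Table 2; the
edge list below is constructed for this example (nine links from Table 1,
six ASSUMED links), since Fig. 3 is not reproducible from the text.
Standard library only.
"""
import math

# Concepts of Table 2: threats C1-C6, vulnerabilities C7-C13.
CONCEPTS = ["C1", "C2", "C3", "C4", "C5", "C6", "C7",
            "C8", "C9", "C10", "C11", "C12", "C13"]

# p_i: probability of realisation; q_i: probability of the loss (Table 2).
P = {"C1": 0.165, "C2": 0.165, "C3": 0.25, "C4": 0.165, "C5": 0.165,
     "C6": 0.09, "C7": 0.2, "C8": 0.2, "C9": 0.132, "C10": 0.132,
     "C11": 0.072, "C12": 0.132, "C13": 0.132}
Q = {"C1": 0.246, "C2": 0.216, "C3": 0.52, "C4": 0.32, "C5": 0.41,
     "C6": 0.384, "C7": 0.394, "C8": 0.39, "C9": 0.31, "C10": 0.422,
     "C11": 0.338, "C12": 0.476, "C13": 0.376}

# Directed edges (source -> target). The first nine are the
# vulnerability -> threat rows of Table 1; the six marked ASSUMED are
# added here so that threats feed the consequence concepts.
EDGES = [
    ("C11", "C1"), ("C13", "C2"), ("C9", "C5"), ("C7", "C6"), ("C8", "C2"),
    ("C12", "C3"), ("C11", "C4"), ("C10", "C4"), ("C12", "C4"),
    ("C8", "C3"), ("C4", "C2"), ("C4", "C3"),              # ASSUMED
    ("C1", "C6"), ("C5", "C6"), ("C3", "C6"),              # ASSUMED
]


def risk_levels():
    """r_i = p_i * q_i for every concept (the paper's edge-weight rule)."""
    return {c: round(P[c] * Q[c], 6) for c in CONCEPTS}


def adjacency_matrix(edges=EDGES):
    """W[i][j] = r_i if C_i -> C_j is an edge, else 0; all weights lie in [0, 1]."""
    r = risk_levels()
    idx = {c: k for k, c in enumerate(CONCEPTS)}
    W = [[0.0] * len(CONCEPTS) for _ in CONCEPTS]
    for src, dst in edges:
        W[idx[src]][idx[dst]] = r[src]
    return W


def density(W):
    """Links present over links possible, n / N^2 (22 / 13^2 = 0.13 in the paper)."""
    n_links = sum(1 for row in W for w in row if w != 0.0)
    return n_links / len(W) ** 2


def centrality(W):
    """Per concept: (outdegree, indegree, centrality = out + in), absolute weights."""
    out = {}
    for i, c in enumerate(CONCEPTS):
        outdeg = sum(abs(w) for w in W[i])
        indeg = sum(abs(W[j][i]) for j in range(len(W)))
        out[c] = (round(outdeg, 6), round(indeg, 6), round(outdeg + indeg, 6))
    return out


def transitive_closure(W):
    """Warshall's algorithm: R[i][j] is True if C_i reaches C_j by any path."""
    n = len(W)
    R = [[W[i][j] != 0.0 for j in range(n)] for i in range(n)]
    for k in range(n):
        for i in range(n):
            if R[i][k]:
                for j in range(n):
                    R[i][j] = R[i][j] or R[k][j]
    return R


def simulate(W, clamped=None, steps=500, tol=1e-9):
    """Iterate A_i(t+1) = f(A_i(t) + sum_j A_j(t) * w_ji), f = logistic, until the
    state stops changing. Clamped concepts are held at a fixed value, which is
    how a what-if ("C8 rises") is injected into the map."""
    clamped = clamped or {}
    n = len(W)
    A = [1.0] * n                      # every concept switched on at t = 0
    for c, v in clamped.items():
        A[CONCEPTS.index(c)] = v
    for _ in range(steps):
        nxt = []
        for i in range(n):
            s = A[i] + sum(A[j] * W[j][i] for j in range(n))
            nxt.append(1.0 / (1.0 + math.exp(-s)))
        for c, v in clamped.items():
            nxt[CONCEPTS.index(c)] = v
        converged = max(abs(a - b) for a, b in zip(A, nxt)) < tol
        A = nxt
        if converged:
            break
    return dict(zip(CONCEPTS, A))


def scenario(W, clamped):
    """Relative change of each concept's steady state versus the unclamped baseline."""
    base, alt = simulate(W), simulate(W, clamped)
    return {c: round((alt[c] - base[c]) / base[c], 4) for c in CONCEPTS}


if __name__ == "__main__":
    W = adjacency_matrix()
    print("density:", round(density(W), 3))
    ranked = sorted(centrality(W).items(), key=lambda kv: -kv[1][2])
    for c, (o, i, tot) in ranked[:3]:
        print(f"{c}: out={o} in={i} centrality={tot}")
    for c, delta in scenario(W, {"C8": 1.0}).items():
        if delta:
            print(f"C8 clamped high -> {c} changes by {delta:+.2%}")
```

Two practitioner notes. First, the rule $w_{ij} = r_i$ gives every edge leaving a concept the same weight, so `centrality` is driven by how many links a concept has rather than by any per-pair expert judgement; if the brainstorming session of Section 3.2 produces pairwise weights, put them in `EDGES` as a third element and use them in `adjacency_matrix` instead of `r[src]`. Second, the scenario clamps C8 at its maximum instead of adding 0.01 as in Situation 1, because a clamped concept is the only reliable way to force a persistent perturbation through a logistic update: a small additive bump is absorbed by the squashing function within a few iterations and the map returns to its baseline.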
Thus, the use of fuzzy cognitive maps allows for the identification of key concepts that influence system behavior. Through cognitive modeling, it is possible to explore how changes in the values of these factors will affect other system elements. This enables the development of various event scenarios and the evaluation of their consequences. One limitation, however, is that cognitive maps are tools for visualizing and structuring expert knowledge; they do not replace objective data. They reflect the experts' subjective understanding of the system and can serve as a basis for further analysis. For effective use of cognitive maps it is therefore necessary to apply more specialized software that includes a threat library, threat sources, a catalogue of asset vulnerabilities, and other tools that automate routine operations and provide a more accurate information security risk analysis.

4. Conclusions

The proposed methodological approach to information and cyber security risk management through scenario analysis, represented by fuzzy cognitive mapping, enables the identification of the key indicators that determine system behavior, the influence of various factors and concepts on the system as a whole, and the identification of the highest risks and the priorities for developing measures to ensure the confidentiality, integrity, and availability of information. This approach provides the ability to construct event development scenarios, which supports informed managerial decision-making.

The research results will be useful for information security professionals, managers responsible for data protection, and students studying disciplines related to risk management in the field of security.

References

[1] S. Shevchenko, et al., Protection of Information in Telecommunication Medical Systems based on a Risk-Oriented Approach, in: Workshop on Cybersecurity Providing in Information and Telecommunication Systems, vol. 3421 (2023) 158–167.
[2] A. Gusmão, et al., Cybersecurity Risk Analysis Model Using Fault Tree Analysis and Fuzzy Decision Theory, Int. J. Inf. Manag. 43 (2018). doi: 10.1016/j.ijinfomgt.2018.08.008.
[3] O. Saliyeva, Yu. Yaremchuk, Cognitive Model for Researching the Level of Security of a Critical Infrastructure Object, Security of Information, 26(2) (2020) 64–73.
[4] V. Kononovich, et al., Influence of Delays Decision Action for Information Protection on Information Security Risks, Ukrainian Sci. J. Inf. Secur. 20(1) (2014) 83–91.
[5] V. Veksler, et al., Cognitive Models in Cybersecurity: Learning from Expert Analysts and Predicting Attacker Behavior, Frontiers in Psychology, 11 (2020).
[6] H. Shevchenko, et al., Information Security Risk Analysis SWOT, in: Cybersecurity Providing in Information and Telecommunication Systems, vol. 2923 (2021) 309–317.
[7] S. Shevchenko, Y. Zhdanova, K. Kravchuk, Information Protection Model based on Information Security Risk Assessment for Small and Medium-Sized Business, Cybersecur. Educ. Sci. Tech. 2(14) (2021) 158–175. doi: 10.28925/2663-4023.2021.14.158175.
[8] X. Ban, X. Tong, A Scenario-based Information Security Risk Evaluation Method, Int. J. Secur. Appl. 8 (2014) 21–30. doi: 10.14257/ijsia.2014.8.5.03.
[9] S. Shevchenko, et al., Information Security Risk Management using Cognitive Modeling, in: Cybersecurity Providing in Information and Telecommunication Systems, vol. 3550 (2023) 297–305.
[10] S. Zybin, et al., Approach of the Attack Analysis to Reduce Omissions in the Risk Management, in: Workshop on Cybersecurity Providing in Information and Telecommunication Systems, CPITS, vol. 2923 (2021) 318–328.
[11] D. Berestov, et al., Synthesis of the System of Iterative Dynamic Risk Assessment of Information Security, in: Workshop on Cybersecurity Providing in Information and Telecommunication Systems II, CPITS-II-2, vol. 3188 (2021) 135–148.
[12] B. Kosko, Fuzzy Cognitive Maps, Int. J. Man-Machine Studies, 24 (1986) 65–75.
[13] S. A. Gray, et al., Using Fuzzy Cognitive Mapping as a Participatory Approach to Analyze Change, Preferred States, and Perceived Resilience of Social-Ecological Systems, Ecology and Society, 20(2) (2015).