=Paper=
{{Paper
|id=Vol-3925/paper13
|storemode=property
|title=Models and algorithms for analyzing information risks during the security audit of personal data information system
|pdfUrl=https://ceur-ws.org/Vol-3925/paper13.pdf
|volume=Vol-3925
|authors=Yuliia Kostiuk,Pavlo Skladannyi,Volodymyr Sokolov,Hennadii Hulak,Nataliia Korshun
|dblpUrl=https://dblp.org/rec/conf/cmigin/KostiukSSHK24
}}
==Models and algorithms for analyzing information risks during the security audit of personal data information system==
https://ceur-ws.org/Vol-3925/paper13.pdf
Models and algorithms for analyzing information risks
during the security audit of personal data information
system
Yuliia Kostiuk1,†, Pavlo Skladannyi1,∗,†, Volodymyr Sokolov1,†, Hennadii Hulak1,†
and Nataliia Korshun1,†
1
Borys Grinchenko Kyiv Metropolitan University, Bulvarno-Kudryavska Str., 18/2, Kyiv, 04053, Ukraine
Abstract
Security audits of information systems, including systems containing personal data, are a necessary step to
ensure an adequate level of security in the face of growing cyber threats. Given the complexity and diversity
of risks that may affect the confidentiality, integrity, and availability of information, effective tools for
assessing and formulating recommendations are key to optimizing resources and strengthening security.
The proposed risk analysis model uses methods that allow you to focus on identifying hidden threats, which
significantly increases the efficiency of auditors. The intelligent system used for personal data security
audits determines the level of security, assesses possible risks, and suggests measures to reduce potential
threats. This approach contributes to the continuous improvement of the security and reliability of
information systems in the context of the dynamic evolution of technologies and cyber threats.
Keywords
information security, personal data, risk assessment, fuzzy logic, model, decision support system, security
audit, risk management1
1. Introduction
Modern businesses are heavily dependent on information technology, making information system
security and risk management strategically important issues. Information is becoming a key business
asset, encompassing both static resources (databases, hardware configurations) and dynamic data
processing processes. At the same time, the introduction of the latest technologies is accompanied
by an increase in the threats of unauthorized access, privacy violations, and system failures [1–3].
Legal requirements, such as the GDPR in the European Union [4] and the Law of Ukraine “On
Personal Data Protection” [5], which oblige organizations to conduct regular audits and assess
potential threats, play an important role. In addition, the rapid development of technology, including
the introduction of cloud services, the Internet of Things, and artificial intelligence, creates new
vulnerabilities that must be taken into account when analyzing information security. Unaccounted-
for risks can lead to significant financial losses, fines, and loss of user confidence [6]. Effective risk
management contributes to the continuity of business processes, which guarantees the stable
operation of information systems [7]. Particular attention should be paid to the protection of personal
data at critical infrastructure facilities [8, 9], as their compromise can have large-scale consequences
for national security, the economy and society. A reliable cybersecurity system for such facilities
should include multi-level control mechanisms, regular threat monitoring, and the use of advanced
encryption and authentication technologies.
CH&CMiGIN’24: Third International Conference on Cyber Hygiene & Conflict Management in Global Information Networks,
January 24–27, 2024, Kyiv, Ukraine
* Corresponding author.
†
These authors contributed equally.
y.kostiuk@kubg.edu.ua (Y. Kostiuk); p.skladannyi@kubg.edu.ua (P. Skladannyi); v.sokolov@kubg.edu.ua (V. Sokolov);
h.hulak@kubg.edu.ua (H. Hulak); n.korshun@kubg.edu.ua (N. Korshun)
0000-0001-5423-0985 (Y. Kostiuk); 0000-0002-7775-6039 (P. Skladannyi); 0000-0002-9349-7946 (V. Sokolov); 0000-0001-
9131-9233(H. Hulak); 0000-0003-2908-970X (N. Korshun)
© 2025 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR
ceur-ws.org
Workshop ISSN 1613-0073
Proceedings
�2. Related work
An effective security audit of personal data information systems is an integral part of information
security management. It allows you to assess the security of assets, analyze risks, and propose
measures to improve information protection. However, the specifics of personal data make such an
audit difficult to conduct, as data loss may be detected with a delay and the consequences are difficult
to determine. There is often uncertainty in making decisions about the level of security and
compliance with regulatory requirements [10–16].
An analysis of the literature shows the need for further research in the field of personal data
protection. It is necessary to develop models, algorithms, and risk analysis tools to ensure prompt
and effective decision-making during the security audit of personal data information systems [17–
24]. They should take into account the specifics of the systems and current regulatory requirements.
In general, the main purpose of the security system is to ensure the stable operation of the enterprise,
prevent threats, protect legitimate interests, and prevent information loss. It should include
classification of information, forecasting of threats, creation of response mechanisms, and increase
of cost-effectiveness of protective measures.
3. Problem statement
Risk is a combination of the probability of an event and its consequences. In most cases, the meaning
= ,
of risk is defined as follows:
(1)
where is the probability of successful implementation of the threat, is an assessment of the
damage caused by the impact of an information security incident in the event of successful
implementation of the threat. A threat is understood as a potential cause of an incident that can
cause damage, so various methods are used to assess risks, including a basic vulnerability score, a
full overlap protection model, an average risk value, and a loss probability function.
Information system security auditors should have access to effective tools that allow not only
assessing the level of security but also formulating reasonable recommendations and developing
countermeasures to improve it [13–15, 24–26]. This provides a favorable environment for in-depth
analysis and complex tasks, which is important for increasing the professional efficiency of auditors.
Risks to information systems, which can be caused by both technical errors and malicious acts,
threaten basic security properties such as confidentiality, integrity, and availability of data. Many
threats arise from insufficient adaptation of the infrastructure to changes in the external
environment or internal inconsistencies in security measures, making risk analysis a crucial step in
establishing the optimal level of protection, taking into account the allowable costs.
4. Proposed solution
In the case of information security risk analysis, a risk can be understood as any distribution
× ⟶ ,
belonging to a set of various distributions which is the set of outcomes
(2)
where is the set of system states; is the set of different decisions.
According to the definition of event probability, the process of risk analysis can be viewed as
obtaining expert estimates of the frequency of realization of the threat in information systems over
a given period. In the absence of statistical data or the emergence of new threats, such as an anti-
virus storm, the Bayesian approach is effectively used to quantify the factors that determine the level
of security, because, in statistical problems, several probabilistic hypotheses are often considered,
which change with the receipt of new information. The main advantage of the Bayesian approach is
the ability to dynamically adjust probabilities that reflect the degree of confidence in various threat
models based on current data, which allows you to obtain a posteriori estimates of the probability of
information security incidents, track the receipt of new statistical data, determine the
�interdependencies between risk factors, and formulate logical conclusions with a physical
interpretation of changes in the structure of the problem’s dependencies.
The basis of the Bayesian approach is Bayes’ theorem, the main theorem of probability theory,
which allows us to determine the probability that a certain event has occurred based on statistical
random variable , which has a probability density ( | ) with parameters . Based on the obtained
data. In the case of analyzing the level of security of information system resources, we consider a
distribution ( ). Then, according to the Bayes formula:
statistical data, we can conclude about another random variable , which has a probability
( | ) ( )
( | )= .
( )
(3)
The main characteristics of the security of personal data information system resources are the
following tuple of indicators: the ability to ensure confidentiality ( ), integrity ( ), and availability
( ) of information in the face of possible threats.
In the event of a threat of a certain type to the studied or similar resource equipped with the same
information security systems and no violations of confidentiality, integrity, and availability, it is
possible to calculate a posteriori probability of hypotheses for a particular data source.
When collecting facts, the probabilities of hypotheses will increase if the facts support them or
decrease if the facts refute them. If three indicators are obtained simultaneously, provided they are
( | ) ( | ) ( | ) ( )
independent, the appropriate formula is used:
( | , , )= .
∑ ( | ) ( | ) ( | ) ( )
(4)
It is worth noting that it is obvious that if the results of the experiment indicate that the
information security system did not provide a tuple of security indicators when exposed to a threat,
then opposite scenarios should be considered. This means that it is necessary to carefully analyze
the factors that contributed to the ineffectiveness of security measures and identify contradictions
between the planned and implemented security measures. The use of risk analysis models and
algorithms can help identify and resolve problems that arise when ensuring the security of personal
( , , | ) = 1 − ( , , | ).
data information systems:
(5)
The use of the Bayesian approach to analyzing information risks during the security audit of
personal data information systems is relevant due to the ability of this method to quantify the
probability of threats, taking into account new information and the specifics of personal data
processing. The application of Bayes’ theorem allows us to systematize data on risks and
vulnerabilities, evaluate the effectiveness of security measures, and determine optimal protection
strategies [10, 11, 16, 19, 27, 28]. Particular attention should be paid to the confidentiality, integrity,
and availability of personal data when identifying risks and developing protection strategies. Risk
assessment, which takes into account the likelihood of a threat and potential losses, helps to increase
the effectiveness of the information security system and helps to identify its weaknesses. Risk
= ,
assessment is defined as follows:
(6)
case of successful realization of the threat, = 1 … " is the number of possible threats.
where is the probability of successful realization of the th threat, is the damage estimate in
th
Despite the importance of risk analysis, there are difficulties in using expert judgment, as it
complicates the interpretation of the results. It is advisable to develop methods based on quantitative
expert assessments obtained in monetary terms to ensure objectivity and convenience. The solution
to these problems determines the relevance of further research in the field of risk analysis and
management in information security.
�5. Risk analysis and management
The concept of ensuring the information security of personal data systems emphasizes that audit is
a key component of the personal data security management cycle. There are three main types of
audit: active, expert, and compliance audits, to ensure its correctness, an integrated approach with a
combination of these types, as well as an analysis of security risks, is required [12–15, 24, 25, 28, 29].
Particular attention is paid to the study of decision support methods during the audit and the review
of tools for automating the processes of verification of personal data information systems. The
importance of the intellectual support of an expert with the use of data mining technologies to
improve the efficiency of the audit is emphasized.
Risk ( ) is considered by the vast majority of experts to be a complex value that involves the
existence of such factors as threats, vulnerabilities, and the damage itself, and is expressed using a
formula:
= # $ % (&),
where # is the amount of damage (loss) in the event of an information asset security breach; $ is
(7)
the probability of a threat occurring; % (&) is a function describing the probability of a threat to an
information asset depending on the cost of providing protective measures, where & is the cost of
providing information asset protection in monetary terms.
The amount of damage is determined exclusively by the protected information, the probability of
a threat is a fixed value, and the probability of a threat being realized can be reduced by investing (&)
in the information security of the asset [12, 19, 25]. There is a tendency to reduce the likelihood of a
threat with increasing investment, but assessing the likelihood of threats, in particular, unauthorized
access to protected information becomes difficult when taking into account the intentional actions
of people. Increasing funding for information security reduces the likelihood of a threat
exponentially [20, 26–29].
Then the function and graph of the dependence (Figure 1) of the probability of a threat on
$ (&) = '( ,
)*∙,
information security costs will look like this:
∀(') ∈ 00; 13,
- 4,
∀(&) ∈ ,
(8)
where ' is the probability of a threat; 5 is the correction factor for information security costs; & is
the cost of protecting an information asset in monetary terms.
Figure 1: Dependence of the probability of a threat ( $ ) on investments in information security (&).
The experience of information attacks shows that increased investment in information security
for an organization’s valuable assets reduces the likelihood of a threat and increases the likelihood
of its implementation. This is confirmed by the facts of hacking of government websites, law
enforcement databases, and security systems of banks and corporations by professional hackers and
attackers who have extensive experience and use advanced technologies to find weaknesses in
protection [14, 15, 24–26, 29]. The proposed function and graph of dependence (Figure 2) of the
�probability of threat realization on information security costs will be in the form of a quadratic
function:
6−7
% (&) = (& − &8 )9 : 7,
&89
% (&) ∈ 06; 73,
00; 13,
; ∀6, 7 ∈ =.
(9)
6 < 7,
∀& ∈ .
Figure 2: Risk management dependence of the probability of realization of the threat ( % ) on
investments in information security (&).
parameters 6 and 7 are the upper and lower limits of the probability of a threat being realized,
The& parameter indicates the amount of money allocated to protect the information asset. The
determined by expert estimates. It is important to note that the inability to specify a lower bound on
the probability of a threat materializing is a drawback of the known models. Even with significant
investments in security, the probability of damage cannot be reduced to zero, as current experience
shows. An example is the probability of various events such as accidents or disasters.
function of the threat reaches the lower bound 7 presents certain difficulties. The Gordon-Loeb
Determining the amount of money for protective measures at which the value of the probability
economic model confirms that the optimal level of investment does not exceed > ? 36.8% of the
total losses in the event of an information asset security breach, which has been experimentally
considerations, it seems appropriate to link the value of &8 to a value equal to ? 36.8% of the
confirmed empirically [1–3, 17]. Given the lack of statistical data, and based on intuitive
>
amount of damage due to a breach of information security of an asset. Thus, the function of the
6−7 # 9
dependence of the probability of a threat realization on information security costs will be as follows:
% (&) = F& − G : 7,
# 9 (
D( E
(10)
where # is the amount of losses in the event of an information asset security breach.
It should be noted that the study considers several alternative classes of functions of dependence
on the probability of threat realization on information security costs. The choice of quadratic
dependence in this work is due to the difficulty of determining additional parameters (coefficients)
in alternative functions and their interpretation for providing expert assessments.
The task of finding the optimal level of investment in information security will then look like
this:
6−7 # 9
= # $ (&) % (&) : & = #'( )*∙, H F& − G : 7I : & ⟶ min.
# 9 (
D( E
(11)
� The development of a threat model includes the stages of identifying types of information assets
for risk assessment, determining the environment and sources of threats for each type of asset, which
depends on the organization’s information security needs, and the ratio of the cost of protection to
the risk. The process of risk identification is cyclical: first, a general threat scheme is formed, an
expert cost estimate is made, and then significant risk factors are identified for which detailed models
are developed. Threats from people require a high level of detail, in particular for internal and
external perpetrators, taking into account their motives and typical actions. The risk of a security
breach is determined based on expert assessments of the likelihood of a threat, its realization, and
the severity of the consequences. The optimal level of investment in security is determined through
nonlinear programming, in particular with the help of the Mathcad software product, which provides
a convenient interface for calculations and analysis [3, 11–14, 16, 18, 19, 25–28]. Analysis of possible
losses from threats to integrity, availability, and confidentiality, including fines for violation of
= MNO : : 9 ,
regulations and the cost of information recovery, is a key step in the risk assessment process:
(12)
where MNO is the cost of recovery for the threat group, which is determined by the formula:
MNO = , (13)
is the cost of recovery from the threat; 9 is the cost of compensation to personal data
subjects; 9 = P ∙ ", "is the number of lawsuits from personal data subjects; is the maximum fine
where
= Q , 9 , , P R,
calculated by the formula:
where = Q , 9 , , P , S R.
(14)
The probability of realization of the identified and assessed threats is assessed by an expert
W
method:
TU = V 6, (15)
where V is the answer to the question of the questionnaire; 6 is the importance coefficient
W
determined by the expert method and satisfying the condition
6 = 1. (16)
The degree of criticality of threat groups is proposed to be determined based on the calculated
Z
value of the risk factor
XY = ,
[
(17)
where XY is the risk coefficient; Z is the consequences of the threat (asset value); [ is the number
of threats in the group; \ is the risk measure.
The next step is to compare indicators for threat groups. Alternatives to 6 are compared for each
6 = QZ, ], \R.
indicator and threat groups are ranked:
(18)
The critical group of threats is determined by the risk coefficient, for this purpose, the assessments
5(6 )5(6 ) = QXY R.
of alternatives are compared:
(19)
To assess the security risk of personal data information systems, an object-oriented assessment
model can be used, based on the use of the Petri net apparatus, which is distinguished by the
developed rules for triggering transitions and allows taking into account the degree of risk to
personal data information systems, as well as the probability of realization and repulsion of personal
data security threats. The method for formalizing a mathematical object-oriented risk assessment
=< , TU , _, , ` >,
model based on colored Petri nets is as follows:
(20)
�where is the set of Petri net states; TU is the set of probabilities of threats realization; _ is the set
of parameters of threats and countermeasures); ` is the output positions (set of residual risk values).
of transitions that determine the rules for changing the network states; is the input positions (set
The advantage of the model is the ability to implement the following features: a probabilistic network
allows you to take into account both personal data risks and countermeasures to counter them by
setting the probabilities of transitions. The Petri net helps to identify features related to personal
data risks and countermeasures and ensures the implementation of a risk mitigation mechanism
when implementing countermeasures. In addition, the network is dynamic, since at each cycle of
calculation of the mathematical model, it is adapted to the changing properties of the personal data
protection system [30].
To minimize the risks to personal data information systems, methods for identifying
countermeasures, comparing them, calculating the probability of eliminating threats, and
formulating an efficiency theorem have been proposed and implemented. When calculating a set of
countermeasures that reduce the residual risk to zero, their effectiveness approaches one [12–14, 16,
T =< XY , _, b >,
18, 25]. The formed set of countermeasures (T) can be represented as a tuple
where XY is the value of the residual risk achieved by applying the formed set of countermeasures;
(21)
_ is the ratio of neutralized threats to the total number of threats; b is the cost of the formed set of
residual risk of XY ⟶ 0, _ ⟶ 1, with an acceptable value of the total cost of this set of
countermeasures. Thus, the modeling task is reduced to finding a set of countermeasures that has a
countermeasures.
The analysis and management of personal data information security risks include various
methods, including tabular methods, fuzzy logic, game theory, and intruder modeling [12, 14–16, 19,
24, 25, 29]. Evaluation of the effectiveness of the protection system often uses economic indicators,
but the complexity of the source data complicates the calculations. Risk analysis tools, such as
COBRA, CRAMM, DS Office, FAIR, and OpenFAIR, are used to assess threats but have their
limitations and requirements for integration with other systems. The choice of tool depends on the
needs of the organization. The development of a new method includes collecting statistics on
incidents, assessing specific threats, and using economic indicators to respond quickly to changes.
Identifying vulnerabilities and system weaknesses is a key step in assessing the security of
information systems, especially those containing personal data. In the context of risk management,
risk analysis becomes an integral part of the methodology, which includes the identification of
information system components, potential threats, and vulnerabilities (Figure 3). The complexity of
information systems requires a systematic approach that includes several stages to ensure
consistency and adequacy of security factors [21–24, 26–29].
Figure 3: Risk management.
� The risk management methodology should be universal so that it can be applied in different areas
and ideas can be organized in a structured way. Traditional probabilistic methods of risk analysis are
becoming ineffective due to the lack of sufficient statistical data. Risk management includes measures
to minimize the consequences, such as avoidance, probability reduction, protection, risk transfer
(e.g., through insurance), threat detection, and recovery. This ensures the validity of decisions and
the resilience of information systems in the face of technological change and cyber threats.
6. Modeling of the information security audit process of personal data
systems
Modeling the stages of an information security audit of personal data systems involves a
comprehensive approach to assessing and improving measures to protect confidential information.
The first step is to analyze information assets, determine their importance, identify threats and
vulnerabilities, and develop models of offenders and threats. The system security assessment
includes verification of compliance with standards and the effectiveness of security measures. The
final stage is the development of recommendations for security modernization, implementation of
new technologies, and monitoring of changes in threats. Modeling these stages helps to maintain a
high level of personal information security and reduce the risks associated with personal data
processing [14, 15, 20–22, 24, 29].
The process of building a systemic model of personal data protection based on IDEF technologies
includes several stages. The first step is to create a model that reflects the relationship between the
security audit of personal data information systems and the organization’s activities. The second
stage is the decomposition of the model for a more detailed analysis of the audit aspects. The third
stage involves the formation of an ontology to unify terms in the field of personal data protection,
which is important for standardizing the process. The last stage involves optimizing the model and
ontology to increase efficiency and clarity [11–13, 17, 19].
First, a model of the relationship between the audit of information security of personal data
systems and the main activities of the organization is built, which is then decomposed. Figure 4
shows a functional model that reflects the main stages of conducting an information security audit
of personal data systems.
Figure 4: Functional model of security audit of personal data information system.
� The analysis showed that the stages of “Assessment of compliance of personal data systems
security with the requirements of regulatory documents” and “Assessment of risks to personal data
systems information security” are labor-intensive and require expert support. The author proposes
an ontology for systematizing the subject area of information security audit of personal data systems,
including tasks, models, and decision-making methods, as well as a database of precedents for
specific situations. The security profile of personal data information systems assesses compliance
with security requirements through the evaluation indicators determined by experts for the level of
protection [12–15, 20–22, 25–28]. A methodology for assessing the security of personal data
information systems based on the creation of a security profile is proposed. To assess the compliance
framework, 15 group indicators of security of personal data information systems, designated as c ,
of the level of security of personal data information systems with the requirements of the regulatory
where ( = 1,2, … ,15) (Table 1), were identified. Group indicators determine the measures to ensure
the security of personal data by the requirements of regulatory documents on personal data
protection.
Table 1
Group Indicators of Security of Personal Data Information Systems
Designation Name of group security indicators of personal data information systems
c
Ensuring the security of personal data using identification and authentication of
…
access subjects and objects
c
…
Incident detection and response
c
Configuration management of personal data information systems and personal
data protection system
designated as c f , the numerical estimates of gThij of which form the overall estimates of group
The group indicators include private indicators of security of personal data information systems,
indicators gThij . The assessment of private security indicators of personal data information systems
c f is carried out by experts using questionnaires that take into account the requirements for each
level of personal data security.
answer, the score is gThij = 0; if the answer is “partially,” then gThij = 0,5; if the answer is “yes,”
If the assessment of private indicators, the fulfillment of which is mandatory, results in a “no”
then gThij = 1. In the case of assessing private indicators, the fulfillment of which is optional, a
“yes” answer leads to a score of gThij = 1; a “no” answer leads to the fact that the partial indicator
The final normalized score for the group indicator gThiklmnop is calculated using the following
is defined as unassessed and is not taken into account in the formation of the assessment results.
∑ gThij
formula:
gThiklmnop = q , = 1 ÷ 15, v = 1 ÷ [ ,
gThirst
(22)
where [ is the number of private security indicators of personal data information systems
representing the group indicator; c gThi is the value of the group indicator assessment; gThirst is
the maximum possible value of the quantitative assessment; gThi q is the significance coefficient
(0 ≤ q ≤ 1), which is assigned by an expert to adapt the personal data protection system to the
Based on the final scores of the group indicators gThiklmnop , a normalized score gT is calculated,
conditions of their processing and the technical means used.
which reflects the degree of compliance with the requirements of the regulatory framework for
personal data protection:
� ∑ gThiklmnop
gT = , = 1 ÷ 15,
gT~•€
(23)
where gT~•€ is the maximum possible value of the quantitative assessment gT. Since the maximum
value of each of the 15 group indicators is 1, gT~•€ = 15.
In this case, the method of expert assessments can be used not only to assess the degree of
compliance with certain requirements for personal data protection but also to compare different
options for building a personal data protection system [20–23, 27, 28]. The levels of compliance of
the security of personal data information systems with the requirements of the regulatory framework
are determined by expert assessments, taking into account the fact that the personal data operator
can adapt the personal data protection system to the processing conditions and technical means used
(Figure 5):
0 ≤ gT < 0,75 is an unacceptable level of security in personal data information systems.
0,75 ≤ gT < 0,95 is moderated security, but countermeasures are required.
•
0,95 ≤ gT ≤ 1 is the value of the security level that meets the requirements of regulatory
•
•
documents on personal data protection.
Figure 5: Diagram of assessment of compliance of the level of security of personal data information
systems with the requirements of the regulatory framework.
Presentation of the results in the form of the above diagram allows for a visual assessment of the
state of personal data protection. The results of the assessment reveal the inconsistency of the
security of certain assets of personal data information systems with regulatory requirements, and
then an assessment of information security risks caused by this inconsistency is made.
7. Decision-making algorithm for assessing personal data information
security risks using data mining
The use of fuzzy logic for information security risk assessment is driven by the need to adapt to
uncertainty and the dynamics of cyber threats, which allows for the consideration of fuzzy or
ambiguous concepts and expert experience. Methods for assessing information security risks include
tabular methods, fuzzy logic, game theory, and a combination of expert and mathematical
approaches. They allow risk assessment in the absence of accurate data and take into account social
and psychological aspects. It is important to use fuzzy logic to formalize qualitative information,
which provides flexibility in forecasting and risk assessment [10, 14–18, 21, 24].
� Effective control of information system security audits using audit logs includes a personal data
risk assessment algorithm that uses data mining. The assessment begins with the identification of
the object and analysis of threats and vulnerabilities of systems, after which the likelihood and
impact of threats on the confidentiality, integrity, and availability of data are assessed. Next, the
overall risk is calculated, which allows you to make decisions on threat mitigation measures. An
important part is the use of machine learning to detect anomalies in data processing and continuous
security monitoring. A fuzzy logic-based information security risk assessment model supports
experts in making decisions under uncertainty [20–24, 28]. In this context, the term “information
security risk” is defined as the expected potential damage resulting from the impact of a threat
due to the presence of vulnerabilities on an information asset:
= .
ƒ•~•„…/‡ˆ‰Š,
ˆ‹Œ•‡~•Žˆ•‹ •‰‰…‹Ž,
(24)
Consider information security risk in a context where ƒ•~•„…/‡ˆ‰Š, represents the damage
caused by the impact of a threat on an information asset; ˆ‹Œ•‡~•Žˆ•‹ •‰‰…‹Ž, determines the value of
security risk and can be expressed as a percentage (0 ≤ ≤ 100%) relative to the value of the asset
this asset. The parameter which takes a value in the range from 0 to 1, determines the information
ˆ‹Œ•‡~•Žˆ•‹ •‰‰…‹Ž, .
The decomposition of the fuzzy inference system suggests dividing it into two relatively
independent parts that solve the problem of assessing two indicators—the probability of successful
threat implementation and the risk (potential damage) from the impact of the threat on personal
data. Additionally, a set of fuzzy productive rules for risk assessment is proposed, obtained by
Threat_Probability(• ) is high and Vulnerability(•9 ) is high, THEN Threat_Probability(• ) is
converting the deterministic rules built in the ontology into fuzzy rules, such as: “IF
high,” ..., “IF Threat_Probability(• ) is high AND Information_Asset_Value(•P ) is high, THEN
Risk(•S ) is high” (Figure 6).
Figure 6: A set of rules for risk assessment based on fuzzy logic.
personal data system. Each term set (•, c, ‘) for variables (• , •9, • , •P , ) was assigned a “center
The fuzzy logic method was used to analyze information security risks during the audit of the
of gravity,” which allowed us to build a training set for a fuzzy neural network designed to assess
information security risks to personal data system assets. For this purpose, a modular fuzzy neural
network implemented in MATLAB using the ANFIS adaptive neuro-fuzzy inference system was
used. This approach allows us to effectively assess information security risks in the face of
In Figure 7 ’“ , ’h , ’” are the values of membership functions for input variables • , •9, •P and
uncertainty and system complexity (Figure 7).
output variables • , •S ; LOM-1 (logic output modules), LOM-2 are logic output modules; DM-1
(defasification modules), DM-2 are defasification modules; • , , • ,9 , • , are numerical values
corresponding to term sets for variable;• , •S, , •S,9 , •S, are numerical values corresponding to term
sets for variable •S .
Figure 8 shows the possible options for decisions regarding the construction of information
security systems: obtaining a rational solution (i.e., a solution that satisfies the given constraints on
information security risk and the allocated costs for information security), accepting the risk, or
increasing the budget.
�Figure 7: Structure of a modular neural network.
Figure 8: Algorithm for assessing the effectiveness of the personal data protection system.
The proposed modular neural network model has advantages, in particular, the ability to learn
and reduce the number of fuzzy rules due to the division into modules. An algorithm for evaluating
the effectiveness of personal data protection based on the Clements-Hoffman scheme with full
overlap has been developed, which allows comparing and optimizing protection systems according
to the criteria “information security risks is the cost of protection costs”. The assessment can be
carried out in two problem formulations:
Minimizing the risk of information security • in the presence of a limit on the total cost of
information protection • ( ) ⟶ min at • = Σ—, — ≤ •˜˜…™Ž•š›… .
•
Minimization of costs • for the creation of protective barriers while limiting the total risk
• (at œ ( ) ≤ •˜˜…™Ž•š›… ) where •˜˜…™Ž•š›… is the maximum allowable cost of creating
•
� protective barriers; •˜˜…™Ž•š›… is the maximum permissible value of the total risk • , i.e.,
—; 0 ≤
∗
the potential damage from the impact of threats; — is the cost of creating a barrier
— ≤ 1; 0 ≤ • ( ) ≤ 1; 0 ≤ •˜˜…™Ž•š›… ≤ 1; 0 ≤ • ≤ 1; 0 ≤ •˜˜…™Ž•š›… ≤ 1.
8. Prototype of an intelligent decision support system for auditing the
information security of a personal data system
A prototype of an intelligent decision support system for auditing the information security of
personal data systems combines technical solutions and algorithmic approaches, using artificial
intelligence and machine learning to analyze security. The system provides automatic detection and
classification of threats and vulnerabilities, development of protection strategies, as well as
recommendations for effective security measures, taking into account the specifics of the
information system. An important component is real-time security monitoring for rapid response to
new threats, which allows taking into account the dynamics of threats and modern technological
challenges (Figure 9) [21, 23, 30–34].
Figure 9: Architecture of an intelligent decision support system for auditing the information security
of a personal data system.
The software of intelligent decision support systems for auditing the information security of
systems with personal data implements the main modules through the MATLAB graphical interface,
with the ability to enter data through the Excel tabular interface, which organizes access to data via
COM/DCOM for the Python computing core and the neural network unit for analyzing information
security risks. The system analyzes information systems, builds a model of an intruder and threats,
and assesses the level of security and compliance with regulatory requirements, as well as risks to
information assets. This makes it possible to formulate recommendations for the modernization of
personal data protection, which helps to reduce the risks from threats to personal data information
security [20–23, 27, 28, 31].
�9. Mechanism for improving the accuracy of the information security
risk model built using fuzzy logic
To improve the accuracy of the information security risk assessment model built using fuzzy logic,
training is performed, during which the model parameters are iteratively changed to minimize
deviations between the logical conclusion and experimental data [26–28]. This includes changing the
weights and parameters of membership functions. It is important to keep in mind that transparency
must be maintained during model training to ensure meaningful interpretation.
(where ž is the mathematical expectation and Ÿ 9 is the variance) has the form:
The parameters of the membership function can be determined by. The Gaussian function (21)
1 (¡)¢)£
= ( 9¤£
Ÿ√2
(25)
before using it as a membership function, we modify (22) so that the “height” of a vertex (its ordinate)
] = ( )¥∙(¦§¢) .
always remains equal to 1
£
The two coefficients introduced for this purpose (V and ž) graphically represent the “width” of
(26)
the membership function (coefficient V), which is analogous to the “variance” parameter, and the
coordinate of the membership function vertex on the abscissa axis (coefficient ž), which is analogous
to the “mathematical expectation” parameter. This modification of the Gaussian function is due to
the convenience of programming and a special restriction on the constancy of the ordinate of the
abscissa axis are determined by the variable ¨, ž, and the coordinates of the ordinate axis are
vertices of the membership function. In the modified Gaussian function, the coordinates of the
determined by the variable ].
To correct the shape of the membership function, two parameters of the Gaussian function are
changed: the variance and the mathematical expectation. In the process of modeling in Fuzzy Logic,
increasing the “width” of the membership function of input variables (variance for Gaussian curves)
while reducing the variance of the output variable gives a smoother, more uniform surface [13–16,
21, 25, 29]. The Fuzzy Logic interface allows you to build a three-dimensional image of the “surface
of the fuzzy inference system” and a graph of the dependence of the output variable on the input
variables, which helps to control the quality of the inference mechanism, where a smooth and
monotonous graph indicates the sufficiency and consistency of the rules. The use of the “center of
gravity” method during defuzzification leads to a narrower range of output values, which means that
the risk level will never reach maximum or minimum values. For a model using fuzzy logic, it is
advisable to introduce a correction factor to eliminate the effect of narrowing the range. In this case,
output variable to the normalized value of the risk variable 0 ÷ 1 relative to the average value.
the object model will look like the one shown in Figure 10. This correction function stretches the
Figure 10: Object model using the correction factor.
Obtaining the parameters of the membership function in the information security risk assessment
model using fuzzy logic is reduced to an optimization problem, where the criterion is the minimum
area between the target and the obtained function, and the optimization parameters are the variance
and mathematical expectation of the Gaussian function. Since the surface of the model has local
minima and maxima that reduce accuracy, optimization allows you to obtain coefficients that make
the model look monotonic. For multidimensional optimization, it is advisable to use the Gauss-Seidel
method. The program algorithm shown in Figure 11, includes the creation of a model for assessing
�the risk of information security breach using fuzzy logic and automatic optimization of this model,
as well as analysis and graphical display of the model in the form of a three-dimensional surface.
Figure 11: Algorithm of the information security risk assessment model using fuzzy logic.
The information security risk assessment toolkit includes dialog interaction procedures that
simplify decision-making and methodological techniques for preparing information and obtaining
results. The program module also solves the problem of narrowing the range of initial values and
includes an adaptive learning mechanism.
8. Conclusions
Taking into account the multidimensionality and component heterogeneity of information
technologies and systems, as well as the complexity of harmful effects, necessitates the use of
probabilistic models to assess information risks. Within this methodology, risk analysis becomes the
main tool for determining the level of security of information systems, since security is defined as a
�state in which risks do not exceed the acceptable level. Statistical monitoring of attacks and their
consequences is becoming necessary for enterprises of all sizes, with a special emphasis on strategic
risk management. The use of risk analysis models and algorithms during the security audit of
personal data information systems, in particular through the integration of audit methods and fuzzy
logic, creates an effective toolkit for risk assessment and management. This approach ensures
flexibility and adaptability of the assessment, maintaining a high level of accuracy and transparency
in the process. The inclusion of an adaptive learning mechanism allows for improving risk
management methods, increasing the efficiency and reliability of information systems.
An important aspect is the cyber defense of critical facilities and infrastructures, where the
consequences of attacks can be catastrophic. Risk analysis and risk management in such
infrastructures using probabilistic models opens up new opportunities for forecasting and improving
the efficiency of information systems. The use of intelligent systems to support decision-making in
audits allows not only to determine the level of security and assess compliance with regulations but
also to provide recommendations for modernizing personal data protection, reducing the risk of
dangerous threats to information security.
Declaration on Generative AI
The authors have not employed any Generative AI tools.
References
[1] Н. Таnака, Vulnerability and effects of Information security investment: A firm level empirical
analysis of Japan, Forum on financial Information systems and cyber security, 2005.
[2] D. Landoll, The security risk assessment handbook, 2021. doi: 10.1201/9781003090441.
[3] V. Vіsіntіnе, An introduction to information risk assessment, 2009.
[4] European Union, Regulation (EU) 2016/679 of the European Parliament and of the council,
Official Journal of the European Union, 2016, 119/1–119/88. URL: https://eur-
lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679.
[5] Verkhovna Rada of Ukraine, On protection of personal data, 2297-VI, 2025. URL:
https://zakon.rada.gov.ua/laws/show/en/2297-17#Text.
[6] O. Mykhaylova, et al., Mobile application as a critical infrastructure cyberattack surface, in:
Workshop on Cybersecurity Providing in Information and Telecommunication Systems II,
CPITS-II, vol. 3550 (2023) 29–43.
[7] A. Zahynei, et al., Method for calculating the residual resource of fog node elements of
distributed information systems of critical infrastructure facilities, in: Workshop on
Cybersecurity Providing in Information and Telecommunication Systems 3654 (2024) 432–439.
[8] S. Shevchenko, et al., Protection of information in telecommunication medical systems based on
a risk-oriented approach, in: Workshop on Cybersecurity Providing in Information and
Telecommunication Systems, vol. 3421 (2023) 158–167.
[9] S. Shevchenko, et al., Information security risk management using cognitive modeling, in:
Workshop on Cybersecurity Providing in Information and Telecommunication Systems II, vol.
3550 (2023) 297–305.
[10] C. J. Alberts, et al., Operationally critical threat, asset and vulnerability evaluation, 2018.
[11] C. F. Endorf, Measuring ROI on security, Information security management handbook, edited
by H. F. Tipton, M. Krauze, 6th ed., part 1, sect. 1.1, ch. 12 (2017) 133–137.
[12] J. Cеbulа, L. Yоung, A taxonomy of operational cyber security risks, 2010.
[13] W. Stallings, Effective cybersecurity: Understanding and using standards and best practices,
Addison-Wesley, 2019.
[14] Y. Kostiuk, H. Heidarov, The role of tokens and session management in information security
systems to counter cross-site attacks, Science and Technology Today 5(33) (2024) 1216–1231.
doi: 10.52058/2786-6025-2024-5(33)-1216-1231.
�[15] G. Wangen, Quantifying and analyzing information security risk from incident data, Graphical
Models for Security (2019) 129–154. doi: 10.1007/978-3-030-36537-0_7.
[16] Y. Kostiuk, et al., Integrated protection strategies and adaptive resource distribution for secure
video streaming over a Bluetooth network, in: Cybersecurity Providing in Information and
Telecommunication Systems II, vol. 3826 (2024) 129–138.
[17] L. Spedding, A. Rose, Business risk management handbook: A sustainable approach, 2018.
[18] K. Henry, Risk management and analysis, Information security management handbook, edited
by H. F. Tipton, M. Krauze, 6th ed., part 1, sect.1.4, ch. 28 (2017) 321–329.
[19] M. Gаrnаеvа, Kaspersky security bulletin 2015, Overall statistics for 2015 (2015).
[20] O. Kryvoruchko, et al., Methodology for developing an information system for internal audit
support, in: Proceeding of IEEE 4th International Conference on Smart Information Systems and
Technologies (SIST) (2024) 106–110. doi: 10.1109/sist61555.2024.10629532.
[21] S. Honchar, A. Onyskova, Relevance of the subjective component in cybersecurity risk
assessment, Theoretical and Empirical Scientific Research: Concept and Trends 2 (2020) 22–23.
doi: 10.36074/24.07.2020.v2.07.
[22] O. Kryvoruchko, et al., Analysis of technical indicators of efficiency and quality of intelligent
systems, Journal of Theoretical and Applied Information Technology 101(24) (2023) 812–813.
[23] Y. Kostiuk, et al., Research of Methods of Control and Management of the Quality of Butter on
the Basis of the Neural Network, in: Proceeding of International Conference on Smart
Information Systems and Technologies (SIST) (2022) 1–6. doi: 10.1109/sist54437.2022.9945764.
[24] C. A. Wilhelmsen, T. Lee, Ostrom. Risk assessment: tools, techniques, and their applications,
John Wiley & Sons, 2019.
[25] R. А. Cаrаllі, Introducing ОCTАVЕ Аllеgrо: Improving the information security risk assessment
process, 2008.
[26] United Kingdom Central Computer and Telecommunication Agency, CRAMM user guide, Risk
analysis and management method, 2001.
[27] Y. Kostiuk, et al., Information and intelligent forecasting systems based on the methods of neural
network theory, in: IEEE International Conference on Smart Information Systems and
Technologies (SIST) (2023) 168–173. doi: 10.1109/sist58284.2023.10223499.
[28] B. Engelmann, R. Rauhmeier, The Basel II risk parameters, Springer Berlin Heidelberg, 2011. doi:
10.1007/978-3-642-16114-8.
[29] O. Skitsko, et al., Threats and risks of the use of artificial intelligence, Cybersecurity: Education,
Science, Technique 1(25) (2023) 6–18. doi: 10.28925/2663-4023.2023.22.618.
[30] R. Syrotynskyi, et al., Methodology of Network infrastructure analysis as part of migration to
zero-trust architecture, Cyber Security and Data Protection 3800 (2024) 97–105.
[31] Y. Chunxiao, W. Zhongfu, F. Yunqing, An attribute-based delegation model and its extension,
Journal of Research and Practice in Information Technology 38(1) (2006) 220–234.
[32] O. Solomentsev, et al., Data processing through the lifecycle of aviation radio equipment, in:
Proceedings of IEEE 17th International Conference on Computer Sciences and Information
Technologies (CSIT), IEEE, Lviv, Ukraine, 2022, pp. 146–151. doi:
10.1109/CSIT56902.2022.10000844.
[33] M. Zaliskyi, et al., Heteroskedasticity analysis during operational data processing of radio
electronic systems, in: S. Shukla, A. Unal, J. Varghese Kureethara, D.K. Mishra, D.S. Han (Eds.),
Data science and security, volume 290 of Lecture Notes in Networks and Systems, Springer,
Singapore, 2021, pp. 168–175. doi: 10.1007/978-981-16-4486-3_18.
[34] I. Ostroumov, et al., A probability estimation of aircraft departures and arrivals delays, In: O.
Gervasi, et al. (Eds.), Computational Science and Its Applications – ICCSA 2021. ICCSA 2021,
volume 12950 of Lecture Notes in Computer Science, Springer, Cham, 2021, pp. 363–377. doi:
10.1007/978-3-030-86960-1_26.
�