A system for assessing the interdependencies of information system agents in information security risk management using cognitive maps

Yuliia Kostiuk1,†, Pavlo Skladannyi1,∗,†, Yuliia Samoilenko2,†, Karyna Khorolska1,†, Bohdan Bebeshko1,† and Volodymyr Sokolov1,†

1 Borys Grinchenko Kyiv Metropolitan University, Bulvarno-Kudryavska Str., 18/2, Kyiv, 04053, Ukraine
2 National University of Food Technologies, Volodymyrska Str., 68, Kyiv, 01601, Ukraine

Abstract

To determine the key concepts (information resources, threats, and vulnerabilities) necessary for this study, it is proposed to carry out system modeling of information security risk management processes using the Structured Analysis and Design Technique (SADT). This approach not only facilitates the identification of the relationships and informational content of these processes but also enables the classification of an enterprise’s primary information assets, the identification of critical resources, and the determination of the required level of protection. SADT allows for process modeling and the establishment of relationships between information resources, threats, and vulnerabilities, thereby enhancing the identification of system vulnerabilities and enabling more effective planning of protective measures. Information security risk management is an essential component of ensuring the sustainability and continuity of an enterprise’s business processes. In the face of a rapidly changing technological environment and a growing number of cyber threats, prioritizing the protection of information resources becomes imperative. This process typically involves several stages, including identifying and assessing resources, identifying potential threats, conducting comprehensive risk analyses, and implementing appropriate measures to minimize or eliminate risks. However, to ensure accurate risk assessments, it is crucial not only to understand individual assets but also to account for their interdependencies.
Since each resource may be critical to others within the system, studies that consider these dependencies in the context of information security risk management remain limited. The risk assessment methodology utilizing Fuzzy Cognitive Maps (FCM) offers a means to systematize risk factors for deeper resilience analysis while reducing risks through effective countermeasures. Incorporating the core security attributes—confidentiality, integrity, and availability—enables precise risk assessment results and supports effective management decisions, ensuring the prioritization and proper protection of critical resources.

Keywords
fuzzy cognitive maps, information security risk management, SADT

CH&CMiGIN’24: Third International Conference on Cyber Hygiene & Conflict Management in Global Information Networks, January 24–27, 2024, Kyiv, Ukraine
* Corresponding author.
† These authors contributed equally.
y.kostiuk@kubg.edu.ua (Y. Kostiuk); p.skladannyi@kubg.edu.ua (P. Skladanny); juliyasamoil@gmail.com (Y. Samoilenko); karynakhorolska@gmail.com (K. Khorolska); b.bebeshko@kubg.edu.ua (B. Bebeshko); v.sokolov@kubg.edu.ua (V. Sokolov)
0000-0001-5423-0985 (Y. Kostiuk); 0000-0002-7775-6039 (P. Skladanny); 0000-0003-3787-1435 (Y. Samoilenko); 0000-0003-3270-4494 (K. Khorolska); 0000-0001-6599-0808 (B. Bebeshko); 0000-0002-9349-7946 (V. Sokolov)
© 2025 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings (ceur-ws.org), ISSN 1613-0073

1. Introduction

Information systems used today to store and process large volumes of critical information are increasingly exposed to complex and diverse threats driven by rapidly evolving technologies, such as the Internet of Things (IoT), artificial intelligence (AI), and cloud computing. These advancements enable cybercriminals to employ sophisticated attack methods that are more challenging to detect, thereby presenting significant obstacles to traditional security systems. Such systems are no longer capable of effectively countering these threats without continuous adaptation to new conditions. In light of these challenges, international information security standards, such as ISO/IEC 27001:2022, which specifies requirements for information security management systems, and the NIST Cybersecurity Framework (CSF), serve as essential tools for enterprises aiming to develop effective and adaptive security systems [1–5]. In this context, risk management in information security is becoming increasingly important as an integral component of enterprise strategy [6–14]. Effective risk management requires the accurate assessment and classification of information resources, detailed analysis and forecasting of potential threats, and the timely implementation of appropriate countermeasures to reduce the likelihood of successful attacks on the system [15–22]. Additionally, the integration of advanced technologies, such as machine learning and automated monitoring systems, plays a crucial role in enabling early anomaly detection and breach prevention [23–31]. Standards like ISO/IEC 27005:2018 offer clear methods and recommendations for conducting risk assessments, assisting businesses in prioritizing risk management efforts and correctly applying countermeasures [32–38].

It should also be noted that traditional methods of assessing information resources, which rely on a simple ranking of resources using quantitative or qualitative criteria, are no longer sufficient to provide a comprehensive and accurate picture of risks. This limitation is particularly evident given the current level of information technology development and the complexity of interdependencies among components in distributed systems. For instance, interactions between servers in a cloud environment can significantly alter the overall threat landscape, where even a minor vulnerability in one component can lead to severe consequences.
This consideration has become the foundation for new standards, such as ISO/IEC 27035, which outlines security incident response processes. These processes incorporate detailed risk assessments, including the evaluation of dependencies between infrastructure components [1, 8, 14, 39–46].

Therefore, this paper proposes an approach to the assessment of information resources that not only considers their importance and criticality to the enterprise’s business processes but also enables a detailed analysis of their interdependencies. Such an analysis is crucial for generating accurate and reliable risk assessments, as practice shows that disregarding the relationships between different resources can result in significant errors, particularly in a rapidly evolving technological environment [3–5, 9].

To enhance the accuracy of risk assessments, it is essential to adopt new methodologies, such as those recommended in ISO/IEC 27019. This standard addresses specific aspects of cybersecurity for critical infrastructure, offering a more comprehensive approach to assessing and mitigating risks arising from resource interactions across various levels of the enterprise [6, 16, 25].

2. Literature review

The methodology for ensuring enterprise information security based on information risk assessment using FCMs represents a comprehensive approach. It enables not only the visual evaluation of the potential impact of major threats on an enterprise’s information system but also the effective systematization of risk factors within a broader analysis of information security. By integrating traditional risk assessment methods with advanced technologies, this approach provides a more precise analysis of the impact of threats on critical enterprise resources [1–4, 6, 10–13].
Assessing information security risks is an essential component of ensuring the stable operation of an enterprise amidst the growing landscape of threats, particularly those associated with digitalization and globalization. The advancement of modern technologies further underscores the urgency of employing contemporary methods for risk assessment and management. As enterprise information resources often constitute vulnerable elements within IT infrastructures, effective risk management is critical to safeguarding their security [2–5, 7, 12]. Modern approaches to information security risk management incorporate both quantitative and qualitative assessment methods, enabling the evaluation of interdependencies among various enterprise resources and their significance to business processes. Notably, models that integrate external threats provide a more comprehensive understanding of risks. For instance, studies by Sharma and Shahi, among others, demonstrate the use of neural networks to predict threats based on historical data, offering valuable insights for proactive risk management [9–13, 15, 18]. Another example is the work of Bensou and Martinez, who developed a context-based risk assessment methodology. This approach not only evaluates the value of assets and the threats they face but also considers how these assets interact with the external environment, including other businesses and government agencies. By incorporating these interactions, the methodology provides a more accurate determination of the level of exposure enterprises face in the rapidly evolving digital landscape, particularly in scenarios involving attacks on supply chains or critical infrastructure [11, 19–22]. The FCM methodology, as part of this system, enables the assessment of both the likelihood and impact of threats while also identifying critical points within the enterprise’s information system. 
This approach facilitates more precise risk assessments and the implementation of appropriate countermeasures to mitigate potential losses. Such capabilities are especially vital in a world where emerging technologies, including artificial intelligence, the Internet of Things (IoT), and cloud computing, are continuously reshaping the nature and scope of threats. Given these trends, this paper proposes a methodology for assessing information resources that not only accounts for their significance to an enterprise’s business processes but also provides a detailed analysis of their interdependencies—an aspect crucial for achieving accurate risk assessments. Furthermore, innovative risk management approaches based on SADT technology facilitate the identification of key concepts, the recognition of critical resources, and the uncovering of relationships among them. This, in turn, significantly enhances the effectiveness of risk mitigation and information security measures [6–8, 23–24, 31–35]. Another crucial step is the integration of risk management into cybersecurity processes at the strategic level. Following the recommendations of Curtis and Chen, the increasing prevalence of cyber threats necessitates a cybersecurity strategy that embeds risk management as a core component of corporate culture and management practices. This approach aims to proactively prevent data breaches, cyber fraud, and other criminal activities [9, 13–17]. Thus, utilizing fuzzy cognitive maps to assess an enterprise’s information risks enables the integration of advanced technologies into the risk management process, ensuring a comprehensive approach to mitigating potential threats. To identify the key concepts (information resources, threats, and vulnerabilities) necessary for this study, it is proposed to use systematic modeling of information security risk management processes based on the Structured Analysis and Design Technique (SADT). 
SADT is a methodology for structural analysis and design that is widely used to model complex systems and processes. It has proven effective in the design of risk management systems, as it enables the visual modeling of processes and supports informed decision-making. This approach facilitates the identification of relationships and informational content within these processes, the classification of an enterprise’s primary information assets, the identification of the most critical resources, and the determination of the required levels of protection. The primary objective of SADT is to create a clear, logically structured framework that explains how a system operates, how its components interact, and which components are critical to achieving the desired outcomes [5, 8, 12]. In the context of information security risk management, SADT allows for the modeling of processes and the analysis of relationships among information resources, threats, and vulnerabilities. This enhances the ability to identify system vulnerabilities more effectively and plan protective measures accordingly. Therefore, this paper proposes an approach to the assessment of information resources that not only considers their importance and criticality to the business processes of an enterprise but also includes a detailed analysis of their interdependencies. Such analysis is crucial for generating accurate and well-founded risk assessments. As practice demonstrates, disregarding the interrelationships between different resources can result in significant errors in risk evaluation, particularly in a rapidly evolving technological environment [7–9, 16]. To enhance the accuracy of risk assessments, it is essential to adopt new methodologies, such as those outlined in ISO/IEC 27019. 
This standard addresses specific aspects of cybersecurity for critical infrastructure and provides a more holistic approach to assessing and mitigating risks associated with resource interactions at various levels within the enterprise [25–29].

3. Methods

The study of dependencies between information resources, as illustrated in the simplified model shown in Figure 1, enables a deeper analysis of the relationships within an enterprise’s information infrastructure, while accounting for modern security requirements. These dependencies are organized into a hierarchical structure, with the building serving as the highest-level node. The physical integrity of this node underpins all other enterprise resources. In the event of its destruction, and without the availability of data backups or alternative information processing centers located in other facilities, all critical information assets would effectively be lost [2, 16–19, 26, 39–41]. However, it is important to recognize that, in practice, most modern enterprises implement strategies involving multi-level redundancy and business continuity. These strategies often leverage cloud technologies, virtualization, and automated disaster recovery systems to mitigate the risks associated with such dependencies [3, 11–15].

Figure 1: Relationships between enterprise information resources.

As the analysis reveals, a single information resource may depend on multiple others, significantly increasing the complexity of managing such systems. For instance, an Exchange server may depend simultaneously on both physical server 2 and an Active Directory server, creating a complex web of infrastructure interdependencies that must be carefully considered when designing a security strategy. Modern risk management methods, particularly those incorporating the concepts of Business Continuity and Disaster Recovery, emphasize the examination of all potential points of failure.
These include not only physical components but also network and software resources, ensuring a comprehensive approach to minimizing risks [6, 39, 41]. When analyzing the database server, it is evident that a redundancy mechanism is in place—the company employs an additional server capable of handling the load in the event of a failure of the primary server. This ensures uninterrupted access to critical data [7]. However, for effective risk management, it is essential to account for the complex interdependencies among the data stored on these servers. Even a minor error in modeling these dependencies can result in significant consequences during an incident [8]. Furthermore, the integration of advanced technologies, such as artificial intelligence, machine learning, and automated monitoring systems, enables not only the prediction of potential failures but also rapid responses to emerging threats. This significantly enhances the security and stability of the enterprise’s information infrastructure [9]. When developing a modern model of information risk management for an enterprise, several key assumptions can be made to determine the effectiveness and depth of the analysis of dependencies between information resources and infrastructure elements. The first assumption is that the business goals of the enterprise are directly influenced by all the end elements in the hierarchy of the information resource system [10]. Consequently, ensuring the proper functionality and security of the organization requires guaranteeing the confidentiality, integrity, and availability of data and other critical resources, in alignment with the established hierarchy of dependencies [11, 17]. For instance, user data in such a hierarchy follows a clearly defined chain of dependencies, beginning with the Active Directory server and extending to the physical location of the building. 
Since enterprise infrastructures are continually exposed to risks from cyber threats, natural disasters, and technical failures, it is important to recognize that most modern companies actively adopt strategies for multi-level redundancy and business continuity. These strategies often involve the use of cloud technologies, virtualization, and automated disaster recovery systems [12]. Such measures not only mitigate the impact of physical disasters on operations but also enable rapid recovery from cyberattacks or failures, ensuring greater resilience and operational stability. Additionally, for a more precise risk assessment, it is essential to assign a specific weight to each element in the dependency chain. This weighting enables a more efficient analysis of risks based on particular threats. For example, if one element depends on another that carries a high level of risk (e.g., due to software vulnerabilities or unresolved configuration errors), this risk should be proportionally transferred to the dependent element to accurately represent its contribution to the overall security posture of the organization [13, 17, 39–41]. In the case of redundant or duplicated infrastructure elements (e.g., a backup server taking over if the primary server fails), the OR connection type is used. This approach reduces the overall risk level, as the risk is distributed among multiple components that perform the same functions. Conversely, the use of the AND connection type—where a dependent element relies on only one specific higher-level element—provides a clear delineation of the dependency chain, ensuring transparency in business continuity planning [10, 14, 24]. 
In general, the adoption of modern approaches to risk modeling provides a more accurate representation of dependencies within a system, which is critical for managing enterprise cybersecurity, particularly in the face of contemporary threats such as cyberattacks, phishing, and insider threats [1, 3, 4, 19–23, 30–32, 39, 40]. With the advancement of cutting-edge technologies, such as artificial intelligence (AI) and machine learning (ML), it has become possible to automatically detect and predict risks through big data analysis. This capability enables not only the timely identification of vulnerabilities in information systems but also rapid responses to potential threats, thereby enhancing the overall level of protection. In particular, automated monitoring systems play a crucial role by detecting anomalies in real time, ensuring a more efficient and swift response to emerging threats.

In the context of risk modeling for our information system, risk values can be assessed using a 4×4 risk matrix (Figure 2), which serves as an effective tool for classifying the likelihood of threats and evaluating their impact. In this matrix, the probability of a threat is represented by the columns, while the level of impact is represented by the rows. The following categories are used to classify risks: from 1 to 5—low risk; from 6 to 9—medium risk; from 10 to 16—high risk. This structured approach enables a clear and systematic evaluation of risks, facilitating better decision-making in the management of information system security [33–35].

Figure 2: The value of risk.

Although this matrix offers a clear understanding of the probability and potential impact of threats on various elements of the system, it is important to note that, in practice, it is not always possible to determine these values with precision. This challenge is particularly relevant in the context of rapidly evolving technologies and continuously emerging threats.
Therefore, in the subsequent stages of the analysis, these intervals will be used to enable a more flexible risk assessment. This approach allows for the consideration of diverse scenarios and potential outcomes, ensuring a more adaptive and comprehensive evaluation of risks. Thus, the utilization of the 4×4 risk matrix, combined with the consideration of all critical aspects of risk management, enables enterprises to effectively identify key points of vulnerability. This approach facilitates the development of comprehensive protection strategies that encompass both technical and organizational measures. These strategies are designed to mitigate risks and ensure the continuity of business processes, even in the event of serious incidents [17–19].

4. Design of a dependency assessment model for an enterprise information system

When designing a dependency assessment model for an enterprise information system, it is essential to address both the technical and organizational aspects of risk management. Given the prevalence of modern threats and the rapid pace of technological advancements, such models must be flexible and capable of adapting to new conditions. To achieve this, a well-defined algorithm is employed to construct a comprehensive view of risks and dependencies within the system. This approach ensures an effective evaluation of the risk level associated with each element, enabling informed decision-making and improved security measures [25, 36–38].

The risk management process is conducted in several stages. During the preparatory stage, the information system is divided into subsystems and individual elements, followed by an expert assessment of the significance level of each subsystem. At the stage of risk assessment for the system, subsystems, and elements, the composition and number of elements within each subsystem are identified.
Additionally, an expert evaluation of the characteristic criteria for each element is performed based on predefined categories, and the risks are calculated for each subsystem and for the entire system as a whole [20–24]. The subsequent step involves determining the adequacy of the risk level. A risk is deemed adequate if its level is classified as “below average” or “low”. If the risk level is found to be inadequate, plans and measures are developed to mitigate these risks. Alternatively, in cases of repeated application of the methodology, adjustments are made, with these refinements being implemented in practice.

The risk of an individual element of a subsystem of a certain type is determined by the formula:

= , (1)

where —is the degree of interest of the attacker in attacking elements of this type, —is the degree of damage to the subsystem from the consequences of a possible attack on elements of this type, —is the degree of vulnerability of elements of this type, —is the degree of probability of an attack on an element of this type.

The specific risk of homogeneous elements is calculated as follows:

= , (2)

where —is the risk of an individual element of the given type in the subsystem, —is the number of homogeneous elements of the given type in the subsystem, —is the total number of elements of all types in the subsystem.

Subsystem risk:

= ( ), (3)

where —is the degree of importance of the subsystem, —is the specific risk of homogeneous elements, —is the number of types of elements.

The total risk of a subsystem can be calculated as the sum of the risks of all its elements:

= , (4)

where —is the risk of the subsystem, —is the number of subsystems in the system.

Analyzing formulas (1), (2) and (4), we can conclude that, with equal risk parameters of individual elements of each subsystem, the risk of the entire system is a power function of the form = 4. The formula for calculating the risk is as follows:

= ∙ , (5)

where —is the risk of the whole system in the state of equality of the risk levels of its elements, in conventional units, —is the system constant when operating in this configuration, —is the risk level of the system in terms of expert assessments in the state of equality of the risk levels of its elements. Obviously, the parameter reflects a qualitative assessment of the system’s risk. From formula (5) we can express:

= , (6)

= , (7)

The resulting value can be translated into a qualitative assessment using the scale used: to do this, round it to the nearest whole number and determine which level of risk it corresponds to on the scale. The degree of assessment is ranked on a five-point scale, where 1 is low and 5 is high. The risk is calculated for each resource of the structure: “subsystem element—subsystem—system”. Expert assessments are used to rank the risks of indicators for each element of the subsystem. The risk for the entire system is defined as the arithmetic mean of the risks of subsystems.
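The element–subsystem–system roll-up described by formulas (1)–(7), worked through in code as an added example (not code from the paper). The extracted formulas have lost their symbols, so the operators are assumptions chosen to fit the page's description: the four element indicators are multiplied, homogeneous elements are weighted by their share of the subsystem, a subsystem is weighted by its importance, the system risk is the arithmetic mean of subsystem risks, and the system constant calibrates the result back to the five-point scale. With every indicator equal to x the system risk grows as x⁴, the power-function behaviour the page states. The enterprise, scores and calibration point are constructed for illustration.

```python
"""Element -> subsystem -> system risk roll-up with calibration to the 1..5 scale.

Added example, not code from the paper. The operators below are assumptions that
fit the page's description of formulas (1)-(7); all sample data is constructed.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class ElementType:
    name: str
    count: int          # number of homogeneous elements of this type in the subsystem
    interest: int       # attacker's interest in the element, 1..5
    damage: int         # damage from a successful attack, 1..5
    vulnerability: int  # degree of vulnerability, 1..5
    probability: int    # probability of a successful attack, 1..5


@dataclass
class Subsystem:
    name: str
    importance: float   # degree of importance ("destructiveness") of the subsystem
    types: List[ElementType]


def element_risk(e: ElementType) -> float:
    """Formula (1): assumed product of the four expert-scored indicators."""
    for v in (e.interest, e.damage, e.vulnerability, e.probability):
        if not 1 <= v <= 5:
            raise ValueError(f"{e.name}: indicators must be on the 1..5 scale")
    return float(e.interest * e.damage * e.vulnerability * e.probability)


def specific_risk(e: ElementType, total_elements: int) -> float:
    """Formula (2): element risk weighted by the share of homogeneous elements."""
    return element_risk(e) * e.count / total_elements


def subsystem_risk(s: Subsystem) -> float:
    """Formula (3): importance times the sum of specific risks over element types."""
    total = sum(t.count for t in s.types)
    if total == 0:
        raise ValueError(f"{s.name}: subsystem has no elements")
    return s.importance * sum(specific_risk(t, total) for t in s.types)


def system_risk(subsystems: List[Subsystem]) -> float:
    """Formula (4) as the page restates it: arithmetic mean of subsystem risks."""
    return sum(subsystem_risk(s) for s in subsystems) / len(subsystems)


def system_constant(reference_risk: float, reference_level: int) -> float:
    """Formula (6): K = R / r**4, calibrated once on a reference configuration
    whose qualitative level r (1..5) the experts agree on."""
    return reference_risk / reference_level ** 4


def qualitative_level(risk: float, k: float) -> int:
    """Formula (7): r = (R / K) ** (1/4), rounded to the nearest whole number
    and clamped to the five-point scale (1 low .. 5 high)."""
    return max(1, min(5, round((risk / k) ** 0.25)))


# Constructed sample enterprise (illustrative scores, not data from the paper).
DATABASE = Subsystem("database servers", importance=1.0, types=[
    ElementType("primary DB server", count=1, interest=5, damage=5, vulnerability=2, probability=3),
    ElementType("replica DB server", count=1, interest=4, damage=4, vulnerability=2, probability=2),
])
WORKSTATIONS = Subsystem("workstations", importance=0.5, types=[
    ElementType("office workstation", count=20, interest=3, damage=2, vulnerability=4, probability=4),
])
SAMPLE_SYSTEM = [DATABASE, WORKSTATIONS]

# Calibration (constructed): a reference configuration with every indicator at 3
# and importance 1 is rated "medium" (level 3), so K = 81 / 3**4 = 1.0.
K = system_constant(reference_risk=81.0, reference_level=3)

if __name__ == "__main__":
    for s in SAMPLE_SYSTEM:
        print(f"{s.name}: {subsystem_risk(s):.2f}")
    r = system_risk(SAMPLE_SYSTEM)
    print(f"system risk {r:.2f} -> qualitative level {qualitative_level(r, K)}")
```

The calibration step matters in practice: the raw roll-up is in conventional units that depend on how many indicators are multiplied, so without fixing the constant once on a configuration whose level the experts agree on, the numeric result cannot be read back on the 1..5 scale.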
The following indicators are used for risk assessment:

—level of subsystem significance (indicator of “destructiveness”)—conditional ranking of subsystems in the hierarchy of the entire system, determined by the degree (contribution) of a particular subsystem to the functioning of the entire system;
—number of elements of this type—the number of elements in the subsystem that ensure the performance of technological functions;
—the degree of interest of the attacker in attacking the element—the measure of interest on the part of the attacker in performing unauthorized actions;
—the degree of damage from the consequences of an attack on an element—the degree of damage caused in the event of a successful threat;
—the degree of vulnerability of the element—the degree of change in the technological properties of the element in the event of a successful threat;
—the degree of probability of an attack—a measure of the probability of successful unauthorized actions by an attacker that lead to changes in the functional characteristics of the system or obtaining confidential information.

Expert opinions were obtained through the use of questionnaires. These questionnaires consist of scoring sheets that include a list of resources, indicators, and criteria used to evaluate the degree of risk. The risk assessment utilized the following criteria for each indicator: the attacker’s interest in targeting the element, the damage resulting from the attack, the vulnerability of the element, and the likelihood of the attack being realized. An attacker’s interest may stem from access to commercial or technical information, personal gain, or unmotivated malicious intent. Damage is assessed based on the element’s interconnections with other parts of the subsystem, the consequences of its failure, and the costs associated with mitigating the impact of an attack.
Vulnerability considers the physical accessibility of the element as well as its susceptibility to informational and mechanical vulnerabilities. Likelihood of an attack is determined by the effectiveness of existing protection mechanisms, the element’s ability to resist attacks and physical impact, and the historical analysis of similar attacks on analogous elements. Once experts evaluate each criterion, the arithmetic mean for each element is calculated, and the resulting score is rounded to the nearest whole number. Risks are assessed on a five-point scale, ranging from minimum to maximum risk. The methodology employs a dynamic algorithm that accounts for the interconnections among elements and subsystems at all levels of operation. Since monitoring systems are integral to enterprise infrastructure, this methodology can be adapted for assessing the risks of other enterprise information systems. This adaptability is particularly effective due to the interdependence of assets, which can be analyzed using cognitive maps.

The first step in constructing a dependency assessment model for an enterprise information system is to identify the highest level in the hierarchy of the enterprise’s information resources. This typically includes critical elements such as the main server or a key building that serves as the operational hub. Starting with the most critical components enables the assessment of dependencies on these elements and provides a foundation for progressively analyzing smaller, yet equally significant components. This hierarchical approach ensures the integrity of the analysis and facilitates an accurate evaluation of the impact each element has on the overall security of the enterprise [26–29, 31]. The next step is to assign weights to the three main components of dependencies: confidentiality, integrity and availability. These components are key to determining the level of importance of each element in the context of security and its vulnerability to various threats.
The weight of each component is estimated on a scale from 0 to 1 in increments of 0.1, which allows the importance of each aspect for a particular element to be reflected accurately [30–35]. This approach provides a more detailed assessment of dependencies in the system and allows even non-obvious vulnerabilities that may affect security to be identified. After determining the weights of the components, the next step is to adjust the risks using a specialized dependency formula [34–38]. This formula enables the consideration of not only individual elements but also their interrelationships. For instance, in cases where elements are connected according to the OR principle, the risk for each component is adjusted using the average value of the adjusted risks of the interconnected elements. Conversely, for elements that depend on multiple other components, the adjustment must account for all higher levels of dependencies. This means that if one element relies on several others, accurately determining its risk level requires incorporating the risks of all these elements as well as their interactions.

Further risk adjustments are made using special formulas (8) and (9), in which the total dependency weight for the element is formed from the weights of the confidentiality, integrity and availability dependency components, and the Risk Value is the risk value for the higher-level entity to which the current entity is related. The formula adjusts the risk value depending on the weight of the components and the type of connection of the elements. In the real world, accurate risk assessment can be challenging due to rapidly changing technologies and the continuous evolution of threats. Therefore, the application of such models necessitates constant updating and adaptation. To address this, intervals of risk values are employed to create a more flexible model for risk assessment and forecasting [17, 29].
Incorporating these intervals allows for the identification of potential threats, even in scenarios that were not initially considered during the early stages of the analysis. The total weight of dependencies, determined by the sum of the component weights and their maximum value, enables the construction of a comprehensive picture of dependencies for each element within the system. Notably, the risk adjustment process can incorporate advanced technologies, such as cloud services and automated monitoring systems, which facilitate the real-time identification of potential threats [6–8, 19–22]. These innovations not only enhance the effectiveness of risk assessment but also enable faster and more efficient responses to potential security incidents.

An example of risk adjustment:

1. Low dependence and low risk: If an asset has a low dependence on a low-risk element ( = 1), the risk adjustment can be as little as +1 point.
2. Medium dependence and medium risk: in the case of medium dependence and medium risk ( = 2), the risk adjustment can be increased by +2.4 points.
3. High dependence and high risk: If an asset is highly dependent and exposed to a high-risk element ( = 3), the risk adjustment can be significant—by +7.2 points.

These adjustments allow for a more accurate reflection of the real level of risk and enable an enterprise to develop more effective strategies for protecting its information resources [9–12]. As a result of applying this dependency assessment model, an enterprise receives a clear picture of potential threats, which allows it to respond quickly to possible incidents and increase the overall level of cybersecurity in a rapidly changing threat environment. Figure 3 shows part of the enterprise model, where each infrastructure element is assigned the appropriate weights for the dependency components.

Figure 3: Determining dependency weights for infrastructure elements.
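The dependency-adjustment procedure of this section (component weights on a 0..1 scale, OR connections for redundant elements, AND connections for elements that need every higher-level element, base risk from the 4×4 matrix and classification with its thresholds), as an added example that is not code from the paper and does not reproduce the weights of Figure 3. Formula (9) is not legible in the extracted text, so the adjustment rule is an assumption: the page's worked increments (+1, +2.4, +7.2) can each be written as weight × provider risk (e.g. 0.5 × 2, 0.6 × 4, 0.8 × 9), and that is the form used here, with the total weight taken as the component sum normalised by its maximum (3). An AND connection adds weight × adjusted risk for every provider; an OR connection adds the mean weight × the mean adjusted risk of the redundant providers. The asset fragment and all scores are constructed.

```python
"""Dependency-aware risk adjustment over a resource graph with AND/OR connections.

Added example, not code from the paper. The adjustment rule is an assumption
that follows the page's description; the asset graph and scores are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Provider = Tuple[str, float, float, float]   # (asset name, w_conf, w_int, w_avail)


@dataclass
class Dependency:
    kind: str                 # "AND": all providers required; "OR": redundant providers
    providers: List[Provider]


@dataclass
class Asset:
    name: str
    probability: int          # threat likelihood, 1..4 (matrix column)
    impact: int               # impact level, 1..4 (matrix row)
    dependencies: List[Dependency] = field(default_factory=list)


def matrix_risk(probability: int, impact: int) -> int:
    """Cell of the page's 4x4 risk matrix: probability x impact, 1..16."""
    if not (1 <= probability <= 4 and 1 <= impact <= 4):
        raise ValueError("probability and impact must be on the 1..4 scale")
    return probability * impact


def classify(risk: float) -> str:
    """Page's categories on the rounded value (1-5 low, 6-9 medium, 10-16 high);
    a value pushed above 16 by dependencies still counts as high."""
    score = round(risk)
    if score <= 5:
        return "low"
    if score <= 9:
        return "medium"
    return "high"


def dependency_weight(w_conf: float, w_int: float, w_avail: float) -> float:
    """Total dependency weight: component sum normalised by its maximum (3),
    so it stays in [0, 1]. This normalisation is an assumption."""
    for w in (w_conf, w_int, w_avail):
        if not 0.0 <= w <= 1.0:
            raise ValueError("component weights must lie in [0, 1]")
    return (w_conf + w_int + w_avail) / 3.0


def adjusted_risks(assets: Dict[str, Asset]) -> Dict[str, float]:
    """Adjust every asset's base risk by the (already adjusted) risk of the
    higher-level assets it depends on. Dependencies must form a hierarchy."""
    memo: Dict[str, float] = {}
    visiting: set = set()

    def adjust(name: str) -> float:
        if name in memo:
            return memo[name]
        if name in visiting:
            raise ValueError(f"dependency cycle through {name}")
        visiting.add(name)
        asset = assets[name]
        risk = float(matrix_risk(asset.probability, asset.impact))
        for dep in asset.dependencies:
            weights = [dependency_weight(c, i, a) for _, c, i, a in dep.providers]
            risks = [adjust(p) for p, _, _, _ in dep.providers]
            if dep.kind == "AND":
                risk += sum(w * r for w, r in zip(weights, risks))
            elif dep.kind == "OR":
                risk += (sum(weights) / len(weights)) * (sum(risks) / len(risks))
            else:
                raise ValueError(f"{name}: unknown connection type {dep.kind!r}")
        visiting.discard(name)
        memo[name] = risk
        return risk

    for name in assets:
        adjust(name)
    return memo


# Constructed sample fragment of an enterprise model (illustrative values only).
SAMPLE_ASSETS: Dict[str, Asset] = {a.name: a for a in [
    Asset("building", 1, 2),
    Asset("physical server 1", 1, 3, [Dependency("AND", [("building", 0.3, 0.6, 0.9)])]),
    Asset("physical server 2", 1, 3, [Dependency("AND", [("building", 0.3, 0.6, 0.9)])]),
    Asset("Active Directory server", 2, 2, [Dependency("AND", [("physical server 1", 0.5, 0.5, 0.8)])]),
    Asset("DB server primary", 2, 3, [Dependency("AND", [("physical server 1", 0.6, 0.8, 0.7)])]),
    Asset("DB server replica", 2, 3, [Dependency("AND", [("physical server 2", 0.6, 0.8, 0.7)])]),
    # redundant storage: OR connection over the two database servers
    Asset("customer data", 1, 4, [Dependency("OR", [("DB server primary", 0.6, 0.6, 0.3),
                                                    ("DB server replica", 0.6, 0.6, 0.3)])]),
    # dual dependency: AND connection on the AD server and a physical server
    Asset("private data", 2, 2, [Dependency("AND", [("Active Directory server", 0.9, 0.6, 0.6),
                                                    ("physical server 2", 0.3, 0.3, 0.9)])]),
]}

if __name__ == "__main__":
    for name, risk in adjusted_risks(SAMPLE_ASSETS).items():
        print(f"{name:26s} {risk:6.2f} {classify(risk)}")
```

In the constructed fragment the redundantly stored customer data stays in the medium band, while the private data with two required dependencies crosses into the high band; changing the customer-data connection from OR to AND raises it into the high band as well, which is the effect of redundancy the section describes. The cycle check guards against a dependency graph that is not the hierarchy the method assumes.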
Each element is assessed in the context of the risks associated with its dependencies on other elements [13]. Note that, after the initial risk assessment of each organizational element, these values are adjusted according to the actual dependencies between elements [14–16]. For instance, when assessing customer data, we consider not only its direct vulnerability but also the elevated risk level of the database servers that store it. This gives a more accurate representation of the actual threat level to the information. The adjustment of risk values also depends on whether redundant infrastructure elements are available. For example, for customer data that is duplicated at the database server level, the risk adjustment is limited to +2.1, because the redundant resources mitigate the potential impact of the threat [18]. Certain key system elements, such as private data, require significant adjustments to their risk values because they have dual dependencies: on both the Active Directory server and the physical server. These additional dependencies introduce heightened vulnerability, and the risk level is therefore increased by +4 points [19–21].

Algorithms for assessing the security of enterprise information resources can be based on FCMs. A cognitive map is a signed directed graph in which the key factors of the modeled object (concepts) are connected by arcs that reflect cause-and-effect relationships. These connections characterize the degree to which concepts influence one another and are specified by fuzzy weights $w_{ij}$ given as interval scores or linguistic terms.
In general, a fuzzy cognitive map is defined as a tuple of sets [20–22]:

$$\mathrm{FCM} = \langle C, L, W \rangle, \qquad (10)$$

where FCM is a directed graph specified by the tuple: $C = \{c_{i}\}$ is a finite set of vertices (concepts), $L = \{l_{ij}\}$ is a finite set of links between concepts (the set of arcs of the directed graph), and $W = \{w_{ij}\}$ is a finite set of weights of these links. Figure 4 shows an example of an FCM built for assessing the information risks of an enterprise. In this example the concepts are divided into five types: $C^{6}$, the set of target factors; $C^{7}$, the set of destabilizing factors (threats); the set of information resources; the set of basic factors (intermediate concepts, indicators); and the set of controlling factors [4, 9]. The link weights were determined from expert assessments using the linguistic variables "weak", "medium" and "strong" on a scale of [0, 1]. Three main factors were selected as the target concepts to be analyzed: "Reputation", "Quality of products/services" and "Material and technical condition", which reflect the general state of the enterprise in the market [4–7].

Figure 4: FCM for assessing information risks of an enterprise.

An FCM built in this way allows us to assess the impact of both individual threats and their combinations on a particular target factor. The overall effect of a threat concept $C^{7}$ on a target-factor concept $C^{6}$ is determined using the reach matrix:

$$I(C^{7} \to C^{6}) = r_{ij}, \qquad (11)$$

$$R = \|r_{ij}\|_{n \times n}, \qquad (12)$$

where $R$ is the reach matrix computed from $W = \|w_{ij}\|_{n \times n}$, the adjacency matrix of the FCM; $w_{ij}$ is the weight of the link between the $i$-th and $j$-th concepts, and $n$ is the number of FCM concepts [8, 9]. With fuzzy weights $w_{ij}$, the multiplication and addition operations used to compute the reach matrix are replaced by the minimum and maximum operations, respectively. The indirect effect of $C^{7}$ on $C^{6}$ along one path is the minimum of the link weights on that path:

$$I_{k}(C^{7} \to C^{6}) = \min\{w_{ij}\}, \qquad (13)$$

The full (total) effect of $C^{7}$ on $C^{6}$ is obtained by combining the values over all paths that exist between the concepts (the maximum takes the place of the sum):

$$I(C^{7} \to C^{6}) = \max\{I_{1}, I_{2}, \dots, I_{q}\}, \qquad (14)$$

where $I_{k}$ is the indirect effect between the threat $C^{7}$ and the target factor $C^{6}$ along the $k$-th path, $\{w_{ij}\}$ is the set of link weights on that path, and $q$ is the number of indirect effects (the number of paths between $C^{7}$ and $C^{6}$) [10–12]. Table 1 presents the concepts selected for analysis and the states of their variables, as a generalized example of how concepts can be defined within the FCM framework for assessing enterprise information risks. Transitions between the different states of each concept are guided by expert opinion or by the results of risk analysis [13]. The risk $R_{ij}$ of the $i$-th target factor with respect to the $j$-th threat is determined by the formula

$$R_{ij} = I(C^{7}_{j} \to C^{6}_{i}) \cdot V_{i} \cdot p_{j}, \qquad (15)$$

where $V_{i}$ is the value of the $i$-th resource, $I(C^{7}_{j} \to C^{6}_{i})$ is the full effect of the threat $C^{7}_{j}$ on $C^{6}_{i}$, and $p_{j}$ is the probability that the $j$-th threat is realized. The total risk for the considered set of threats is defined as

$$R_{\Sigma} = \sum_{j=1}^{m} \sum_{i=1}^{l} \alpha_{i} R_{ij}, \qquad (16)$$

where $m$ is the number of threats, $l$ is the number of target factors, and $\alpha_{i}$ is the significance of the $i$-th target factor, determined by experts [14, 15].

Table 1. Concepts and Their Variable States for Analyzing Enterprise Information Risks

| Concept | Concept name | Type of concept | Variable state |
| $C^{7}_{1}$ | Theft | Destabilizing factor (threat) | x₁: average number of thefts per unit of time |
| $C^{7}_{2}$ | Modification | Destabilizing factor (threat) | x₂: average number of unauthorized modifications per unit of time |
| $C^{7}_{3}$ | Disclosure | Destabilizing factor (threat) | x₃: average number of disclosures per unit of time |
| $C^{7}_{4}$ | Viruses | Destabilizing factor (threat) | x₄: average number of virus attacks per unit of time |
| $C^{7}_{5}$ | Hardware and software failures | Controlling factor | x₅: average number of hardware and software failures per unit of time |
| С1 | Databases | Basic factor | x₆: level of reliability of information in databases, % |
| С2 | Confidential information | Target factor | x₇: level of confidentiality, % |
| С3 | Software | Target factor | x₈: software availability level, % |
| С4 | Hardware resources | Basic factor | x₉: operability of computers and other equipment, % |
| С1 | Emotional and psychological state | Destabilizing factor (threat) | x₁₀: number of stressful situations or incidents, units |
| С2 | Violation of the company's work schedule | Destabilizing factor (threat) | x₁₁: number of production schedule disruptions, units |
| С3 | Qualification level of employees | Target factor | x₁₂: average qualification level of employees on a five-point scale |
| $C^{6}_{1}$ | Reputation of the company | Target factor | x₁₃: number of negative publications or statements, units |
| $C^{6}_{2}$ | Quality of service provision | Target factor | x₁₄: share of employees who successfully work in their specialty, % |
| $C^{6}_{3}$ | Material and technical condition | Basic factor / Controlling factor | x₁₅: capitalization, UAH |

Table 2 presents estimates of the impact of the threats $C^{7}_{1}$–$C^{7}_{5}$ on the target factors $C^{6}_{1}$–$C^{6}_{3}$. The analysis of the FCM shows that, given the strength of the connections between the concepts, realization of the threat "Theft" against the enterprise's information resources "strongly" affects the concepts "Quality of products/services" and "Material and technical condition" and "moderately" affects the concept "Reputation" of the enterprise [19–22, 40–43]. By expressing the values of the target factors in absolute or conditional units, it is possible to calculate the potential risk (damage) both for individual target factors under particular threats and the overall (total) risk [18, 39–41].
The use of the FCM makes it possible not only to visualize the negative processes that arise in the information system under the influence of threats, but also to identify the most vulnerable areas and the ways to reduce the impact of threats by introducing appropriate control measures (countermeasures), a set of controlling-factor concepts that lowers the information risk to an acceptable level. For example, if viruses are considered a threat to the company's information resources (concept $C^{7}_{4}$), and the impact of this threat on the target factors $C^{6}_{2}$ ("Quality of products/services") and $C^{6}_{3}$ ("Material and technical condition") is assessed as "strong", then to reduce this impact it is necessary to implement countermeasures such as choosing an anti-virus protection strategy, selecting an appropriate anti-virus program, and managing the anti-virus tools. This reduces the degree of influence of $C^{7}_{4}$ on $C^{6}_{2}$ and $C^{6}_{3}$ to the "medium" level [16, 17, 39, 41–43]. Table 3 lists the recommended measures (the set of controlling factors) and estimates of the degree of their impact on the concepts concerned. The corresponding FCM after the introduction of the countermeasures (the 13 controlling-factor concepts of Table 3) is shown in Figure 5.

Table 2. Assessment of the Degree of Impact of Threats on Target Factors (full effect of the threat on the target factor)

| Threat | Before countermeasures: $C^{6}_{1}$ | $C^{6}_{2}$ | $C^{6}_{3}$ | After countermeasures: $C^{6}_{1}$ | $C^{6}_{2}$ | $C^{6}_{3}$ |
| $C^{7}_{1}$ | average | strong | strong | weak | average | average |
| $C^{7}_{2}$ | average | average | average | weak | weak | weak |
| $C^{7}_{3}$ | weak | weak | weak | weak | weak | weak |
| $C^{7}_{4}$ | – | strong | strong | – | average | average |
| $C^{7}_{5}$ | – | strong | strong | – | average | average |

Figure 5: FCM for assessing information risks of an enterprise taking into account a set of controlling factors.
An analysis of the ratio between risks and the cost of mitigation measures makes it possible to identify rational approaches to managing an enterprise's information security and to justify the necessary security expenditure. Decisions on the choice of countermeasures and on the acceptable level of risk should be guided by the cost-effectiveness criterion [2, 16, 40–43]. In this context, the task of selecting control factors to reduce risk can be formulated in two ways:

1. $R_{\Sigma} \le R_{\mathrm{perm}}$ with $Z \to \min$: determine the minimum cost of implementing information security measures while ensuring an acceptable level of risk;
2. $Z \le Z_{\mathrm{perm}}$ with $R_{\Sigma} \to \min$: minimize the risk at a given cost of implementing the measures [9].

Here $R_{\Sigma}$ and $Z$ are the total risk and the cost of the information security measures (countermeasures), and $R_{\mathrm{perm}}$ and $Z_{\mathrm{perm}}$ are the permissible values of the total risk and of the cost. The effectiveness of the controlling influences is calculated by the formula

$$E = \frac{R_{\Sigma}^{(0)} - R_{\Sigma}^{(1)}}{R_{\Sigma}^{(0)}} \times 100\%, \qquad (17)$$

where $R_{\Sigma}^{(0)}$ is the calculated initial risk and $R_{\Sigma}^{(1)}$ is the risk after the introduction of additional countermeasures.
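As an added worked example (not code from the original paper), the following Python script carries the FCM computation of eqs. (10)–(17) through on a small sub-map: the reach matrix is obtained from the adjacency matrix by max–min composition (so a threat's full effect on a target is the maximum over paths of the minimum link weight along each path), the per-pair risks and the significance-weighted total risk are computed before and after a countermeasure, and the effectiveness is reported in percent. Everything numeric is an assumption: the values 0.3/0.6/0.9 for "weak"/"average"/"strong", the seven-concept sub-map with its links, the resource values $V_i$, threat probabilities $p_j$ and significances $\alpha_i$, and the modelling of the anti-virus countermeasures as weakening the single link from "Viruses" to "Software". With these choices the "Theft" and "Viruses" rows of Table 2 are reproduced for the before case and the "Viruses" row for the after case.

```python
"""FCM reach-matrix risk assessment (added example, constructed data)."""
from __future__ import annotations

# Assumed numeric values for the paper's linguistic link weights (the page gives none).
LING = {"weak": 0.3, "average": 0.6, "strong": 0.9}

# Constructed sub-map: two threats, two resources, three target factors.
CONCEPTS = ["Theft", "Viruses", "Databases", "Software", "Reputation", "Quality", "Material"]
LINKS = {
    ("Theft", "Databases"): "strong",
    ("Viruses", "Software"): "strong",
    ("Databases", "Reputation"): "average",
    ("Databases", "Quality"): "strong",
    ("Databases", "Material"): "strong",
    ("Software", "Quality"): "strong",
    ("Software", "Material"): "strong",
}
THREATS = ["Theft", "Viruses"]
TARGETS = ["Reputation", "Quality", "Material"]
VALUE = {"Reputation": 100.0, "Quality": 80.0, "Material": 120.0}  # V_i, conditional units (assumed)
PROB = {"Theft": 0.2, "Viruses": 0.5}                               # p_j (assumed)
ALPHA = {"Reputation": 0.4, "Quality": 0.3, "Material": 0.3}       # alpha_i significance (assumed)
IDX = {c: i for i, c in enumerate(CONCEPTS)}


def adjacency(links: dict, overrides: dict | None = None) -> list[list[float]]:
    """Eq. (12): W = ||w_ij||. `overrides` replaces link terms to model countermeasures."""
    terms = {**links, **(overrides or {})}
    n = len(CONCEPTS)
    w = [[0.0] * n for _ in range(n)]
    for (src, dst), term in terms.items():
        w[IDX[src]][IDX[dst]] = LING[term]
    return w


def reach(w: list[list[float]]) -> list[list[float]]:
    """Eqs. (11)-(14): max-min transitive closure of W.
    Iterates r <- r OR (r o W) with (a o b)_ij = max_k min(a_ik, b_kj) until stable, so
    r_ij = max over paths i->j of the min link weight on the path."""
    n = len(w)
    r = [row[:] for row in w]
    while True:
        nxt = [[max(r[i][j], max(min(r[i][k], w[k][j]) for k in range(n)))
                for j in range(n)] for i in range(n)]
        if nxt == r:
            return r
        r = nxt


def full_effect(r: list[list[float]], threat: str, target: str) -> float:
    return r[IDX[threat]][IDX[target]]


def to_term(x: float) -> str:
    """Map a numeric effect back to the page's linguistic scale ('-' = no path)."""
    if x == 0.0:
        return "-"
    return min(LING, key=lambda t: abs(LING[t] - x))


def risk(r: list[list[float]], threat: str, target: str) -> float:
    """Eq. (15): R_ij = I(C7_j -> C6_i) * V_i * p_j."""
    return full_effect(r, threat, target) * VALUE[target] * PROB[threat]


def total_risk(r: list[list[float]]) -> float:
    """Eq. (16): sum over threats and target factors, weighted by alpha_i."""
    return sum(ALPHA[t] * risk(r, th, t) for th in THREATS for t in TARGETS)


def effectiveness(r0: float, r1: float) -> float:
    """Eq. (17): relative reduction of total risk, in percent."""
    return (r0 - r1) / r0 * 100.0


def analyse(overrides: dict | None = None) -> tuple[dict, float]:
    """Linguistic effect table (threat -> target) plus the total risk for one map."""
    r = reach(adjacency(LINKS, overrides))
    table = {th: {t: to_term(full_effect(r, th, t)) for t in TARGETS} for th in THREATS}
    return table, total_risk(r)


if __name__ == "__main__":
    before, r0 = analyse()
    # Anti-virus countermeasures (assumed) weaken Viruses -> Software from strong to average.
    after, r1 = analyse({("Viruses", "Software"): "average"})
    print("before:", before, f"R_total={r0:.2f}")
    print("after: ", after, f"R_total={r1:.2f}")
    print(f"effectiveness E = {effectiveness(r0, r1):.1f}%")
```

The closure loop is the fuzzy counterpart of computing $W \vee W^{2} \vee \dots$; because every weight lies in [0, 1] and the map is finite, it reaches a fixed point after at most $n-1$ rounds. Replacing the single overridden link term with the outputs of a full controlling-factor layer (Figure 5) needs no change to the reach computation, only a larger `LINKS` dictionary.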
Table 3. Set of Controlling Factors

| Concept name (controlling factor) | Impact of the concept on the link |
| Differentiation of user access levels | average |
| Control and management of access to the premises | average |
| Development and implementation of the virus protection concept | strong |
| Administrative and technical means of access control | average |
| Measures to prevent failures | average |
| Formation of a corporate culture of information security | average |
| Backup and restore | strong |
| Organization of the document storage procedure | average |
| Developing a procedure for recovery from virus attacks | average |
| Developing a procedure for prompt response to incidents | average |
| Use of licensed software, controlling the work of users | average |
| Technical support of hardware resources | average |
| Development of measures to improve the stability of production processes | average |

The methodology for ensuring enterprise information security through information risk assessment with FCMs is a comprehensive approach. It enables not only the visual evaluation of the potential impact of major threats on the enterprise information system but also the effective systematization of risk factors as part of a holistic analysis of information security [3, 14, 35–38, 41–43]. This methodology serves as a practical tool to support decision-making across all levels of the enterprise security policy. It improves the convenience and accuracy of information security management at both strategic and operational levels, enabling adaptive and timely management measures.
Automating the processes of analyzing information risks, prioritizing them, and selecting effective countermeasures to protect an enterprise’s information assets significantly reduces the time required for comprehensive risk analysis. It also improves the quality of decision-making and helps reduce the costs associated with implementing security measures. This is achieved by structuring all stages of analysis and countermeasure selection. Automation enables the flexible adaptation of security strategies to the enterprise’s current needs and facilitates a rapid response to evolving threat conditions. The proposed structure of the decision support system (DSS) for managing enterprise information risks, based on cognitive modeling, offers enhanced objectivity and efficiency in information security decision-making. Cognitive modeling enables a deeper analysis of the cause-and-effect relationships between threats and risks, facilitates the timely identification of the most vulnerable elements within the information system, and supports the development of adaptive countermeasures [7, 10, 33]. Such a system significantly reduces potential losses from both external and internal threats while ensuring optimal resource allocation and maintaining stable information security. This approach enables the consideration of interdependencies among various information resources in the process of managing information security risks. It facilitates the analysis of how specific factors can influence the overall security of information assets and the achievement of the organization’s information security objectives. In light of current trends in cybersecurity and technologies such as cloud computing, automated recovery systems, and virtualization, it is crucial to account for these dependencies when developing a sustainable risk management model. 
These technologies not only mitigate the impact of physical disasters on operations but also ensure rapid recovery from cyberattacks, thereby enhancing the resilience of the infrastructure against unpredictable threats [8, 18].

5. Conclusions

The study proposes a method for assessing the dependencies among information resources within an information system, which can significantly enhance the accuracy and efficiency of risk analysis at an enterprise. While similar approaches have been applied in both scientific and practical contexts, the importance of considering these dependencies and their impact on the overall level of risk is becoming increasingly evident and critical amidst modern challenges and rapid technological advancements. International standards in the field of information security, particularly ISO/IEC 27005:2018, along with established risk management guidelines, emphasize the necessity of incorporating dependencies among information resources into the processes of risk analysis and assessment. This standard highlights the importance of determining the degree of dependency between information resources and their impact on enterprise security, specifically in maintaining the confidentiality, integrity, and availability of data. In this context, the proposed method considers dependencies not only in terms of the direct significance of information resources but also through their role in achieving the strategic goals of the enterprise and their susceptibility to various threats. Additionally, the dependency assessment model incorporates not only direct connections between infrastructure elements but also considers scenarios where information resources exhibit multiple dependencies or duplication. This approach enables risk mitigation through the redundant allocation of resources or the integration of additional security layers.
Such measures are particularly relevant in the context of the increasing adoption of cloud technologies, virtualization, and automated recovery systems. The method of assessing information risks in an enterprise using fuzzy cognitive maps enables a 1.5- to 2-fold reduction in the time required for decision-making on the selection of necessary countermeasures. This approach significantly reduces information risks by implementing effective management actions (countermeasures) while keeping the total cost of information protection within acceptable limits. Due to its flexibility, the proposed method can be integrated into existing risk management processes, enabling risk assessments to be adjusted for the real dependencies between information resources. In the future, an extended model can be developed that incorporates quantitative methods to measure the security status of an enterprise more precisely. This advancement will provide timely, accurate, and well-founded data for decision-making, aligned with the requirements of modern cybersecurity and the dynamically evolving threat landscape.

References

[1] P. Curtis, M. Chen, Risk Management in Information Security, Elsevier, 2020.
[2] R. Sharma, M. Shahi, Neural Network Models for Cyber Risk Assessment, Springer, 2019.
[3] A. Bensou, R. Martinez, Context-Based Risk Assessment in Cybersecurity, IEEE Transactions on Cybersecurity 12(3) (2020) 45–52.
[4] P. Wang, H. Chen, Fuzzy Cognitive Maps in Information Risk Management, International Journal of Intelligent Systems 36(4) (2021) 1234–1252.
[5] A. Korchenko, A. Golubev, Information Security Risk Assessment: Approaches and Best Practices, Springer, 2018.
[6] X. Zhang, Y. Liu, Advanced Risk Management Models for Information Security Systems, Computer Science and Technology 14(1) (2022) 23–29.
[7] Z. Li, J. Yang, A Comparative Study of Risk Management Frameworks in Cybersecurity, Journal of Cybersecurity Research 8(2) (2021) 157–168.
[8] M. Chen, H. Zhang, Integrating Fuzzy Logic in Information Security Risk Assessment, Journal of Risk Analysis 31(4) (2020) 202–211.
[9] J. Xu, X. Wang, Evaluating Cybersecurity Risks: A Fuzzy Approach, International Journal of Information Security 22(3) (2021) 200–210.
[10] Yu. Kostiuk, et al., Information and Intelligent Forecasting Systems Based on the Methods of Neural Network Theory, Smart Information Systems and Technologies (SIST) (2023) 168–173.
[11] K. Tan, H. Zhou, Assessment of Information Security Risks Using Machine Learning Algorithms, Journal of Network and Computer Applications 54(6) (2021) 81–89.
[12] R. Gupta, P. Singh, Cyber Risk Quantification and Mitigation Using Advanced Analytics, Springer, 2020.
[13] Yu. Kostiuk, et al., Information Protection and Data Exchange Security in Wireless Mobile Networks with Authentication and Key Exchange Protocols, Electronic Professional Scientific Journal "Cybersecurity: Education, Science, Technology" 1(25) (2024) 229–252. doi: 10.28925/26634023.2024.25.229252.
[14] V. Ravichandran, Cybersecurity Risk Management and Mitigation Strategies, Elsevier, 2021.
[15] O. Kryvoruchko, Y. Kostiuk, A. Desiatko, Systematization of signs of unauthorized access to corporate information based on application of cryptographic protection methods, Ukrainian Scientific Journal of Information Security 30(1) (2024) 140–149.
[16] W. Shen, L. Zhang, A Review of Cyber Risk Management Strategies for Enterprises, Journal of Information Security and Applications 23(1) (2021) 72–85.
[17] Q. Liu, Y. Wang, Fuzzy Risk Analysis in Information Security Systems, International Journal of Information Technology 10(5) (2022) 233–241.
[18] Yu. Kostiuk, et al., Integrated protection strategies and adaptive resource distribution for secure video streaming over a Bluetooth network, Information technology 4(6) (2024) 14–33.
[19] T. Xu, Z. Chen, Advanced Risk Management Methods in Cybersecurity and Information Protection, IEEE Access 8(1) (2020) 105234–105242.
[20] X. Zhao, J. Sun, Cybersecurity Risk Management for Cloud Computing Systems, Journal of Cloud Computing: Advances, Systems and Applications 8(4) (2021) 16–28.
[21] Y. Smitiukh, et al., Development of a prototype of an intelligent system for predicting the quality of dairy production, IEEE Intelligent Systems (2022).
[22] O. Kryvoruchko, et al., Analysis of technical indicators of efficiency and quality of intelligent systems, Journal of Theoretical and Applied Information Technology 101(24) (2023) 8127–8139.
[23] S. Wang, T. Zhang, Smart Systems and Cybersecurity Risk Management, Smart Computing Review 12(2) (2021) 46–53.
[24] Yu. Kostiuk, A. Golynskyi, Strategies for integrated protection of wireless sensor networks, Science and Technology Today (Series 'Pedagogy', Series 'Law', Series 'Economics', Series 'Physical and Mathematical Sciences', Series 'Technology') 5(33) (2024) 1232–1247.
[25] Y. Sun, J. Liu, Comprehensive Risk Assessment for Information Security: A Case Study Approach, Journal of Information Technology 35(1) (2022) 79–91.
[26] S. Lee, J. Yang, AI-Driven Risk Management in Information Security, Journal of Cyber Intelligence and Data Mining 7(3) (2021) 85–92.
[27] O. Kryvoruchko, Yu. Kostiuk, Development of a Decision Support Information System Based on SYSML, Information Technologies and Society 2(4) (2022) 58–64. doi: 10.32689/maup.it.2022.2.8.
[28] P. Gupta, A. Soni, Evaluation of Risk Factors in Information Security Using Fuzzy Logic, International Journal of Computer Science and Information Security 18(4) (2020) 191–198.
[29] P. Wang, H. Chen, Fuzzy Cognitive Maps in Information Risk Management, International Journal of Intelligent Systems 36(4) (2021) 1234–1252. doi: 10.1002/int.22345.
[30] R. Sharma, M. Shahi, Neural Network Models for Cyber Risk Assessment, Springer, 1(2) (2019) 34–45. doi: 10.1007/s00542-019-05052-w.
[31] J. Xu, X. Wang, Evaluating Cybersecurity Risks: A Fuzzy Approach, International Journal of Information Security 22(3) (2021) 200–210. doi: 10.1007/s10207-021-005663.
[32] M. Chen, H. Zhang, Integrating Fuzzy Logic in Information Security Risk Assessment, Journal of Risk Analysis 31(4) (2020) 202–211. doi: 10.1111/j.1539-6924.2020.01430.x.
[33] A. Bensou, R. Martinez, Context-Based Risk Assessment in Cybersecurity, IEEE Transactions on Cybersecurity 12(3) (2020) 45–52. doi: 10.1109/TCS.2020.2963054.
[34] X. Zhao, J. Sun, Cybersecurity Risk Management for Cloud Computing Systems, Journal of Cloud Computing: Advances, Systems and Applications 8(4) (2021) 16–28. doi: 10.1186/s13677-021-00255-5.
[35] K. Tan, H. Zhou, Assessment of Information Security Risks Using Machine Learning Algorithms, Journal of Network and Computer Applications 54(6) (2021) 81–89. doi: 10.1016/j.jnca.2021.102382.
[36] Q. Liu, Y. Wang, Fuzzy Risk Analysis in Information Security Systems, International Journal of Information Technology 10(5) (2022) 233–241. doi: 10.1007/s41870-02100658-w.
[37] Y. Sun, J. Liu, Comprehensive Risk Assessment for Information Security: Case Study Approach, Journal of Information Technology 35(1) (2022) 79–91. doi: 10.1057/s41265021-00170-7.
[38] R. Gupta, P. Singh, Cyber Risk Quantification and Mitigation Using Advanced Analytics, Springer, 9(2) (2020) 117–126. doi: 10.1007/s10462-020-09744-0.
[39] D. Berestov, et al., Analysis of Features and Prospects of Application of Dynamic Iterative Assessment of Information Security Risks, in: Proceedings of Workshop on Cybersecurity Providing in Information and Telecommunication Systems, vol. 2923 (2021) 329–335.
[40] S. Shevchenko, et al., Information Security Risk Management using Cognitive Modeling, in: Proceedings of Workshop on Cybersecurity Providing in Information and Telecommunication Systems II, vol. 3550 (2023) 297–305.
[41] S. Shevchenko, et al., Protection of Information in Telecommunication Medical Systems based on a Risk-Oriented Approach, in: Proceedings of Workshop on Cybersecurity Providing in Information and Telecommunication Systems, vol. 3421 (2023) 158–167.
[42] D. Berestov, et al., Synthesis of the System of Iterative Dynamic Risk Assessment of Information Security, in: Proceedings of Workshop on Cybersecurity Providing in Information and Telecommunication Systems II, vol. 3188 (2021) 135–148.
[43] S. Zybin, et al., Approach of the Attack Analysis to Reduce Omissions in the Risk Management, in: Proceedings of Workshop on Cybersecurity Providing in Information and Telecommunication Systems, vol. 2923 (2021) 318–328.
[44] M. Zaliskyi, et al., Heteroskedasticity analysis during operational data processing of radio electronic systems, in: S. Shukla, A. Unal, J. Varghese Kureethara, D.K. Mishra, D.S. Han (Eds.), Data Science and Security, volume 290 of Lecture Notes in Networks and Systems, Springer, Singapore, 2021, pp. 168–175. doi: 10.1007/978-981-16-4486-3_18.
[45] I. Ostroumov, et al., A probability estimation of aircraft departures and arrivals delays, in: O. Gervasi, et al. (Eds.), Computational Science and Its Applications – ICCSA 2021, volume 12950 of Lecture Notes in Computer Science, Springer, Cham, 2021, pp. 363–377. doi: 10.1007/978-3-030-86960-1_26.
[46] O. Solomentsev, et al., Data processing through the lifecycle of aviation radio equipment, in: Proceedings of IEEE 17th International Conference on Computer Sciences and Information Technologies (CSIT), IEEE, Lviv, Ukraine, 2022, pp. 146–151. doi: 10.1109/CSIT56902.2022.10000844.