Fuzzy Logic and Its Application in the Assessment of Information Security Risk of Industrial Internet of Things

Abstract

This article addresses the issue of information security in the Industrial Internet of Things (IIoT) environment. Information security risk assessment in the IIoT is complicated by several factors: the complexity and heterogeneity of the system, the dynamic nature of the system, the distributed network infrastructure, the lack of standards and guidelines, and the increased consequences of security breaches. Given these factors, information security risk assessment in the IIoT requires a comprehensive approach adapted to the peculiarities and requirements of a particular system and industry. It is necessary to use specialized risk assessment methods and to take into account the context and peculiarities of the system. The method of information security risk assessment in the IIoT, based on the mathematical apparatus of fuzzy set theory, is proposed. This paper analyzes information security threats for IIoT systems, from which the most significant criteria are selected. The rules, based on which decisions are made, are formulated in the form of logical formulas containing input parameters. Three fuzzy inference systems are used: one to estimate the probability of threat realization, another to estimate the probable damage, and a final one to estimate the information security risk for the IIoT system. Based on the proposed method, examples of calculating the information security risk assessment in the IIoT environment are provided. The proposed scientific approach can serve as a foundation for creating expert decision support systems for designing IIoT systems.

1. Introduction

With the rapid evolution of the Industrial Internet of Things (IIoT), there is an urgent need to swiftly respond to, detect, and prevent intrusions. IIoT systems possess specialized features and encounter unique challenges when it comes to defending against cyber-attacks. Information security (IS) risk assessment plays a pivotal role in enterprise management practices, aiding in the identification, quantification, and mitigation of risks based on risk tolerance criteria and organizational objectives.

The necessity of a quick response to intrusions and their timely detection and prevention have arisen during the rapid development of the IIoT. IIoT systems have special features and face unique challenges working with cyber-attacks. IS risk assessment is an important part of the enterprise management practice that helps to identify, quantify, and minimize threats according to organizational risk acceptance criteria and goals.

The most extensive IIoT security research has been made in [1,2,3]. Hofer [1] presented a late 10-year review on cyber-physical systems architecture considering the concept of Industry 4.0. Using an initial automatic search and iterative refinement, 213 papers were found and studied. In result, the vast majority of architectural styles were categorized and schematized. It is concluded that there is a general increase in security-oriented cyber-physical systems architecture proposals, but no discussion on security in detail. In [2], authors focus on the concepts of the IoT, the Industrial IoT, and Industry 4.0, emphasize issues related to their security and privacy, and present a systematic review of current studies and potential directions for addressing the challenges of the Industrial IoT. The same review article [3] provides a systematic literature review on IIoT security from 2011 until 2019, focusing on IIoT security requirements. Special attention is given to options where the relatively new Fog computing paradigm can be used to fulfil these requirements and serve to enhance IIoT security. Furthermore, it should be noted that in the aforementioned studies, the authors argue that the traditional security strategy is insufficient and not ready to protect modern IIoT systems.

In continuation of the topic, authors [4] pay attention to the fact that IT infrastructure threat identification models—such as Microsoft STRIDE (STRIDE is an acronym that describes the six major threats to information security: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service и Elevation of Privilege), OWASP (Open Web Application Security Project), and ENISA (European Network and Information Security Agency)—fully describe the threats of the Internet of Things, but cannot fully identify the threats of the Industrial IoT. This raises a concern related to determining the correct classification of threats to industrial systems. The first step towards threat qualification in industrial systems was made by authors [5]. The study analyzed potential security threats for industries adapting to IIoT. A taxonomy of IIoT attacks was proposed, which would aid in risk—, according to the authors. This taxonomy was considered in terms of four dimensions: attack vector, attack target, attack impact, and attack consequence. However, the disadvantage of this taxonomy is the limited number of threats considered, which does not allow one to fully cover the whole picture of the situation. Authors [6] considered the development of this direction, namely, some types of threats such as spoofing, SQL injection, and DOS attacks on the five-level IIoT architecture. The authors stated that further research is required to obtain a more accurate and complete classification of threats in the IIoT. Considering security models, two main groups can be distinguished: preventive models designed for risk assessment and existing models designed to detect attacks. After the research, it can be stated that there are a significant number of qualitative studies with proposed systems for detecting anomalies and attacks. Various tools such as graph-based methods, blockchain technology, and machine learning algorithms have been used for this purpose [7,8,9,10].

IIoT systems have their own dynamics and uniqueness correlated to new approaches for adopting risk assessment because they require special attention. At the moment, there are few studies on this topic. Let us consider a few studies, emphasizing the most significant of them. Authors of [11] proposed an Analytic Hierarchy Process (AHP)-based risk assessment model for IIoT cloud technology. IIoT cloud is a combination of machines, robotic arms, controllers, and drivers in a single platform. This IIoT network risk assessment method is particularly valuable for the core hardware on which cloud services are executed. On other hand, the model does not provide a new solution for decision making and does not address IIoT system assets identification and classification issues. According to [12], the IEC 62443 cybersecurity standard was proposed to implement a cyber-defense platform for industrial IoT systems. This standard contains a set of instructions and measures that need to be implemented to ensure not only the industrial system security but also the operational one. The paper proposes a new approach based on IEC 62443-3-2 and IEC 62443-4-2 to verify, through an in-depth risk assessment, the compliance of objects with basic security requirements. However, despite the advantages described in the paper, the assessment model does not consider security requirements such as system integrity and resource availability, and the model does not propose measures to address the effects of threats on the IIoT system. In [13], it is pointed out that the protection of industrial equipment of IIoT systems is an obligation inherently linked to technological developments and IoT usage, which makes it important to identify the main vulnerabilities and associated risks and threats and to propose the most appropriate countermeasures. In this paper, a description of attacks on IIoT systems is presented, as well as a thorough analysis of solutions to these attacks as they have been proposed in the most recent sources. Authors [14] proposed a fuzzy association rule extraction algorithm based on a fuzzy matrix, and this is applied to the correlation of security events in a network environment. In addition, the embedded system is combined to build an IS risk assessment system and the performance of the system is specified according to the real situation.

An interesting approach to cyber risks in the mining industry is presented in [15]. The mentioned article discusses a method of cyber-attack risk analysis for different levels of automation in mining routines based on the use of fuzzy theory. The focus is a method that combines the Kaplan and Garrick approach and fuzzy theory. Fuzzy theory is implemented to estimate the risk parameters for the cyber-attack scenario execution in the mining industry. The proposed method can be used to identify the current state of the cybersecurity of mine shafts. The article [16] focuses on IS risk assessment and its importance to enterprise management. The authors point out that IS risk assessment helps to identify, quantify, and evaluate risks with respect to risk tolerance criteria and in-organizational objectives. The article also discusses various methods and tools for IS risk assessment such as Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVA), the CCTA Risk Analysis and Management Method (CRAMM), and risk surveillance. These are based on risk analysis, cost-benefit analysis, security subsystem selection, construction and testing, and examination of all aspects of security.

The review of articles on cybersecurity risk assessment methods/models confirms the importance and relevance of studying the problem of the IS of the industrial IoT, such as threat classification and security risk analysis of IIoT systems. An analysis of the studies indicates that a significant amount of research is dedicated to identifying the security measures, but the issue of preventive measures, including analysis and taxonomy of IS risks, is poorly studied.

The IIoT emerges as a network encompassing physical devices, machinery, sensors, and other elements of industrial production. These entities exchange data and interact with control systems to optimize and automate production processes. This paper introduces a method for evaluating IS within the IIoT environment, leveraging the principles of fuzzy logic [17].

Various standards and methods are used in assessing IS risks in the IIoT, including:

–

ISO 27400:2022 [18]: This standard offers guidance on principles, information risk assessment, and appropriate IS and privacy controls to mitigate risks associated with the Internet of Things.

–

ISA/IEC 62443 [19]: A series of international standards established by the IEC (International Electrotechnical Commission) specifying cybersecurity requirements for Automated Industrial Process Control Systems (APCSs) and Building Control and Management Systems (BCMSs).

–

NIST SP 800-XX series of standards [20,21,22]: These standards provide security recommendations tailored to industrial control systems, considering their unique performance, reliability, and security requirements. The series encompasses various risk assessment methods and approaches.

This paper is organized as follows. Section 2 is devoted to the description of the methodology and algorithms used in the development of the proposed fuzzy information security risk assessment model for the IIoT environment. Section 3 presents the key findings and results of the study aimed at addressing information security issues in the IIoT environment. Section 4 discusses and compares different approaches to information security risk assessment. Some limitations of the study, practical implications, and suggestions for future research are given in the last chapter “Conclusions”.

2. Proposed Methodology

The purpose of this study is to develop a model for determining the level of risk of information security of the industrial IoT environment using a fuzzy logic system.

According to [20], risk is a measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function—the adverse impacts that would arise if the circumstance or event occurs and the likelihood of occurrence. In [21], risk is the product of the probability of a security incident occurring and the damage that will be caused to the organization due to the incident. The probability of a security incident occurring depends on the probability that a threat will occur and the probability that the threat will be able to exploit vulnerabilities in the system successfully. We combine the latter two factors into the probability of a threat occurring and obtain the formula:

$$R=Y_1·Y_2$$

(1)

where $R$—risk level, $Y_1$—probability of a threat occurring, $Y_2$—level of inflicted damage.

Correctly defining risk criteria is an important step in the risk assessment process as it allows a more accurate determination of the likelihood of risks occurring and the level of potential damage. In addition, identifying risk criteria is also an important step for the subsequent planning and implementation of risk management measures.

According to ISO/IEC 27005:2022 information security, cybersecurity, and privacy protection [22], criteria designed to assess the likelihood of threats occurring include:

• Asset attractiveness;
• Asset availability;
• Asset value;
• Asset confidentiality;
• Asset integrity;
• Software and technical controls;
• Administrative controls;
• Procedural controls;
• Compliance of control measures with information security standards;
• Previous incidents.

Asset attractiveness is a characteristic that indicates how appealing a particular asset is to potential wrongdoers who may attempt unauthorized access to the asset or its information.

Asset availability is a characteristic that describes how easily access to an asset can be obtained. In other words, if an asset is easily accessible, the probability of threat realization will be very high for that asset.

Asset value is a characteristic that shows how important an asset is to the organization. The value of an asset can be determined by its cost or its significance to the organization’s business processes. If an asset has high value, it can lead to a higher probability of threat realization.

Asset confidentiality is a characteristic that reflects the degree of importance in maintaining the confidentiality of information related to the asset. Thus, if an asset is a source of confidential information, it can make it more attractive to potential wrongdoers.

Asset integrity is a characteristic that shows that the asset remains in its original state and is not subject to unauthorized changes or damage. If an asset has high integrity, it maintains its properties and functionality for an extended period without alterations.

Additionally, the first five criteria (asset attractiveness, asset availability, asset value, asset confidentiality, asset integrity) have been consolidated into a single criterion—asset significance, which facilitates the analysis and understanding of asset security within the IIoT system. The inclusion of these criteria into one comprehensive asset assessment criterion is due to their interdependence and their consolidated impact on asset assessment in the context of information security.

For the same reason, the four criteria: (1) software and technical control, (2) administrative control, (3) procedural control, and (4) compliance with information security standards have been consolidated into a single criterion—existing control, as these criteria describe the level of control existing within the organization.

As the third criterion, we have chosen previous incidents. This criterion evaluates whether attacks have been previously committed on the specific asset of an industrial IoT system. If they have, the probability of a threat occurrence will be higher because the wrongdoer is already familiar with this asset and may use past attack experience for the next one.

According to the Factor Analysis of Information Risk (FAIR) methodology [23], criteria designed to assess potential damage include:

• Damage related to equipment replacement costs;
• Downtime-related damage to the system;
• Damage associated with response costs;
• Reputational damage.

The first three criteria collectively impact financial damage; hence, we consolidated them into the “Financial Damage” criterion.

The “Reputational Damage” criterion reflects potential negative consequences for a company’s reputation in the event of risky situations. It represents a kind of “non-material” damage, and we have designated it as a separate criterion, “Reputational Damage”. Therefore, we have chosen two criteria to assess the level of incurred damage: Financial Damage and Reputational Damage (non-material losses).

Considering the selected criteria, a fuzzy model was developed to assess the level of information risk in industrial IoT systems. This model divides the process of assessing information risk into three sequential stages. In the first stage, the probability of threats occurring, $Y_1$, is evaluated. In the second stage, the assessment of damage inflicted on the protected assets of IIoT systems, $Y_2$, is calculated. In the third stage, the information security risk assessment, $R$, is computed.

In the process of implementing algorithms for assessing the probability of the occurrence of a threat and the level of inflicted damage, according to the standards and recommendations [18,19,20,21,22], it is necessary to compose input and output linguistic variables—membership functions of the corresponding analytical types. Next, it is necessary to create a rule base—a set of logical expressions that define a cause-and-effect relationship between input and output values. In conclusion, we carry out defuzzification—the calculation of a clear output value based on the resulting membership function of the output block. In particular, the following term sets are used here:

–

Very Low (VL);

–

Low (L);

–

Medium (M);

–

High (H);

–

Very High (VH).

The next step in the research is:

–

Determining the weights of input linguistic variables, the essence of which is to determine the weight of each input linguistic variable in the rule base. To calculate the weight of each criterion, the method of paired comparisons is used [24]. After filling in the matrix of paired comparisons, the eigenvector is calculated, and this makes it possible to find the weights of the criteria of linguistic variables. These, in turn, are used to calculate the risks of information security.

–

Implementation of the information security risk assessment model based on fuzzy logic. This takes place in two research stages:

–

Formation of a base of fuzzy production rules to determine the assessment of the probability of occurrence of a threat and assess the level of inflicted damage caused both in interval values and in describing the nature of the risk in the following categories:

–

Very low risk;

–

Low risk;

–

Medium risk;

–

High risk;

–

Very high risk.

–

Evaluation of the correctness of the risk level determination model, which summarizes the studies by obtaining the value:

–

The probability of occurrence of threats and the level of possible damage, and

–

The risk of information security of the industrial IoT environment.

3. Results

This section presents the key findings and results of the study aimed at solving information security problems in the IIoT environment. There are many factors that complicate the assessment of information security risks in the IIoT, such as system complexity, heterogeneity, agility, distributed infrastructure, a lack of standards and guidelines, and the increasing potential consequences of a security breach. The authors propose a comprehensive method for assessing information security risks based on the application of fuzzy set theory and the method of hierarchy analysis. The work analyzes information threats to IIoT systems and identifies the most significant criteria. A description of two fuzzy inference systems is presented, used to assess the likelihood of a threat occurring and the potential damage, on the basis of which an assessment of information security in the context of the IIoT is made. The authors also provide specific examples illustrating risk assessment calculations for information security in the IIoT environment based on the proposed method.

3.1. Algorithm for Assessing the Probability of Occurrence of a Threat

To assess the probability of occurrence of a threat, it is necessary to select input linguistic variables (LVs). According to standards and recommendations [18,19,20,21,22], the most preferable are the following LVs:

–

$C_1$—asset attractiveness;

–

$C_2$—existing control;

–

C₃ —previous incidents.

The output variable is $Y_1$—Probability of a threat occurring. For linguistic evaluation of input and output variables, the following term sets are used: Very Low (VL); Low (L); Medium (M); High (H); Very High (VH). When setting input and output LVs, it is necessary to set membership functions for fuzzy sets that characterize the term sets of LVs.

Criteria 1: $C_1$—asset attractiveness. To assess attractiveness, a questionnaire was used with answers “Yes” or “No”:

$$C_1=\{\begin{array}{cc}1,& \mathrm{if} “\mathrm{Yes}”,\\ 0,& \mathrm{if} “\mathrm{No}”,\end{array}$$

(2)

Indeed, for each of the following questions, an affirmative answer is 1, and a negative answer is 0:

• Is the asset significant to the organization’s business processes?
• Is the asset important to the achievement of the organization’s objectives?
• Is the asset unique to the organization?
• Are there alternatives that can replace the asset?
• Does the asset contain sensitive data?
• Are there safeguards that protect the confidentiality of the information asset?
• Is the asset intact and not subject to change?
• Are there safeguards that protect the integrity of the asset?
• Is the asset easily accessible to the right users?
• Are there safeguards that protect the asset from unauthorized access?

The maximum number of points is 10; the minimum is 0. To determine the values of the set of linguistic variables “Attractiveness of an asset”, a survey of 10 experts with experience and knowledge in the field of information security was used. The results of the experiment in the form of an auxiliary matrix are presented in

Table 1. Auxiliary matrix.

Values of Base Terms	Number of Score
	1	2	3	4	5	6	7	8	9	10
Very Low (VL)	10	7	2	0	0	0	0	0	0	0
Low (L)	0	3	7	5	2	0	0	0	0	0
Medium (M)	0	0	1	5	8	6	3	0	0	0
High (H)	0	0	0	0	0	4	5	6	1	0
Very High (VH)	0	0	0	0	0	0	2	4	9	10

(10 experts attributed the number of points equal to 1 to the term “Very low” and the number of points equal to 2 to the term “Very low”; 7 experts and 3 experts to the term “Low “, etc.)

To construct membership functions, we identify the maximum elements in the rows of the auxiliary table. The membership function is then calculated using the following formula [17]:

$$\mu \left(a_{ij}\right)=\frac{a_{ij}}{a_{imax}},$$

(3)

where $a_{ij}$ is the matrix element and $a_{imax}$ is the maximum element of the row.

From the obtained values of the membership functions of the terms of the linguistic variable $C_1$ (asset attractiveness), we created

Table 2. Resulting matrix.

Values of Base Terms	$\mathbf{Number}\mathbf{of}\mathbf{Score} \left({\mathit{\gamma }}_{\mathit{i}\mathit{j}}\right)$
	1	2	3	4	5	6	7	8	9	10
Very Low (VL)	1	0.7	0.2	0	0	0	0	0	0	0
Low (L)	0	0.43	1	0.71	0.29	0	0	0	0	0
Medium (M)	0	0	0.125	0.625	1	0.75	0.375	0	0	0
High (H)	0	0	0	0	0	0.5	0.8	1	0.17	0
Very High (VH)	0	0	0	0	0	0	0.2	0.4	0.9	1

.

Using the data from Table 2, we will plot the membership function LV “Asset attractiveness” (Appendix A, Figure A1).

Criteria 2: C₂,—existing control. The values of the input LV $C_2$—existing control are determined by the number of security measures in industrial systems and the change in the range [0, 8]. These measures include:

–

Protection of network nodes;

–

Monitoring of network activity;

–

Authentication and authorization;

–

Protection from physical attacks;

–

Protection against malicious programs;

–

Data security;

–

Data backup;

–

Training.

Hence, the normalized values of the LV $C_2$ can be determined using Formula (4):

$$C_2=\frac{N_m}{8},$$

(4)

where $N_m$—the number of Information Security methods used at an industrial facility—are found in

Table 3. Normalized values of $C_2$.

$${\mathit{N}}_{\mathit{m}}$$	1	2	3	4	5	6	7	8
C2	0.125	0.250	0.375	0.500	0.625	0.750	0.875	1.000

.

Using the data from Table 3, we will plot the membership function LV “Existing control” (Appendix A, Figure A2).

Criteria 3: $C_3$—previous incidents. The numeric values of variables C₃—previous incidents—vary in the range [0, 100] and are determined by the percentage of computers attacked in IIoT systems per year and can be expressed by the formula [25]:

$$C_3=\frac{N_p}{40\%},$$

(5)

where $N_p$ is the percentage of computers attacked in an IIoT system per year, and 40% is the maximum permissible value.

According to the data in

Table 4. Normalized values of $C_3$.

$${\mathit{N}}_{\mathit{p}}$$	5%	10%	15%	20%	25%	30%	35%	40% and Higher
C3	0.125	0.250	0.375	0.500	0.625	0.750	0.875	1.000

, let us plot the membership functions of the LV “Previous incidents” (Appendix A, Figure A3).

Output variable $Y_1$—Probability of threat occurrence–is the process of determining the likelihood that a threat will occur in the future. The likelihood of threats being implemented may depend on various factors, such as the importance of information assets, the availability of appropriate security controls at the software, technical, administrative, and procedural control levels, as well as previous cases of security breaches.

Let us define terms for the output LV “Probability of threat occurrence”: ‘Very Low’, ‘Low’, ‘Moderate’, ‘High’, ‘Very High’. The descriptions of the terms are provided in

Table 5. Description of the terms for the LV “Probability of threat occurrence”.

Term	Meaning	Description
Very low	0–0.3	There are no objective prerequisites for the emergence of a threat
Low	0.2–0.5	Some prerequisites for the emergence of a threat exist, but the security measures taken significantly complicate its implementation
Average	0.4–0.7	Objective prerequisites for the emergence of a threat exist, and the number of security measures is sufficient to neutralize it
High	0.6–0.9	Objective prerequisites for the emergence of a threat exist, and the number of security measures is insufficient
Very high	0.8–1	Objective prerequisites for a threat exist, and security measures have not been taken

.

Using the data from Table 5, we will plot the membership function LV “Probability of threat occurrence” (Appendix A, Figure A4).

As a result, the input linguistic variables for the first stage were set, and the sets of terms and their membership functions were determined. These variables are used to determine the probability of a threat occurrence.

3.2. Algorithm for Assessing the Level of Inflicted Damage

In this section, the following criteria were used to assess the level of inflicted damage caused (input variables):

–

$C_4$—Financial damage;

–

$C_5$—Reputational damage.

The output variable $Y_2$ reflects the level of inflicted damage.

Criteria 4: $C_4$,—financial damage. The numerical value of the variable is [0, 100] and it is determined as a percentage of the costs of responding to an attack and restoring systems, fines, the cost of monitoring services, and damage from downtime and disruption of operations. To calculate it, we use the Return on Investment (ROI) method [26]:

$$C_4=\frac{ALE}{D}·100\%$$

(6)

where $ALE$ is the expected annual losses; D is the annual income. This allows us to obtain normalized values for the fourth criterion of financial damage (see

Table 6. Normalized values of $C_4$.

	1%	2%	3%	4%	5%	6%	7%	8%	9%	10%
C4	0.1	0.2	0.3	0.4	0.5	0.6	0.7	0.8	0.9	1.0

).

Let us define terms for the output LV “Financial damage”: ‘Very Low’, ‘Low’, ‘Moderate’, ‘High’, ‘Very High’. The descriptions of the terms are provided in

Table 7. Description of the terms for the LV “Financial damage”.

Term	Description
Very low	Minor damage, less than 1% of annual income
Low	Low damage, 2–4% of annual income
Average	Noticeable damage, 4–7% of annual income
High	Large damage, 7–10% of annual income
Very high	Very large damage, more than 10% of annual income

.

Using the data from Table 7, we will plot the membership function LV “Financial damage” (Appendix A, Figure A5).

Criteria 4: $C_5$—Reputational damage. The numerical value of the variable [0, 100] is determined as a percentage of losses due to the negative attitude of customers, partners, and investors towards the company. Let us try to estimate reputational damage as expected losses due to the negative attitude of clients, partners, and investors, divided by annual income [27]:

$$C_5=\frac{P}{D}·100\%,$$

(7)

where $P$ reflects losses due to the negative attitude of customers, partners, and investors towards the company over the past year; $D$ reflects annual income. This allows us to obtain normalized values for the fifth criterion of reputational damage (see

Table 8. Normalized values of $C_5$.

	1%	2%	3%	4%	5%	6%	7%	8%	9%	10%
C5	0.1	0.2	0.3	0.4	0.5	0.6	0.7	0.8	0.9	1.0

).

We understand that reputational damage is difficult to quantify and such an estimate will be approximate. However, this approach can help estimate how much of an organization’s annual revenue could be lost due to reputational damage following a cyberattack.

Let us define terms for the output LV “Reputational damage”: ‘Very Low’, ‘Low’, ‘Moderate’, ‘High’, ‘Very High’. The descriptions of the terms are provided in

Table 9. Description of the terms for the LV “Reputational damage”.

Term	Description
Very low	Minor damage, less than 1% of annual income
Low	Low damage, 2–4% of annual income
Average	Noticeable damage, 4–7% of annual income
High	Large damage, 7–10% of annual income
Very high	Very large damage, more than 10% of annual income

.

Using the data from Table 9, we will plot the membership function LV “Reputational damage” (Appendix A, Figure A6).

The output variable $Y_2$—the level of inflicted damage is the process of determining the financial, operational, reputational, and other losses that may arise as a result of an information security breach. Potential damage is the sum of all the costs that an organization will incur in the implementation of threats to the assets of an industrial IoT system.

Let us define terms for the output LV “Level of inflicted damage”: ‘Very Low’, ‘Low’, ‘Moderate’, ‘High’, ‘Very High’. The descriptions of the terms are provided in

Table 10. Description of the terms for the LV “Level of inflicted damage”.

Term	Meaning	Description
Very low	0–0.3	The level of damage caused has virtually no effect on the operation of the facility
Low	0.2–0.5	The level of damage caused slightly affects the operation of the facility
Average	0.4–0.7	The level of damage caused makes it difficult for the facility to operate
High	0.6–0.9	The level of damage caused has a significant impact on the operation of the facility
Very high	0.8–1	The level of damage caused greatly affects the operation of the facility

.

Using the data from Table 10, we will plot the membership function LV “Level of inflicted damage” (Appendix A, Figure A7).

As a result, the input linguistic variables for the second stage were set, and the sets of terms and their membership functions were determined. With the help of these variables, the level of inflicted damage is determined. The output LV “Level of inflicted damage“ was also set, and term-sets were defined and described.

3.3. Determining the Weights of Input Linguistic Variables

To assess the risk of information security, it is necessary to determine the weight for each input linguistic variable in the rule base. Let n elements or n objects be given. Then the calculation of the weight of each criterion is made using the method of paired comparisons—a statistical tool that is used to assess the relative preferences between different options or alternatives [17]. Based on the results of the expert’s survey, a matrix of paired comparisons is built $=\left(a_{ij}\right),$ $i, j=1, 2, \dots , n$:

$$A={\left(a_{ij}\right)}_{i, j=1, 2, \dots , n}=\left[\begin{array}{c}\begin{array}{c}{a}_{11}\\ a_{21}\end{array}\\ ⋮\\ a_{n1}\end{array} \begin{array}{c}\begin{array}{c}{a}_{12}\\ a_{22}\end{array}\\ ⋮\\ a_{n2}\end{array} \begin{array}{c}\begin{array}{c}\dots \\ \dots \end{array}\\ ⋮\\ \dots \end{array} \begin{array}{c}\begin{array}{c}{a}_{1n}\\ a_{2n}\end{array}\\ ⋮\\ a_{nn}\end{array}\right],$$

(8)

where the number $a_{ij}$ shows how many times, according to the expert, the degree of importance of one element $x_i$ is greater than the degree of importance of element x_j in the set $S$, or in terms of the membership function, the value µ_s(x_i) is greater than µ_s(x_j). At the same time, the expert operates with these concepts guided by the comparison scale according to the Saaty method [24] (see

Table 11. Scales for comparing two elements according to the Saaty method.

Comparing Two Elements	Value
$\mathrm{Both}\mathrm{elements}\mathrm{are}\mathrm{equally}\mathrm{important}:{\mu }_S\left(x_i\right)$$\mathrm{equals}{\mu }_S\left(x_j\right)$	1
$\mathrm{One}\mathrm{element}\mathrm{is}\mathrm{slightly}\mathrm{more}\mathrm{important}\mathrm{than}\mathrm{another}\mathrm{element}:{\mu }_S\left(x_i\right)$$\mathrm{is}\mathrm{slightly}\mathrm{larger}\mathrm{than}{\mu }_S\left(x_j\right)$	3
$\mathrm{One}\mathrm{element}\mathrm{is}\mathrm{clearly}\mathrm{more}\mathrm{important}\mathrm{than}\mathrm{the}\mathrm{other}:{\mu }_S\left(x_i\right)$$\mathrm{is}\mathrm{greater}\mathrm{than}{\mu }_S\left(x_j\right)$	5
$\mathrm{One}\mathrm{element}\mathrm{is}\mathrm{significantly}\mathrm{more}\mathrm{important}\mathrm{than}\mathrm{another}\mathrm{element}:{\mu }_S\left(x_i\right)$$\mathrm{is}\mathrm{noticeably}\mathrm{larger}\mathrm{than}{\mu }_S\left(x_j\right)$	7
$\mathrm{One}\mathrm{element}\mathrm{is}\mathrm{absolutely}\mathrm{more}\mathrm{important}\mathrm{than}\mathrm{another}\mathrm{element}:{\mu }_S\left(x_i\right)$$\mathrm{is}\mathrm{much}\mathrm{larger}\mathrm{than}{\mu }_S\left(x_j\right)$	9
Values intermediate in degree between those listed	2, 4, 6, 8

).

The elements of the matrix of paired comparisons, symmetrical with respect to the diagonal of the matrix, must satisfy the requirement:

$$a_{ij}=\frac{1}{a_{ij}}.$$

(9)

This condition (8) means that if the membership degree of element $x_i$ is $a_{ij}$ times stronger than the membership degree of element $x_j$, then the membership degree of element $x_j$ must be $1/a_{ij}$ times stronger than the membership degree of element $x_i$. Then the problem of constructing the membership function is reduced to finding the eigenvector E of the matrix $A$ corresponding to the largest eigenvalue of the matrix, that is, the vector that is the solution to the equation

$$A·E=E·e_{max}$$

(10)

where $e_{max}$ is the largest eigenvalue of a matrix $A$.

Further, for each element of the matrix of pairwise comparisons, a certain weight ${\omega }_i$, $i=1,\dots ,n$, is determined, and the condition ${\omega }_1+\dots +{\omega }_n=1$ is satisfied. Then we can construct a matrix $V$ of relative weights:

$$V={\left(v_{ij}\right)}_{i, j=1, 2, \dots , n} =\left[\begin{array}{c}\begin{array}{c}{\omega }_1/{\omega }_1\\ {\omega }_2/{\omega }_1\end{array}\\ ⋮\\ {\omega }_n/{\omega }_1\end{array} \begin{array}{c}\begin{array}{c}{\omega }_1/{\omega }_2\\ {\omega }_2/{\omega }_2\end{array}\\ ⋮\\ {\omega }_n/{\omega }_2\end{array} \begin{array}{c}\begin{array}{c}\dots \\ \dots \end{array}\\ ⋮\\ \dots \end{array} \begin{array}{c}\begin{array}{c}{\omega }_1/{\omega }_n\\ {\omega }_2/{\omega }_n\end{array}\\ ⋮\\ {\omega }_n/{\omega }_n\end{array}\right]$$

(11)

where each element $v_{ij}>0$ of the matrix of relative weights (38) is the ratio of the weight of the $i$-th object $a_i$ to the weight of the $j$-th object $a_j$, i.e., $v_{ij}={\omega }_i/{\omega }_j$ for any $i, j=1, 2, \dots , n$. Matrix elements located symmetrically with respect to the main diagonal are inverse to each other, i.e., $v_{ij}=1/v_{ji}$ for any $i, j=1, 2, \dots , n$.

After filling in the matrix of paired comparisons (38), the eigenvector is calculated, and for this the sum and product method and the square root method are used ([24,25]):

$$e_i=\sqrt[n]{{\displaystyle \prod }_{j=1}^n{a}_{ij}}, i=1, 2, \dots ,n.$$

(12)

Next, to find the weights of the criteria, we use

$${\omega }_i=\frac{e_i}{{{\displaystyle \sum }}_{j=1}^n{e}_j}, i=1, 2, \dots ,n.$$

(13)

In conclusion, we note that on the basis of the implementation of algorithms (8)–(13), we obtained expert and calculated results of the study:

–

Expert estimates of respondents (i)–(v) on the values of pairwise comparison coefficients, $e_i^{\left(\mathrm{i}\right)},e_i^{\left(\mathrm{ii}\right)},\dots ,e_i^{\left(\mathrm{v}\right)}, i=\overline{1,3}$—eigenvector and ${\omega }_i^{\left(\mathrm{i}\right)},{\omega }_i^{\left(\mathrm{ii}\right)},$ $\dots ,$ ${\omega }_i^{\left(\mathrm{v}\right)},$ $i=\overline{1,3}$—values of weights according to criteria $C_1$, $C_2$ и $C_3$ (see

Table A1. The results of assessments by experts (i) and (ii) by pairwise comparison coefficients, eigenvector, and weight values by criteria $C_1$, $C_2$, and $C_3$.

Input Variables	Expert (i)					Expert (ii)
	${\mathit{C}}_1$	${\mathit{C}}_2$	${\mathit{C}}_3$	${\mathit{e}}_{\mathit{i}}^{\left(\mathbf{i}\right)}$	${\mathit{\omega }}_{\mathrm{i}}^{\left(\mathbf{i}\right)}$	${\mathit{C}}_1$	${\mathit{C}}_2$	${\mathit{V}}_3$	${\mathit{e}}_{\mathit{i}}^{\left(\mathbf{i}\mathbf{i}\right)}$	${\mathit{\omega }}_{\mathit{i}}^{\left(\mathbf{i}\mathbf{i}\right)}$
$\mathrm{Asset}\mathrm{attractiveness}\left(C_1\right)$	1.0	0.5	3.0	1.14	0.3487	1.0	1.0	2.0	1.26	0.3474
$\mathrm{Existing}\mathrm{control} \left(C_2\right)$	2.0	1.0	2.0	1.59	0.4836	1.0	1.0	3.0	1.44	0.4434
$\mathrm{Previous}\mathrm{incidents} \left(C_3\right)$	0.3	0.5	1.0	0.55	0.1677	0.3	0.5	1.0	0.55	0.1692

,

Table A2. Results of evaluations by experts (iii) and (iv) by pairwise comparison coefficients, eigenvector, and weight values by criteria $C_1$, $C_2$, and $C_3$.

Input Variables	Expert (iii)					Expert (iv)
	${\mathit{C}}_1$	${\mathit{C}}_2$	${\mathit{C}}_3$	${\mathit{e}}_{\mathit{i}}^{\left(\mathbf{i}\mathbf{i}\mathbf{i}\right)}$	${\mathit{\omega }}_{\mathit{i}}^{\left(\mathbf{i}\mathbf{i}\mathbf{i}\right)}$	${\mathit{C}}_1$	${\mathit{C}}_2$	${\mathit{C}}_3$	${\mathit{e}}_{\mathit{i}}^{\left(\mathbf{i}\mathbf{v}\right)}$	${\mathit{\omega }}_{\mathit{i}}^{\left(\mathbf{i}\mathbf{v}\right)}$
$\mathrm{Asset}\mathrm{attractiveness}\left(C_1\right)$	1.0	2.0	1.0	1.26	0.4126	1.0	0.5	2.0	1.00	0.3711
$\mathrm{Existing}\mathrm{control} \left(C_2\right)$	0.5	1.0	2.0	1.00	0.3275	0.5	1.0	3.0	1.14	0.4247
$\mathrm{Previous}\mathrm{incidents} \left(C_3\right)$	1.0	0.5	1.0	0.79	0.2599	0.5	0.3	1.0	0.55	0.2042

and

Table A3. The results of assessments by experts (v) by the coefficients of pairwise comparison, eigenvector, and weight values according to criteria $C_1$, $C_2$, and $C_3$ and the weight value of those assessing the probability of threats.

Input Variables	Expert (v)					Criteria Weights
	${\mathit{C}}_1$	${\mathit{C}}_2$	${\mathit{C}}_3$	${\mathit{e}}_{\mathit{i}}^{\left(\mathbf{v}\right)}$	${\mathit{\omega }}_{\mathit{i}}^{\left(\mathbf{v}\right)}$	${\mathit{\omega }}_{\mathit{i}}^{\left(\mathbf{i}\right)}$	${\mathit{\omega }}_{\mathit{i}}^{\left(\mathbf{i}\mathbf{i}\right)}$	${\mathit{\omega }}_{\mathit{i}}^{\left(\mathbf{i}\mathbf{i}\mathbf{i}\right)}$	${\mathit{\omega }}_{\mathit{i}}^{\left(\mathbf{i}\mathbf{v}\right)}$	${\mathit{\omega }}_{\mathit{i}}$
$\mathrm{Asset}\mathrm{attractiveness}\left(C_1\right)$	1.0	2.0	1.0	1.26	0.5396	0.3487	0.3474	0.4126	0.3711	0.4119
$\mathrm{Existing}\mathrm{control} \left(C_2\right)$	0.5	1.0	2.0	1.00	0.2970	0.4836	0.4434	0.3275	0.4247	0.3952
$\mathrm{Previous}\mathrm{incidents} \left(C_3\right)$	1.0	0.5	1.0	0.79	0.1634	0.1677	0.1692	0.2599	0.2042	0.1929

, Appendix A);

–

Calculated ${\omega }_i,$ $i=\overline{1,3}$ values of weights estimating the level $Y_1$—threat occurrence probability (see Table A3, Appendix A);

–

Calculated ${\omega }_i^{\left(\mathrm{i}\right)},{\omega }_i^{\left(\mathrm{ii}\right)},$ $\dots ,$ ${\omega }_i^{\left(\mathrm{v}\right)},$ and $\omega ·i=\overline{4,5}$ values $e_i^{\left(v\right)}$ according to criteria C₄ and $C_5$ assessing the level of $Y_2$—the damage caused (see

Table A4. The results of assessments by experts (i)–(v) by the coefficients of pairwise comparison, eigenvector, and weight values according to criteria $C_4$, $C_5$, and the weight value estimating the level of inflicted damage.

Input Variables		Criteria Weights
	${\mathit{\omega }}_{\mathit{i}}^{\left(\mathbf{i}\right)}$	${\mathit{\omega }}_{\mathit{i}}^{\left(\mathbf{i}\mathbf{i}\right)}$	${\mathit{\omega }}_{\mathit{i}}^{\left(\mathbf{i}\mathbf{i}\mathbf{i}\right)}$	${\mathit{\omega }}_{\mathit{i}}^{\left(\mathbf{i}\mathbf{v}\right)}$	${\mathit{\omega }}_{\mathit{i}}^{\left(\mathbf{v}\right)}$	${\mathit{\omega }}_{\mathit{i}}$
$\mathrm{Financial}\cos \mathrm{ts}\left(C_4\right)$	0.6667	0.3333	0.6667	0.7500	0.5000	0.5833
$\mathrm{Reputation}\mathrm{damage} \left(C_5\right)$	0.3333	0.6667	0.3333	0.2500	0.5000	0.4167

, Appendix A).

3.4. Implementation of the Information Security Risk Assessment Model Based on Fuzzy Logic

3.4.1. Formation of a Base of Fuzzy Production Rules

The rule base of fuzzy inference systems is formed on the basis of predefined input and output linguistic variables. After fuzzy input and output variables, membership functions, as well as weight coefficients of criteria $C_1-C_5$ were defined, the following were created:

–

Information base of fuzzy production rules for evaluating $Y_1$—probability of occurrence of threats (total 125 rules)—with the values of the terms of the input linguistic variable $C_1$—attractiveness of assets—with a weight coefficient ${\omega }_1$ = 0.4126; $C_2$—existing control—with a weight coefficient ${\omega }_2$ = 0.3952; $C_3$—previous incidents—with weight coefficient ${\omega }_3$ = 0.1929; Very low—0.2, Low—0.4, Medium—0.6, High—0.8; Very high—1.0 and the calculated values of the term boundaries of the output linguistic variable $Y_1$—probability of occurrence of a threat: Very low—[0.0; 0.3], Low—(0.3; 0.5], Medium—(0.5; 0.7], High—(0.7; 0.9], Very High—(0.9; 1.0]) (see

Table A5. The base of production rules for assessing $Y_1$—the probability of occurrence of threats.

(i)	(ii)	(iii)	(iv)	(v)	(vi)	(vii)	(viii)	(ix)	(i)	(ii)	(iii)	(iv)	(v)	(vi)	(vii)	(viii)	(ix)
1	VL	0.2	VL	1.0	VL	0.2	0.52	VL	64	M	0.6	M	0.6	H	0.8	0.64	M
2	VL	0.2	VL	1.0	L	0.4	0.55	VL	65	M	0.6	M	0.6	VH	1.0	0.68	M
3	VL	0.2	VL	1.0	M	0.6	0.59	VL	66	M	0.6	H	0.4	VL	0.2	0.44	M
4	VL	0.2	VL	1.0	H	0.8	0.63	L	67	M	0.6	H	0.4	L	0.4	0.48	M
5	VL	0.2	VL	1.0	VH	1.0	0.67	L	68	M	0.6	H	0.4	M	0.6	0.52	M
6	VL	0.2	L	0.8	VL	0.2	0.44	VL	69	M	0.6	H	0.4	H	0.8	0.56	H
7	VL	0.2	L	0.8	L	0.4	0.48	L	70	M	0.6	H	0.4	VH	1.0	0.60	H
8	VL	0.2	L	0.8	M	0.6	0.51	L	71	M	0.6	VH	0.2	VL	0.2	0.36	M
9	VL	0.2	L	0.8	H	0.8	0.55	L	72	M	0.6	VH	0.2	L	0.4	0.40	H
10	VL	0.2	L	0.8	VH	1.0	0.59	L	73	M	0.6	VH	0.2	M	0.6	0.44	H
11	VL	0.2	M	0.6	VL	0.2	0.36	L	74	M	0.6	VH	0.2	H	0.8	0.48	H
12	VL	0.2	M	0.6	L	0.4	0.40	L	75	M	0.6	VH	0.2	VH	1.0	0.52	H
13	VL	0.2	M	0.6	M	0.6	0.44	L	76	H	0.8	VL	1.0	VL	0.2	0.76	L
14	VL	0.2	M	0.6	H	0.8	0.47	L	77	H	0.8	VL	1.0	L	0.4	0.80	L
15	VL	0.2	M	0.6	VH	1.0	0.51	M	78	H	0.8	VL	1.0	M	0.6	0.84	M
16	VL	0.2	H	0.4	VL	0.2	0.28	L	79	H	0.8	VL	1.0	H	0.8	0.88	M
17	VL	0.2	H	0.4	L	0.4	0.32	L	80	H	0.8	VL	1.0	VH	1.0	0.92	M
18	VL	0.2	H	0.4	M	0.6	0.36	M	81	H	0.8	L	0.8	VL	0.2	0.68	M
19	VL	0.2	H	0.4	H	0.8	0.39	M	82	H	0.8	L	0.8	L	0.4	0.72	M
20	VL	0.2	H	0.4	VH	1.0	0.43	M	83	H	0.8	L	0.8	M	0.6	0.76	M
21	VL	0.2	VH	0.2	VL	0.2	0.20	M	84	H	0.8	L	0.8	H	0.8	0.80	M
22	VL	0.2	VH	0.2	L	0.4	0.24	M	85	H	0.8	L	0.8	VH	1.0	0.84	M
23	VL	0.2	VH	0.2	M	0.6	0.28	M	86	H	0.8	M	0.6	VL	0.2	0.61	M
24	VL	0.2	VH	0.2	H	0.8	0.32	M	87	H	0.8	M	0.6	L	0.4	0.64	M
25	VL	0.2	VH	0.2	VH	1.0	0.35	M	88	H	0.8	M	0.6	M	0.6	0.68	M
26	L	0.4	VL	1.0	VL	0.2	0.60	VL	89	H	0.8	M	0.6	H	0.8	0.72	H
27	L	0.4	VL	1.0	L	0.4	0.64	L	90	H	0.8	M	0.6	VH	1.0	0.76	H
28	L	0.4	VL	1.0	M	0.6	0.68	L	91	H	0.8	H	0.4	VL	0.2	0.53	M
29	L	0.4	VL	1.0	H	0.8	0.71	L	92	H	0.8	H	0.4	L	0.4	0.56	H
30	L	0.4	VL	1.0	VH	1.0	0.75	L	93	H	0.8	H	0.4	M	0.6	0.60	H
31	L	0.4	L	0.8	VL	0.2	0.52	L	94	H	0.8	H	0.4	H	0.8	0.64	H
32	L	0.4	L	0.8	L	0.4	0.56	L	95	H	0.8	H	0.4	VH	1.0	0.68	H
33	L	0.4	L	0.8	M	0.6	0.60	L	96	H	0.8	VH	0.2	VL	0.2	0.45	H
34	L	0.4	L	0.8	H	0.8	0.64	L	97	H	0.8	VH	0.2	L	0.4	0.49	H
35	L	0.4	L	0.8	VH	1.0	0.67	M	98	H	0.8	VH	0.2	M	0.6	0.52	H
36	L	0.4	M	0.6	VL	0.2	0.44	L	99	H	0.8	VH	0.2	H	0.8	0.56	H
37	L	0.4	M	0.6	L	0.4	0.48	L	100	H	0.8	VH	0.2	VH	1.0	0.60	VH
38	L	0.4	M	0.6	M	0.6	0.52	M	101	VH	1.0	VL	1.0	VL	0.2	0.85	M
39	L	0.4	M	0.6	H	0.8	0.56	M	102	VH	1.0	VL	1.0	L	0.4	0.88	M
40	L	0.4	M	0.6	VH	1.0	0.59	M	103	VH	1.0	VL	1.0	M	0.6	0.92	M
41	L	0.4	H	0.4	VL	0.2	0.36	M	104	VH	1.0	VL	1.0	H	0.8	0.96	M
42	L	0.4	H	0.4	L	0.4	0.40	M	105	VH	1.0	VL	1.0	VH	1.0	1.00	M
43	L	0.4	H	0.4	M	0.6	0.44	M	106	VH	1.0	L	0.8	VL	0.2	0.77	M
44	L	0.4	H	0.4	H	0.8	0.48	M	107	VH	1.0	L	0.8	L	0.4	0.81	M
45	L	0.4	H	0.4	VH	1.0	0.52	M	108	VH	1.0	L	0.8	M	0.6	0.84	M
46	L	0.4	VH	0.2	VL	0.2	0.28	M	109	VH	1.0	L	0.8	H	0.8	0.88	H
47	L	0.4	VH	0.2	L	0.4	0.32	M	110	VH	1.0	L	0.8	VH	1.0	0.92	H
48	L	0.4	VH	0.2	M	0.6	0.36	M	111	VH	1.0	M	0.6	VL	0.2	0.69	M
49	L	0.4	VH	0.2	H	0.8	0.40	H	112	VH	1.0	M	0.6	L	0.4	0.73	H
50	L	0.4	VH	0.2	VH	1.0	0.44	H	113	VH	1.0	M	0.6	M	0.6	0.76	H
51	M	0.6	VL	1.0	VL	0.2	0.68	L	114	VH	1.0	M	0.6	H	0.8	0.80	H
52	M	0.6	VL	1.0	L	0.4	0.72	L	115	VH	1.0	M	0.6	VH	1.0	0.84	H
53	M	0.6	VL	1.0	M	0.6	0.76	L	116	VH	1.0	H	0.4	VL	0.2	0.61	H
54	M	0.6	VL	1.0	H	0.8	0.80	L	117	VH	1.0	H	0.4	L	0.4	0.65	H
55	M	0.6	VL	1.0	VH	1.0	0.84	M	118	VH	1.0	H	0.4	M	0.6	0.69	H
56	M	0.6	L	0.8	VL	0.2	0.60	L	119	VH	1.0	H	0.4	H	0.8	0.72	H
57	M	0.6	L	0.8	L	0.4	0.64	L	120	VH	1.0	H	0.4	VH	1.0	0.76	VH
58	M	0.6	L	0.8	M	0.6	0.68	M	121	VH	1.0	VH	0.2	VL	0.2	0.53	H
59	M	0.6	L	0.8	H	0.8	0.72	M	122	VH	1.0	VH	0.2	L	0.4	0.57	H
60	M	0.6	L	0.8	VH	1.0	0.76	M	123	VH	1.0	VH	0.2	M	0.6	0.61	VH
61	M	0.6	M	0.6	VL	0.2	0.52	M	124	VH	1.0	VH	0.2	H	0.8	0.65	VH
62	M	0.6	M	0.6	L	0.4	0.56	M	125	VH	1.0	VH	0.2	VH	1.0	0.68	VH
63	M	0.6	M	0.6	M	0.6	0.60	M

where (i)—is a serial number; (ii)–(iii)—the value of the term of the input linguistic variable $C_1$—Attractiveness of assets with a weighting coefficient ω₁ = 0.4126; (iv)–(v)—value of the term of the input linguistic variable C₂—Existing control with a weight coefficient ω₂ = 0.3952; (vi)–(vii)—value of the term of the input linguistic variable C₃—Previous incidents with a weight coefficient ω₃ = 0.1929; (viii)–(ix)—calculated value of the term of the output linguistic variable Y₁—Probability of occurrence of a threat.

, Appendix A).

–

Aggregate fuzzy rules for assessing the probability of occurrence of a threat. Note that aggregation is the process of combining the output parameters of each rule into one fuzzy set. The rules for aggregating fuzzy products are carried out using the classical fuzzy logical operation “AND” of two elementary statements [24,28]. For example, the output variable $Y_1$ – the probability of occurrence of a threat occurring–takes on the value “Very Low” in rules No. 1, 2, 3, 6, and 26, which can be combined using a conjunction. As a result of the aggregation of the resulting rules, fuzzy causal relationships between antecedents and consequents were obtained (see

Table A6. Aggregated fuzzy rules for assessing $Y_1$—the probability of occurrence of a threat.

(i)	(ii)			(iii)
R1	(C1 = VL) ∧ (C2 = VL) ∧ (C3 = VL) ∨ (C1 = VL) ∧ (C2 = VL) ∧ (C3 = L) ∨	(C1 = VL) ∧ (C2 = VL) ∧ (C3 = M) ∨ (C1 = VL) ∧ (C2 = L) ∧ (C3 = VL) ∨	(C1 = L) ∧ (C2 = VL) ∧ (C3 = VL)	Y1 = VL
R2	(C1 = VL) ∧ (C2 = VL) ∧ (C3 = H) ∨ (C1 = VL) ∧ (C2 = VL) ∧ (C3 = VH) ∨ (C1 = VL) ∧ (C2 = L) ∧ (C3 = L) ∨ (C1 = VL) ∧ (C2 = L) ∧ (C3 = M) ∨ (C1 = VL) ∧ (C2 = L) ∧ (C3 = H) ∨ (C1 = VL) ∧ (C2 = L) ∧ (C3 = VH) ∨ (C1 = VL) ∧ (C2 = M) ∧ (C3 = VL) ∨ (C1 = VL) ∧ (C2 = M) ∧ (C3 = L) ∨ (C1 = VL) ∧ (C2 = M) ∧ (C3 = M) ∨ (C1 = VL) ∧ (C2 = M) ∧ (C3 = H) ∨	(C1 = VL) ∧ (C2 = H) ∧ (C3 = VL) ∨ (C1 = VL) ∧ (C2 = H) ∧ (C3 = L) ∨ (C1 = L) ∧ (C2 = VL) ∧ (C3 = L) ∨ (C1 = L) ∧ (C2 = VL) ∧ (C3 = M) ∨ (C1 = L) ∧ (C2 = VL) ∧ (C3 = H) ∨ (C1 = L) ∧ (C2 = VL) ∧ (C3 = VH) ∨ (C1 = L) ∧ (C2 = L) ∧ (C3 = VL) ∨ (C1 = L) ∧ (C2 = L) ∧ (C3 = L) ∨ (C1 = L) ∧ (C2 = L) ∧ (C3 = M) ∨ (C1 = L) ∧ (C2 = L) ∧ (C3 = H) ∨	(C1 = L) ∧ (C2 = M) ∧ (C3 = VL) ∨ (C1 = L) ∧ (C2 = M) ∧ (C3 = L) ∨ (C1 = M) ∧ (C2 = VL) ∧ (C3 = VL) ∨ (C1 = M) ∧ (C2 = VL) ∧ (C3 = L) ∨ (C1 = M) ∧ (C2 = VL) ∧ (C3 = M) ∨ (C1 = M) ∧ (C2 = VL) ∧ (C3 = H) ∨ (C1 = M) ∧ (C2 = L) ∧ (C3 = VL) ∨ (C1 = M) ∧ (C2 = L) ∧ (C3 = L) ∨ (C1 = H) ∧ (C2 = VL) ∧ (C3 = VL) ∨ (C1 = H) ∧ (C2 = VL) ∧ (C3 = L)	Y1 = L
R3	(C1 = VL) ∧ (C2 = M) ∧ (C3 = VH) ∨ (C1 = VL) ∧ (C2 = H) ∧ (C3 = M) ∨ (C1 = VL) ∧ (C2 = H) ∧ (C3 = H) ∨ (C1 = VL) ∧ (C2 = H) ∧ (C3 = VH) ∨ (C1 = VL) ∧ (C2 = VH) ∧ (C3 = VL) ∨ (C1 = VL) ∧ (C2 = VH) ∧ (C3 = L) ∨ (C1 = VL) ∧ (C2 = VH) ∧ (C3 = M) ∨ (C1 = VL) ∧ (C2 = VH) ∧ (C3 = H) ∨ (C1 = VL) ∧ (C2 = VH) ∧ (C3 = VH) ∨ (C1 = L) ∧ (C2 = L) ∧ (C3 = VH) ∨ (C1 = L) ∧ (C2 = M) ∧ (C3 = M) ∨ (C1 = L) ∧ (C2 = M) ∧ (C3 = H) ∨ (C1 = L) ∧ (C2 = M) ∧ (C3 = VH) ∨ (C1 = L) ∧ (C2 = H) ∧ (C3 = VL) ∨ (C1 = L) ∧ (C2 = H) ∧ (C3 = L) ∨ (C1 = L) ∧ (C2 = H) ∧ (C3 = M) ∨ (C1 = L) ∧ (C2 = H) ∧ (C3 = H) ∨ (C1 = L) ∧ (C2 = H) ∧ (C3 = VH) ∨ (C1 = L) ∧ (C2 = VH) ∧ (C3 = VL) ∨	(C1 = L) ∧ (C2 = VH) ∧ (C3 = L) ∨ (C1 = L) ∧ (C2 = VH) ∧ (C3 = M) ∨ (C1 = M) ∧ (C2 = VL) ∧ (C3 = VH) ∨ (C1 = M) ∧ (C2 = L) ∧ (C3 = M) ∨ (C1 = M) ∧ (C2 = L) ∧ (C3 = H) ∨ (C1 = M) ∧ (C2 = L) ∧ (C3 = VH) ∨ (C1 = M) ∧ (C2 = M) ∧ (C3 = VL) ∨ (C1 = M) ∧ (C2 = M) ∧ (C3 = L) ∨ (C1 = M) ∧ (C2 = M) ∧ (C3 = M) ∨ (C1 = M) ∧ (C2 = M) ∧ (C3 = H) ∨ (C1 = M) ∧ (C2 = M) ∧ (C3 = VH) ∨ (C1 = M) ∧ (C2 = H) ∧ (C3 = VL) ∨ (C1 = M) ∧ (C2 = H) ∧ (C3 = L) ∨ (C1 = M) ∧ (C2 = H) ∧ (C3 = M) ∨ (C1 = M) ∧ (C2 = VH) ∧ (C3 = VL) ∨ (C1 = H) ∧ (C2 = VL) ∧ (C3 = M) ∨ (C1 = H) ∧ (C2 = VL) ∧ (C3 = H) ∨ (C1 = H) ∧ (C2 = VL) ∧ (C3 = VH) ∨ (C1 = H) ∧ (C2 = L) ∧ (C3 = VL) ∨	(C1 = H) ∧ (C2 = L) ∧ (C3 = L) ∨ (C1 = H) ∧ (C2 = L) ∧ (C3 = M) ∨ (C1 = H) ∧ (C2 = L) ∧ (C3 = H) ∨ (C1 = H) ∧ (C2 = L) ∧ (C3 = VH) ∨ (C1 = H) ∧ (C2 = M) ∧ (C3 = VL) ∨ (C1 = H) ∧ (C2 = M) ∧ (C3 = L) ∨ (C1 = H) ∧ (C2 = M) ∧ (C3 = M) ∨ (C1 = H) ∧ (C2 = H) ∧ (C3 = VL) ∨ (C1 = VH) ∧ (C2 = VL) ∧ (C3 = VL) ∨ (C1 = VH) ∧ (C2 = VL) ∧ (C3 = L) ∨ (C1 = VH) ∧ (C2 = VL) ∧ (C3 = M) ∨ (C1 = VH) ∧ (C2 = VL) ∧ (C3 = H) ∨ (C1 = VH) ∧ (C2 = VL) ∧ (C3 = VH) ∨ (C1 = VH) ∧ (C2 = L) ∧ (C3 = VL) ∨ (C1 = VH) ∧ (C2 = L) ∧ (C3 = L) ∨ (C1 = VH) ∧ (C2 = L) ∧ (C3 = M) ∨ (C1 = VH) ∧ (C2 = M) ∧ (C3 = VL)	Y1 = M
R4	(C1 = L) ∧ (C2 = VH) ∧ (C3 = H) ∨ (C1 = L) ∧ (C2 = VH) ∧ (C3 = VH) ∨ (C1 = M) ∧ (C2 = H) ∧ (C3 = H) ∨ (C1 = M) ∧ (C2 = H) ∧ (C3 = VH) ∨ (C1 = M) ∧ (C2 = VH) ∧ (C3 = L) ∨ (C1 = M) ∧ (C2 = VH) ∧ (C3 = M) ∨ (C1 = M) ∧ (C2 = VH) ∧ (C3 = H) ∨ (C1 = M) ∧ (C2 = VH) ∧ (C3 = VH) ∨ (C1 = H) ∧ (C2 = M) ∧ (C3 = H) ∨ (C1 = H) ∧ (C2 = M) ∧ (C3 = VH) ∨	(C1 = H) ∧ (C2 = H) ∧ (C3 = L) ∨ (C1 = H) ∧ (C2 = H) ∧ (C3 = M) ∨ (C1 = H) ∧ (C2 = H) ∧ (C3 = H) ∨ (C1 = H) ∧ (C2 = H) ∧ (C3 = VH) ∨ (C1 = H) ∧ (C2 = VH) ∧ (C3 = VL) ∨ (C1 = H) ∧ (C2 = VH) ∧ (C3 = L) ∨ (C1 = H) ∧ (C2 = VH) ∧ (C3 = M) ∨ (C1 = H) ∧ (C2 = VH) ∧ (C3 = H) ∨ (C1 = VH) ∧ (C2 = L) ∧ (C3 = H) ∨ (C1 = VH) ∧ (C2 = L) ∧ (C3 = VH) ∨	(C1 = VH) ∧ (C2 = M) ∧ (C3 = L) ∨ (C1 = VH) ∧ (C2 = M) ∧ (C3 = M) ∨ (C1 = VH) ∧ (C2 = M) ∧ (C3 = H) ∨ (C1 = VH) ∧ (C2 = M) ∧ (C3 = VH) ∨ (C1 = VH) ∧ (C2 = H) ∧ (C3 = VL) ∨ (C1 = VH) ∧ (C2 = H) ∧ (C3 = L) ∨ (C1 = VH) ∧ (C2 = H) ∧ (C3 = M) ∨ (C1 = VH) ∧ (C2 = H) ∧ (C3 = H) ∨ (C1 = VH) ∧ (C2 = VH) ∧ (C3 = VL) ∨ (C1 = VH) ∧ (C2 = VH) ∧ (C3 = L)	Y1 = H
R5	(C1 = H) ∧ (C2 = VH) ∧ (C3 = VH) ∨ (C1 = VH) ∧ (C2 = H) ∧ (C3 = VH) ∨	(C1 = VH) ∧ (C2 = VH) ∧ (C3 = M) ∨ (C1 = VH) ∧ (C2 = VH) ∧ (C3 = H) ∨	(C1 = VH) ∧ (C2 = VH) ∧ (C3 = VH) ∨	Y1 = VH

where (i)—is the ordinal number of the rules R_j, $j=\overline{1,5}$; (ii)—Rule; (iii)—Consequent.

, Appendix A).

–

Information base of fuzzy production rules for evaluation $Y_2$—the level of inflicted damage caused by threats to the protected assets of IIoT systems (total 25 rules)–with the values of the terms of the input linguistic variable C₄—financial costs with a weight coefficient ${\omega }_4$ = 0.5833 and $C_5$—damage to reputation with a weight coefficient ω₅ = 0.4167: Very low—0.2, Low—0.4, Medium—0.6, High—0.8; Very high—1.0, and the calculated value of the term boundaries of the output linguistic variable $Y_2$—manifestation of the damage: Very Low—[0.0; 0.3], Low—(0.3; 0.5), Medium—(0.5; 0.7), High—(0.7; 0.9), Very High—(0.9; 1.0] (see

Table A7. Information base of fuzzy production rules for assessing the level of inflicted damage.

(i)	(ii)	(iii)	(iv)	(v)	(vi)	(vii)	(i)	(ii)	(iii)	(iv)	(v)	(vi)	(vii)	(i)	(ii)	(iii)	(iv)	(v)	(vi)	(vii)
1	VL	1	VL	1	1.000	VL	10	L	2	VH	5	3.251	M	19	H	4	H	4	4.000	H
2	VL	1	L	2	1.417	VL	11	M	3	VL	1	2.166	L	20	H	4	VH	5	4.417	H
3	VL	1	M	3	1.834	L	12	M	3	L	2	2.583	M	21	VH	5	VL	1	3.332	M
4	VL	1	H	4	2.251	L	13	M	3	M	3	3.000	M	22	VH	5	L	2	3.749	H
5	VL	1	VH	5	2.668	M	14	M	3	H	4	3.417	M	23	VH	5	M	3	4.166	H
6	L	2	VL	1	1.583	L	15	M	3	VH	5	3.834	H	24	VH	5	H	4	4.583	VH
7	L	2	L	2	2.000	L	16	H	4	VL	1	2.749	M	25	VH	5	VH	5	5	VH
8	L	2	M	3	2.417	L	17	H	4	L	2	3.166	M
9	L	2	H	4	2.834	M	18	H	4	M	3	3.583	H

where (i)—is a serial number; (ii)–(iii)—the value of the term of the input linguistic variable $C_4$—Financial costs with a weighting coefficient ω₄ = 0.5833; (iv)–(v)—the value of the term of the input linguistic variable C₅—Damage to reputation with a weight coefficient ω₅ = 0.4167; (vi)–(vii)—calculated value of the term of the output linguistic variable Y₂—Manifestation of the damage caused.

, Appendix A).

–

Aggregated fuzzy rules for assessing the level of inflicted damage caused. As a result of the aggregation of the resulting rules, fuzzy causal relationships between antecedents and consequents were obtained (see

Table A8. Aggregated fuzzy rules for assessing the level of inflicted damage.

(i)	(ii)			(iii)
R6	(C4 = VL) ∧ (C5 = VL) ∨	(C4 = VL) ∧ (C5 = L)		Y2 = VL
R7	(C4 = VL) ∧ (C5 = M) ∨ (C4 = VL) ∧ (C5 = H) ∨	(C4 = L) ∧ (C5 = VL) ∨ (C4 = L) ∧ (C5 = L) ∨	(C4 = L) ∧ (C5 = M) ∨ (C4 = M) ∧ (C5 = VL)	Y2 = L
R8	(C4 = VL) ∧ (C5 = VH) ∨ (C4 = L) ∧ (C5 = H) ∨ (C4 = L) ∧ (C5 = VH) ∨	(C4 = M) ∧ (C5 = L) ∨ (C4 = M) ∧ (C5 = M) ∨ (C4 = M) ∧ (C5 = H) ∨	(C4 = H) ∧ (C5 = VL) ∨ (C4 = H) ∧ (C5 = L) ∨ (C4 = VH) ∧ (C5 = VL)	Y2 = M
R9	(C4 = M) ∧ (C5 = VH) ∨ (C4 = H) ∧ (C5 = M) ∨	(C4 = H) ∧ (C5 = H) ∨ (C4 = H) ∧ (C5 = VH) ∨	(C4 = VH) ∧ (C5 = L) ∨ (C4 = VH) ∧ (C5 = M)	Y2 = H
R10	(C4 = VH) ∧ (C5 = H) ∨	(C4 = VH) ∧ (C5 = VH)		Y2 = VH

where (i)—is the ordinal number of rules R_j, $j=\overline{6,10}$; (ii)—Rule; (iii)—Consequent.

, Appendix A).

As a result, we have obtained bases of fuzzy rules for determining the probability of occurrence of a threat and assessing the level of inflicted damage. These two parameters are used to calculate a clear output value of the risk level $R$, which has the following gradations:

–

Very low risk: [0.0000; 0.0625), meaning a slight adverse impact on the activities of the organization and the assets of the organization;

–

Low risk: [0.0625; 0.2025), meaning a limited adverse impact on the activities of the organization and the assets of the organization;

–

Medium risk: [0.2025; 0.5625), meaning that threats can have a serious adverse effect on the activities of the organization, the assets of the organization, individuals, and other organizations;

–

High risk: [0.5625; 0.7225), meaning that threats can have a serious or catastrophic adverse effect on the activities of the organization and the assets of the organization;

–

Very high risk: [0.7225; 1.0000], meaning that threats can lead to multiple serious or catastrophic consequences for the organization’s activities and the organization’s assets.

3.4.2. Evaluation of the Correctness of the Model for Determining the Level of Risk

We will evaluate the correctness of the proposed information security risk model based on fuzzy logic in three scenarios.

Scenario 1: Average Risk. Let the values of the following linguistic variables arrive at the input of the model system to determine the level $Y_1$—the probability of occurrence of a threat:

–

Attractiveness of assets, $C_1$ = 0.25;

–

Existing control, $C_2$ = 0.20;

–

Previous incidents, $C_3$ = 0.55.

Then, the fuzzification of five fuzzy statements—“Asset assessment is Very Low”, “Asset assessment is Low”, “Asset assessment is Medium”, “Asset assessment is High” and “Asset assessment is Very High” for the input linguistic variable $C_1-C_3$ asset assessment—gives the following values of the degree of truth of fuzzy statements:

–

Attractiveness of assets, C₁: ${\mu }_1^{VL}\left(R\right)$ = 0.4, ${\mu }_1^L\left(R\right)$ = 0.6, ${\mu }_1^M\left(R\right)$ = 0.0, ${\mu }_1^H\left(R\right)$ = 0.0, ${\mu }_1^{VH}\left(R\right)$ = 0.0;

–

Existing control, $C_2$: ${\mu }_2^{VL}\left(R\right)$ = 0.3, ${\mu }_2^L\left(R\right)$ = 0.7, ${\mu }_2^M\left(R\right)$ = 0.0, ${\mu }_2^H\left(R\right)$ = 0.0, ${\mu }_2^{VH}\left(R\right)$ = 0.0;

–

Previous incidents, $C_3$: ${\mu }_3^{VL}\left(R\right)$ = 0.0, ${\mu }_3^L\left(R\right)$ = 0.8, ${\mu }_3^M\left(R\right)$ = 0.2, ${\mu }_3^H\left(R\right)$ = 0.0, ${\mu }_3^{VH}\left(R\right)$ = 0.0.

Next, we determine the degree of truth of the conditions for each of the rules of the fuzzy inference system:

–

If the condition of a fuzzy production rule is a simple fuzzy statement, then the degree of its truth corresponds to the value of the membership function of the corresponding term of the linguistic variable.

–

If the condition represents a compound statement, then the degree of truth of the compound statement is determined using the logical operation of conjunction.

Therefore, according to the base of production rules (see Table A5, Appendix A) and the fuzzy inference system based on the conjunction operation (see Table A6, Appendix A), for level $Y_1$ the probability of occurrence of a threat occurring has a non-zero value for rules 3, 8, 28, and 33:

–

Rule 3. $Y_1$ = M: $\mu \left(R_3\right)$ = min(0.4; 0.3; 1.0) = 0.3;

–

Rule 8. $Y_1$ = M: $\mu \left(R_8\right)$ = min(0.4; 0.7; 1.0) = 0.4;

–

Rule 28. $Y_1$ = M: $\mu \left(R_{28}\right)$ = min(0.6; 0.3; 1.0) = 0.3;

–

Rule 33. $Y_1$ = M: $\mu \left(R_{33}\right)$ = min(0.6; 0.7; 1.0) = 0.6.

The truth values of all other rules are zero, so there is no need to take them into account. Indeed, the combination of the membership functions of all subsets is usually carried out classically, that is, by taking the maximum from the values of the membership functions of each subset:

$$\mu \left(R_{Y_1=M}\right)=\max \left(\mu \left(R_3\right);\mu \left(R_8\right);\mu \left(R_{28}\right);\mu \left(R_{33}\right)\right)=0.6$$

(14)

Then, as a result of defuzzification, we obtain the value of the level of the output linguistic variable $Y_1$, the probability of occurrence of a threat occurring in the form of a weighted average value by the degree of membership of values at which all applicable membership functions reach their maximum value (15):

$$Y_1=\frac{{\overline{R}}_{Y_1=M}·\mu \left(R_{Y_1=M}\right)}{\mu \left(R_{Y_1=M}\right)}=\frac{0.55·0.6}{0.6}=0.55,$$

(15)

where (see Figure A1, the histogram of dotted line with dot):

$${\overline{R}}_{Y_1=M}=\frac{\underset{Y_1=M}{\min }R+\underset{Y_1=M}{\max }R}{2}=\frac{0.4+0.7}{2}=0.55$$

Now, let the input of the system of information security risk assessment models based on fuzzy logic determine the level $Y_2$ (caused damage) and receive the values of the input parameters:

–

Financial costs, $C_4$ = 0.67;

–

Damage to reputation, $C_5$ = 0.33.

Then, the fuzzification of fuzzy statements by terms for the input linguistic variables $C_4-C_5$ of the system of risk assessment models of the output linguistic variable $Y_2$, level of inflicted damage, gives the following values of the degree of truth of the fuzzy inference system:

–

Financial costs, $C_4$: ${\mu }_4^{VL}\left(R\right)$ = 0.0, ${\mu }_4^L\left(R\right)$ = 0.0, ${\mu }_4^M\left(R\right)$ = 0.3, ${\mu }_4^H\left(R\right)$ = 0.7, ${\mu }_4^{VH}\left(R\right)$ = 0.0;

–

Damage to reputation, $C_5$: ${\mu }_5^{VL}\left(R\right)$ = 0.0, ${\mu }_5^L\left(R\right)$ = 0.2, ${\mu }_5^M\left(R\right)$ = 0.8, ${\mu }_5^H\left(R\right)$ = 0.0, ${\mu }_5^{VH}\left(R\right)$ = 0.0.

According to the base of production rules (see Table A7, Appendix A) and the fuzzy inference system based on the conjunction operation (see Table A8, Appendix A), the level $Y_2$, the level of inflicted damage, has a non-zero value for rules 12, 13, 17, and 18:

–

Rule 12. $Y_2$ = M: $\mu \left(R_{12}\right)$ = min(0.3; 0.2) = 0.2;

–

Rule 13. $Y_2$ = M: $\mu \left(R_{13}\right)$ = min(0.3; 0.8) = 0.3;

–

Rule 17. $Y_2$ = M: $\mu \left(R_{17}\right)$ = min(0.7; 0.2) = 0.2;

–

Rule 18. $Y_2$ = H: $\mu \left(R_{18}\right)$ = min(0.7; 0.8) = 0.7.

The truth values of all other rules are zero, so there is no need to take them into account. Indeed, the maximum value of the input linguistic variables and the combined value of the membership functions of all subsets, respectively, gives:

$$\begin{array}{c}\mu \left(R_{Y_2=M}\right)=\max \left(\mu \left(R_{12}\right);\mu \left(R_{13}\right);\mu \left(R_{17}\right)\right)=0.3,\\ \mu \left(R_{Y_2=H}\right)=\max \left(\mu \left(R_{18}\right)\right)=0.7\end{array}$$

(16)

Then, as a result of defuzzification, we will obtain the value of the level of the output linguistic variable $Y_2$—level of inflicted damage—in the form of a weighted average value by the degree of membership of the values at which all applicable membership functions reach their maximum value (16):

$$\begin{array}{c}{Y}_2=\frac{{\overline{R}}_{Y_2=M}·\mu \left(R_{Y_2=M}\right)+{\overline{R}}_{Y_2=H}·\mu \left(R_{Y_2=H}\right)}{\mu \left(R_{Y_2=M}\right)+\mu \left(R_{Y_2=H}\right)}\\ =\frac{0.55·0.3 + 0.75·0.7}{0.3 + 0.7}=0.69\end{array}$$

(17)

where (see Figure A1, the histogram of dotted line with dot and the histogram of long dotted line):

$${\overline{R}}_{Y_2=M}=\frac{\underset{Y_2=M}{\min }R+\underset{Y_2=M}{\max }R}{2}=\frac{0.4+0.7}{2}=0.55,$$

$${\overline{R}}_{Y_2=H}=\frac{\underset{Y_2=H}{\min }R+\underset{Y_2=H}{\max }R}{2}=\frac{0.6+0.9}{2}=0.75$$

Having determined the values of the probability of the appearance of threats and the level of possible damage by using Formulas (1), (16) and (17), we will find the value of the information security risk:

$$R=Y_1·Y_2=0.55·0.69=0.38$$

(18)

Thus, we obtained the value which corresponds to the average of the information security risk.

Scenario 2: High Risk. Let the values of the following linguistic variables arrive at the input of the model system:

–

Attractiveness of assets, $C_1$ = 0.85;

–

Existing control, $C_2$ = 0.70;

–

Previous incidents, C₃ = 0.90.

Then, fuzzification gives the following values of the degree of truth of fuzzy statements:

–

Attractiveness of assets, $C_1$: ${\mu }_1^{VL}\left(R\right)$ = 0.0, ${\mu }_1^L\left(R\right)$ = 0.0, ${\mu }_1^M\left(R\right)$ = 0.0, ${\mu }_1^H\left(R\right)$ = 0.5, ${\mu }_1^{VH}\left(R\right)$ = 0.5;

–

Existing control, $C_2$:${\mu }_2^{VL}\left(R\right)$ = 0.0, ${\mu }_2^L\left(R\right)$ = 0.0, ${\mu }_2^M\left(R\right)$ = 0.08, ${\mu }_2^H\left(R\right)$ = 0.12, ${\mu }_2^{VH}\left(R\right)$ = 0.0;

–

Previous incidents, $C_3$: ${\mu }_3^{VL}\left(R\right)$ = 0.0, ${\mu }_3^L\left(R\right)$ = 0.0, ${\mu }_3^M\left(R\right)$ = 0.0, ${\mu }_3^H\left(R\right)$ = 0.2, ${\mu }_3^{VH}\left(R\right)$ = 0.6.

Therefore, according to the base of production rules (see Table A5, Appendix A) and the fuzzy inference system based on the conjunction operation (see Table A6, Appendix A), the level $Y_1$—the probability of occurrence of a threat occurring—has a non-zero value for rules 89, 90, 94, 95, 114, 115, 119, and 120:

–

Rule 89. $Y_1$ = H: $\mu \left(R_{89}\right)$ = min(0.5; 0.08; 0.2) = 0.08;

–

Rule 90. $Y_1$ = H: $\mu \left(R_{90}\right)$ = min(0.5; 0.08; 0.6) = 0.08;

–

Rule 94. $Y_1$ = H: $\mu \left(R_{94}\right)$ = min(0.5; 0.12; 0.2) = 0.12;

–

Rule 95. $Y_1$ = H: $\mu \left(R_{95}\right)$ = min(0.5; 0.12; 0.6) = 0.12;

–

Rule 114. $Y_1$ = H: $\mu \left(R_{114}\right)$ = min(0.5; 0.08; 0.2) = 0.08;

–

Rule 115. $Y_1$ = H: $\mu \left(R_{115}\right)$ = min(0.5; 0.08; 0.6) = 0.08;

–

Rule 119. $Y_1$ = H: $\mu \left(R_{119}\right)$ = min(0.5; 0.12; 0.2) = 0.12;

–

Rule 120. $Y_1$ = VH: $\mu \left(R_{120}\right)$ = min(0.5; 0.12; 0.6) = 0.12.

The value of membership functions for all subsets are:

$$\begin{array}{c}\mu \left(R_{Y_1=H}\right)=\max (\mu \left(R_{89}\right);\mu \left(R_{90}\right);\mu \left(R_{94}\right);\mu \left(R_{95}\right);\mu \left(R_{114}\right);\\ \mu \left(R_{115}\right);\mu \left(R_{119}\right))=0.12; \mu \left(R_{Y_1=VH}\right)=\mu \left(R_{120}\right)=0.12\end{array}$$

(19)

Then, as a result of defuzzification, we obtain the value of the level of the output linguistic variable $Y_1$—the probability of occurrence of a threat:

$$\begin{array}{c}{Y}_1=\frac{{\overline{R}}_{Y_1=H}·\mu \left(R_{Y_1=H}\right)+{\overline{R}}_{Y_1=VH}·\mu \left(R_{Y_1=VH}\right)}{\mu \left(R_{Y_1=H}\right)+\mu \left(R_{Y_1=VH}\right)}\\ =\frac{0.75·0.12+0.9·0.12}{0.12+0.12}=0.82\end{array}$$

(20)

where (see Figure A1, the histogram of long dotted line and the histogram of solid line):

$$\begin{gathered} {\overline{R}}_{Y_1=H}=\frac{\underset{Y_1=H}{\min }R+\underset{Y_1=H}{\max }R}{2}=\frac{0.6+0.9}{2}=0.75, \\ {\overline{R}}_{Y_1=VH}=\frac{\underset{Y_1=VH}{\min }R+\underset{Y_1=VH}{\max }R}{2}=\frac{0.8+1.0}{2}=0.90 \end{gathered}$$

Now, let the input of the system of information security risk assessment models based on fuzzy logic determine the level $Y_2$—caused damage—and receive the values of the input parameters:

–

Financial costs, $C_4$ = 0.50;

–

Damage to reputation, $C_5$ = 0.75.

Then, the fuzzification of fuzzy statements by terms for the input linguistic variables $C_4-C_5$ of the system of risk assessment models of the output linguistic variable $Y_2$—level of inflicted damage—gives the following values of the degree of truth of the fuzzy inference system:

–

Financial costs, $C_4$: ${\mu }_4^{VL}\left(R\right)$ = 0.0, ${\mu }_4^L\left(R\right)$ = 0.0, ${\mu }_4^M\left(R\right)$ = 0.0, ${\mu }_4^H\left(R\right)$ = 0.14, ${\mu }_4^{VH}\left(R\right)$ = 0.0;

–

Damage to reputation, $C_5$: ${\mu }_5^{VL}\left(R\right)$ = 0.0, ${\mu }_5^L\left(R\right)$ = 0.0, ${\mu }_5^M\left(R\right)$ = 1.0, ${\mu }_5^H\left(R\right)$ = 0.0, ${\mu }_5^{VH}\left(R\right)$ = 0.0.

According to the information base of the production rules (see Table A7, Appendix A) of the fuzzy inference system based on the conjunction operation (see Table A8, Appendix A), the level $Y_2$—level of inflicted damage—has a non-zero value for Rule 18:

–

Rule 18. $Y_2$ = H: $\mu \left(R_{18}\right)$ = min(0.14; 1.0) = 0.14.

The value of membership functions for all subsets are:

$$\mu \left(R_{Y_2=H}\right)=\max \left(\mu \left(R_{18}\right)\right)=0.14$$

(21)

Then, as a result of defuzzification, we obtain the value of the level of the output linguistic variable $Y_2$—level of inflicted damage:

$$Y_2=\frac{{\overline{R}}_{Y_2=H}·\mu \left(R_{Y_2=H}\right)}{\mu \left(R_{Y_2=H}\right)}=\frac{0.75·0.14}{0.14}=0.75$$

(22)

where (see Figure A1, the histogram of long dotted line):

$${\overline{R}}_{Y_2=H}=\frac{\underset{Y_2=H}{\min }R+\underset{Y_2=H}{\max }R}{2}=\frac{0.6+0.9}{2}=0.75$$

Now determine the values of the probability of the appearance of threats and the level of possible damage by using Formulas (1), (20) and (22), and we will find the value of the information security risk:

$$R=Y_1·Y_2=0.82·0.75=0.62$$

(23)

Thus, we obtained the value which corresponds to the high information security risk.

Scenario 3: Low Risk. Let the values of the following linguistic variables arrive at the input of the model system:

–

Attractiveness of assets, $C_1$ = 0.40;

–

Existing control, $C_2$ = 0.28;

–

Previous incidents, $C_3$ = 0.32.

Then, fuzzification gives the following values of the degree of truth of fuzzy statements:

–

Attractiveness of assets, $C_1$: ${\mu }_1^{VL}\left(R\right)$ = 0.0, ${\mu }_1^L\left(R\right)$ = 0.5, ${\mu }_1^M\left(R\right)$ = 0.5, ${\mu }_1^H\left(R\right)$ = 0.0, ${\mu }_1^{VH}\left(R\right)$ = 0.0;

–

Existing control, C₂: ${\mu }_2^{VL}\left(R\right)$ = 0.19, ${\mu }_2^L\left(R\right)$ = 1.0, ${\mu }_2^M\left(R\right)$ = 0.0, ${\mu }_2^H\left(R\right)$ = 0.0, ${\mu }_2^{VH}\left(R\right)$ = 0.0;

–

Previous incidents, $C_3$: ${\mu }_3^{VL}\left(R\right)$ = 0.21, ${\mu }_3^L\left(R\right)$ = 1.0, ${\mu }_3^M\left(R\right)$ = 0.0, ${\mu }_3^H\left(R\right)$ = 0.0, ${\mu }_3^{VH}\left(R\right)$ = 0.0.

Therefore, according to the base of production rules (see Table A5, Appendix A) and the fuzzy inference system based on the conjunction operation (see Table A6, Appendix A), the level $Y_1$—the probability of occurrence of a threat occurring—has a non-zero value for rules 89, 90, 94, 95, 114, 115, 119, and 120:

–

Rule 26. $Y_1$ = VL: $\mu \left(R_{26}\right)$ = min(0.5; 0.19; 0.21) = 0.19;

–

Rule 27. $Y_1$ = L: $\mu \left(R_{27}\right)$ = min(0.5; 0.19; 1.0) = 0.19;

–

Rule 31. $Y_1$ = L: $\mu \left(R_{31}\right)$ = min(0.5; 1.0; 0.21) = 0.21;

–

Rule 32. $Y_1$ = L: $\mu \left(R_{32}\right)$ = min(0.5; 1.0; 1.0) = 0.5;

–

Rule 51. $Y_1$ = L: $\mu \left(R_{51}\right)$ = min(0.5; 0.19; 0.21) = 0.19;

–

Rule 52. $Y_1$ = L: $\mu \left(R_{52}\right)$ = min(0.5; 0.19; 1.0) = 0.19;

–

Rule 56. $Y_1$ = L: $\mu \left(R_{56}\right)$ = min(0.5; 1.0; 0.21) = 0.21;

–

Rule 57. $Y_1$ = L: $\mu \left(R_{57}\right)$ = min(0.5; 1.0; 1.0) = 0.5.

The value of membership functions for all subsets are:

$$\begin{array}{c}\mu \left(R_{Y_1=VL}\right)=\mu \left(R_{26}\right)=0.19;\mu \left(R_{Y_1=L}\right)=\max (\mu \left(R_{27}\right);\\ \mu \left(R_{31}\right);\mu \left(R_{32}\right);\mu \left(R_{51}\right);\mu \left(R_{52}\right);\mu \left(R_{56}\right);\mu \left(R_{57}\right))=0.5\end{array}$$

(24)

Then, as a result of defuzzification, we obtain the value of the level of the output linguistic variable $Y_1$—the probability of occurrence of a threat:

$$\begin{array}{c}{Y}_1=\frac{{\overline{R}}_{Y_1=VL}·\mu \left(R_{Y_1=VL}\right)+{\overline{R}}_{Y_1=L}·\mu \left(R_{Y_1=L}\right)}{\mu \left(R_{Y_1=VL}\right)+\mu \left(R_{Y_1=L}\right)}\\ =\frac{0.2·0.19+0.35·0.5}{0.19+0.5}=0.31\end{array}$$

(25)

where (see Figure A1, the histogram dot line (VL) and the histogram dotted line (L)):

$${\overline{R}}_{Y_1=VL}=\frac{\underset{Y_1=VL}{\min }R+\underset{Y_1=VL}{\max }R}{2}=\frac{0.1+0.3}{2}=0.2,$$

$${\overline{R}}_{Y_1=L}=\frac{\underset{Y_1=L}{\min }R+\underset{Y_1=L}{\max }R}{2}=\frac{0.2+0.5}{2}=0.35$$

Now, let the input of the system of information security risk assessment models based on fuzzy logic determine the level $Y_2$—caused damage— and receive the values of the input parameters:

–

Financial costs, $C_4$ = 0.16;

–

Damage to reputation, $C_5$ = 0.84.

Then, the fuzzification of fuzzy statements by terms for the input linguistic variables $C_4-C_5$ of the system of risk assessment models of the output linguistic variable $Y_2$—level of inflicted damage—gives the following values of the degree of truth of the fuzzy inference system:

–

Financial costs, $C_4$: ${\mu }_4^{VL}\left(R\right)$ = 0.4, ${\mu }_4^L\left(R\right)$ = 0.6, ${\mu }_4^M\left(R\right)$ = 0.0, ${\mu }_4^H\left(R\right)$ = 0.0, ${\mu }_4^{VH}\left(R\right)$ = 0.0;

–

Damage to reputation, $C_5$: ${\mu }_5^{VL}\left(R\right)$ = 0.0, ${\mu }_5^L\left(R\right)$ = 0.0, ${\mu }_5^M\left(R\right)$ = 0.0, ${\mu }_5^H\left(R\right)$ = 0.6, ${\mu }_5^{VH}\left(R\right)$ = 0.0.

According to the base of production rules (see Table A7, Appendix A) and the fuzzy inference system based on the conjunction operation (see Table A8, Appendix A), the level $Y_2$—level of inflicted damage—has a non-zero value for Rules 4 and 9:

–

Rule 4. $Y_2$ = L: $\mu \left(R_4\right)$ = min(0.4; 0.6) = 0.4;

–

Rule 9. $Y_2$ = M: $\mu \left(R_9\right)$ = min(0.6; 0.6) = 0.6.

The value of membership functions for all subsets are:

$$\mu \left(R_{Y_2=L}\right)=\mu \left(R_4\right)=0.4, \mu \left(R_{Y_2=M}\right)=\mu \left(R_9\right)=0.6$$

(26)

Then, as a result of defuzzification, we obtain the value of the level of the output linguistic variable $Y_2$—level of inflicted damage:

$$\begin{array}{c}{Y}_2=\frac{{\overline{R}}_{Y_2=L}·\mu \left(R_{Y_2=L}\right)+{\overline{R}}_{Y_2=M}·\mu \left(R_{Y_2=M}\right)}{\mu \left(R_{Y_2=L}\right)+\mu \left(R_{Y_2=M}\right)}\\ =\frac{0.35·0.4+0.55·0.6}{0.4+0.6}=0.47\end{array}$$

(27)

where (see Figure A1, the histogram of dotted line and the histogram of dotted line with dot):

$${\overline{R}}_{Y_2=L}=\frac{\underset{Y_2=L}{\min }R+\underset{Y_2=L}{\max }R}{2}=\frac{0.2+0.5}{2}=0.35,$$

$${\overline{R}}_{Y_2=M}=\frac{\underset{Y_2=M}{\min }R+\underset{Y_2=M}{\max }R}{2}=\frac{0.4+0.7}{2}=0.55$$

Now determine the values of the probability of the appearance of threats and the level of possible damage by using Formulas (1), (25) and (27), and we will find the value of the information security risk:

$$R=Y_1·Y_2=0.31·0.47=0.15$$

(28)

We obtained the value which corresponds to the low level of information security risk in IIoT systems.

Thus, using test sets of fuzzy input variables, we obtained clear values of information security risk level. Using fuzzy input information, it is possible to predict the deterioration of the system’s safety level and make timely decisions to prevent possible dangerous situations.

4. Discussion

Fuzzy logic methods have gained traction in recent research for assessing information risks. For instance, [29] introduces a risk assessment approach grounded in an attack tree model, utilizing both fuzzy set theory and probabilistic risk assessment technology. This innovative method is applied to the context of a ship control system risk scenario within industrial control systems. The analysis commences by identifying potential risks, constructing a tree-like attack model, and subsequently employing triangular fuzzy numbers and expert knowledge to gauge factors influencing end-node probabilities. Through fuzzy arithmetic, interval probabilities for both the root node and attack paths are determined, yielding the overall potential risks and probabilities of occurrence for each attack path.

Intriguingly, [30] explores cybersecurity risk assessment of industrial control systems through a unique lens. The paper proposes a methodology reliant on order divergence which measures α within an intuitionistic fuzzy framework characterized by interval values. Departing from conventional methods, where the weights of risk indices remain constant, this approach adapts a novel order α divergence measure to IVIFNs (Interval Intuitionistic Fuzzy Numbers). The integration of IVIFNs facilitates the description of estimated risk indices, while variable weight vectors derived from divergence closeness determine the weights of risk indices. The study presents strategies for node and attack path integration within attack defense trees, leading to risk scores calculation using a designated score function.

Addressing the significance of cybersecurity risk assessment within IIoT systems, [31] proposes a comprehensive model for dynamic IIoT risk assessment. This model, initiated by defining the IIoT context, encompasses diverse risk calculation algorithms, prominently highlighting approaches grounded in artificial intelligence and machine learning. The methodology’s application is demonstrated through a case study involving an IIoT-based supervisory control and data acquisition system in a hydroelectric power plant.

In [32], the focus centers on the development of an access control model that dynamically analyzes the security risk of access requests through contextual IoT information. This model employs real-time contextual data associated with the requesting user to compute security risks for each access request. Attributes of the user, action severity, resource sensitivity, and user risk history are considered as inputs to assess and calculate the risk value, ultimately informing access decisions.

In [33], the authors introduce the IORs (Risk Indicator Objects), a notable contribution that leverages the MITRE ATT&CK knowledge base for ICS (Industrial Control Systems) to facilitate ongoing risk monitoring. This approach enables the utilization of existing variables for continuous risk analysis. IORs extend compromise indicators by integrating detection strategies with probabilistic inference, serving as a powerful tool for quantifying cybersecurity risks. The library, endorsed by professionals from major companies, now encompasses 95 IORs.

A compelling study, [34], proposes a model for vulnerability risk analysis based on the widely accepted CVSS (Common Vulnerability Scoring System). This innovative model addresses two key limitations of CVSS: (1) the need for additional indicators beyond those stipulated by CVSS, and (2) CVSS’s primary usage within IT environments, rendering it less suitable for industrial settings. To overcome these issues, the study’s first part offers an overview of the key protocols, standards, and buses within the IIoT landscape. The second part establishes a comprehensive framework for risk characterization in industrial environments, effectively addressing the limitations of the CVSS index.

A noteworthy contribution comes from the study outlined in [35], proposing a hierarchical structured model for information security risk assessment utilizing fuzzy logic. This new approach extends to the assessment of software risks in learning management systems. The novel risk assessment model is implemented on the MATLAB platform using fuzzy logic through a set of 15 fuzzy machines.

Similarly, [36] delves into the application of a fuzzy expert system for assessing the security of a University Information System (UIS). The authors employed the Visual Basic language and the MATLAB Fuzzy Logic toolkit to tackle the challenge of assessing compliance with the ISO/IEC 27,001 standard—a key foundation for modeling information system security.

In [37], the authors introduce a robust fuzzy model tailored to conducting information security risk assessment within IIoT systems. This model relies on the additive weighting method to establish weighting coefficients for each criterion and leverages fuzzy logic for its implementation. The authors showcase the practical execution of this model using the MATLAB system. Notably, the authors assert that fuzzy logic offers a suitable technological foundation for discerning information security risks and generating dependable practical outcomes.

In [38], the authors embark on an exploration of the cybersecurity landscape in ICS (Industrial Control Systems). The study encompasses several key aspects: (1) elucidating the fundamental principles and unique attributes underlying ICS functionality; (2) presenting a concise history of cyber-attacks targeting ICSs; (3) providing an overview of ICS security-less assessment; (4) conducting a review of “unique ICS” testbeds designed to capture interactions across different levels of ICSs; and (5) outlining current trends in ICS attack and defense strategies.

Turning attention to [39], the article delves into a critical challenge—assessing the creditworthiness of enterprises operating within the trade and services sector. Notably, this assessment poses particular intricacies for borrowers, especially small businesses. Such evaluation necessitates careful consideration of factors such as the developmental stage of small enterprises, their specific activities, and the inherent uncertainty tied to financial outcomes. The study analyzes an array of indicators, including industry and regional specifics, small enterprise activity measures, and financial and economic metrics pertinent to the service and trade domain. Decision-making rules are meticulously formulated in the shape of logical formulas embedded with crucial parameters.

5. Conclusions

This research is devoted to solving the problem of determining the level of IS risks in industrial IoT systems using fuzzy logic. Risk assessment as part of information security (risk management) is an essential tool in building defenses. The risk assessment process is designed to identify the risk to the system and determine the security measures taken to mitigate the risk. The proposed method is based on a new risk analysis model that takes into account multiple risk criteria, such as the attractiveness of the asset, the level of existing controls, the presence of previous threats, and financial and reputational losses as a result of the realization of threats. The main advantage of this method is that it realistically models the system environment, unlike the conventional risk model, which only considers the probability of an event and its impact.

Our method is based on multiple fuzzy inference system MFIS. The first fuzzy inference system FIS1 calculates the overall probability of the realization of threats on the system. The second fuzzy inference system FIS2 calculates the overall probability of damage to the system based on risk factors. The third step of the fuzzy inference system is to calculate the IS risk level based on the output data FIS1, FIS2. The proposed method can be used as a tool for assessing information security and risk analysis in any system.

In information security and risk analysis, the concept of symmetry plays an important role, which can be considered from the point of view of balance and harmony in information security management. Symmetry in this context can be associated with the balance between security and availability of data and resources. Just as symmetry in nature creates harmony and balance, in information security there is a need to find a balance between security measures that may be too strict and restrictive for users and the availability of data and resources that ensures the effective operation of the system.

Symmetry can also be associated with understanding symmetrical threats that can impact information security. Risk analysis involves identifying such threats and developing symmetrical countermeasures that can ensure balance and harmony in security. When information security incidents occur, symmetry can also be important in the context of the response. A symmetric response to incidents may include similar recovery measures to restore balance and functionality to the system.

Thus, there is a clear connection between the concept of symmetry and information security risk analysis, which manifests itself as the desire for balance and harmony in approaches to security and risk management.

In this paper, we have paid little attention to risk management planning, resolution, and control. More research should be conducted on risk management planning. In addition, risk needs to be re-monitored regularly to track the status of identified risks.