Application of Fuzzy Logic in the Process of Information Security Risk Assessment

Risk assessment is a demanding process of information security risk management. Organizations often do not employ sufficiently experienced and qualified employees in handling information security risks. This paper focuses on a fuzzy logic application in the process of information security risk assessment based on a matrix method of the ISO/IEC 27005 standard and regulations according to the Cyber Security Regulation No. 316/2014 introduced in the Czech Republic. The method and the regulations are combined to form a risk assessment matrix which is processed in the QtFuzzyLite software. The result is a fuzzy logic system designed for organizations that need to simplify and specify risk assessment where likelihood of threat occurrence, threat consequence value and asset vulnerability level are vague and difficult to estimate. These variables directly affect the information security risk value. The paper discusses the possibility of utilizing the fuzzy logic system as a decision support tool in Slovak organizations.