Modelling of Fuzzy Expert System for an Assessment of Security Information Management System UIS (University Information System)

Several methodologies based on the international standard ISO/IEC 27001 have been developed for modelling information security management systems within higher education. This paper transformed the ISO/IEC 27001 standard into a questionnaire, which was sent digitally to about 100 universities in Bosnia and Herzegovina, and to the EU, Norway and the USA. The questions are arranged by levels, and the levels have their numerical weights, derived from individual questions in the levels themselves. Otherwise, the questions are asked with Yes or No and thus are reduced to binary variables. The rules necessary for the functioning of the system have been calculated. The fuzzy logic method represents a new approach to the problems of managing complex systems, which is very difficult to describe with a certain mathematical model, as well as in systems with a large number of inputs and outputs where there are unclear interactions. Risk assessment is a major part of the ISMS process. Traditional risk calculation models are based on the application of probability and classical set theory. Here, we have converted the risk assessment into a system rating of 5 to 10 numerically or from five to ten descriptively. We perform fuzzy optimization by finding the values of the input parameters of a complex simulated system, which results in the desired output. We use the fuzzy logic controller to execute fuzzy inference rules from the fuzzy rule database in determining congestion parameters, obtaining warning information and appropriate action. Simulating the situation of an advanced system that evaluates the protection quality of such a system with fuzzy logic, we use MATLAB. The paper combines the original Visual Basic programming language and MATLAB's Fuzzy Toolbox, to solve the complex problem of assessing compliance with the ISO/IEC 27001 standard, as one of the main standards for information systems security modelling. University information systems were used, but it is also applicable to all other information systems. The evaluation has been done for several universities and it has been proven that the system evaluates correctly, but these universities must not be publicly named. There was no such approach in the use of fuzzy logic and on such systems, and that is the originality of this work.