AI-enhanced Cybersecurity Risk Assessment with Multi-Fuzzy Inference

Authors

  • Essam Natsheh Computer Science Department, College of Arts and Applied Sciences, Dhofar University, PO Box 2509, Salalah, 211, Oman
  • Fatima Bakhit Tabook Computer Science Department, College of Arts and Applied Sciences, Dhofar University, PO Box 2509, Salalah, 211, Oman

DOI:

https://doi.org/10.5614/itbj.ict.res.appl.2025.19.1.1

Keywords:

cybersecurity risk assessment, fuzzy logic, multi-fuzzy inference system, expert validation, adaptive decision support

Abstract

The pace and complexity of modern cyber-attacks expose the limits of traditional "impact × likelihood" risk matrices, which compress uncertainty into coarse categories and miss inter-dependent threat dynamics. We propose a three-layer multi-fuzzy inference system (MFIS) that models general infrastructure vulnerabilities and access-control weaknesses separately, then fuses them into a single, continuous 0-25 risk score. The framework was validated on three representative scenarios (catastrophic/continuous, serious/frequent, and minor/few attacks) encompassing sixteen threat criteria. Compared with a crisp 5 × 5 matrix, MFIS cut mean-absolute error and root-mean-square error by 90 to 99% and reproduced expert-panel judgments to within 0.55 points across all scenarios. Nine independent practitioners rated the prototype highly on usability (100% agreement), credibility (100%) and actionability (100%), with 78% willing to recommend adoption. These results demonstrate that MFIS delivers fine-grained, expert-aligned assessments without adding operational complexity, making it a viable drop-in replacement for time- or resource-constrained organizations. By capturing partial memberships and cross-domain interactions, MFIS offers a more faithful, adaptive and explainable basis for prioritizing cyber-defense investments and can be extended to emerging threat domains with modest rule-base updates.
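The abstract contrasts a crisp 5 × 5 matrix with a layered fuzzy scorer but does not show the mechanics. The following is an added illustration written for this page; it is not the authors' code, rule base or criteria. It assumes (my choices, not the paper's) 1-5 likelihood and impact ratings, triangular membership terms centred on each integer rating, zero-order Sugeno inference (min for AND, firing-strength-weighted average for defuzzification), a layer-1 consequent of likelihood × impact, and a "weakest link" fusion layer in which the worse of the two sub-domains dominates. The scenario ratings in `main()` are constructed, not the paper's data.

```python
"""Added example: two-layer fuzzy risk scoring beside a crisp 5x5 matrix.

Assumptions (illustrative, not from the paper): 1-5 ratings, triangular
terms, zero-order Sugeno inference, likelihood x impact consequent in
layer 1, and a weakest-link fusion rule in layer 2.
"""
from itertools import product
from math import sqrt
from typing import Callable, Dict, Sequence, Tuple

LEVELS = ["very_low", "low", "medium", "high", "very_high"]
# Triangular term (a, peak, c): rating k has full membership in term k.
TERMS: Dict[str, Tuple[float, float, float]] = {
    name: (k - 1.0, float(k), k + 1.0) for k, name in enumerate(LEVELS, start=1)
}


def triangular(x: float, a: float, b: float, c: float) -> float:
    """Membership of x in the triangle (a, b, c): 0 outside, 1 at the peak b."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)


def fuzzify(x: float) -> Dict[str, float]:
    """Partial memberships of a 1-5 rating, e.g. 2.5 is half 'low', half 'medium'."""
    x = min(5.0, max(1.0, x))
    return {name: triangular(x, *abc) for name, abc in TERMS.items()}


def infer(x: float, y: float, consequent: Callable[[int, int], float]) -> float:
    """Zero-order Sugeno inference over the full 5x5 rule grid.

    Rule (i, j): IF x is LEVELS[i] AND y is LEVELS[j] THEN out = consequent(i+1, j+1).
    AND is min; the output is the firing-strength-weighted mean of the consequents.
    """
    mx, my = fuzzify(x), fuzzify(y)
    num = den = 0.0
    for (i, lx), (j, ly) in product(enumerate(LEVELS), repeat=2):
        w = min(mx[lx], my[ly])
        if w > 0.0:
            num += w * consequent(i + 1, j + 1)
            den += w
    return num / den  # den > 0: the clamped input always fires at least one term


def crisp_risk(likelihood: float, impact: float) -> int:
    """Traditional matrix: round each rating to a bucket and multiply (1-25)."""
    def bucket(v: float) -> int:
        return int(min(5.0, max(1.0, v)) + 0.5)
    return bucket(likelihood) * bucket(impact)


def fuzzy_risk(likelihood: float, impact: float) -> float:
    """Layer 1: continuous 1-25 score for one domain (infrastructure or access control)."""
    return infer(likelihood, impact, lambda i, j: float(i * j))


def fuse(infra_risk: float, access_risk: float) -> float:
    """Layer 2 (assumed rule): rescale both 1-25 sub-scores to 1-5 and let the
    weaker domain dominate: IF infra is L_i AND access is L_j THEN risk = 5*max(i, j)."""
    return infer(infra_risk / 5.0, access_risk / 5.0, lambda i, j: 5.0 * max(i, j))


def mae_rmse(pred: Sequence[float], ref: Sequence[float]) -> Tuple[float, float]:
    """Mean-absolute and root-mean-square error of scores against reference scores."""
    errs = [p - r for p, r in zip(pred, ref)]
    mae = sum(abs(e) for e in errs) / len(errs)
    rmse = sqrt(sum(e * e for e in errs) / len(errs))
    return mae, rmse


def main() -> None:
    # Constructed scenario ratings (likelihood, impact), not data from the paper.
    infra, access = (4.5, 4.8), (2.5, 4.0)
    for name, (lik, imp) in (("infrastructure", infra), ("access control", access)):
        print(f"{name:15s} crisp={crisp_risk(lik, imp):3d}  fuzzy={fuzzy_risk(lik, imp):6.2f}")
    fused = fuse(fuzzy_risk(*infra), fuzzy_risk(*access))
    print(f"fused overall risk (0-25): {fused:.2f}")


if __name__ == "__main__":
    main()
```

On integer ratings the fuzzy scorer reproduces the matrix exactly (`fuzzy_risk(3, 4) == 12`), so nothing an assessor already trusts changes; the difference appears between buckets, where a 2.5 likelihood against a 4 impact scores 10 instead of being forced to 8 or 12 by rounding. The fusion rule is the place where a real deployment encodes policy, and it should be reviewed with the same care as the rule base itself.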

References

Cox Jr., L.A., What's Wrong with Risk Matrices? Risk Analysis: An International Journal, 28(2), pp. 497-512, 2008.

Thomas, P., Bratvold, R.B. & Bickel, J.E., The Risk of Using Risk Matrices, SPE Economics & Management, 6(02), pp. 56-66, 2014.

Shu, X., Tian, K., Ciambrone, A. & Yao, D., Breaking the Target: An Analysis of Target Data Breach and Lessons Learned, arXiv preprint arXiv:1701.04940, 18 January 2017.

Daswani, N. & Elbayadi, M., The Equifax Breach, in Big Breaches: Cybersecurity Lessons for Everyone, pp. 75-95, Berkeley, CA: Apress, 2021. doi: 10.1007/978-1-4842-6655-7_4

Dearden, T., Who Responded to Equifax? Self-Protection Strategies When Guardians Fail, Victims and Offenders, 16(8), pp. 1149-1160, 2021.

Beerman, J., Berent, D., Falter, Z. & Bhunia, S., A Review of Colonial Pipeline Ransomware Attack, IEEE/ACM 23rd International Symposium on Cluster, Cloud and Internet Computing Workshops (CCGridW), pp. 8-15, 2023. doi: 10.1109/CCGridW59191.2023.00017

Natsheh, E., Dissimilarity Clustering Algorithm for Designing the PID-like Fuzzy Controllers, Journal of Information and Organizational Sciences. 45(1), pp. 267-86, 2021. doi: 10.31341/jios.45.1.12

Natsheh, E., Enhancing Field-Controlled DC Motors with Artificial Intelligence-Infused Fuzzy Logic Controller, Journal of Applied Data Sciences, 6(1), pp. 455-469, 2025. doi: 10.47738/jads.v6i1.508

Natsheh, E., A Survey on Fuzzy Reasoning Applications for Routing Protocols in Wireless Ad Hoc Networks. International Journal of Business Data Communications and Networking, 4(2), pp. 22-37, 2008.

Natsheh, E., Jantan, A.B., Khatun, S. & Subramaniam, S., Fuzzy Reasoning Approach for Local Connectivity Management in Mobile Ad Hoc Networks, International Journal of Business Data Communications and Networking (IJBDCN), 2(3), pp. 1-8, 2006.

Natsheh, E., Jantan, A.B., Khatun, S. & Subramaniam, S., Intelligent Reasoning Approach for Active Queue Management in Wireless Ad Hoc Networks, in Intelligent Information Technologies: Concepts, Methodologies, Tools, and Applications, pp. 1066-1083, IGI Global Scientific Publishing, 2008.

Alali, M., Almogren, A., Hassan, M.M., Rassan, I.A. & Bhuiyan, M.Z., Improving Risk Assessment Model of Cyber Security Using Fuzzy Logic Inference System, Computers & Security. 74, pp. 323-339, 2018.

Alampalayam, S.K. & Natsheh, E.F., Multivariate Fuzzy Analysis for Mobile Ad Hoc Network Threat Detection, International Journal of Business Data Communications and Networking (IJBDCN), 4(3), pp. 1-30, 2008.

Shameli-Sendi, A., Shajari, M., Hassanabadi, M., Jabbarifar, M. & Dagenais, M., Fuzzy Multi-Criteria Decision-Making For Information Security Risk Assessment, Open Cybern. Syst. J., 6(1), pp. 26-37, 2012.

Sallam, H., Cyber Security Risk Assessment Using Multi Fuzzy Inference System, IJEIT, 4(8), pp. 13-19, 2015.

Hibshi, H., Breaux, T.D., Riaz, M. & Williams, L., A Grounded Analysis of Experts' Decision-Making During Security Assessments, Journal of Cybersecurity, 2(2), pp. 147-163, 2016.

Fehringer, G. & Barraclough, P.A., Intelligent Security for Phishing Online Using Adaptive Neuro Fuzzy Systems, International Journal of Advanced Computer Science and Applications, 8(6), pp. 1-10, 2017.

Zhang, Q., Zhou, C., Tian, Y.C., Xiong, N., Qin, Y. & Hu, B., A Fuzzy Probability Bayesian Network Approach for Dynamic Cybersecurity Risk Assessment in Industrial Control Systems, IEEE Transactions on Industrial Informatics, 14(6), pp. 2497-2506, 2017. doi: 10.1109/TII.2017.2768998

Beken, S. & Eminağaoğlu, M., An Information Security Risk Assessment Model Based on Bayesian Network and Fuzzy Inference System, Ege Stratejik Araştırmalar Dergisi, 10(1), pp. 13-33, 2019.

Yu, M., Ding, X., Sun, H., Yu, K. & Zhao, D., Role of Fuzzy Fractional Differential Equation in the Construction of Low Carbon Economy Statistical Evaluation System, Alexandria Engineering Journal, 59(4), pp. 2765-2775, 2020. https://doi.org/10.1016/j.aej.2020.05.031

Alshahrani, H.M., Alotaibi, S.S., Ansari, M.T., Asiri, M.M., Agrawal, A., Khan, R.A., Mohsen, H. & Hilal, A.M., Analysis and Ranking of IT Risk Factors Using Fuzzy TOPSIS-Based Approach, Applied Sciences, 12(12), 5911, 2022. doi: 10.3390/app12125911

Das, P., Illa, M., Pokhariyal, R., Latoria, A. & Saini, D.J., Role of Neural Network, Fuzzy, and IoT In Integrating Artificial Intelligence as a Cyber Security System, in IEEE Second International Conference on Electronics and Renewable Systems (ICEARS), pp. 652-658, 2023.

Abdymanapov, S.A., Muratbekov, M., Altynbek, S. & Barlybayev, A., Fuzzy Expert System of Information Security Risk Assessment on the Example of Analysis Learning Management Systems, IEEE Access, 9, pp. 156556-156565, 2021. doi: 10.1109/ACCESS.2021.3129488

Costa, M.P. & Araujo, E., Fuzzy Financial Fraud Risk Governance System in an Information Technology Environment, in IEEE International Conference on Innovation and Intelligence for Informatics, Computing, and Technologies (3ICT) 2021, pp. 726-732, 2021.

International Organization for Standardization, ISO/IEC 27005:2024, Information security, cybersecurity and privacy protection: Guidance on information security risk management, Geneva: ISO, 2024.

National Institute of Standards and Technology (NIST), Guide for Conducting Risk Assessments (NIST Special Publication 800-30 Rev. 2), Washington (DC): U.S. Department of Commerce, 2022.

European Union Agency for Cybersecurity (ENISA), ENISA Threat Landscape 2024, Athens (GR): ENISA, 2024.

Verizon, 2024 Data Breach Investigations Report, New York (NY): Verizon Enterprise Solutions, 2024.

CERT-EU, CERT-EU Security Advisories (Various Issues), Brussels (BE): Computer Emergency Response Team for the European Union, 2024.

MITRE, MITRE ATT&CK Framework (Version 14), McLean (VA): MITRE Corporation, 2024.

Cybersecurity and Infrastructure Security Agency (CISA), SolarWinds and Related Supply-Chain Compromise: Mitigations (Alert AA24-031A), Washington (DC): U.S. Department of Homeland Security, 2024.

Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), ICS-CERT Monitor: Advisories 2023-2024, Washington (DC): U.S. Department of Homeland Security, 2024.

Olusanya, O.O., Jimoh, R.G., Misra, S. & Awotunde, J.B., A Neuro-Fuzzy Security Risk Assessment System for Software Development Life Cycle, Heliyon, 10(13), 2024. doi: 10.1016/j.heliyon.2024.e33495

José, D.A., Dupski, D.S. & Amilkar, K., Framework for Security Risk Assessment (FSRA) and Fuzzy Risk Inference System (FRIS) Based on Standard ISO/IEC 27002:2022, Revista de Informática Teórica e Aplicada, 31(2), pp. 43-55, 2024.

Published

2025-09-15

How to Cite

Natsheh, E., & Tabook, F. B. (2025). AI-enhanced Cybersecurity Risk Assessment with Multi-Fuzzy Inference. Journal of ICT Research and Applications, 19(1), 1-26. https://doi.org/10.5614/itbj.ict.res.appl.2025.19.1.1