FUZZY MODEL FOR EVALUATING INFORMATION SECURITY PARAMETERS OF INFORMATION SYSTEMS UNDER INCOMPLETE AND QUALITATIVE DATA: CONSTRUCTION METHODOLOGY, RULE BASE TUNING, AND DEMONSTRATION CASE FOR ORGANIZATIONS.
DOI:
https://doi.org/10.54309/IJICT.2026.26.2.018Abstract
Abstract. The paper proposes an interpretable fuzzy model for evaluating information security parameters of information systems under conditions of incomplete observations, heterogeneity of sources, and the prevalence of qualitative descriptions. The model is oriented toward the practice of regular management control in organizations of the Republic of Kazakhstan, including the public sector, financial, and educational institutions. The core idea is the separation of observed indicators (technical, organizational, and human factors) from latent security parameters related to confidentiality, integrity, and availability. A Mamdani fuzzy inference mechanism, accounting for rule weights and membership discounting during data gaps, is applied to transition from fuzzy observations to numerical estimates. The input vector includes 11 features: vulnerability and patch management, segmentation, privilege management, IDS coverage, SIEM correlation maturity, backup and recovery, endpoint protection, configuration and change management, incident response, the human factor, and an explicit indicator of observability and data quality. Linguistic variables and membership functions on a normalized scale are presented, along with rule base construction principles and tuning methods: the Delphi expert procedure, quantitative elimination of contradictions, rule weight optimization based on calibration data, and sensitivity analysis. Model quality is assessed by expert consensus (Kendall's coefficient), resilience to noise and gaps (Monte Carlo, coefficient of variation), and practical validity compared to incident data and independent audits of the information security management system. A demonstration case was conducted for a typical public sector organization with a distributed branch network, showing how qualitative observations and incomplete telemetry are transformed into numerical security parameters and risk levels, and how sensitivity analysis guides the prioritization of measures. Limitations and development prospects are discussed, including integration with Zero Trust architecture and the use of multimodal AI to combine logs, network flows, and binary artifacts visualized via the Byte2Image approach.
Downloads
Downloads
Published
How to Cite
Issue
Section
License
Copyright (c) 2026 INTERNATIONAL JOURNAL OF INFORMATION AND COMMUNICATION TECHNOLOGIES

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
https://creativecommons.org/licenses/by-nc-nd/3.0/deed.en