INTEGRATED INFORMATION SECURITY RISK ASSESSMENT BASED ON BAYESIAN NETWORKS AND MATURITY AUDIT
DOI: https://doi.org/10.28925/2663-4023.2026.32.1203
Keywords: information security; cybersecurity; information security risks; cyber risks; information protection; Microsoft Security Assessment Tool (MSAT); GeNIe Modeler software package; Bayesian networks (BN).
Abstract
A fundamental element of any security architecture is risk assessment, which makes it possible to systematize potential threats and predict their impact on the confidentiality, integrity and availability of information assets. This study addresses probabilistic risk modeling with specialized tools, in particular Bayesian networks (BN) and the Microsoft Security Assessment Tool (MSAT). This approach not only visualizes the topology of threats but also mathematically substantiates the cause-and-effect relationships between vulnerabilities and possible losses. The analysis of scientific sources allowed us to systematize existing methods for assessing information security risks, from classic questionnaires to complex mathematical models, including SWOT analysis, the expert method, the normative method, game theory, fuzzy cognitive maps and neural network models. The practical significance of the study lies in the development and testing of a comprehensive methodology for assessing the security of a hypothetical organization. This methodology combines quantitative modeling using the GeNIe Modeler software package with a qualitative audit of the maturity of the security system using the Microsoft Security Assessment Tool. Comparative analysis showed that MSAT is a reliable tool for identifying gaps in compliance and organizational protection, while Bayesian networks provide a deeper quantitative analysis of the criticality of risks and make it possible to model the effectiveness of specific countermeasures. The results of the study have both theoretical and applied significance. The developed models and methodological recommendations were implemented in the educational process when training specialists in the specialty F5 "Cybersecurity and Information Protection" at the Borys Grinchenko Kyiv Metropolitan University. This confirms the feasibility of using combined intelligent systems for making informed decisions in the field of digital infrastructure risk management.
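As an added illustration of the quantitative side described above (not the paper's GeNIe model), the following is a minimal Bayesian network with a constructed countermeasure -> vulnerability -> incident -> loss chain. It computes the loss probability with and without the control (the countermeasure-effectiveness question) and the diagnostic posterior of the vulnerability given an observed loss; all node names and conditional probabilities are assumed for the example.

```python
"""Tiny Bayesian-network risk model: countermeasure -> vulnerability -> incident -> loss."""
from itertools import product

# Each node: (parents, CPT). The CPT maps a tuple of parent values (0/1) to P(node = 1).
# Structure and numbers are constructed for illustration, not taken from the paper.
NETWORK = {
    "countermeasure": ((), {(): 0.5}),                    # prior; set by evidence below
    "vulnerable":     (("countermeasure",), {(0,): 0.60, (1,): 0.20}),
    "incident":       (("vulnerable",),     {(0,): 0.05, (1,): 0.50}),
    "loss":           (("incident",),       {(0,): 0.02, (1,): 0.80}),
}

def joint(assignment):
    """Probability of one full assignment: product of each node's CPT entry."""
    p = 1.0
    for node, (parents, cpt) in NETWORK.items():
        p1 = cpt[tuple(assignment[par] for par in parents)]
        p *= p1 if assignment[node] == 1 else 1.0 - p1
    return p

def query(var, evidence):
    """P(var = 1 | evidence) by exact enumeration over the hidden nodes."""
    hidden = [n for n in NETWORK if n != var and n not in evidence]
    num = den = 0.0
    for val in (0, 1):
        for combo in product((0, 1), repeat=len(hidden)):
            full = dict(evidence, **dict(zip(hidden, combo)), **{var: val})
            p = joint(full)
            den += p
            if val == 1:
                num += p
    return num / den

def countermeasure_effect(impact):
    """Loss probability and expected loss with and without the control in place."""
    without = query("loss", {"countermeasure": 0})
    with_cm = query("loss", {"countermeasure": 1})
    return {"p_loss_without": without, "p_loss_with": with_cm,
            "expected_loss_without": without * impact,
            "expected_loss_with": with_cm * impact}

if __name__ == "__main__":
    print(countermeasure_effect(impact=100_000))
    # Diagnostic direction: a loss occurred with no control; how likely was the
    # vulnerability actually present? This is the inference a questionnaire cannot give.
    print(query("vulnerable", {"loss": 1, "countermeasure": 0}))
```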
Copyright (c) 2026 Світлана Шевченко, Юлія Жданова, Валерія Стороженко, Валерія Рашевська, Володимир Горбач

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.