AUTOMATION OF COGNITIVE MODELING OF INFORMATION SECURITY RISKS: EXPERIENCE OF USING MENTAL MODELER AND FCM EXPERT
DOI:
https://doi.org/10.35546/kntu2078-4481.2026.1.52Keywords:
information security risks, cyber risks, cognitive modeling, fuzzy cognitive maps (FCM), MENTAL MODELER, FCM EXPERTAbstract
A fundamental element of any security architecture is risk assessment. It allows you to systematize potential threats and vulnerabilities, as well as predict the destructive impact on the confidentiality, integrity and availability of information assets, which is critical for the development of effective protection measures. This work pays special attention to the issue of cognitive risk modeling using specialized software tools, in particular, Mental Modeler and FCM Expert solutions, which allow you to visualize and mathematically substantiate complex relationships in protection systems. The analysis of scientific sources conducted in the work allowed to systematize theoretical foundations and existing practical solutions for risk assessment, in particular the use of SWOT analysis, expert assessment methods, game theory apparatus, fuzzy logic, as well as modern machine learning methods and clustering algorithms. It was established that in conditions of high uncertainty and dynamism of cyberspace, fuzzy cognitive maps (Fuzzy Cognitive Maps – FCM) are one of the most promising approaches. They provide a unique opportunity to combine qualitative expert assessment with quantitative analysis methods, allowing to model various scenarios of events for making informed management decisions. The practical significance of the study lies in demonstrating the possibilities of automating modeling processes using Mental Modeler and FCM Expert. The paper describes in detail the developed architecture of the cognitive model of a conditional organization, which covers key threat vectors, technical and organizational vulnerabilities, as well as existing countermeasures. Based on this model, a simulation of a phishing attack scenario was implemented. A comparative analysis of the results obtained in the two software environments allowed us to clearly distinguish their functional roles. It was found that Mental Modeler was effective for the initial structuring of expert knowledge and rapid visualization of qualitative trends and is optimal for the brainstorming stage. At the same time, FCM Expert achieved a deeper mathematical verification of the scenario by calculating the absolute values of system stabilization, reducing the subjectivity of expert assessment. The results of the study are not only theoretical, but also educational. The materials and developed models were successfully tested in the educational process during the teaching of the discipline “Risk Theory” for applicants for the specialty F5 “Cybersecurity and Information Protection”. This confirms the adaptability of the proposed methods for training specialists capable of operating complex analytical tools in conditions of real challenges to digital security.
References
World Economic Forum. (2026). Global cybersecurity outlook 2026: Insight report. https://www.weforum.org/publications/global-cybersecurity-outlook-2026/
UK Government. (2025). Cyber security breaches survey 2025. https://www.gov.uk/government/statistics/cybersecurity-breaches-survey-2025/cyber-security-breaches-survey-20254
Shevchenko, S., Zhdanova, Y., Shevchenko, H., Nehodenko, O., & Spasiteleva, S. (2023). Information security risk management using cognitive modeling. In Cybersecurity Providing in Information and Telecommunication Systems (Vol. 3550, pp. 297–305). https://ceur-ws.org/Vol-3550/short15.pdf
Felix, G., Napoles Ruiz, G., Falcon, R., Froelich, W., Vanhoof, K., & Bello, R. (2017). A review on methods and software for fuzzy cognitive maps. Artificial Intelligence Review, 52(3), 1707–1737. https://doi.org/10.1007/s10462-017-9575-1
Карпович, І., Гладка, О., & Бухало, Ю. (2021). Технології моделювання і оцінки ризиків інформаційної безпеки. Технічні науки та технології, 1(23), 62–68. https://doi.org/10.25140/2411-5363-2021-1(23)-62-68
Шевченко, С. М., Жданова, Ю. Д., Спасітєлєва, С. О., & Складанний, П. М. (2020). Проведення SWOT-аналізу оцінювання інформаційних ризиків як засіб формування практичних навичок студентів спеціальності 125 Кібербезпека. Кібербезпека: освіта, наука, техніка, 2(10), 158–168. https://doi.org/10.28925/2663-4023.2020.10.158168
Shevchenko, H., Shevchenko, S., Zhdanova, Y., Spasiteleva, S., & Nehodenko, O. (2021). Information security risk analysis SWOT. In Cybersecurity Providing in Information and Telecommunication Systems (Vol. 2923, pp. 309–317). http://ceur-ws.org/Vol-2923/paper34.pdf
Дзюба, Л., & Чмир, О. (2022). Оцінювання ризиків інформаційної безпеки з використанням методів математичної статистики. Вісник Львівського державного університету безпеки життєдіяльності, 26, 47–54. https://doi.org/10.32447/20784643.26.2022.06
Шевченко, С. М., Жданова, Ю. Д., & Кравчук, К. В. (2021). Модель захисту інформації на основі оцінки ризиків інформаційної безпеки для малого та середнього бізнесу. Кібербезпека: освіта, наука, техніка, 2(14), 158–175. https://doi.org/10.28925/2663-4023.2021.14.158175
Шевченко, С., Жданова, Ю., & Кія, О. (2025). Напівавтоматизований інструмент багатостандартної оцінки кіберзрілості організації на основі NIST CSF 2.0, ISO/IEC 27001:2022, COBIT 2019 та CIS Controls v8. Кібербезпека: освіта, наука, техніка, 3(31), 43–60. https://doi.org/10.28925/2663-4023.2025.31.1004
Палко, Д., & Мирутенко, Л. (2024). Метод комплексної оцінки ризиків кібербезпеки в розподілених інформаційних системах. Кібербезпека: освіта, наука, техніка, 2(26), 487–502. https://doi.org/10.28925/2663-4023.2024.26.731
Barlybayev, A., Sharipbay, A., Shakhmetova, G., & Zhumadillayeva, A. (2024). Development of a flexible information security risk model using machine learning methods and ontologies. Applied Sciences, 14(21), 9858. https://doi.org/10.3390/app14219858
Bebeshko, B., Malyukov, V., Lakhno, M., Skladannyi, P., Sokolov, V., Shevchenko, S., & Zhumadilova, M. (2022). Application of game theory, fuzzy logic and neural networks for assessing risks and forecasting rates of digital currency. Journal of Theoretical and Applied Information Technology, 100(24), 7390–7404.
Alkhalil, Z., Hewage, C., Nawaf, L., & Khan, I. (2021). Phishing attacks: A recent comprehensive study and a new anatomy. Frontiers in Computer Science, 3, 563060. https://doi.org/10.3389/fcomp.2021.563060
Stylios, C. D., & Groumpos, P. P. (2004). Modeling complex systems using fuzzy cognitive maps. IEEE Transactions on Systems, Man, and Cybernetics – Part A: Systems and Humans, 34(1), 155–162.
Shevchenko, S., Zhdanova, Y., Kryvytska, O., Shevchenko, H., & Spasiteleva, S. (2024). Fuzzy cognitive mapping as a scenario approach for information security risk analysis. In Cybersecurity Providing in Information and Telecommunication Systems II (Vol. 3826, pp. 356–362). https://ceur-ws.org/Vol-3826/short28.pdf
Шевченко, С., Жданова, Ю., Складанний, П., & Петренко, Т. (2024). Нечіткі когнітивні карти як інструмент візуалізації сценаріїв реагування на інциденти в системах безпеки. Кібербезпека: освіта, наука, техніка, 26(2), 419–429. https://doi.org/10.28925/2663-4023.2024.26.707
Шевченко, С. М., Жданова, Ю. Д., & Гаркушенко, А. М. (2025). Когнітивне моделювання сценаріїв для прогнозування кіберризиків. In Technical, agricultural and mathematical sciences: scientific trends, problems and ways of their development: collective monograph. Boston: Primedia eLaunch. (Рp. 178–196) https://isg-konf.com/uk/informationtechnologies-engineering-transport-and-construction-the-latest-technologies-in-the-development-of-sciences/
Soner, O. (2025). Modeling and analyzing cybersecurity risk propagation in ports using fuzzy cognitive maps: System sensitivity to key threat factors. Ocean & Coastal Management, 270, 107857. https://doi.org/10.1016/j.ocecoaman.2025.107857
Papageorgiou, E. I., & Salmeron, J. L. (2012). A review of fuzzy cognitive maps research during the last decade. IEEE Transactions on Fuzzy Systems, 21(1), 66–79.
Kostiuk, Y., Skladannyi, P., Samoilenko, Y., Khorolska, K., Bebeshko, B., & Sokolov, V. (2025). A system for assessing the interdependencies of information system agents in information security risk management using cognitive maps. In Cyber Hygiene & Conflict Management in Global Information Networks 2024 (Vol. 3925, pp. 249–264).
Nápoles, G., et al. (2018). FCM expert: Software tool for scenario analysis and pattern classification based on fuzzy cognitive maps. International Journal on Artificial Intelligence Tools, 27(7), 1860010.
Gray, S. A., et al. (2015). Using fuzzy cognitive mapping as a participatory approach to analyze Change, Preferred States, and Perceived Resilience of Social-Ecological Systems, Ecology and Society, 20(2).
