Sergey Glushenko – Assistant Professor, Department of Economic Informatics and Automation of Management, Rostov State Economic University.  
Address: 69, Bolshaya Sadovaya str., Rostov-on-Don, 344002, Russian Federation.
E-mail: www.555.sergey@mail.ru

The article explains the importance of the application of risk analysis in the management system of information security (IS), and studies the most widespread methods of risk assessment NIST and CRAMM, as well as settles the limitations and drawbacks of these approaches. Risk assessment of a company’s information security is proposed to be carried out by using the theory of fuzzy logic. Application of fuzzy models allows taking into account both quantitative and qualitative characteristics, as well as represent fuzzy descriptions using fuzzy sets and linguistic variables. The proposed methodology has been the basis for developing a fuzzy production model (FPM), which identifies seven input linguistic variables characterizing risk factors, and four output linguistic variables characterizing the risks of different areas of information security. The model contains four rule bases and allows linguistic analysis of information security risks of the organization. FPM allows removing restrictions on the number of input variables taken into account and integrating both qualitative and quantitative approaches to risk assessment.
Implementation of the rule base fuzzy modeling process is carried out by applying specialized package Fuzzy Logic Toolbox from software MATLAB. The mechanism for obtaining risk assessments based on the Mamdani algorithm allows obtaining the numerical value of risk, linguistic description of risk, as well as expert’s level of confidence in the occurrence of a risk event. The simulation results can be used by IT- managers for identifying risks priorities (very high, high, medium, low, very low), and selecting an action plan to reduce the impact of the most dangerous threats to the organization’s information security.