Modelling of Fuzzy Expert System for an Assessment of Security Information Management System UIS (University Information System)

Abstract: Several methodologies based on the international standard ISO/IEC 27001 have been developed for modelling information security management systems within higher education. This paper transformed the ISO/IEC 27001 standard into a questionnaire, which was sent digitally to about 100 universities in Bosnia and Herzegovina, the EU, Norway and the USA. The questions are arranged by levels, and each level has a numerical weight derived from the individual questions within it. The questions are answered with Yes or No and are thus reduced to binary variables. The rules necessary for the functioning of the system have been calculated. The fuzzy logic method represents a new approach to the problems of managing complex systems, which are very difficult to describe with an exact mathematical model, as well as systems with a large number of inputs and outputs whose interactions are unclear. Risk assessment is a major part of the ISMS process. Traditional risk calculation models are based on the application of probability and classical set theory. Here, we have converted the risk assessment into a system rating of 5 to 10 numerically, or from five to ten descriptively. We perform fuzzy optimization by finding the values of the input parameters of a complex simulated system that produce the desired output. We use the fuzzy logic controller to execute fuzzy inference rules from the fuzzy rule database in determining congestion parameters, obtaining warning information and the appropriate action. To simulate an advanced system that evaluates the protection quality of such a system with fuzzy logic, we use MATLAB. The paper combines an original program written in Visual Basic with MATLAB's Fuzzy Logic Toolbox to solve the complex problem of assessing compliance with the ISO/IEC 27001 standard, one of the main standards for modelling information system security.
University information systems were used as the test case, but the approach is also applicable to all other information systems. The evaluation has been done for several universities and it has been shown that the system evaluates correctly, but these universities cannot be publicly named. Fuzzy logic has not previously been applied in this way to such systems, and that is the originality of this work.


INTRODUCTION
The need for information security management has become not only a part of the legal obligations of business entities but also a question of the general long-term and stable functioning of each organization. Information has become the most sought-after "commodity" on the market, due to the dominant electronic form of information processing, transmission and storage [1].
Every organization aims to convince its clients and business partners that information is handled responsibly and that it is used professionally and safely. No one wants to work with a company that does not give the impression of a trusted partner, and this is only possible if you show that you always take care of what you have at your disposal.
Risk assessment is one of the most critical steps in the implementation of an ISMS, not only because the result of the risk assessment is the basis for planning and conducting the necessary controls, but also because of the procedure and methodology of conducting the assessment. To approach the risk assessment, the consultants and the company's employees must be well aware of the mechanisms and relations by which information security is endangered. This paper is based on an unusual use of intelligent methods, because it applies them to an area in which research generally does not use them. The ISO/IEC 27001 [2] standard, which deals with the information security system, has been fully translated into a large number of questions that are answered with yes or no. The security system is divided into five levels, each with its own weight arising from the number and importance of the decisions within that level. To examine the system, a questionnaire was made with all the questions and additional questions related to the quality of the information system. The University Information System was chosen as the target system because it is open, unlike the systems of banks, ministries, insurance companies, health care, etc., which makes an assessment possible. The concept of fuzzy logic is very popular in traditional sectors such as engineering, medicine, the stock exchange, aircraft control, weather forecasting and other decision-making areas both inside and outside the IT industry. The ISO/IEC 27001 standard is a very complex standard and its full application gives high results in reducing the risk of using such information systems. It uses many variables that are not easy to simplify while still obtaining an accurate result, and this simplification is usually done in the traditional way.
The standard lists the specific requirements that are important when establishing, implementing, monitoring, reviewing, maintaining and improving an information security management system. It is intended for security requirements of a general character, does not consider the specific security requirements of organizations of the same type, and can be applied to businesses of various types and sizes [3]. Fuzzy logic is used to help create the models used in the assessment of information security management systems, because fuzzy logic also helps to create an approach based on the model used in the law itself [4]. At the end of this paper, the model is presented together with the assessment of information security systems. The process of reasoning and decision making is very easy to explain and understand. The paper arose from the need to turn a complex standard for information security systems into a decision-making mechanism [5].
The rest of the paper is organized as follows: Section 2 provides an overview of related work. Section 3 presents the design methodology together with the design of the linguistic variables (Subsection 3.1) and the design of the fuzzy rules (Subsection 3.2). Section 4 concludes the paper, and references are given at the end of the paper.

RELATED WORKS
The word Fuzzy is of English origin and denotes something vague and blurred. Professor L. A. Zadeh of the University of California, Berkeley, USA, created the fuzzy logic concept in 1964 and presented it in his first article "Fuzzy sets", published in 1965 [6]. E. Mamdani built the first fuzzy controller in the 1970s in the UK. The Mamdani system was extremely reliable and based on a qualitatively new way of control. The great reliability of such a model has been proven, so it was used in all concepts of designing and implementing algorithms with fuzzy logic. Fuzzy logic also helps solve a variety of real problems by using the fuzzy system as a fuzzy data management system. J. M. Mendel showed that a fuzzy logic system is a nonlinear mapping of an input data vector into a scalar output [7]. Davidson and Hayward in 2003 pointed to the different rules used in FIS systems of such logic [8].
The initiative for the widespread use of fuzzy logic as an engineering tool originated in Japan. Professors Toshiro Terano of the Tokyo Institute of Technology and Kiyoji Asai of Osaka are considered the pioneers of fuzzy technology in Japan [9]. In 1995, the Japanese government funded projects with 50 large companies within the International Laboratory for Fuzzy Engineering (LIFE). Professor Bart Kosko of the University of Southern California is one of the pioneers of fuzzy technology in the United States [10].
People change and adapt to their environment throughout their lives. In his famous work "Human Knowledge", the English philosopher Bertrand Russell explains the ambiguity of the meaning of the word red. The outstanding British physicist, chemist and philosopher Michael Polanyi, in his book "Personal Knowledge", also studies the possibilities and limits of human knowledge. We cannot represent the rules of riding a bicycle mathematically, because balance has to be established first. The system is then learned, and this is where fuzzy logic, and in more recent times neural networks, are distinctive. Today, fuzzy technologies are represented all over the world, but mostly in the USA, China, Canada, Germany, France, Japan and South Korea, and also in Russia.
The perception of the world around us is interwoven with concepts that are not completely clear, that is, they do not have clearly defined boundaries. Terms such as very high, much bigger, low, heavy, etc. are correct to some extent, but are also inaccurate to some extent. Terms expressed in this way cannot be converted into binary states [11].
Such terms are said to be fuzzy or imprecise. Natural languages, which are at a much higher level than programming languages, are fuzzy, while programming languages are not. A set is any well-defined collection of objects. An object in the set is called an element or member of that set. Classical set theory starts from the position that an element x of the observed universal set X either belongs or does not belong to a concrete set A. If the elements a_i (i = 1, 2, 3, …, n) form the set A, a subset of the universal set X, then A can be represented for all elements x ∈ X by its characteristic function, as in Eq. (1).
A set A is thus fully described by a function called its characteristic function.
The Fuzzy Inference System (FIS) is the main tool for anyone applying a fuzzy-logic decision-making system. To implement this system in MATLAB, we use the Fuzzy Logic Toolbox, which transforms multiple independent input variables into a single output. The FIS itself contains many rules based on "if-then" conditions. These rules are easy to learn and can be applied to any fuzzy system with many inputs. Three common inference systems are known: 1. Mamdani fuzzy models, 2. Sugeno fuzzy models and 3. Tsukamoto fuzzy models [12].
In this paper, we use the Mamdani fuzzy model, because it is the best model for this type of fuzzification. Previous authors studied the Mamdani-type inference system, whose great advantage is that intuition can be built into the system. In this way, the operation of the system is much closer to human thinking. However, the result of a conventional Mamdani-type evaluation is a membership function of complex shape, whose defuzzification is a computationally intensive task [13].
Mamdani is intuitive, well-suited to human input, has a more understandable rule base and is widely accepted. Sugeno is not rule-based, works well with PID controllers and adaptive techniques, and is better suited to mathematical analysis [14].
Fuzzy logic is also an extension of Boolean logic that introduces partial truth. In classical logic, binary or mathematical terms are used for the degree of truth; for the same problem, fuzzy logic can be used or both theories combined [15]. Plato was the first to touch on the idea of fuzzy logic in relation to Boolean logic [16]. Lotfi Zadeh indicated that fuzzy theory could be used for any kind of problem.

DESIGN METHODOLOGY
Most of the cited papers analyze the issues from the perspective of technical and organizational solutions that maximize the availability of the information resources of business systems and their impact on business results. Some of the authors analyzed certain information security policies and standards for smaller business domain segments. Fuzzy logic was used to identify and assess operational risk management according to ISO/IEC 27001:2013 [17]. In his paper, Harmanjit Singh [18] dealt with fuzzy logic for predicting voting results and the quality of candidates for elections. No one has dealt with the evaluation of information security management systems of educational institutions, and especially not in the way presented in this paper. In this fuzzy system, five parameters are used as linguistic variables that affect the grade for the UIS (University Information System). Levels are built from grouped questions and answers. The arguments taken for this research are:
Level 1: Level of direct decision on information security management
Level 2: Level of management based on defined security procedures
Level 3: Level of measurable aspects of information security management
Level 4: Level of optimal information security management
Level 5: Level of strategic information security management
All of these input variables affect the rating of the overall evaluation system and are also part of the system used to predict the rating for the UIS, in the case of public opinion.
To create a reference model of information security management within higher education, the basic elements of the model were initially determined at all levels. In determining the basic elements of the reference model, it was important to include all aspects concerning the identified levels, which correspond to the complexity of the applied measures. The elements of the model represent, directly or indirectly, the achieved level of development and functioning of information security management within higher education. Based on these elements, which are grouped into five different levels of functioning, research will be conducted on the achieved level of development and functioning of information security management at each of the surveyed universities. Definition 1. Let X be a domain. A fuzzy set A on the domain X is characterized by its membership function, as in Eq. (2).

 
In this way, every element x ∈ X has a degree of belonging to the fuzzy set A. At Level 1 we see that Level 1.2 is more important than Level 1.1 and Level 1.3. If we treat the numerical weight of each sub-level like the place value of a digit in the binary system, then we can convert the whole level into a weight number that best describes the use of any of the levels, and so give adequate inputs for the FIS (fuzzy inference system). A special program was created in Visual Basic to determine the numerical weights for the individual levels.
From that program, subroutines can be called to calculate the levels and prepare them as input, and MATLAB commands for the FIS can also be called from it. This prepares the values of the input variables as in Fig. 1.
The program in Fig. 1 contains pre-defined subroutines for each level of the information security management system within higher education. We show only the program for Level 1, because the other programs are similar, only with more questions and thus more checkboxes; these are set by weight and make up the numerical value of the whole level and its impact on the complete system. Fig. 2 shows the program for Level 1, which is the simplest because it contains three checkboxes, one per sub-level; each checkbox has its own weight, so that when it is ticked it contributes the binary place value of that weight to the level's number and thus affects the system. The more items are ticked, the higher the number and therefore the better the score, because more of the set conditions are met. The numerical weight for Level 1 is n1.
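The binary weighting of a level described above, written out as an added Python example (it is not the paper's Visual Basic program). The example assumes that each sub-level of a level is one Yes/No checkbox, that every sub-level carries a distinct rank fixing its bit position (higher rank means more important, so Level 1.2 gets the highest rank), and that the resulting weight is scaled linearly onto the paper's 5 to 10 grade range so it can serve as an input to the fuzzy inference system; the Level 1 answers are constructed.

```python
"""Binary-weighted scoring of one questionnaire level.

Added example, not the paper's Visual Basic program. Assumptions: every
sub-level of a level is one Yes/No checkbox; each sub-level carries a distinct
rank that fixes its bit position (higher rank = more important, so Level 1.2
gets the highest rank); the raw weight is scaled linearly onto the paper's
5..10 grade range to serve as an input to the fuzzy inference system.
"""

from dataclasses import dataclass


def parse_answer(text):
    """Map a questionnaire answer to a boolean; anything but Yes/No is rejected."""
    normalised = text.strip().lower()
    if normalised in ("yes", "y"):
        return True
    if normalised in ("no", "n"):
        return False
    raise ValueError(f"not a Yes/No answer: {text!r}")


@dataclass(frozen=True)
class SubLevel:
    name: str
    rank: int        # bit position of this sub-level in the level's weight number
    answered: bool   # True = Yes


def _check_ranks(sublevels):
    ranks = [s.rank for s in sublevels]
    if not ranks:
        raise ValueError("a level needs at least one sub-level")
    if len(set(ranks)) != len(ranks) or min(ranks) < 0:
        raise ValueError("sub-level ranks must be distinct non-negative integers")


def level_weight(sublevels):
    """Raw weight: each Yes contributes 2**rank, like a digit's place value in binary."""
    _check_ranks(sublevels)
    return sum(1 << s.rank for s in sublevels if s.answered)


def max_level_weight(sublevels):
    """Weight when every sub-level is answered Yes (all bits set)."""
    _check_ranks(sublevels)
    return sum(1 << s.rank for s in sublevels)


def level_grade(sublevels, lo=5.0, hi=10.0):
    """Scale the raw weight linearly onto the lo..hi grade range (5..10 in the paper)."""
    return lo + (hi - lo) * level_weight(sublevels) / max_level_weight(sublevels)


def build_level(question_answers):
    """question_answers: list of (name, rank, answer text) as it would come from the survey."""
    return [SubLevel(name, rank, parse_answer(ans)) for name, rank, ans in question_answers]


# Constructed Level 1: three sub-levels; the paper states Level 1.2 outweighs 1.1 and 1.3.
LEVEL1_ANSWERS = [
    ("Level 1.1", 1, "Yes"),
    ("Level 1.2", 2, "Yes"),
    ("Level 1.3", 0, "No"),
]
LEVEL1 = build_level(LEVEL1_ANSWERS)


def grade_all_levels(levels):
    """levels: dict name -> list[SubLevel]; returns the FIS input grade per level."""
    return {name: round(level_grade(subs), 3) for name, subs in levels.items()}


if __name__ == "__main__":
    print("Level 1 weight:", level_weight(LEVEL1), "of", max_level_weight(LEVEL1))
    print("FIS inputs:", grade_all_levels({"Level 1": LEVEL1}))
```

With the constructed answers, Level 1.1 and 1.2 ticked and 1.3 unticked give the binary number 110, i.e. 6 of a possible 7, which scales to a grade of about 9.29. Ranks are validated so that two sub-levels can never share a bit position, since that would silently double-count one of them.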

Design of the Linguistic Variables
In this fuzzy system, the five parameters (Level 1, 2, 3, 4, 5) are the input variables and derive from the ISO/IEC 27001 standard, which has been converted into a huge number of questions. The system evaluation is the output variable. For ease of calculation, all input variables are reduced to grades from five to ten. All of these input variables affect the evaluation of the university information system. Fig. 3 shows the fuzzy expert system created for this problem and its input and output variables. In this phase, the fuzzy rules are selected; their number and form depend on the quality of the available information. This is the key phase of the method. By applying these rules, the crisp (explicit) values of all input variables are associated with as many values of the membership functions of each output variable as there are selected rules [18].
In the aggregation phase, the membership function values obtained in the previous phase are combined for each output variable, so that each output variable receives one fuzzy set with defined membership functions. Aggregation is the step in which the outputs of all rules are unified by joining the parallel threads. It is only a matter of taking all the fuzzy sets that represent the output of each rule and combining them into a single fuzzy set in preparation for the final step, defuzzification. Aggregation occurs only once for each output variable [19,20]. The fuzzifier converts the crisp value into a degree of membership by applying the appropriate membership function. The membership function determines with what certainty the crisp value is associated with the corresponding linguistic value.
The fuzzification process takes place in the following three steps: 1. the value of the input quantity is measured to obtain a crisp input; 2. scaling of the input quantity to its domain is applied; 3. the input membership functions are applied, by which the domain of action is converted into fuzzy sets with certain labels, and in this way the fuzzy inputs are obtained.
The membership function is the curve that maps points (individual measurements) of the input vector to the corresponding value in the interval from 0 to Max.
Membership functions can take many forms. Some of the most commonly used shapes are the triangular, trapezoidal and Gaussian curves (Fig. 4). The built-in Gaussian membership function gaussmf is used to define the variables. The weight is calculated by Eq. (4), where the first parameter is σ = 3.567 for mf2 in Fig. 4 and the second parameter is the value of x at which the Gaussian curve for mf2 is maximal. Membership values are computed for each input value x. We used the same function for every membership function of the input and output variables, differing only in the parameter values, rather than a different function for each membership function.

Design of the Fuzzy Rules
The fuzzy inference rules describe the behaviour of the system, i.e. the interdependence of fuzzy sets of different descriptive variables. Although the fuzzy rules seem to be free language forms, they have a limited set of language expressions and strict syntax.
The language of the rules is very simple. Each rule has the form IF x = A_i, ..., and y = B_i, THEN z = C_i, i = 1, 2, ..., n. This example rule represents the general form, with an arbitrary number of causes and consequences [19]. The most commonly used fuzzy inference techniques are Mamdani and Sugeno. The Mamdani fuzzy inference process takes place in four steps: fuzzification of the input variables, evaluation of the rules, aggregation of the outputs, and defuzzification. Mamdani's reasoning style requires finding the centroid of a two-dimensional shape by integrating a continuously varying function, or alternatively its bisector. The bisector method finds the vertical line that divides the fuzzy set into two sub-regions of equal area; this sometimes, but not always, coincides with the centroid line.
The Mamdani fuzzy system is a simple rule-based method that does not require complicated calculations and can apply if-then rules to control the system.
To find the optimal number of rules, a special program in Visual Basic was used to determine the rules. Using one sheet box and one text file for data output, a program was created that generates rules based on five inputs and one output, grading with an output score of 5 to 10. After that, the minimum number of rules that still gives an approximately correct result is selected for use in the system.
In this way, 1084 rules were found, and further analysis reduced them to the 284 rules that give a good enough result, shown in Fig. 5.

Figure 5 Fuzzy rules
The Rule Viewer displays a roadmap of the whole fuzzy inference process, as in Fig. 6. It shows a single figure window with six small plots [19]. The output membership function is a variable that has five levels: Five, Six, Eight, Nine and Ten, as in Fig. 7. For the numeric value 6, fuzzy membership gives Six. It is up to the evaluation commission to decide whether this is a good result or whether the system needs to be improved. Fig. 8 displays the control surface generated by the fuzzy system. Upon opening the Surface Viewer, a three-dimensional curve is displayed representing the mapping from Level 3 and Level 4 to Evaluation 1. Two-input single-output systems also work well, as they generate three-dimensional plots that MATLAB can handle adeptly. When we move above three dimensions, we start to encounter problems with displaying the results. Accordingly, the Surface Viewer is equipped with pop-up menus that let you select any two inputs and any output for plotting. Just below the pop-up menus are two text input fields that let you determine how many x-axis and y-axis gridlines to include. This allows you to keep the calculation time reasonable for complex problems. To change the x-axis or y-axis grid after the surface is in view, simply change the appropriate text field and click on either X-grids or Y-grids, according to which text field you changed, to redraw the plot [20].
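The Mamdani pipeline that Subsections 3.1 and 3.2 describe (Gaussian fuzzification, rule evaluation with min, max aggregation, and centroid or bisector defuzzification) as an added Python example that is not the paper's MATLAB FIS. It uses two of the paper's five inputs, Level 3 and Level 4, as in the Surface Viewer plot, and the Evaluation output on the 5 to 10 scale with the paper's five output terms (Five, Six, Eight, Nine, Ten). The rule table, the term centres and the σ values are constructed assumptions, not the paper's 284 rules; the function gaussmf mirrors the MATLAB function of the same name.

```python
"""Mamdani inference with Gaussian membership functions and two defuzzifiers.

Added example, not the paper's MATLAB FIS. It reproduces the pipeline the
paper describes (fuzzification, rule evaluation with min, max aggregation,
centroid or bisector defuzzification) for two of the paper's five inputs
(Level 3 and Level 4) and the Evaluation output on the 5..10 scale. The
rule table, the term centres and the sigma values are constructed
assumptions; only the variable ranges and the five output term names
(Five, Six, Eight, Nine, Ten) come from the paper.
"""

import math

LO, HI = 5.0, 10.0
STEP = 0.05
UNIVERSE = [LO + STEP * i for i in range(int(round((HI - LO) / STEP)) + 1)]


def gaussmf(x, sigma, c):
    """MATLAB-style Gaussian membership function exp(-(x-c)^2 / (2 sigma^2))."""
    return math.exp(-((x - c) ** 2) / (2.0 * sigma ** 2))


# Linguistic terms per variable: name -> (sigma, centre). Constructed values.
LEVEL_TERMS = {"low": (1.0, LO), "medium": (1.0, 7.5), "high": (1.0, HI)}
EVAL_TERMS = {"Five": (0.6, 5.0), "Six": (0.6, 6.0), "Eight": (0.6, 8.0),
              "Nine": (0.6, 9.0), "Ten": (0.6, 10.0)}

# Constructed rule base: (Level 3 term, Level 4 term) -> Evaluation term.
RULES = [
    (("low", "low"), "Five"),
    (("low", "medium"), "Six"),
    (("medium", "low"), "Six"),
    (("low", "high"), "Eight"),
    (("high", "low"), "Eight"),
    (("medium", "medium"), "Eight"),
    (("medium", "high"), "Nine"),
    (("high", "medium"), "Nine"),
    (("high", "high"), "Ten"),
]


def fuzzify(x, terms):
    """Crisp value -> membership degree of every linguistic term (clamped to the universe)."""
    x = max(LO, min(HI, x))
    return {name: gaussmf(x, s, c) for name, (s, c) in terms.items()}


def mamdani(level3, level4):
    """Return the aggregated output fuzzy set over UNIVERSE and each rule's firing strength."""
    l3, l4 = fuzzify(level3, LEVEL_TERMS), fuzzify(level4, LEVEL_TERMS)
    aggregated = [0.0] * len(UNIVERSE)
    strengths = {}
    for (t3, t4), out in RULES:
        w = min(l3[t3], l4[t4])                 # rule antecedent: AND as min
        strengths[(t3, t4, out)] = w
        s, c = EVAL_TERMS[out]
        for i, y in enumerate(UNIVERSE):        # implication clips the consequent at w,
            aggregated[i] = max(aggregated[i], min(w, gaussmf(y, s, c)))  # aggregation = max
    return aggregated, strengths


def centroid(aggregated):
    """Centre of area of the aggregated set (MATLAB 'centroid' defuzzification)."""
    area = sum(aggregated)
    return sum(y * m for y, m in zip(UNIVERSE, aggregated)) / area if area else float("nan")


def bisector(aggregated):
    """Vertical line splitting the aggregated area into two equal halves (MATLAB 'bisector')."""
    area = sum(aggregated)
    if not area:
        return float("nan")
    running = 0.0
    for y, m in zip(UNIVERSE, aggregated):
        running += m
        if running >= area / 2.0:
            return y
    return UNIVERSE[-1]


def evaluate(level3, level4, method="centroid"):
    """Crisp Evaluation grade for the two level grades, by the chosen defuzzifier."""
    aggregated, _ = mamdani(level3, level4)
    return centroid(aggregated) if method == "centroid" else bisector(aggregated)


def linguistic_label(score):
    """Map a crisp score back to the output term with the highest membership."""
    return max(EVAL_TERMS, key=lambda name: gaussmf(score, *EVAL_TERMS[name]))


if __name__ == "__main__":
    for l3, l4 in ((5.0, 5.0), (7.5, 7.5), (10.0, 10.0), (6.0, 9.0)):
        score = evaluate(l3, l4)
        print(f"Level 3={l3}, Level 4={l4} -> {score:.2f} ({linguistic_label(score)}), "
              f"bisector {evaluate(l3, l4, 'bisector'):.2f}")
```

Because the output terms Five and Ten sit at the ends of the universe, only half of their Gaussian lies inside it, so the centroid of a fully fired Ten rule is pulled below 10 even when both inputs are at the maximum; the same boundary effect appears in MATLAB's Surface Viewer and is one reason the paper leaves the final judgement on a borderline score to the commission.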

CONCLUSION
This fuzzy system for evaluating the quality of the security management system of the University Information System, discussed in this paper, is not the end of the analysis of such systems. We were able to design a system that can be used to assess the security risk associated with the application of the ISO/IEC 27001 standard. This will help University Information Systems meet the standard's requirements. The technique for evaluating the security management of the University Information System was presented. This study also found that if each of the security levels can be raised to its maximum, then the overall security level would be increased and the associated risk eliminated.
Fuzzy logic has particularly shown its strength in evaluating systems and decision-making processes. This paper presents its application in risk management of the use of University Information Systems. In the paper itself, the correctness of such a system has been proven by several examples. The main disadvantage of applying fuzzy logic is a large number of rules. They can be reduced by applying some of the reduction techniques without affecting the accuracy of the system.
Converting a single standard such as ISO/IEC 27001 into a fuzzy expert system is a process that requires the application of the entire standard, then fuzzification, and then giving a correct assessment of the system. By applying techniques such as FMEA analysis, it is possible to indicate and write down the appropriate corrective measures that need to be performed for the system to be repaired, but that is the subject of new research. The research presented here successfully integrates alternative presentation and analysis techniques and gives an exact evaluation of the risk for managing the security of the University Information System.
Researchers may find it attractive to compare the performance of a fuzzy rule-based advanced system with other metaheuristics (e.g. artificial neural networks, genetic algorithms and fuzzy neural networks) or regular statistical methods (linear/nonlinear regression). Of special interest would be testing whether the fuzzy rule-based approach has any advantage in dealing with the evaluation of information security management systems.