Information Security Risk Assessment Model Based on Computing with Words

  • Oleg Tymchuk
  • Maryna Iepik
  • Artyom Sivyakov
Keywords: risk, risk assessment, risk factor, information security, IT service, discrete interval type-2 fuzzy set, computing with words


The basis for company IT infrastructure security is information security risks assessment of IT services. The increased complexity, connectivity and rapid changes occurring in IT services make it impossible to apply traditional models of quantitative/qualitative risk assessment. Existing quantitative assessment models are time-consuming, at the same time, qualitative assessment models do not take into account the subjective expert assessments and the uncertainty of risk factors. This paper presents the new information security risk assessment model for IT services based on computing with words. The model methodology is based on OWASP risk rating methodology for web applications. To evaluate risk factors, it is proposed to use dictionary consisting of 16/32 granular terms (words). Problems of uncertainty in perceptual assessments of risk factors are taken into account using methods of the theory of discrete interval type-2 fuzzy sets and systems.


Wangen, G.: An initial insight into Information Security Risk Assessment practices. In: 2016 Federated Conference on Computer Science and Information Systems (FedCSIS), vol. 8, pp. 999–1008. IEEE, Gdansk, Poland (2016).

Lee, M.-C.: Information Security Risk Analysis Methods and Research Trends: AHP and Fuzzy Comprehensive Method. International Journal of Computer Science & Information Technology (IJCSIT), 6 (1), 29-45 (2014).

OWASP Risk Rating Methodology. (2017). [Online; accessed 05-May-2017]

Common Vulnerability Scoring System. (2017). [Online; accessed 05-May-2017]

Caralli, R.A., Stevens, J.F., Young, L.R. and Wilson, W.R.: Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process. Tech. report CMU. Software Engineering Institute (2007).

ISO/IEC 27005:2011: Information Technology, Security Techniques, Information Security Risk Management. 2nd edn. (2011).

Song, Y., Shen, Y., Zhang, G. and Hu, Y.: The information security risk assessment model based on GA - BP. In: 2016 7th IEEE International Conference on Software Engineering and Service Science (ICSESS), pp. 119-122. IEEE, Beijing, China (2016).

Wang, J., Fan, K., Mo, W., Xu, D.: A Method for Information Security Risk Assessment Based on the Dynamic Bayesian Network. In: 2016 International Conference on Networking and Network Applications, pp. 279-283. IEEE, Hakodate, Japan (2016)

IEC 31010:2009: Risk management, Risk assessment techniques. 1st edn. (2009).

Mendel, J.M, John, R.I.B.: Type-2 Fuzzy Sets Made Simple. IEEE Transactions on Fuzzy Systems, 10 (2), 117-127 (2002).

Mendel, J.M., Wu, D.: Perceptual Computing: Aiding People in Making Subjective Judgments. 1st edn. WileyIEEE (2010).

Petrenko, T., Tymchuk, O.: Package library and toolbox for discrete interval type-2 fuzzy logic systems. Proceedings of the 18th International Conference on Soft Computing (MENDEL), pp. 233-238. Brno, Czech Republic (2012).

How to Cite
Tymchuk, O., Iepik, M. and Sivyakov, A. 2017. Information Security Risk Assessment Model Based on Computing with Words. MENDEL. 23, 1 (Jun. 2017), 119-124. DOI:
Research articles