IJIEEB Vol. 18, No. 3, 8 Jun. 2026
Keywords: Information Security, Business Processes, Process-Oriented Approach, Simulation Modelling, Risk Assessment, Integral Security Indicator, Resource Optimisation
The article proposes a process-oriented methodology for assessing enterprise information security, which serves as an integral indicator of business process security Q based on a multi-level system of mathematical models. The proposed approach combines risk-oriented analysis, stochastic modelling, fuzzy set methods, and optimisation of the distribution of protection resources, ensuring the linkage of security indicators to the enterprise's functional business processes. The simulation model allows the reproduction of the dynamics of cyberattack flows and the assessment of the impact of variable threat intensity on the stability of business processes in near real time. Experimental validation of the methodology on depersonalised incident logs and simulated attack scenarios showed that the integration of the optimisation module provides an increase in the integral security indicator Q by 12-27% depending on the intensity of threats, and also contributes to the rational redistribution of cybersecurity resources in favour of the most critical business processes. A comparative analysis with the Classical Risk Matrix, NIST SP 800-30, and ISO/IEC 27005 confirmed the proposed model's higher accuracy and adaptability in a dynamic cyber environment. Machine learning methods are used as an auxiliary adaptive mechanism to refine model parameters, rather than as the primary risk assessment tool. The results obtained demonstrate the practical applicability of the process-oriented simulation and optimisation model for improving the resilience of enterprise business processes and reducing residual cyber risk.
Yuliia Kostiuk, Volodymyr Sokolov, Pavlo Skladannyi, Karyna Khorolska, "Methodological Approaches to Assessing Enterprise Information Security Using a Process-Oriented Approach", International Journal of Information Engineering and Electronic Business (IJIEEB), Vol. 18, No. 3, pp. 37-51, 2026. DOI: 10.5815/ijieeb.2026.03.03