Integrated information security risk management model based on ahp and bayesian networks

• Published in: Sučasnij stan naukovih doslìdženʹ ta tehnologìj v promislovostì (Online) no. 3(33); pp. 166 - 179
• Main Authors: Timoshyn, Anatolii, Kalienichenko, Lidia, Gnusov, Yurii, Khavina, Inna, Tsuranov, Mykhailo, Dovhan, Iryna
• Format: Journal Article
• Language: English
• Published: 25.09.2025
• ISSN: 2522-9818; 2524-2296; 2524-2296
• DOI: 10.30837/2522-9818.2025.3.166

The subject of the study is information security risk management in a modern digital environment, where the integration of strategic and tactical approaches is necessary to ensure adaptive protection. The purpose of the work is to develop a hybrid model of cyber risk management by combining methodological analysis, expert assessments, probabilistic modeling and technical monitoring. The objectives of the study are: (1) analysis of the complementarity of the CRAMM methodology and SIEM systems; (2) construction of a procedure for quantitative prioritization of threats and vulnerabilities based on the analytical hierarchy process (AHP); (3) integration of the obtained estimates into Bayesian networks (BN) for probabilistic risk forecasting; (4) implementation of the proposed approach using modern automation tools. The methods used in the work include: CRAMM methodology for identifying assets, threats and vulnerabilities; Thomas Saati's AHP for quantitative assessment of priorities based on expert judgments with measurement of consistency using the Kendall concordance coefficient; mathematical modeling of causal relationships using Bayesian networks (BN); and the use of SIEM-class systems for operational monitoring of security events. The practical implementation of the approach was carried out using Python, in particular the Numpy, SciPy, pgmpy libraries, and the Streamlit web interface. Results. An integrated approach was developed that combines CRAMM, AHP, BN, and SIEM into a single adaptive risk management system. It is shown that AHP allows you to transform subjective expert assessments into objective weighting factors, which increases the reliability of the analysis. Based on these data, a Bayesian network was built to assess the risk of financial losses, which takes into account the presence of a threat, vulnerability, and a possible incident. The model is implemented programmatically, demonstrating the process of factoring the joint distribution and marginalizing latent variables to obtain posterior probabilities. The web interface based on Streamlit ensures the ease of use of the tool by non-professional users. Conclusions. The proposed hybrid approach allows for the effective combination of strategic planning (CRAMM), expert assessments (AHP), probabilistic modeling (BN) and operational monitoring (SIEM), forming a proactive, scientifically sound risk management system. Such integration provides a high level of adaptability and accuracy in a dynamic threat landscape, which makes the model practically applicable for organizations of various levels.