İstanbul Ticaret Üniversitesi Fen Bilimleri Dergisi 1305-7820 2587-165X Istanbul Ticaret University 10.55071/ticaretfbd.1579978 Multiple Criteria Decision Making Çok Ölçütlü Karar Verme A DECISION SUPPORT MODEL FOR CYBERSECURITY RISK ASSESSMENT IN MARITIME TRANSPORTATION BASED ON SPHERICAL FUZZY INFORMATION KÜRESEL BULANIK BİLGİYE DAYALI DENİZ TAŞIMACILIĞINDA SİBER GÜVENLİK RİSK DEĞERLENDİRMESİ İÇİN BİR KARAR DESTEK MODELİ https://orcid.org/0000-0003-4285-6854 Tatar Veysel ARTVİN ÇORUH ÜNİVERSİTESİ 12 27 2024 23 46 462 487 11 05 2024 11 29 2024 Copyright © 2002, İstanbul Commerce University Journal of Science 2002 İstanbul Commerce University Journal of Science

The increasing technological innovations in the maritime industry, which plays an important role in the global supply chain, have the potential to introduce significant risks in terms of cyber threats. Therefore, this study proposes a cybersecurity risk assessment approach using spherical fuzzy (SF) set information based on the Fine-Kinney method to prioritize potential cyber threats/hazards for navigation systems in maritime transportation. The Fine-Kinney risk parameters (probability (P), exposure (E) and consequence (C)) are weighted using SF-based the LOgarithmic DEcomposition of Criteria Importance (LODECI) approach. The ranking of potential cybersecurity threats/hazards is evaluated using SF-based the Alternative Ranking Technique based on Adaptive Standardized Intervals (ARTASI), which provides more adaptability in managing the uncertainty present in expert assessments. The integration of these methodologies with the employment of SF sets results in the formulation of the proposed hybrid SF-LODECI-SF-ARTASI based on Fine-Kinney risk assessment model. Upon evaluation of the proposed model, it becomes evident that the most significant cyber threat/hazard that can impact the cyber security of critical systems on a ship is CYB1 "Accessing the AIS network to obtain vessel position, speed and route information." In general, when the top five most important cybersecurity threats are analyzed, it is determined from the results that the most vulnerable systems to cyber threats/hazards are AIS, GPS and ECDIS, respectively. Finally, a comparative analysis is conducted using an alternative methodology to test the results of the model.

Küresel tedarik zincirinde önemli bir rol oynayan denizcilik sektöründeki artan teknolojik yenilikler, siber tehditler açısından önemli riskler getirme potansiyeline sahiptir. Bu nedenle, bu çalışma, deniz taşımacılığındaki navigasyon sistemleri için olası siber tehditleri/tehlikeleri önceliklendirmek için Fine-Kinney yöntemine dayalı küresel bulanık (SF) küme bilgilerini kullanan bir siber güvenlik risk değerlendirme yaklaşımı önermektedir. Fine-Kinney risk parametreleri (olasılık (P), maruz kalma (E) ve sonuç (C)), SF tabanlı Kriter Öneminin Logaritmik Ayrıştırılması (LODECI) yaklaşımı kullanılarak ağırlıklandırılır. Olası siber güvenlik tehditlerinin/tehlikelerinin sıralaması, uzman değerlendirmelerinde mevcut olan belirsizliği yönetmede daha fazla uyarlanabilirlik sağlayan SF tabanlı Adaptif Standartlaştırılmış Aralıklara Dayalı Alternatif Sıralama Tekniği (ARTASI) kullanılarak değerlendirilir. Bu metodolojilerin SF setlerinin kullanımı ile entegrasyonu, Fine-Kinney risk değerlendirme modeline dayalı olarak önerilen hibrit SF-LODECI-SF-ARTASI modelinin formüle edilmesiyle sonuçlanmıştır. Önerilen model değerlendirildiğinde, bir gemideki kritik sistemlerin siber güvenliğini etkileyebilecek en önemli siber tehdit/tehlikenin CYB1 “Gemi konumu, hızı ve rota bilgilerini elde etmek için AIS ağına erişim” olduğu ortaya çıkmaktadır. Genel olarak, en önemli beş siber güvenlik tehdidi analiz edildiğinde, sonuçlardan siber tehditlere/tehlikelere karşı en savunmasız sistemlerin sırasıyla AIS, GPS ve ECDIS olduğu tespit edilmektedir. Son olarak, modelin sonuçlarını test etmek için alternatif bir metodoloji kullanılarak karşılaştırmalı bir analiz gerçekleştirilmiştir.

 Cybersecurity maritime transportation risk assessment spherical fuzzy sets ARTASI Siber güvenlik deniz taşımacılığı risk değerlendirmesi küresel bulanık kümeler ARTASI Afenyo, M., & Caesar, L. D. (2023). Maritime cybersecurity threats: Gaps and directions for future research. Ocean & Coastal Management, 236, 106493. Akram, M., Alsulami, S., Khan, A., & Karaaslan, F. (2020). Multi-criteria group decision-making using spherical fuzzy prioritized weighted aggregation operators. International Journal of Computational Intelligence Systems, 13(1), 1429-1446. Alcaide, J. I., & Llave, R. G. (2020). Critical infrastructures cybersecurity and the maritime sector. Transportation Research Procedia, 45, 547-554. Ali, J., & Garg, H. (2023). On spherical fuzzy distance measure and TAOV method for decision-making problems with incomplete weight information. Engineering Applications of Artificial Intelligence, 119, 105726. Ashraf, S., & Abdullah, S. (2019). Spherical aggregation operators and their application in multiattribute group decision‐making. International Journal of Intelligent Systems, 34(3), 493-523. Ayvaz, B., Tatar, V., Sağır, Z., & Pamucar, D. (2024). An integrated Fine-Kinney risk assessment model utilizing Fermatean fuzzy AHP-WASPAS for occupational hazards in the aquaculture sector. Process Safety and Environmental Protection, 186, 232-251. Baltic and International Maritime Council (BIMCO), (2020). The Guidelines on Cyber Security Onboard Ships- Version 4. https://www.bimco.org/about-us-and-our-members/publications/the-guidelines-on-cyber-security-onboard-ships Bayazit, O., & Kaptan, M. (2023). Evaluation of the risk of pollution caused by ship operations through bow-tie-based fuzzy Bayesian network. Journal of Cleaner Production, 382, 135386. Ben Farah, M. A., Ukwandu, E., Hindy, H., Brosset, D., Bures, M., Andonovic, I., & Bellekens, X. (2022). Cyber security in the maritime industry: A systematic survey of recent advances and future trends. Information, 13(1), 22. Bolbot, V., Kulkarni, K., Brunou, P., Banda, O. V., & Musharraf, M. (2022a). Developments and research directions in maritime cybersecurity: A systematic literature review and bibliometric analysis. International Journal of Critical Infrastructure Protection, 39, 100571. Bolbot, V., Methlouthi, O., Banda, O. V., Xiang, L., Ding, Y., & Brunou, P. (2022b). Identification of cyber-attack scenarios in a marine Dual-Fuel engine. Trends in Maritime Technology and Engineering, 503-510. Bolbot, V., Theotokatos, G., Boulougouris, E., & Vassalos, D. (2020). A novel cyber-risk assessment method for ship systems. Safety Science, 131, 104908. Chaal, M., Ren, X., BahooToroody, A., Basnet, S., Bolbot, V., Banda, O. A. V., & Van Gelder, P. (2023). Research on risk, safety, and reliability of autonomous ships: A bibliometric review. Safety science, 167, 106256. European Maritime Safety Agency (EMSA), (2023). Guidance on how to address cybersecurity onboard ships during audits, controls, verifications and inspections- MARSEC Doc. 9209. https://www.emsa.europa.eu/publications/inventories/item/5074-guidance-on-how-to-address-cybersecurity-onboard-ships-during-audits,-controls,-verifications-and-inspections.html Gul, M., Guven, B., & Guneri, A. F. (2018). A new Fine-Kinney-based risk assessment framework using FAHP-FVIKOR incorporation. Journal of Loss Prevention in the Process Industries, 53, 3-16. Gul, M., Mete, S., Serin, F., Celik, E. (2021a). Fine–Kinney Occupational Risk Assessment Method and Its Extensions by Fuzzy Sets: A State-of-the-Art Review. Fine–Kinney-Based Fuzzy Multi-Criteria Occupational Risk Assessment: Approaches, Case Studies and Python Applications, 1-11, Springer, Cham. Gul, M., Mete, S., Serin, F., Celik, E. (2021b). Fine–Kinney-Based Occupational Risk Assessment Using Intuitionistic Fuzzy TODIM. Fine–Kinney-Based Fuzzy Multi-Criteria Occupational Risk Assessment: Approaches, Case Studies and Python Applications, 69-89, Springer, Cham. Haugli-Sandvik, M., Lund, M. S., & Bjørneseth, F. B. (2024). Maritime decision-makers and cyber security: deck officers’ perception of cyber risks towards IT and OT systems. International Journal of Information Security, 23, 1721–1739. Ilbahar, E., Karaşan, A., Cebi, S., & Kahraman, C. (2018). A novel approach to risk assessment for occupational health and safety using Pythagorean fuzzy AHP & fuzzy inference system. Safety Science, 103, 124-136. International Maritime Organisation (IMO), (2022). Guidelines On Maritime Cyber Risk Management, MSC-FAL.1/Circ.3/Rev.2. Kahraman, C., and Kutlu Gündoğdu, F. (2018). From 1D to 3D membership:spherical fuzzy sets. BOS / SOR 2018 Conference, Warsaw, Poland. Kechagias, E. P., Chatzistelios, G., Papadopoulos, G. A., & Apostolou, P. (2022). Digital transformation of the maritime industry: A cybersecurity systemic approach. International Journal of Critical Infrastructure Protection, 37, 100526. Kutlu Gündoğdu, F., & Kahraman, C. (2020). A novel spherical fuzzy analytic hierarchy process and its renewable energy application. Soft Computing, 24, 4607-4621. Kutlu Gündoğdu, F., and Kahraman, C. (2019). A novel fuzzy TOPSIS method using emerging interval-valued spherical fuzzy sets. Engineering Applications of Artificial Intelligence, 85, 307-323. Pala, O. (2024). Assessment of the social progress on European Union by logarithmic decomposition of criteria importance. Expert Systems With Applications, 238, 121846. Pamucar, D., Simic, V., Görçün, Ö. F., & Küçükönder, H. (2024). Selection of the best Big Data platform using COBRAC-ARTASI methodology with adaptive standardized intervals. Expert Systems with Applications, 239, 122312. Park, C., Kontovas, C., Yang, Z., & Chang, C. H. (2023). A BN driven FMEA approach to assess maritime cybersecurity risks. Ocean & Coastal Management, 235, 106480. Ribeiro, C. V., Paes, A., & de Oliveira, D. (2023). AIS-based maritime anomaly traffic detection: A review. Expert Systems with Applications, 231, 120561. Soner, O., Kayisoglu, G., Bolat, P., & Tam, K. (2024). Risk sensitivity analysis of AIS cyber security through maritime cyber regulatory frameworks. Applied Ocean Research, 142, 103855. Svilicic, B., Kamahara, J., Celic, J., & Bolmsten, J. (2019). Assessing ship cyber risks: A framework and case study of ECDIS security. WMU Journal of Maritime Affairs, 18, 509-520. Tam, K., & Jones, K. (2019). MaCRA: A model-based framework for maritime cyber-risk assessment. WMU Journal of Maritime Affairs, 18, 129-163. Tatar, V., Yazicioglu, O., & Ayvaz, B. (2023). A novel risk assessment model for work-related musculoskeletal disorders in tea harvesting workers. Journal of Intelligent & Fuzzy Systems, 44(2), 2305-2323. Tusher, H. M., Munim, Z. H., Notteboom, T. E., Kim, T. E., & Nazir, S. (2022). Cyber security risk assessment in autonomous shipping. Maritime economics & Logistics, 24, 208-227. Uflaz, E., Sezer, S. I., Tunçel, A. L., Aydin, M., Akyuz, E., & Arslan, O. (2024). Quantifying potential cyber-attack risks in maritime transportation under Dempster–Shafer theory FMECA and rule-based Bayesian network modelling. Reliability Engineering & System Safety, 243, 109825. Wan, C., Yan, X., Zhang, D., Qu, Z., & Yang, Z. (2019). An advanced fuzzy Bayesian-based FMEA approach for assessing maritime supply chain risks. Transportation Research Part E: Logistics and Transportation Review, 125, 222-240. Wang, W., Han, X., Ding, W., Wu, Q., Chen, X., & Deveci, M. (2023). A Fermatean fuzzy Fine–Kinney for occupational risk evaluation using extensible MARCOS with prospect theory. Engineering Applications of Artificial Intelligence, 117, 105518. Wang, Y., Wang, W., Deveci, M., & Yu, X. (2024). An integrated interval-valued spherical fuzzy Choquet integral based decision making model for prioritizing risk in Fine-Kinney. Engineering Applications of Artificial Intelligence, 127, 107437. Yalçın, G. C., Kara, K., & Senapati, T. (2024). A hybrid spherical fuzzy logarithmic decomposition of criteria importance and alternative ranking technique based on Adaptive Standardized Intervals model with application. Decision Analytics Journal, 11, 100441.