Keywords information system;information security risk management;exploit graph;risk event process modeling;fuzzy NCIC method security decision making;fuzzy multi-objective optimization;