Analysis of methods for assessing and managing cyber risks and information security
DOI: https://doi.org/10.30837/rt.2021.3.206.01
Keywords: cyber and information security, risk assessment, risk management, information security management system, risk processing, security measures, risk assessment methods
Abstract
Global trends toward growing threats to information and cybersecurity and the increasing vulnerability of information and telecommunications systems (ITS) necessitate the development and implementation of new information security standards and regulations, together with the adoption of new technologies and best practices in information security. The main approach to information and cybersecurity in ITS is the Risk-Based Protection Strategy. The main task of information risk (IR) management is to identify and objectively assess the risks most significant to the company's business, and to determine where risk controls are needed to increase the efficiency and profitability of the company's economic activities. Quality risk management is held to allow an optimal balance between the efficiency and the cost of risk controls and information protection measures, adequate to the company's current business goals and objectives. The paper presents results of addressing the current problem of finding optimal methods for assessing information and cybersecurity risks. Criteria for selecting the best risk assessment methods are proposed, and the known risk assessment methods are analysed for compliance with these criteria. Proposals are formulated for creating promising risk assessment methods; their application in modern information security management systems, especially those designed for critical infrastructure, will address the problems of information and cybersecurity, as well as privacy, most effectively.
References
NIST Special Publication 800-37, Revision 2. Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, 2018.
Information technology. Security techniques. Information security management systems. Requirements (ISO/IEC 27001:2013; Cor 1:2014, IDT). DSTU ISO/IEC 27001:2015.
NIST Special Publication 800-30. Risk Management Guide for Information Technology Systems.
CRAMM User Guide, Risk Analysis and Management Method. United Kingdom Central Computer and Telecommunications Agency (CCTA), UK, 2001.
The OCTAVE methodology for information risk assessment [online resource]. Available at: http://www.risk24.ru/octave.htm.
COBIT 5: A Business Framework for the Governance and Management of Enterprise IT. ISACA, 2012.
MEHARI 2007: Concepts and Mechanisms. Club de la Sécurité de l'Information Français.
MEHARI 2007: Knowledge Bases. Club de la Sécurité de l'Information Français.
Spitsnadel V.N. Fundamentals of Systems Analysis: textbook. St. Petersburg: Biznes-pressa Publishing House, 2000. 326 p.
Magerit v2 2006: Book I: The Method. Ministerio de Administraciones Públicas, Spain.
Magerit v2 2006: Book III: Techniques. Ministerio de Administraciones Públicas, Spain.
Potii O.V., Lienshyn A.V. Study of information security risk assessment methods and development of proposals for their improvement based on a systems approach // Collection of Scientific Papers of Kharkiv Air Force University. 2010. Issue 2(24). pp. 85-91.
Analysis of information security risk assessment methods [online resource]. Available at: https://www.securitylab.ru/blog/personal/secinsight/19205.php.
License
Authors who publish with this journal agree to the following terms:
1. Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
2. Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
3. Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).