Analysis of methods for assessing and managing cyber risks and information security

DOI:

https://doi.org/10.30837/rt.2021.3.206.01

Keywords:

cyber and information security, risk assessment, risk management, information security management system, risk processing, security measures, risk assessment methods

Abstract

Global trends toward growing threats to information and cybersecurity and the increasing vulnerability of information and telecommunications systems (ITS) necessitate the development and implementation of new standards and regulations on information security, as well as the introduction of new technologies and best practices in information protection. The main approach to information and cybersecurity in ITS is the risk-based protection strategy. The main task of information risk (IR) management is to identify and objectively assess the risks most significant for the company's business, and to determine which risk controls are needed to increase the efficiency and profitability of the company's economic activities. It is believed that quality risk management makes it possible to optimise the efficiency and cost of risk controls and information protection measures so that they are adequate to the current goals and objectives of the company's business. The paper presents the results of solving the current problem of finding optimal methods for assessing information and cybersecurity risks. Criteria for selecting the best risk assessment methods are proposed, and the known risk assessment methods are analysed for compliance with these criteria. Proposals are formulated for creating promising risk assessment methods; applying them to modern information security management systems, especially those designed for critical infrastructure, will most effectively address the problems of information and cybersecurity, as well as privacy.

References

NIST Special Publication 800-37, Revision 2. Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, 2018.

Protection methods. Information security management system. Requirements (ISO/IEC 27001:2013; Cor 1:2014, IDT). DSTU ISO/IEC 27001:2015.

NIST Special Publication 800-30. Risk Management Guide for Information Technology Systems.

CRAMM user guide, Risk Analysis and Management Method, United Kingdom Central Computer and Telecommunication Agency (CCTA), UK, 2001.

The OCTAVE methodology for information risk assessment [electronic resource]. Available at: http://www.risk24.ru/octave.htm.

COBIT 5: A Business Framework for the Governance and Management of Enterprise IT. ISACA, 2012.

MEHARI 2007: Concepts and Mechanisms, Club de la Sécurité de l'Information Français.

MEHARI 2007: Knowledge Bases, Club de la Sécurité de l'Information Français.

Spitsnadel V.N. Fundamentals of Systems Analysis: textbook. St. Petersburg: Biznes-pressa Publishing House, 2000. 326 p.

Magerit v2 2006: Book I: The method, Ministerio de Administraciones Publicas, Spain.

Magerit v2 2006: Book III: Techniques, Ministerio de Administraciones Publicas, Spain.

Potii O.V., Lienshyn A.V. Study of methods for assessing information security risks and development of proposals for their improvement based on a systems approach // Collected Scientific Papers of Kharkiv University of Air Force. 2010. Issue 2(24). P. 85-91.

Analysis of information security risk assessment methods [electronic resource]. Available at: https://www.securitylab.ru/blog/personal/secinsight/19205.php.

Published

2021-09-24

How to Cite

Potii, O., Gorbenko, Y., Zamula, O., & Isirova, K. (2021). Analysis of methods for assessing and managing cyber risks and information security. Radiotekhnika, 3(206), 5–24. https://doi.org/10.30837/rt.2021.3.206.01

Section

Articles