Information security risk management
https://doi.org/10.35854/1998-1627-2025-1-72-82
Abstract
Aim. The work aimed to study the methods of information security risk management in the context of digital transformation of companies.
Objectives. The work discusses existing approaches to the modernization of information systems, including the gradual modernization method, business process reengineering and reengineering technologies; analyzes current risk assessment and control methods, such as the CRAMM method, the FRAP model, the OCTAVE technique, and the Microsoft risk management method; highlights the advantages and disadvantages of these methods; and proposes recommendations for their adaptation and integration into modern production processes.
Methods. The study employed general scientific methods (deduction, analysis and synthesis), as well as comparative analysis methods.
Results. The work defines the main approaches to the modernization of information systems, reveals their differences, discusses modern methods of risk assessment and control (CRAMM, FRAP model, OCTAVE method, and Microsoft risk management method), and formulates the advantages and disadvantages of each of them. In addition, recommendations are developed for the adaptation of the considered methods and their further integration into modern production processes.
Conclusions. The development of modern digital technologies brings a number of significant advantages as well as risks that companies should take into account in the context of digital transformation. Competent information security risk management enables companies to minimize damage and the costs of eliminating negative consequences. The methods investigated in the study make it possible to significantly increase the efficiency of companies' information security risk management. An important conclusion is the recognition of the need for regular monitoring and updating of risk management approaches in response to changes in the technological environment.
About the Authors
V. A. Mordovets
Russian Federation
Vitaly A. Mordovets, PhD in Economics, Associate Professor,
Head of the Department of Socio-Economic Chain Management
44A Lermontovskiy Ave., St. Petersburg 190020
Scopus Author ID: 57203782974
ResearcherID: AFC-7651-2022
AuthorID (RSCI): 851126
Competing Interests:
the authors declare no conflict of interest related to the publication of this article
A. A. Grafov
Russian Federation
Aleksandr A. Grafov, PhD in Economics, Associate Professor, Head of the Department of Information Technologies and Mathematics
44A Lermontovskiy Ave., St. Petersburg 190020
G. V. Varlamov
Russian Federation
Georgij V. Varlamov, PhD in Economics, Associate Professor at the Department of International Finance and Accounting, Head of External Communications Department
44A Lermontovskiy Ave., St. Petersburg 190020
Review
For citations:
Mordovets V.A., Grafov A.A., Varlamov G.V. Information security risk management. Economics and Management. 2025;31(1):72-82. (In Russ.) https://doi.org/10.35854/1998-1627-2025-1-72-82