Problems of risk management in the field of information security
https://doi.org/10.21822/2073-6185-2023-50-2-25-34
Abstract
Objective. The purpose of the study is to collect publicly available information in order to identify the main problems that hinder effective management of information security risks in the business sector.
Method. The research methods used are systematization, description and analysis. The data are drawn from an analysis of the regulatory framework and of existing research in the field.
Result. The paper substantiates the relevance of the issue under consideration and notes the significant effectiveness of the risk-based approach in information security management. The key stages of the information security risk management process are described, and the main problems of information security risk management are then identified for each stage of the holistic process.
Conclusion. The research is of an overview nature. The material presented in the paper can serve as a basis for further research on the topic and for the formulation of recommendations for resolving the identified problems.
About the Authors
G. M. Artamonov
Russian Federation
Georgy M. Artamonov, Student
49 Leningradsky Prospekt, Moscow, 125993
V. V. Maslov
Russian Federation
Vladimir V. Maslov, Student
49 Leningradsky Prospekt, Moscow, 125993
31 Kashirskoe sh., Moscow, 115409
S. A. Reznichenko
Russian Federation
Sergey A. Reznichenko, Cand. Sci. (Eng.), Assoc. Prof.
49 Leningradsky Prospekt, Moscow, 125993
6 Miusskaya Square, Moscow, 125047
For citation:
Artamonov G.M., Maslov V.V., Reznichenko S.A. Problems of risk management in the field of information security. Herald of Dagestan State Technical University. Technical Sciences. 2023;50(2):25-34. (In Russ.) https://doi.org/10.21822/2073-6185-2023-50-2-25-34