Hybrid approach to information security risk management
DOI: https://doi.org/10.17721/ISTS.2025.9.32-41

Keywords: information security, risk management, Monte Carlo, CRAMM, threat assessment, cybersecurity

Abstract
Background. The article explores a hybrid approach to information security risk management that combines quantitative and qualitative risk assessment methods. This approach improves accuracy, reduces reliance on subjective judgement, and enables automation of the risk management process. The topic is relevant because of the continuous growth in the number and complexity of cyber threats, which requires the development and implementation of effective tools for managing risk and for mitigating the impact of the human factor.
Methods. An integrated approach was applied, based on the FAIR and Monte Carlo methods for quantitative probability assessment, and CRAMM for qualitative risk analysis. International standards ISO 31000 and ISO/IEC 27005, which regulate risk management, were taken into account. Asset identification, vulnerability assessment, and threat classification were carried out according to the best practices of information security. The methodology for developing a risk assessment model that considers various levels of potential threats was substantiated.
Results. The results confirmed the adequacy and effectiveness of the hybrid approach. The proposed model allowed for the identification of critical assets, risk level assessment, and the development of recommendations for implementing countermeasures. The Monte Carlo method was used to estimate the probability of successful attacks and calculate potential losses. CRAMM analysis helped identify system vulnerabilities and propose appropriate security measures. A comparative analysis of traditional risk assessment methods showed the advantages of the integrated approach in a dynamic information environment.
Conclusions. The proposed hybrid approach helps to minimize the influence of the human factor, improve assessment accuracy, and automate risk management. This optimizes the use of organizational resources and supports strategic planning of information protection. Further research may focus on developing automation tools that integrate the proposed approach into real information systems. It is recommended to continue developing the methodology so that it can be adapted to different threat scenarios in organizations with diverse security profiles.
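To make the hybrid procedure described in the Methods and Results concrete, the following added example (not code from the paper or from the FAIR, CRAMM or ISO documents it cites) runs a FAIR-style Monte Carlo simulation of annual loss for one scenario, derives a CRAMM-style ordinal risk level from analyst ratings, and flags the case where the two views disagree. The scenario parameters, the loss bands, the ordinal scales and the `qualitative_risk` scoring rule are constructed assumptions for illustration; they are not the published CRAMM tables or values from the article.

```python
"""Hybrid quantitative/qualitative risk estimate.

Quantitative side: FAIR-style factors (threat event frequency, vulnerability,
loss magnitude) sampled with Monte Carlo to get an annual loss distribution.
Qualitative side: CRAMM-style ordinal ratings combined into a risk level.
All numeric parameters below are constructed assumptions for illustration.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    tef: tuple    # threat event frequency per year: (min, most likely, max)
    vuln: tuple   # P(threat event becomes a loss event): (min, most likely, max)
    loss: tuple   # loss magnitude per loss event, currency units: (min, most likely, max)


def _draw(rng, triple):
    """Sample a calibrated (min, most likely, max) estimate as a triangular distribution."""
    lo, mode, hi = triple
    return lo if lo == hi else rng.triangular(lo, hi, mode)


def _poisson(rng, lam):
    """Number of threat events in a year (Knuth's algorithm, fine for small rates)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scn, iterations=10_000, seed=7):
    """Return one simulated annual loss figure per iteration (fixed seed for reproducibility)."""
    rng = random.Random(seed)
    annual = []
    for _ in range(iterations):
        events = _poisson(rng, _draw(rng, scn.tef))
        vuln = _draw(rng, scn.vuln)
        total = 0.0
        for _ in range(events):
            if rng.random() < vuln:          # the threat event actually causes a loss
                total += _draw(rng, scn.loss)
        annual.append(total)
    return annual


def summarize(annual):
    """Mean and upper percentiles of the simulated annual loss distribution."""
    s = sorted(annual)
    q = lambda p: s[min(len(s) - 1, int(p * len(s)))]
    return {"mean": statistics.fmean(s), "p50": q(0.5), "p90": q(0.9),
            "p95": q(0.95), "max": s[-1]}


# Constructed loss bands: annual loss above each threshold raises the level by one (1..7).
LOSS_BANDS = (1_000, 10_000, 50_000, 100_000, 500_000, 1_000_000)


def quantitative_band(expected_annual_loss):
    return 1 + sum(expected_annual_loss > t for t in LOSS_BANDS)


def qualitative_risk(asset_value, threat_level, vuln_level):
    """CRAMM-style ordinal combination (constructed rule, not the published CRAMM matrix).

    asset_value 1-10, threat_level 1-5, vuln_level 1-3 -> risk level 1-7.
    """
    raw = asset_value + 2 * threat_level + 2 * vuln_level        # range 5..26
    return 1 + round((raw - 5) / 21 * 6)


def hybrid_assessment(scn, asset_value, threat_level, vuln_level, **sim_kwargs):
    """Combine both views; a gap of two or more levels sends the inputs back for review."""
    stats = summarize(simulate_annual_loss(scn, **sim_kwargs))
    quant = quantitative_band(stats["mean"])
    qual = qualitative_risk(asset_value, threat_level, vuln_level)
    return {
        "scenario": scn.name,
        "ale_mean": stats["mean"],
        "ale_p90": stats["p90"],
        "quantitative_level": quant,
        "qualitative_level": qual,
        "needs_review": abs(quant - qual) >= 2,
        "risk_level": max(quant, qual),
    }


# Constructed scenario: ransomware reaching the file server (assumed estimates).
RANSOMWARE = Scenario("ransomware on file server",
                      tef=(1, 3, 6), vuln=(0.1, 0.3, 0.5),
                      loss=(20_000, 80_000, 300_000))

if __name__ == "__main__":
    print(hybrid_assessment(RANSOMWARE, asset_value=8, threat_level=4, vuln_level=2))
```

The `needs_review` flag is where the hybrid approach earns its keep: when the analyst's ordinal ratings and the simulated loss distribution land two or more levels apart, either the calibrated estimates or the qualitative ratings are inconsistent, and that disagreement is surfaced mechanically instead of being resolved by one person's judgement.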
References
Bohdanova, O. V., & Petrenko, O. I. (2019). Qualitative assessment of the effectiveness of the risk management process in information security. Scientific Works of the National University of Civil Protection of Ukraine, 2(78), 31–37.
Buchyk, S. S., Shalaiev, V. O., & Melnyk, S. V. (2017). A methodology for assessing information risks in an automated system. Problems of Creation, Testing, Application and Operation of Complex Information Systems, 11, 33–43. http://nbuv.gov.ua/UJRN/Psvz_2015_11_6
Kravchenko, O. M., Troshchynskyi, I. V., & Ivanov, O. V. (2022). Application of the Monte Carlo method to risk assessment in information security. Scientific Notes of Ivan Puluj TNTU. Series: Information Technologies and Computer Engineering, 1(88), 45–52.
Yudin, O. K., & Buchyk, S. S. (2015). State information resources: A methodology for constructing a threat classifier. NAU.
COBRA (Cloud Offensive Breach and Risk Assessment). (n.d.). Introduction to Security Risk Analysis. https://github.com/PaloAlto/Networks/cobra-tool
FAIR Institute. (2022). Factor Analysis of Information Risk (FAIR) – The FAIR Standard. https://www.fairinstitute.org/what-is-fair
Graham, J. B. (2014). Effective Risk Management for Cybersecurity and Information Technology. Auerbach Publications.
ISO/IEC 27005:2022. (2022). Information Technology – Security Techniques – Information Security Risk Management. https://www.iso.org/standard/80585.html
Major, M. (1995). A Practical Guide to the CRAMM Methodology. McGraw-Hill Book Company.
McCumber, J. (2011). Risk Management in Information Security. SANS Institute.
NIST (National Institute of Standards and Technology). (2012). Guide for Conducting Risk Assessments. Special Publication 800-30 Rev. 1. https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final
OCTAVE. (2003). Methodology for Information Risk Assessment. https://www.itgovernance.co.uk/files/Octave.pdf
RiskWatch International. (n.d.). The RiskWatch Advantage – Risk Assessment Software. https://www.riskwatch.com/
Wheeler, E. (2014). Information Security Risk Management: Frameworks, Metrics, and Best Practices. Apress.
Wheeler, E. (2015). Security Risk Management: Building an Information Security Risk Management Program from the Ground Up. Syngress.
License
Copyright (c) 2025 Information systems and technologies security

This work is licensed under a Creative Commons Attribution 4.0 International License.
