This article evaluates information security risk management processes, emphasizing the critical role of risk assessment in safeguarding organizational assets. It details the stages of risk assessment (identification, analysis, evaluation, and treatment) and scrutinizes tools such as CRAMM, FRAP, RiskWatch, MSAT, and CORAS for their effectiveness across various organizational settings. A comparative analysis assesses each tool's strengths and limitations, providing guidance for organizations to select appropriate methodologies that align with ISO 31000 standards.
This study aims to help organizations adapt to evolving threats and maintain compliance by enhancing their security frameworks through suitable risk assessment practices. The insights offered serve as a strategic resource for continuous improvement in information security management.