Ruslan Rakhmetov, Security Vision
When selecting and implementing information security measures, their feasibility and effectiveness in minimizing cyber risks are often discussed, and information security risk analysis is a fundamental process for building a corporate information security management system (ISMS). Various cyberattacks and cyberincidents serve as examples of cyber risks, while cyber risks themselves are specific cases of general risks an organization may face. In this article, we will describe the basic concepts of a risk-based approach to cybersecurity, discuss cyber risk management methods, and list various risk management methodologies and standards.
Information security risk management makes it possible to lay a solid foundation for a comprehensive information security management system and to justify the necessary expenditures on organizational and technical security measures with financial arguments. In other words, a risk-based approach to cybersecurity lets the security team speak to senior management and decision makers in the financial language of investments, costs, and damages. Cyber threat modeling and process and technical measures also contribute to building an ISMS, but moving to a more mature level of cyber risk management makes it possible to:
- logically link technical terms (threats, incidents, vulnerabilities, etc.) with business terms and monetary units;
- form a prioritized list of cyber threats based on an information security risk assessment, using qualitative/quantitative verifiable methods that remove subjectivity from the assessment of cyber threats;
- justify the cost of the cybersecurity system through a financial assessment of the damage and of the cost-effectiveness of protective measures, select countermeasures that are appropriate and proportionate to the threats, and evaluate the effectiveness of the ISMS from a financial perspective.
Let's give a general definition: risk is an uncertainty (in the form of an event or condition) that, if it occurs, will impact the interests of the organization (achievement of business goals, revenue, project implementation, provision of services, performance of government functions, etc.).
The realization of a risk can lead to damage (losses), which can be of two types:
- direct damage – immediate, obvious and easily predictable losses to the company (production downtime, theft of money and intellectual property, data encryption and infrastructure failure);
- indirect damage – qualitative losses (demotivation of staff, decreased efficiency of activities and processes, loss of clients) and indirect losses (lost profits, disruption of the sale of the company or its listing on the stock exchange, loss of business reputation, i.e., a decrease in the value of goodwill).
Let us list the main types of risks:
- Market – risks associated with the economy, for example, rising prices for raw materials, falling demand for goods, macroeconomic problems;
- Legal – related to violation of legal requirements, for example, fines, penalties, claims;
- Production – related to the production of goods and services, for example, equipment failure or accidents at a plant;
- Financial – associated with the possible loss of financial resources, including credit risk, investment risk, liquidity risk;
- Tax – related to taxation and tax accounting;
- Organizational – related to the management of the organization and business, for example, management errors, an incorrectly chosen strategy and wrong decisions, personnel problems;
- Operational – related to errors in information systems, for example, technical failures, unavailability of services, errors in the operation of business applications;
- Cyber risks – those associated with the realization of cyber threats.
We'll discuss cyber risks in more detail below, beginning with a definition: cyber risk (information security risk) is the potential for a specific threat to exploit asset vulnerabilities to cause damage to an organization. The magnitude of cyber risk depends on the threat, vulnerability, and damage – and since damage is expressed in monetary terms, it becomes possible to financially assess the level of information security risk.
The logic for calculating the amount of information security risk can be expressed by a conceptual formula:
RiskAmount = EventProbability * DamageAmount,
where
EventProbability = ThreatProbability * VulnerabilityMagnitude
Let's list the main methods of handling cyber risks:
- Ignoring – the bad practice of disregarding identified difficulties that require resolution; ignoring therefore cannot be considered a risk handling method as such.
- Acceptance – a decision, agreed upon and documented by responsible employees (managers), that the identified risk, if realized, will result in certain consequences and damage, but that its magnitude will not be significant for the company (this threshold is called the risk appetite and determines which risks the company is willing to accept to achieve its goals). For example, accepting the risk of short-term downtime of a non-critical system due to the installation of a faulty update that can be rolled back.
- Avoidance – if the identified risk would have significant consequences (this threshold is called the risk tolerance level; exceeding it would cause significant damage to the company), an agreed-upon and documented decision is made that the business activity associated with this risk will not be conducted. For example, the risk of turnover-based fines for incorrect processing of personal data in an information system can be avoided by refusing to process such data in it, and the risk of a DDoS attack on a critical system can be avoided by not publishing it directly on the Internet (making it accessible only through a local connection, for example).
- Transfer – if a process can be outsourced or performed by a contractor/supplier, the risk is considered to be transferred to the counterparty, although penalties, liability to clients, and the consequences of the risk materializing will still fall on the original company. For example, a company may host some of its services in the cloud, in which case the cloud provider is responsible for the continuous operation and updating of infrastructure components, virtualization systems, operating systems, and software. Cyber insurance is another prime example of risk transfer, but this type of insurance is relatively new and its application involves many subtle nuances.
- Minimization – a decision is made to allocate resources for the implementation, administration, and operation of specific information security measures and tools (technical, physical, organizational) to reduce the identified risk to a certain level. Reducing the probability of a risk occurring to zero is impossible, and even after implementing all countermeasures some residual risk (which can be insured) remains.
Additional methods of handling cyber risks are sometimes also listed:
- Retention of risk at an acceptable level – the risk is not minimized, but measures are taken to control the risk level so that it does not exceed a certain threshold.
- Risk remediation – the elimination of one or all components of a threat: the source (an external or internal intruder), the vulnerability (a deficiency or error in a system, process, or security tool), or the method of implementing the cyber threat.
- Risk capitalization – the use of identified risks to create opportunities for business growth and the development of competitive advantages.
In addition, there are also the concepts of:
- total risk, which is present if no protective measures are implemented at all;
- residual risk, which is present if threats are realized despite the implemented protective measures (residual risk can be insured).
A cyber risk assessment is conducted for each information system under consideration and for each identified threat (a list of cyber threats can be derived from a developed threat model: DDoS, data leakage, ransomware attack, etc.). Risk assessment methods are divided into qualitative and quantitative:
1) Qualitative information security risk assessment involves the use of assessment characteristics to describe risk components. Examples of qualitative assessment methods include the construction of a "traffic light model," brainstorming, expert assessment, and the Delphi method (an anonymous expert survey conducted in several iterations until consensus is reached). For example, when constructing a "traffic light model," a qualitative assessment is performed using an assessment of the threat's impact on the business (threat severity: low, medium, high) and the likelihood of the threat scenario's occurrence (low, medium, high). The intersection of the threat severity and the likelihood of the scenario's occurrence yields the final risk level for a specific risk (low risk, medium risk, high risk).

2) Quantitative assessment of information security risks allows one to calculate the predicted level of damage in monetary terms over a certain period (for example, 1 year) and to evaluate the economic efficiency of implementing information security systems; it relies on the following statistical data:
- the number of incidents of each type (corresponding to a particular threat) over the past several years;
- the damage from each incident;
- the estimated value of the information (asset, information system);
- an assessment of the danger of a threat and of the effectiveness of a security solution;
- the total cost of ownership of the information security system.
The following characteristics are used to quantify cyber risks:
- ALE – annual loss expectancy, the expected annual losses, i.e. the damage from all incidents over 1 year (as a result of the realization of a certain threat);
- SLE – single loss expectancy, the expected one-time losses, i.e. the damage from one incident (as a result of the realization of a certain threat);
- AssetValue – the value of an asset (information system); it can be specified in the company's trade secret policy;
- EF – exposure factor, the factor of openness to a threat, i.e. what part of the asset will be destroyed by a certain threat if it is successfully realized (in the case of complete destruction the value is 1.0, i.e. 100%);
- ARO – annualized rate of occurrence, the average number of incidents per year according to statistical data.
The SLE value is calculated as the product of the estimated asset value and the EF value:
SLE = AssetValue * EF
The ALE value is calculated as the product of SLE and ARO:
ALE = SLE * ARO
The resulting ALE value in monetary terms characterizes the level of cyber risk for one year for a specific asset (information system) for a specific threat.
2.1) To take into account the expert opinion of the risk manager, the values of SLE and ARO can be calculated using the PERT method (Program Evaluation and Review Technique, a method for evaluating projects under uncertainty). For this, the damage value of a one-time loss is estimated for the pessimistic (P), most probable (MP), and optimistic (O) scenarios (in monetary terms):
SLEpert = (P + 4*MP + O) / 6
(where the factor 4 is the weight given to the most probable scenario).
The PERT method is used to calculate ARO in the same way. Accordingly:
ALEpert = SLEpert * AROpert
2.2) The economic efficiency of implementing information security systems can be assessed using the following logical formula:
(Value of safeguards for the company) = (ALE before implementing safeguards) – (ALE after implementing safeguards) – (Annual costs of implementing safeguards)
In addition, you can use the calculation of the ROSI coefficient (Return on Security Investment), which characterizes the economic efficiency of information security systems. A ROSI greater than 1 indicates that the investment in an information security system is justified, and the higher the ROSI value, the greater the economic efficiency of using a particular information security system.
To calculate the ROSI parameter, you can use the formula:
ROSI = (ALE * MF – TCO) / TCO
where:
- MF – Mitigation Factor, the risk reduction factor (coefficient) achieved by the information security system, expressed as a percentage; convert it to a fraction (e.g., 60% = 0.6) before substituting it into the formula;
- TCO – Total Cost of Ownership, the total cost of ownership of the information security system (for the period under consideration – 1 year), including the cost of the information security system itself (subscription or perpetual license), the payroll of administrators/engineers, and the costs of implementation, support, and updating (costs can be one-time or recurring).
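The following worked example, added here and not taken from the article, carries the SLE, ALE, PERT and ROSI formulas of sections 2 to 2.2 through one threat scenario. All input figures (asset value, EF, ARO, the three PERT scenarios, MF and TCO) are constructed sample values in arbitrary monetary units, chosen only to make the arithmetic visible; the validation checks on EF, ARO, MF and TCO are the kind of guard a risk register tool would add and are not part of the article's formulas.

```python
"""Quantitative cyber-risk arithmetic: SLE, ALE, PERT estimates, safeguard value and ROSI.
Added worked example; the figures in run_example() are constructed, not from the article."""


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AssetValue * EF. EF is the fraction of the asset lost in one incident (1.0 = total loss)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO, the expected loss from this threat over one year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def pert(pessimistic: float, most_probable: float, optimistic: float) -> float:
    """PERT estimate (P + 4*MP + O) / 6: the most probable scenario carries weight 4."""
    return (pessimistic + 4 * most_probable + optimistic) / 6


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Value of a safeguard = ALE before - ALE after - annual cost of the safeguard."""
    return ale_before - ale_after - annual_cost


def rosi(ale: float, mitigation_factor: float, tco: float) -> float:
    """ROSI = (ALE * MF - TCO) / TCO.

    MF is passed as a fraction (0.8 means an 80% reduction); a percentage figure
    must be divided by 100 before it is passed in, otherwise ROSI is inflated 100x.
    """
    if tco <= 0:
        raise ValueError("TCO must be positive")
    if not 0.0 <= mitigation_factor <= 1.0:
        raise ValueError("MF must be a fraction between 0 and 1")
    return (ale * mitigation_factor - tco) / tco


def run_example() -> dict:
    """One threat against one information system, with constructed inputs."""
    asset_value = 10_000_000   # estimated value of the information system (constructed)
    ef = 0.25                  # a quarter of the asset value is lost per incident
    aro = 0.4                  # on average one incident every 2.5 years (constructed history)
    sle = single_loss_expectancy(asset_value, ef)
    ale = annual_loss_expectancy(sle, aro)

    # Expert view via PERT: pessimistic / most probable / optimistic for SLE and ARO
    sle_pert = pert(4_000_000, 2_500_000, 1_000_000)
    aro_pert = pert(1.0, 0.4, 0.1)
    ale_pert = annual_loss_expectancy(sle_pert, aro_pert)

    # Candidate safeguard: reduces the risk by MF = 80% and costs TCO per year
    mf, tco = 0.8, 300_000
    ale_after = ale * (1 - mf)
    return {
        "sle": sle, "ale": ale,
        "sle_pert": sle_pert, "aro_pert": aro_pert, "ale_pert": ale_pert,
        "safeguard_value": safeguard_value(ale, ale_after, tco),
        "rosi": rosi(ale, mf, tco),
    }


if __name__ == "__main__":
    for name, value in run_example().items():
        print(f"{name:>16}: {value:,.2f}")
```

With these inputs the safeguard returns a positive value (the avoided loss exceeds its annual cost) and a ROSI of about 1.67; changing MF or TCO in `run_example()` shows how quickly a costly control with a small mitigation factor turns the value negative.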
2.3) Another method for quantitatively assessing cyber risks is the Monte Carlo method, which runs many iterations of a scenario with random variables to account for possible changes and variations in the data. The Monte Carlo method is characterized by the following features:
- it requires historical data, at least the number of incidents per year and the damage caused by them;
- it allows consequences to be modeled with a certain probability (the more data, the more accurate the result);
- it allows the future number of incidents and the damage from them to be estimated;
- it allows trend lines to be built;
- what-if analysis: how a countermeasure will affect the level of risk over a given period, taking into account data on how the countermeasure reduces the likelihood of an incident (prescriptive or preventive countermeasures) or how it reduces the level of consequences (deterrent, corrective, restorative, investigative, compensatory countermeasures).
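The simulation below is an added example, not code from the article or from Security Vision, showing the Monte Carlo features listed above on constructed data. It assumes a history of six years of incident counts and eight recorded per-incident damages for one threat; the yearly incident count is modeled as a Poisson draw with the historical mean as its rate, and each incident's damage is resampled from the recorded values. The what-if part models a preventive countermeasure as a reduction of the incident rate and a corrective/restorative one as a reduction of per-incident damage, and compares the loss distributions.

```python
"""Monte Carlo estimate of annual cyber loss for one threat, with a what-if for countermeasures.
Added example; the historical data below is constructed, not taken from the article."""
import math
import random
from statistics import mean

# Constructed history: incidents of one threat type per year and the damage per incident.
INCIDENTS_PER_YEAR = [2, 4, 3, 3, 5, 1]                      # six years of counts
DAMAGE_PER_INCIDENT = [50_000, 120_000, 30_000, 400_000,     # monetary units, eight incidents
                       80_000, 15_000, 250_000, 60_000]


def poisson_sample(rng: random.Random, lam: float) -> int:
    """Draw one Poisson(lam) count (Knuth's multiplication method; fine for small rates)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(years: int, seed: int = 42, prob_reduction: float = 0.0,
             impact_reduction: float = 0.0) -> dict:
    """Simulate `years` independent years of losses for one threat.

    prob_reduction   - fraction by which a preventive control lowers the incident rate (ARO)
    impact_reduction - fraction by which a corrective/restorative control lowers per-incident damage
    Returns the mean annual loss and the 50th/90th/95th percentiles of the simulated years.
    """
    if not (0.0 <= prob_reduction <= 1.0 and 0.0 <= impact_reduction <= 1.0):
        raise ValueError("reduction factors must be fractions between 0 and 1")
    rng = random.Random(seed)                                # fixed seed: reproducible runs
    rate = mean(INCIDENTS_PER_YEAR) * (1.0 - prob_reduction)  # incident rate after prevention
    losses = []
    for _ in range(years):
        n = poisson_sample(rng, rate)
        # bootstrap each incident's damage from the empirical record, scaled by the impact control
        loss = sum(rng.choice(DAMAGE_PER_INCIDENT) * (1.0 - impact_reduction) for _ in range(n))
        losses.append(loss)
    losses.sort()

    def percentile(q: float) -> float:
        return losses[min(int(q * years), years - 1)]

    return {"mean": mean(losses), "p50": percentile(0.50),
            "p90": percentile(0.90), "p95": percentile(0.95)}


def compare(years: int = 10_000) -> dict:
    """Baseline versus two hypothetical countermeasures (what-if analysis)."""
    return {
        "baseline": simulate(years),
        "preventive_40pct": simulate(years, prob_reduction=0.4),
        "corrective_50pct": simulate(years, impact_reduction=0.5),
    }


if __name__ == "__main__":
    for label, stats in compare().items():
        print(f"{label:>17}: " + ", ".join(f"{k}={v:,.0f}" for k, v in stats.items()))
```

The mean of the baseline run converges on ARO times the average recorded damage, i.e. the ALE of section 2, while the 90th and 95th percentiles show the tail that a single ALE figure hides; the latter is usually what the risk tolerance level should be compared against. Because the seed is fixed, the corrective run reuses the baseline's incident draws and only scales the damage, so the two distributions can be compared year by year.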
To implement a cyber risk management process in a company, it is advisable to use established risk management methodologies and frameworks. One of the main methodological documents is the ISO/IEC 27005:2022 standard "Information security, cybersecurity and privacy protection. Guidance on managing information security risks". In Russia, this document is being prepared for release as the GOST R ISO/IEC 27005 standard "Information security, cybersecurity, and privacy protection. Guidelines for information security risk management". The risk management process according to the ISO/IEC 27005 standard consists of several steps (processes) that correspond to the PDCA (Plan-Do-Check-Act) approach, the Deming cycle:
1. Define the context.
2. Risk assessment:
2.1. Risk identification;
2.2. Risk analysis;
2.3. Risk evaluation.
3. Treatment of information security risks:
3.1. Risk modification (minimization);
3.2. Risk retention (acceptance);
3.3. Risk avoidance;
3.4. Risk transfer.
4. Risk coordination.
5. Implementation of the developed risk treatment plan.
6. Continuous monitoring and review of risks.
7. Support and improvement of the information security risk management process.
Other risk management methodologies include:
1) GOST R IEC 31010-2021 "Reliability in Engineering. Risk Assessment Methods", which corresponds to IEC 31010:2019 "Risk Management – Risk assessment techniques";
2) the NIST Risk Management Framework (NIST – National Institute of Standards and Technology, USA), which comprises a set of interrelated publications:
- NIST SP 800-39 "Managing Information Security Risk";
- NIST SP 800-37 "Risk Management Framework for Information Systems and Organizations";
- NIST SP 800-30 "Guide for Conducting Risk Assessments";
3) the FAIR methodology (Factor Analysis of Information Risk);
4) the COSO ERM (Enterprise Risk Management) framework;
5) the FMEA (Failure Modes and Effects Analysis) methodology;
6) the CRAMM methodology (Central Computing and Telecommunications Agency Risk Analysis and Management Method).