doi: 10.17586/2226-1494-2021-21-3-437-441


An analysis of methods for assessing information security risks of financial institutions

A. E. Belyaev, O. A. Emelyanova, I. I. Livshitz


Article in Russian

For citation:

Belyaev E.A., Emelyanova O.A., Livshitz I.I. An analysis of methods for assessing information security risks of financial institutions. Scientific and Technical Journal of Information Technologies, Mechanics and Optics, 2021, vol. 21, no. 3, pp. 437–441



Abstract
The paper analyzes existing methods for assessing information security risks, including their features, advantages and disadvantages, and determines whether such methods can be used to assess information security risks in financial institutions. Criteria for comparing information security risk assessment methods are formed, and the advantages and disadvantages of the methods are described. It is shown that, despite regulators' requirements for assessing information security risks, most regulatory documents deal with operational risks. The assessment of information security risks of credit and financial institutions is not sufficiently regulated or formalized. The authors substantiate the need to develop a method for assessing information security risks for credit and financial organizations that takes into account the features of risk assessment inherent to these organizations. The paper considers the need to create lists of existing threats to the credit and financial sector and to link them to existing vulnerabilities in order to optimize the process of assessing information security risks. The development of a methodology for assessing information security risks will increase the degree of compliance of credit and financial institutions with the requirements of international, state and industry standards through an optimal set of protection measures and models for evaluating information security risks.

Keywords: risk assessment, information security, financial institutions, risk management, payment system



This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License
Copyright 2001-2024 ©
Scientific and Technical Journal
of Information Technologies, Mechanics and Optics.
All rights reserved.
