Application of modern methods for information security risks evaluation of a critical information infrastructure facility
https://doi.org/10.17586/2226-1494-2025-25-4-727-736
Abstract
The practice of assessing the IT-security risks of Critical Information Infrastructure (CII) facilities is examined. Three approaches are compared: Event Tree Analysis (ETA), Fault Tree Analysis (FTA), and the international standard ISO/IEC 27005:2022, which establishes the principles of information security risk management. The paper shows how the existing methodological requirements of the Russian Federation for the IT security of CII facilities can be supplemented with modern methods of IT-security risk assessment. The methods are compared using the example of a water supply management system. The selection of the set of protection measures needed to achieve a given level of residual IT-security risk is justified. The possibility of applying modern IT-security risk assessment methods to CII facilities alongside the existing methodological requirements of the Russian Federation is demonstrated.
About the Author
I. I. Livshitz, Russian Federation
Ilya I. Livshitz, D.Sc., Professor
197101, Saint Petersburg
sc 57191569306
For citation:
Livshitz I.I. Application of modern methods for information security risks evaluation of a critical information infrastructure facility. Scientific and Technical Journal of Information Technologies, Mechanics and Optics. 2025;25(4):727-736. (In Russ.) https://doi.org/10.17586/2226-1494-2025-25-4-727-736