Title Informacijos saugumo rizikos analizės metodas informacinės sistemos kūrimo procese /
Translation of Title Information security risk analysis method in the process of developing an information system.
Authors Neverbickas, Dainius
Pages 92
Abstract [eng] Modern companies deal directly with, and depend on, information systems, and they face complex problems of integrity, confidentiality and availability of information. The most effective way to protect against emerging threats is an information security management system, and one of its most important stages is risk management and analysis. The main tasks of information risk management and analysis are to identify existing risks, estimate their possible impact on the organization, and select the most suitable preventive measures for reducing the risk level.

The object of the thesis is the security of information systems. Its aim is to create an information security risk analysis method that can be applied in the process of developing an information system and that raises the system's security level. The tasks of the thesis are: to determine the main principles of risk management; to compare the most popular methods and tools; to evaluate widely used risk analysis methods; to define the main stages of a new risk analysis method based on the best features of the existing ones; and to assess the efficiency of the new method experimentally. Using literature analysis, comparative, extrapolation and experimental methods, the thesis introduces the main principles of security risk management and analysis, compares the most popular risk management and evaluation tools and methods, and creates and evaluates the new RAISKP risk analysis method. After determining the main principles of risk management, it was found that effective risk management requires carrying out the following stages continuously: describing the scope of the risk, risk evaluation, risk administration (treatment), risk communication, and risk monitoring and review.

Risk management increases the stability of an organization, because each threat can be foreseen and security measures adjusted and applied accordingly. A comparison of the most popular risk management methods revealed both similarities and differences. The methods differ in how they achieve their goals, in their suitability for organizations of different sizes, in their compatibility with international standards, and in the knowledge required to apply them; but they are very similar in their practical philosophy, procedures, requirements and aims. A comparison of the most popular risk management and evaluation tools showed that most of them automate reporting and risk calculation; help to foresee future threats from an accumulated knowledge base and then help to select the most suitable preventive measures; and determine, or help to verify, compliance with international security standards. The tools differ in the risk management and evaluation methods they implement, in functionality and in price. The evaluation of risk analysis methods showed that analysis can be performed using either qualitative or quantitative methods: quantitative methods are more suitable when security decisions influence financial decisions, while qualitative risk analysis should be chosen when the decisions concern establishing basic security. The investigation of existing risk analysis methods made it possible to single out their best features. During the survey the fastest and simplest stages were identified and, with small changes, adapted for the new RAISKP method. A practical applicability test of RAISKP made it possible to evaluate the method's efficiency and benefits in the IS development process. The test showed that the new risk analysis method allows security gaps to be foreseen already at the design stage, which helps to create a safer system.

The thesis may be useful to information security specialists, information system designers, and students of the information systems discipline.
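The abstract contrasts quantitative risk analysis (suited to decisions with a financial dimension) with qualitative analysis (suited to establishing a security baseline). The following added example, which is not the thesis's RAISKP method nor code from the thesis, runs both kinds of analysis over the same constructed set of threats for a hypothetical web application. The quantitative side uses the standard annualised loss expectancy model (SLE = asset value x exposure factor, ALE = SLE x ARO) and the return on security investment (ROSI) to decide whether a candidate control pays for itself; the qualitative side uses a 5x5 likelihood/impact matrix. All threat names, asset values, rates and control costs are invented for illustration.

```python
"""Added example: quantitative (ALE/ROSI) versus qualitative (likelihood x impact)
risk analysis on a constructed threat register. Not the thesis's RAISKP method;
all figures below are invented for illustration."""
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    asset_value: float      # loss value of the affected asset (EUR), assumed
    exposure_factor: float  # fraction of asset value lost per occurrence, 0..1
    aro: float              # annualised rate of occurrence (events per year)
    likelihood: int         # qualitative score 1 (rare) .. 5 (almost certain)
    impact: int             # qualitative score 1 (negligible) .. 5 (severe)


@dataclass
class Control:
    name: str
    threat: str             # name of the threat this control mitigates
    annual_cost: float      # EUR per year, assumed
    aro_reduction: float    # fraction by which the control lowers ARO, 0..1
    ef_reduction: float     # fraction by which it lowers the exposure factor


def single_loss_expectancy(asset_value, exposure_factor):
    return asset_value * exposure_factor


def annual_loss_expectancy(sle, aro):
    return sle * aro


def rosi(ale_before, ale_after, annual_cost):
    """Return on security investment: > 0 means the control pays for itself."""
    if annual_cost <= 0:
        raise ValueError("annual_cost must be positive")
    return (ale_before - ale_after - annual_cost) / annual_cost


def assess_quantitative(threats, controls):
    """Compute ALE before/after each control and recommend it when ROSI > 0."""
    by_name = {t.name: t for t in threats}
    results = []
    for c in controls:
        t = by_name[c.threat]
        sle_before = single_loss_expectancy(t.asset_value, t.exposure_factor)
        sle_after = single_loss_expectancy(
            t.asset_value, t.exposure_factor * (1 - c.ef_reduction))
        ale_before = annual_loss_expectancy(sle_before, t.aro)
        ale_after = annual_loss_expectancy(sle_after, t.aro * (1 - c.aro_reduction))
        r = rosi(ale_before, ale_after, c.annual_cost)
        results.append({"control": c.name, "threat": t.name,
                        "ale_before": round(ale_before, 2),
                        "ale_after": round(ale_after, 2),
                        "rosi": round(r, 2), "recommend": r > 0})
    return results


def qualitative_level(likelihood, impact):
    """Map 1..5 likelihood and 1..5 impact onto an ordinal risk level.
    Thresholds on the product are an assumption of this example."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("scores must be in 1..5")
    score = likelihood * impact
    if score >= 15:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def assess_qualitative(threats):
    """Rank threats by likelihood x impact; ties keep register order."""
    ranked = [(t.name, qualitative_level(t.likelihood, t.impact),
               t.likelihood * t.impact) for t in threats]
    return sorted(ranked, key=lambda row: row[2], reverse=True)


# Constructed threat register and candidate controls (hypothetical values).
THREATS = [
    Threat("SQL injection in customer search", 200_000, 0.5, 0.5, 4, 4),
    Threat("Lost unencrypted backup tape", 200_000, 0.8, 0.1, 2, 5),
    Threat("Web site defacement", 20_000, 0.3, 2.0, 5, 2),
]
CONTROLS = [
    Control("Parameterised queries and input validation",
            "SQL injection in customer search", 10_000, 0.9, 0.0),
    Control("Encrypt backup tapes", "Lost unencrypted backup tape", 3_000, 0.0, 0.9),
    Control("Managed WAF subscription", "Web site defacement", 15_000, 0.5, 0.0),
]

if __name__ == "__main__":
    for row in assess_quantitative(THREATS, CONTROLS):
        print(row)
    for name, level, score in assess_qualitative(THREATS):
        print(f"{level:8} {score:2}  {name}")
```

On this register the two approaches disagree in an instructive way: qualitatively the tape loss and the defacement land in the same "High" band, but the quantitative view shows the tape encryption control returning 3.8 EUR per EUR spent while the WAF subscription does not recover its cost against a low-value asset, which is exactly the kind of financially grounded decision the abstract says quantitative methods are for.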
Type Master thesis
Language Lithuanian
Publication date 2010