Development of an optimal options-forming method for information security risk treatment based on quantitative assessment models

DOI:

https://doi.org/10.15587/2706-5448.2025.340229

Keywords:

risk analysis, risk treatment, risk management, information security, economic efficiency, ABC analysis

Abstract

The object of this research is the process of forming optimal options for treating an organization's information security risks. One of the most problematic areas is choosing, from the set of available risk treatment options, the protection means and measures that reduce information security risks to an acceptable level without harming the organization. Existing models and methods are cumbersome, which makes their practical use impossible, and they also ignore the economic characteristics of implementing protection means and measures.

The research used methods of investment theory, which made it possible to assess the effectiveness of reducing information security risks through the implementation of a set of means and/or measures of information protection, and the ABC analysis method, which made it possible to identify the most effective ones among them by dividing them into groups. This approach simplified the process of assessing information security risks and choosing the optimal set of protection means and measures. The proposed method involves calculating the net present value and payback period of the project, which allows the owner of the organization to assess the economic efficiency of implementing a set of protection means and measures and to understand when the costs of the information protection system will pay off.

The resulting method significantly simplifies the process of reducing information security risks at a break-even cost. This is because the proposed method has a number of distinctive features in forming options for information security risk treatment. In particular, it involves assessing the effectiveness of implementing each protection means and/or measure and ranking them by effectiveness by dividing them into groups. This enables the creation of a risk-oriented information security system. Compared to similar known models and methods, this yields a simplified procedure for information security risk treatment in practice.
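As an added illustration (not the paper's own formulas or data), the following Python computes the net present value and simple payback period of each protection control over a fixed horizon and then ABC-groups the controls by their cumulative share of total positive NPV; the discount rate, the 80 %/95 % group thresholds and the control figures are all assumed sample values.

```python
from dataclasses import dataclass

@dataclass
class Control:
    name: str
    capex: float         # one-off implementation cost
    opex: float          # annual operating cost
    loss_avoided: float  # annual expected loss avoided (ALE before minus ALE after)

def npv(c: Control, rate: float, years: int) -> float:
    """Net present value of one control over `years` at discount `rate`."""
    annual = c.loss_avoided - c.opex
    return -c.capex + sum(annual / (1 + rate) ** t for t in range(1, years + 1))

def payback_years(c: Control, years: int):
    """Simple (undiscounted) payback period in years; None if not recovered within the horizon."""
    annual = c.loss_avoided - c.opex
    if annual <= 0:
        return None
    pb = c.capex / annual
    return pb if pb <= years else None

def abc_groups(controls: list, rate: float, years: int,
               a_share: float = 0.8, b_share: float = 0.95) -> dict:
    """Rank by NPV; A/B/C by cumulative share of positive NPV (NPV <= 0 goes straight to C)."""
    scored = sorted(((c, npv(c, rate, years)) for c in controls),
                    key=lambda cv: cv[1], reverse=True)
    positive = [(c, v) for c, v in scored if v > 0]
    total = sum(v for _, v in positive)
    groups = {c.name: "C" for c in controls}
    cum = 0.0
    for c, v in positive:
        share_before = cum / total  # share already covered by higher-ranked controls
        groups[c.name] = "A" if share_before < a_share else "B" if share_before < b_share else "C"
        cum += v
    return groups

# Constructed sample data (illustrative figures, not taken from the paper)
CONTROLS = [
    Control("MFA", 20_000, 5_000, 40_000),
    Control("EDR", 50_000, 20_000, 45_000),
    Control("DLP", 80_000, 30_000, 35_000),
    Control("Awareness training", 5_000, 8_000, 15_000),
    Control("Firewall replacement", 60_000, 10_000, 12_000),
]

if __name__ == "__main__":
    groups = abc_groups(CONTROLS, rate=0.10, years=5)
    for c in CONTROLS:
        print(c.name, round(npv(c, 0.10, 5)), payback_years(c, 5), groups[c.name])
```

Group A controls form the first treatment option; group C controls never pay back within the horizon and are candidates for a cheaper alternative or risk acceptance.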

Author Biographies

Yurii Kopytin, e-Governance Academy Representative Office in Ukraine

Senior Expert in Information Technology Management

Maryna Kopytina, State University of Intelligent Technologies and Telecommunications

PhD Student

Department of Management and Marketing

Volodymyr Korchynskyi, State University of Intelligent Technologies and Telecommunications

Doctor of Technical Sciences

Department of Cybersecurity and Technical Protection of Information

Published

2025-10-30

How to Cite

Kopytin, Y., Kopytina, M., & Korchynskyi, V. (2025). Development of an optimal options-forming method for information security risk treatment based on quantitative assessment models. Technology Audit and Production Reserves, 5(2(85)), 47–55. https://doi.org/10.15587/2706-5448.2025.340229

Section

Systems and Control Processes