The Validity of Information Security Risk Assessment Methods for Organizations
Scientific and Technical Information Processing (IF 0.4), Pub Date: 2021-02-26, DOI: 10.3103/s014768822004005x
L. V. Astakhova

Abstract

Based on statistical data, a contradiction is shown between the growth of financial investment in the information security (IS) of organizations and the steady growth in the number of IS incidents caused by internal users. The conclusion is drawn that modern IS risk assessment methods are cognitively vulnerable and have a low degree of validity. Stereotypes are identified that lead to cognitive errors in assessing IS risks: giving priority to the technical protection of information from external IS threats over organizational and technical protection from internal threats; distrust of the internal client, who is perceived exclusively as an object of strict managerial control, ignoring their subjective role in IS management; and limiting work with personnel within the IS management system to one-time measures and static criteria for assessing human risks, while neglecting systemic measures and dynamic, situational criteria. The necessity of updating standards for IS risk management, and of developing new methods and tools for assessing IS risks based on rejecting these outdated stereotypes, is substantiated.




Updated: 2021-02-26