Alexey V. Amenitsky
Saint Petersburg State Electrotechnical University “LETI”, Saint Petersburg, Russia,
ORCID ID: 0009-0004-0955-1527
arbat365@mail.ru
Eugeny G. Vorobyov
Saint Petersburg State Electrotechnical University “LETI”, Saint Petersburg, Russia,
ORCID ID: 0000-0003-0564-5935
DOI: 10.36724/2664-066X-2026-12-1-31-40
SYNCHROINFO JOURNAL. Volume 12, Number 1 (2026). P. 31-40.
Abstract
Contemporary cyber threat landscapes, characterized by adaptive adversaries and rapidly evolving attack vectors, necessitate a paradigm shift from reactive to proactive information security risk management (ISRM). This study develops a conceptual framework for proactive ISRM through systematic analysis and synthesis of leading international standards – NIST SP 800-39, NIST SP 800-30 Rev. 1, and ISO/IEC 27005:2018 – and their adaptation to critical information infrastructure (CII) protection requirements. The research introduces a dynamic risk factor model incorporating the threat shifting phenomenon, in which risk probability is formalized as a time-dependent function of adversary adaptation (evolution of TTPs). A three-tier governance architecture (organizational, business-process and information-system levels) is enhanced with continuous monitoring feedback loops and threat intelligence integration mechanisms. The framework specifically addresses industrial control system (ICS/SCADA) vulnerabilities through domain-specific threat shifting analysis across temporal, target, resource, and methodological dimensions. Validation through comparative analysis demonstrates that a hybrid implementation combining NIST's technical granularity with ISO/IEC 27005's organizational flexibility yields a 30-40% reduction in mean time to detect (MTTD) incidents compared to periodic assessment models. The proposed model provides actionable guidance for CII operators to achieve regulatory compliance (Russian FSTEC requirements) while implementing internationally recognized best practices. This research contributes to risk management theory by formalizing adaptive threat behavior into quantitative risk metrics and offers practical tools for enhancing the cyber resilience of critical infrastructure against sophisticated persistent threats.
Keywords: proactive risk management; information security; NIST Risk Management Framework; ISO/IEC 27005; threat shifting; continuous monitoring; critical information infrastructure; industrial control systems