Digital technology security

Analysis of the process of creation of a secure information system of the enterprise

Issue No 4 (111) October - December 2023
Authors:

Kulikovskij Dmitrij Olegovich,
Khalina Daria
DOI: http://dx.doi.org/10.17212/2782-2230-2023-4-35-46
Abstract

The article analyses the key stages in developing a secure enterprise information system. It focuses on the stages of defining information security objectives, assessing risks and identifying vulnerabilities, and on the process of making informed decisions about information system security. Detailed recommendations are given for preparing a report on the completed risk analysis and for making informed decisions based on its results. The work also analyses how a threat probability matrix is compiled, how an intruder model is built and what the stages of building a threat model are, which provides practical recommendations for assessing and managing the enterprise's information security risks and for forecasting threats. Definitions of all the terms used are provided, together with examples of an access matrix and a threat probability matrix. The components of intruder models and threat models are indicated, and the most common errors made when preparing a risk analysis report and presenting it to management are noted. The analysis is intended as a resource for information security specialists and business managers interested in building a reliable and secure information system.


Keywords: information system, security, threat model, fraudster model, access matrix, threat matrix, risk analysis report, access control
Kulikovskij Dmitrij Olegovich
Novosibirsk State Technical University, 630073, Russia, Novosibirsk, prospekt K. Marksa, 20
Phone: +79016001657
E-mail: kulikovskij.2022@stud.nstu.ru
Orcid: 0009-0009-5585-0778

Khalina Daria
Novosibirsk State Technical University, 630073, Russia, Novosibirsk, prospekt K. Marksa, 20
Phone: 89137958909
E-mail: whitealisia@yandex.ru
Orcid: 0009-0003-9002-5593

For citation:

Kulikovskij D.O., Khalina D.N. Analiz protsessa sozdaniya bezopasnoi informatsionnoi sistemy predpriyatiya [Analysis of the creation process of a secure enterprise information system]. Bezopasnost' tsifrovykh tekhnologii = Digital Technology Security, 2023, no. 4 (111), pp. 35–46. DOI: 10.17212/2782-2230-2023-4-35-46.