Analysis of reference frameworks on information security risk management

Authors

  • Clayret Echenique Quintana, Universidad de Ciencias Informáticas

Keywords:

COBIT, risk management, ISO/IEC 27005, NIST, information security

Abstract

In a world increasingly dependent on technological infrastructure, organizations face multiple information security risks that can affect their performance and sustainability. Managing these risks has become an essential tool for identifying, assessing and mitigating threats, which is why several risk management frameworks have been developed to help organizations deal with such incidents effectively. In the present investigation, a study was carried out on cybersecurity risk management frameworks, focusing specifically on NIST, COBIT and ISO/IEC 27005, which offer different points of view on risk assessment but share the same objective: contributing to information security in organizations.
A general characterization of these frameworks was made, they were compared according to different criteria, and the main limitations of each were also exposed. The theoretical methods that helped shape the exploratory study carried out were historical-logical, analytical-synthetic, inductive-deductive and systemic-structural-functional. This study helps to understand the strengths and weaknesses of these widely used models and contributes to a subsequent evaluation of the impact of cybersecurity in Cuban organizations.

Author Biography

  • Clayret Echenique Quintana, Universidad de Ciencias Informáticas

    Universidad de las Ciencias Informáticas. La Habana, Cuba

Published

29-12-2023

How to Cite

Analysis of reference frameworks on information security risk management. (2023). Tono, Revista Técnica De La Empresa De Telecomunicaciones De Cuba S.A, 19(2), 7-20. http://www.revistatono.etecsa.cu/tono/article/view/384