Risk-based Pareto Approach to the Training Of Information Security Specialists Based On a Sixteen-factor Threat Model

Igor Mandritsa, Tatyana Grobova, Vyacheslav Petrenko, Olga Mandritsa

Abstract


The article proposes an innovative educational approach to training students in the field of study 10.03.01 "Information Security" and the specialty 10.05.01 "Computer Security", based on a Pareto-oriented multifactor threat model. It is shown that aggregating the Threat Data Bank of the FSTEC of Russia into a stable 16-factor core makes it possible to focus the educational process on the most critical classes of risks, which account for up to 96% of total losses. A quantitative model for assessing students' professional competencies and a questionnaire tool for diagnosing their level of training have been developed. The results demonstrate that the synergy of the factor model, high-quality teaching and practice-oriented tools forms the engineering thinking a graduate needs to justify investments in information security and build adequate protection systems.





ISSN: 2307-8162