A risk-oriented approach to the control arrangement of security protection subsystems of information systems.