Improving the Courses of Educational Programs on Information Security Smart Grid

Smart Grids (SGs) represent a new concept in the development of electric power infrastructure in a digital economy. Existing courses and educational programs do not always meet the requirements of the new concept and do not allow the formation of the necessary new competencies. This article provides recommendations for improving educational activities based on the risk analysis of the electricity company and compiling a competency map for an educational program for training personnel in the field of security risk management for SG.

In this regard, the problem arises of determining the goals of improving the professional level of students, selecting the content of teaching materials of the educational process, assessing educational results and matching competencies with the modern level of activity of enterprises and organizations in the field of information security in the electric power industry based on the Smart Grid concept.
The aim of the article is to improve the courses of educational programs in information security based on ensuring the completeness and complexity of the competencies of graduates in the field of IS Smart Grid management.

FIELD OF INFORMATION SECURITY MANAGEMENT
The concept of a "skills-based approach" (or "competency-based approach") has become widespread in connection with solving the problems of improving education in Russia, as well as the transition to the implementation of federal educational standards of higher education. A curriculum built on a skills-based approach can be considered as a set of principles, goals of education, selection of the content of education, organization of the educational process and assessment of educational results.
In this regard, the implementation of the skills-based approach to training specialists in the field of information security management and the study of trends in this area will allow domestic information security specialists to increase their competitiveness.
Of interest is the vector of development of training in the field of information security management, which is based on the following courses: CISSP (Certified Information Systems Professional); CSSLP (Certified Secure Software Lifecycle Professional); CISM (Certified Information Security Manager); CISA (Certified Information Systems Auditor).
The training materials for these courses have been tested at Bauman Moscow State Technical University and at the Financial University under the Government of the Russian Federation when conducting the corresponding certification courses for information security specialists [4].
A graduate of the courses should have professional competences: to know the basic methods of information security management, be able to improve methods of information security, have the skills to assess the effectiveness of information security in organizations. At the same time, the following seven main sections can be distinguished in certified courses [4,5,6,9,12]: IS management; secure access; network security; cryptographic information security; development of safe programs; modeling and conformity assessment; business continuity and recovery.
In Smart Grid information systems, which are an innovative field, this knowledge and these skills, together with the ability to apply them adequately and successfully, can be formed only directly when solving the corresponding problems in the framework of practical activities. They cannot be fully acquired in the course of obtaining education, since in educational institutions there are practically no tasks from the real practice of managing information security of modern companies, including Smart Grid. It should be noted that threat and risk are determined not abstractly, but relative to specific protected resources [4, p. 9]. However, this paradox is partially solved by the creation of pilot laboratories, the development of cases, and the widespread use of simulation of the main, supporting and auxiliary business processes.
The focus of production of something new in the electric power industry is shifting in modern conditions to the creation of innovative smart grids. The introduction of the Smart Grid concept provides for the development of smart grid technology and means a fundamental reorganization of the electric energy services market [2,10]. Federal Grid Company of Unified Energy System (FGC UES, PJSC) is one of the largest enterprises in the electric power industry, rendering services in the transmission and distribution of electric energy, in connection to electric networks and in the collection, transmission and processing of technological information, including measurement and accounting data [13].
A network operating on the basis of the Smart Grid concept is able to detect the damaged area itself, de-energize it and automatically power consumers who are briefly left without power. Controllers with freely programmable logic implement algorithms for configuring power supply schemes for various emergencies and provide network automation.
The methods of creating information systems cannot be separated from the main goals of entrepreneurial activity and cannot be unrelated to environmental influences and limitations [3]. To effectively use information systems, an entrepreneur must understand the socio-economic risks and limitations of technology development, implementation and use of systems (Fig. 1).
Business information systems should reduce risks by increasing the effectiveness of managers' actions, based on mathematical models of risk optimization and methods for managing cyber risks at various levels [8,10,11]. The shortage of specialists in the field of information security, who in the digital economy are ready to solve the key tasks of the coming decade, is focused on innovative products and the creation of new markets and the globalization of companies. Systems for training specialists for information security management should begin to train specialists with knowledge and competencies in several subject areas who can work with both internal and external risks, both operational and IT risks (cyber risks) and are able to anticipate future transformations.
The main subject of the study is the need to analyze exactly what competencies and qualifications are needed to ensure the information security of companies and how this will affect the training system for its personnel. For the world's leading electricity companies, innovation is an important source of income. New technologies bring energy companies not only new opportunities but also create new threats and risks. Therefore, the introduction of a new system of smart metering devices (Smart Meters), allowing remote transmission of energy consumption data of a client, has opened up many new ways of theft of electricity [7].
The competency clusters and processes are identified on the basis of the analysis of the interaction scheme of the power company divisions in the operational risk management system and their IS risks (cyber risks), based on expert estimates and taking into account the competence clusters used in the practice of leading companies from the standpoint of information security of the smart energy network [1].
The operational risk management system in an electric power company consists of the following elements: operational risk management services (ORMS); a specialized unit of the organization that performs IS risk management procedures (IS service); divisions that are owners of the organization's business processes and divisions supporting the organization's business processes (centers of competence); classifiers used in the operational risk and information security management system; an event database containing information on operational risk and IS risk events and losses from all types of risks; benchmarks of the electricity company and a system of measures aimed at improving the quality of the management system; automated information system.

In Fig. 2, which reflects the interaction of company departments in the context of the integration of information security risks, the following conventions are adopted:

1 - the information security service (ISS) ensures the identification of IS incidents (IS risk events) and the identification of sources, threats and vulnerabilities of the threat (attack) implementation, the identification of business processes, systems affected by the incident, makes an immediate response to the incident in accordance with the procedure established by the company and transmits information about the incident to the business unit and to the ORMS;
2 - business units respond to an incident: they suspend business processes, block accounts, etc. and transmit the consequences of the incident to the ORMS;
3 - the operational risk management system determines the extent and degree of impact of the incident (IS risk event) on other risks and business processes, classifies the incident according to the operational risk methodology and reflects it in the event database;
4 - the operational risk management system determines, together with business units and the operational risk management system, incident losses (IS risk events); defines measures to minimize other risks depending on the realized risk of information security;
5 - the business unit provides information on losses in the ISS;
6 - the information security system determines the effectiveness of measures to ensure an immediate response to an incident (IS risk event);
7 - ORMS, structural divisions, and the information security service organize activities aimed at minimizing the consequences of the implementation of IS risk (cyber risk) and other types of risk;
8 - the information security service evaluates the effectiveness of measures to minimize the risk of information security (cybersecurity risk) and the level of residual risk.

Taking into account the considered scheme and the competency approach proposed in [1], we present a map of the competencies of specialists in the field of information security of an intellectual network.

A. Leadership, organizational and managerial competencies of an information security officer.
A.1. Has command of modern models of company organization and can independently organize the process of ensuring information security.
A.2. Can act as a qualified customer of research and development.

This map shows what competencies are necessary for the implementation of the processes of an electric power innovation company. At the same time, the distribution of managerial, technological and entrepreneurial competencies is uneven. This map also shows the place and importance of the company's technological competencies to ensure information security.

B. Employee competencies in terms of communication and
The processes of changing the composition of the required competencies and qualification structure for managing and ensuring innovative activities in the context of digitalization and information security acquire a special role at the stage of transformation of electric companies.

IV. CONCLUSION
The considered approach to the formation of competencies allows you to:
- ensure the completeness and comprehensiveness of the composition of competencies, since this composition of competencies will be associated with the regulation of information processes and business processes of the company and fully comply with its description;
- represent competencies in educational programs in the form of a tree with a hierarchical multi-level structure and in the chronological sequence of their implementation, according to the chronology of the implementation of relevant processes to ensure information security;
- supplement, based on the study of new business processes of successful enterprises, the set of competencies of graduates, taking into account the focus of the educational program on new specific areas of knowledge and activities.