The article notes that the methodology for assessing information security (IS) risks has a number of significant limitations, in particular, the method of expert assessments is used. As the practice of IS shows, the method of expert assessments has a number of limitations, which as a result makes it impossible to form a necessary and sufficient list of measures to protect information. The article describes in detail the mathematical approaches underlying the methodology for predicting the dynamics of the probability of a computer attack from the intruder point of view based on statistical data, in particular, the Theory of the provisions of criminology, and the Theory of diffusion of innovations. Separately, the importance of forming a model of the intruder for determining the sources of publicly available information for calculating the probability of an accident is noted. A detailed description of the methodology for predicting the dynamics of the probability of conducting a spacecraft from the point of view of the violator based on statistical data is given. As well as an assessment of its adequacy based on data on more than 700 thousand loans to the credit and financial sector for 2017-2018.