The risk-based approach (RBA) provides certain advantages in the construction and operation of information security management systems, therefore, the most frequently applied standards in this area are based on it. But the practical application of RBA for protection against cyber threats is fraught with a number of difficulties and limits. It is shown that application of a detailed risk assessment to assess the information security in organization intensively using the Internet and other IT in its activities, require a lengthy work to investigate vulnerabilities, calculating the private risks, reducing them into risks of threat. Taking into account the extremely high labor costs of this procedure, it is relevant to solve the problem by assessing high-level risks. Four verbal specifications of the attacker are introduced, describing various aspects of his behavior and skills, the socio-psychological context of his actions, the target settings of these actions, affecting the choice of the attacker's strategy, methods and ways to implement information threats. On the basis of these specifications reflexive risk models are formed. These are mathematical models whose structure and parameters reflect the characteristics of the attacker contained in its specification. Each of these models can be tailored to its own security policy to minimize losses to the organization. The study of reflexive models in a number of cases made it possible to determine the maximum volume of investments in the information security system and reveal the limitations in the application of the RBA to the construction of the information security system
