We consider the modern approaches to estimating risks to information security of corporate information system. The analysis of software systems intended for estimation of such risks is carried out. We present an approach to risk analysis based on construction of formal models of precedents of cyber attacks. Mathematical foundations of the presented approach are stated. Finally we describe software system RiskPanel which is an implementation of our approach.