Yuliia Kostiuk

Work place: Department of Information and Cyber Security named after Professor Volodymyr Buriachok of the Borys Grinchenko Kyiv Metropolitan University, 13B Levka Lukianenka Str., Kyiv, 04207, Ukraine

E-mail: y.kostiuk@kubg.edu.ua

Biography

Yuliia Kostiuk is an Associate Professor at the Department of Information and Cyber Security named after Professor Volodymyr Buriachok at the Borys Grinchenko Kyiv Metropolitan University, Ukraine. She holds a PhD in Computer Science. Her areas of expertise include multi-level mathematical models, information and cyber security, information protection in information and communication, computer systems and networks, and wireless networks.

Author Articles
Methodological Approaches to Assessing Enterprise Information Security Using a Process-Oriented Approach

By Yuliia Kostiuk, Volodymyr Sokolov, Pavlo Skladannyi, Karyna Khorolska

DOI: https://doi.org/10.5815/ijieeb.2026.03.03, Pub. Date: 8 Jun. 2026

The article proposes a process-oriented methodology for assessing enterprise information security, which serves as an integral indicator of business process security Q based on a multi-level system of mathematical models. The proposed approach combines risk-oriented analysis, stochastic modelling, fuzzy set methods, and optimisation of the distribution of protection resources, ensuring the linkage of security indicators to the enterprise's functional business processes. The simulation model allows the reproduction of the dynamics of cyberattack flows and the assessment of the impact of variable threat intensity on the stability of business processes in near real time. Experimental validation of the methodology on depersonalised incident logs and simulated attack scenarios showed that the integration of the optimisation module provides an increase in the integral security indicator Q by 12-27% depending on the intensity of threats, and also contributes to the rational redistribution of cybersecurity resources in favour of the most critical business processes. A comparative analysis with the Classical Risk Matrix, NIST SP 800-30, and ISO/IEC 27005 confirmed the proposed model's higher accuracy and adaptability in a dynamic cyber environment. Machine learning methods are used as an auxiliary adaptive mechanism to refine model parameters, rather than as the primary risk assessment tool. The results obtained demonstrate the practical applicability of the process-oriented simulation and optimisation model for improving the resilience of enterprise business processes and reducing residual cyber risk. 
