Logo PTI
Polish Information Processing Society
Logo FedCSIS

Annals of Computer Science and Information Systems, Volume 8

Proceedings of the 2016 Federated Conference on Computer Science and Information Systems

An initial insight into Information Security Risk Assessment practices

DOI: http://dx.doi.org/10.15439/2016F158

Citation: Proceedings of the 2016 Federated Conference on Computer Science and Information Systems, M. Ganzha, L. Maciaszek, M. Paprzycki (eds). ACSIS, Vol. 8, pages 9991008 ()

Full text

Abstract. Much of the debate surrounding risk management in information security (InfoSec) has been at the academic level, where the question of how practitioners view predominant issues is an essential element often left unexplored. Thus, this article represents an initial insight into how the InfoSec risk professionals see the InfoSec risk assessment (ISRA) field. We present the results of a 46-participant study where have gathered data regarding known issues in ISRA. The survey design was such that we collected both qualitative and quantitative data for analysis. One of the key contributions from the study is knowledge regarding how to handle risks at different organizational tiers, together with an insight into key roles and knowledge needed to conduct risk assessments. Also, we document several issues concerning the application of qualitative and quantitative methods, together with drawbacks and advantages. The findings of the analysis provides incentives to strengthen the research and scientific work for future research in InfoSec management.


  1. Information technology, Security techniques, ISMS, Overview and vocabulary, International Organization for Standardization Norm, ISO/IEC 27000:2014. [Online]. Available: http://dx.doi.org/10.3403/30236519
  2. B. Blakley, E. McDermott, and D. Geer, “Information security is information risk management,” in Proceedings of the 2001 workshop on New security paradigms. ACM, 2001, pp. 97–104.
  3. Information technology, Security techniques, Information Security Risk Management, International Organization for Standardization Std., ISO/IEC 27005:2011.
  4. A. Syalim, Y. Hori, Kouchi, and K. Sakurai, “Comparison of risk analysis methods: Mehari, magerit, nist800-30 and microsoft’s security management guide,” International Conference on Availability, Reliability and Security, pp. 726–731, 2009.
  5. W. Bornman and L. Labuschagne, “A comparative framework for evaluating information security risk management methods,” in Information Security South Africa Conference, 2004.
  6. “Inventory of risk assessment and risk management methods,” European Network and Information Security Agency (ENISA), Tech. Rep., 2006.
  7. G. Wangen, C. Hallstensen, and E. Snekkenes, “A framework for estimating information security risk assessment method compcomplete - core unified risk framework,” in [Under Revision]. .., 2016.
  8. G. Wangen and E. Snekkenes, “A taxonomy of challenges in information security risk management,” in Proceeding of Norwegian Information Security Conference / Norsk informasjonssikkerhetskonferanse - NISK 2013 - Stavanger, vol. 2013. Akademika forlag, 2013.
  9. S. Fenz, J. Heurix, T. Neubauer, and F. Pechstein, “Current challenges in information security risk management,” Information Management & Computer Security, vol. 22, no. 5, pp. 410–430, 2014.
  10. G. Wangen, “An initial insight into infosec risk management practices,” in Proceeding of Norwegian Information Security Conference / Norsk informasjonssikkerhetskonferanse - NISK 2015 - Aalesund, vol. 2015. Open Journal Systems, 2015.
  11. A. G. Kotulic and J. G. Clark, “Why there aren’t more information security research studies,” Information & Management, vol. 41, no. 5, pp. 597–607, 2004. [Online]. Available: http://dx.doi.org/10.1016/j.im.2003.08.001
  12. G. A. Churchill Jr, “A paradigm for developing better measures of marketing constructs,” Journal of marketing research, pp. 64–73, 1979.
  13. E. Vittinghoff, D. V. Glidden, S. C. Shiboski, and C. E. McCulloch, Regression methods in biostatistics: linear, logistic, survival, and repeated measures models. Springer Science & Business Media, 2011.
  14. G. Locke and P. Gallagher, “800-39 nist sp, managing information security risks - organization, mission, and information systems view,” National Institute of Standards and Technology: U.S. Department of Commerce, Tech. Rep., 2008.
  15. S. Fenz and A. Ekelhart, “Verification, validation, and evaluation in information security risk management,” Security Privacy, IEEE, vol. 9, no. 2, pp. 58–65, 2011.
  16. S. Ozkan and B. Karabacak, “Collaborative risk method for information security management practices: A case context within turkey,” International Journal of Information Management, vol. 30, no. 6, pp. 567–572, 2010. [Online]. Available: http://dx.doi.org/10.1016/j.ijinfomgt.2010.08.007
  17. A. Jaquith, Security metrics: replacing fear, uncertainty, and doubt. Addison-Wesley Upper Saddle River, 2007.
  18. Y. Zhiwei and J. Zhongyuan, “A survey on the evolution of risk evaluation for information systems security,” Energy Procedia, vol. 17, pp. 1288–1294, 2012.
  19. G. F. Loewenstein, E. U. Weber, C. K. Hsee, and N. Welch, “Risk as feelings.” Psychological bulletin, vol. 127, no. 2, p. 267, 2001.
  20. N. N. Taleb, The Black Swan: The Impact of the Highly Improbable, 2nd ed. Random House LLC, 2010.
  21. G. Wangen and A. Shalaginov, Risks and Security of Internet and Systems: 10th International Conference, CRiSIS 2015, Mytilene, Lesbos Island, Greece, July 20-22, 2015, Revised Selected Papers. Cham: Springer International Publishing, 2016, ch. Quantitative Risk, Statistical Methods and the Four Quadrants for Information Security, pp. 127–143. [Online]. Available: http://dx.doi.org/10.1007/978-3-319-31811-0_8
  22. T. Aven, W. Røed, and H. S. Wiencke, Risikoanalyse (Norwegian Ed). Prinsipper og metoder, med anvendelser. Oslo: Universitetsforlaget, 2008.
  23. N. N. Taleb, Antifragile: things that gain from disorder. Random House LLC, 2012.