As observed at the 4th International Conference on Global e-Security in London in June 2008, Information Security Risk Management (ISRM) is a major concern of organizations worldwide. Although the number of existing ISRM methodologies is enormous, in practice organizations invest substantial resources in creating new ISRM methodologies in order to capture the risks of their complex information systems more accurately. This is a crucial, knowledge-intensive process for organizations, but in most cases it is addressed in an ad hoc manner. A systematic approach to the development of new or improved ISRM methodologies would enhance the effectiveness of the process (Papadaki et al., 2008). In this review, we examine existing ISRM methodologies, analyse trends in the development of new or improved methods and highlight gaps in research on the subject. The overarching research questions that form the foundations for this study were consequently formulated as follows:
RQ1: What information security risk management methodologies are currently being used in the industry?
RQ2: What evidence has been presented in ISRM research regarding the benefits and limitations of these methodologies?
RQ3: How much effort has been devoted to making these methodologies more SME-friendly?
RQ4: What are the prospects of the concept of Evidence-Based Risk Management in ISRM?
In responding to these research questions, our review turns the searchlight of critical analysis on the ISRM methodologies covered in the existing literature, with a view to providing a compendium for practitioners, researchers and other stakeholders in the ISRM arena.
The following ISRM methodologies were covered in the primary studies selected for this review:
……………..
……………..
……………..
With respect to RQ1, we limited our scope to ISRM methodologies on which primary studies had been undertaken from January 1995 to October 2012 on the premise that prior to the adoption of