A Taxonomy of Challenges in Information Security Risk Management

Risk management is viewed by many as the cornerstone of information security and is used to determine what to protect and how. How to approach risk management for information security is an ongoing debate, as there are several difficulties in existing approaches. The problems and challenges within the discipline are not easily visible, being dispersed throughout the literature. There is therefore a need for an overview that lets both industry and researchers obtain a holistic picture of the research area and contribute to making progress. In this paper, we present a taxonomy of problems identified in the literature on information security risk management, and highlight some of the important prevailing issues that are contributing to the lack of progress within the research field.
