The State of Risk Assessment Practices in Information Security: An Exploratory Investigation

Risk in information systems security can be defined as a function of a given threat source exercising a particular vulnerability and the resulting impact of that adverse event on the organization. Risk management is the process of identifying and assessing risk and taking steps to reduce it to an acceptable level, given the costs involved in doing so. The major activity within risk management is the risk assessment process. The objective of this research is to assess the current state of practice in conducting risk assessments for information security policy management. Results from an exploratory survey of U.S.-headquartered firms indicate that more frequent risk assessments, the use of quantitative measures of the likelihood of loss, and more complete asset inventories correspond with higher levels of user satisfaction and perceived usefulness, although many companies choose not to engage in this level of practice or go only part way. Additionally, respondents reported substantial difficulty in identifying threats and estimating loss, indicating that much can be done to improve the current state of practice.
