There are already many models of risk assessment and more are emerging every day. They all have the same fundamental target, but most attempt to hit the target from very different approaches. Some approaches can be applied to all types of risk, while others are specific to particular risks. A particularly dangerous risk in the global economy today is the security of information. Information is a key asset for organizations, and reducing the risk of information compromise is a high priority. This study proposed a methodology for information security risk analysis in which the assets, vulnerabilities, threats, and controls of an organization are linked. The main purpose of the study is to compare and clarify the different activities, inputs, and outputs required by each model of information security risk assessment and the analysis that effectively addresses the risks of information security. At the moment, there are numerous risk analysis methodologies available, some of which are qualitative while others are more quantitative in nature. These methodologies have a common goal to estimate the overall value of risk. An organization must choose the most proper methodology based on their specific requirements.