Information Security Risk Assessment Methods: A Literature Review

Added on  2022/08/13

|7
|1477
|23
Literature Review
AI Summary
This literature review examines various methods for assessing information security risks. It begins by highlighting the importance of risk management in the context of computer security, emphasizing that risk assessment is a crucial part of the process. The review contrasts quantitative and qualitative approaches to risk analysis, noting the limitations of each. Quantitative methods use numerical values, while qualitative methods rely on adjectives. The review also discusses the significance of identifying threats, defining business impacts, and determining security measure costs. It highlights the need for expert judgment and historical data in assessing relationships between these factors. The review suggests a model that uses simple matrixes to reflect relationships and emphasizes the importance of expert decisions based on historical data and the assessment of security risks.
Running head: LITERATURE REVIEW
Information Security Risk Assessment Methods
Name of the Student
Name of the University
Author’s Note
Literature Review
According to Soomro, Shah & Ahmed (2016), the computer security management method deals with a set of basic measures taken regularly within a closed circle. Such precautions are based on the company's security policy. Nonetheless, numerous strategies point out data security risk management as the most general factor of the entire business security process. These solutions are mostly focused on material reported by the Basel Committee, which underlines the growing significance of information security risk, particularly in the financial business. The meanings given in the literature sources for security risk management differ. Nonetheless, they all point to the importance of risk assessment methods aimed at quantifying the performance values which define the level of risk.
Risk Assessment Problem
According to Ergu et al. (2014), there are two approaches to risk analysis. Methods of quantitative risk analysis use analytical and statistical tools to reflect risk. In the qualitative techniques of risk analysis, danger is evaluated using adjectives instead of statistics. Risk analysis methods that rely on very complex quantitative techniques are not convenient for administrators of information security threats to use, and thus are not widely used in business practice. On the other side, Cagliano, Grimaldi & Rafele (2015) argued that qualitative approaches do not give adequate knowledge outputs to be effective tools for the risk management phase. To handle risk successfully, the danger has to be routinely calculated. Assessment of the security risk identifies the level of security risk within the company. Quantitative risk analysis aims to attach numerical values to danger components, such as potential damage and likelihood, and to security controls, such as effectiveness and cost, so it can also help measure the cost-effectiveness of the risk management method. Nonetheless, it can be difficult to justify expenditures, since information security sometimes offers non-financial benefits rather than an increase in revenue or a cost reduction.
The Risk Assessment Model
As per Webb et al. (2014), these methods take advantage of quantitative methods but do not seem to satisfy all the criteria identified for standalone strategies that significantly complement the information security risk management cycle. Such a complex problem calls for approaches that are somewhat more advanced and scalable. Nevertheless, it must be noted that the analytical methods should never overshadow the simplicity of the method, so as not to make it virtually unusable. The suggested approach takes advantage of the creation of simple matrixes. Three matrixes are used to reflect the relationships between the security threats, their business impact, and the security measures, including their cost.
Threats Identification
According to Taylor (2015), the detection of device risks also relies on the specifics of the security policy. For the purposes of the proposed model, it is important to base the identification process on the management requirements regarding the planned product knowledge performance. In other terms, the risks detected will meet the specified risk analysis objectives. Choosing the necessary level of specificity is also very important. The defined collection of risks should comprise items of a comparable level.
Security Measures Identification
According to Silva et al. (2014), the security measures in the device are easily identifiable. Nevertheless, the guidelines in the model for their detection will follow the particularity of the selected category of risks. In other terms, the safety measures defined will comply with the risks selected. There is no general rule for defining the collection of interventions, since such recognition must arise from the objectives of the study and the danger
Definition of Business Impacts
The business impacts will be defined through the use of professional opinion strongly supported by historical data. As per Naudet, Mayer & Feltus (2016), measuring it is very complicated, as the effect is always made up of two main elements. The first is the financial loss that comes with the recognition of the hazard, and the second is the psychological loss, which can have a very long-term effect on the company's operation. Therefore, all aspects, as well as the type of business in any particular case, must be taken into account in the expert judgment. In fact, financial institutions are susceptible to certain risks, as their performance often depends on minimizing moral losses. The level of business effect will follow the importance of the attack's results for business continuity.
Definition of Security Measures Costs
The effect of the security measures must be defined and taken into account in a uniform form, according to the criteria of the specific case analysis. The preferred form of standardization is the one that delivers values within the same time frame.
Relationship Values Assessment
The expert may determine the relationship values in two ways:
as the result of historical data;
as the result of expert knowledge.
There is no universal rule that allows for optimal evaluation of the values. Each of these strategies has its benefits and drawbacks. In the case of computer security, the historical data often show some form of inaccuracy because of the rapid change in security threats and in the implementation of countermeasures. Chen, Ramamurthy & Wen (2015) argue that the judgment of the deciding authority may be too arbitrary, or may arise from confusion or lack of knowledge. There are, however, a few approaches for combining many specialist evaluations, and it is suggested that such strategies be applied in that event. The aim of the methodology is to suggest an easy-to-use model for business that is scalable and takes advantage of some simple quantitative methods. There is also the possibility of using the model in multiple modes, which handles more than one collection of matrixes. It must also be noted that the usefulness of the model and its operational implementation largely rely on correct expert decisions. The key point is that these assessments must be based primarily on the historical data associated with realizations of security risk and their business consequences, and not only on the expertise of the specialists.
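As an added illustration (not code from this review or from any of the cited papers), the three-matrix model of the Risk Assessment Model section and the blending of historical data with expert judgment described in this section, worked through with constructed threats, measures, impacts and costs:

```python
# Added illustration of the review's three-matrix model; all names and values are constructed.
from typing import Dict, List

THREATS = ["phishing", "ransomware", "insider_misuse"]
MEASURES = ["mfa", "offline_backups", "dlp"]
# Matrix 1 (threat x business impact): expert-assessed loss per event, split into the
# financial and psychological ("moral") components the review describes (constructed, kEUR).
IMPACT = {
    "phishing":       {"financial": 40,  "moral": 60},
    "ransomware":     {"financial": 400, "moral": 200},
    "insider_misuse": {"financial": 120, "moral": 300},
}
# Matrix 2 (threat x security measure): expert-assessed fraction of events the measure prevents.
EFFECTIVENESS = {
    "phishing":       {"mfa": 0.7, "offline_backups": 0.0, "dlp": 0.2},
    "ransomware":     {"mfa": 0.3, "offline_backups": 0.8, "dlp": 0.1},
    "insider_misuse": {"mfa": 0.1, "offline_backups": 0.0, "dlp": 0.6},
}
# Matrix 3 (measure x cost), standardised to the same one-year time frame as the impacts (kEUR).
ANNUAL_COST = {"mfa": 30, "offline_backups": 50, "dlp": 90}
# Constructed inputs for the relationship values: yearly incident counts and an expert estimate.
HISTORY = {"phishing": [3, 5, 4], "ransomware": [0, 1, 0], "insider_misuse": [1, 0, 1]}
EXPERT_RATE = {"phishing": 6.0, "ransomware": 0.5, "insider_misuse": 1.0}

def blended_rate(historical: List[int], expert: float, weight: float = 0.7) -> float:
    """Annual event rate from historical frequency blended with an expert estimate.
    The review argues history should dominate, so `weight` is the share given to it."""
    if not historical:
        return expert
    return weight * (sum(historical) / len(historical)) + (1 - weight) * expert

def example_rates() -> Dict[str, float]:
    return {t: blended_rate(HISTORY[t], EXPERT_RATE[t]) for t in THREATS}

def annual_risk(threat: str, rate: float) -> float:
    """Expected annual loss = rate x (financial + moral impact)."""
    return rate * (IMPACT[threat]["financial"] + IMPACT[threat]["moral"])

def cost_effectiveness(rates: Dict[str, float]) -> Dict[str, float]:
    """Expected annual loss avoided per unit of annual cost, for each measure."""
    result = {}
    for m in MEASURES:
        avoided = sum(annual_risk(t, rates[t]) * EFFECTIVENESS[t][m] for t in THREATS)
        result[m] = round(avoided / ANNUAL_COST[m], 2)
    return result

def rank_measures(rates: Dict[str, float]) -> List[str]:
    """Measures ordered from most to least cost-effective."""
    ce = cost_effectiveness(rates)
    return sorted(ce, key=ce.get, reverse=True)
```

With these constructed values the ranking favours the cheap control that cuts the most frequent threat, which is the cost-effectiveness comparison the review says quantitative methods make possible.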
References
Cagliano, A. C., Grimaldi, S., & Rafele, C. (2015). Choosing project risk management techniques. A theoretical framework. Journal of Risk Research, 18(2), 232-248.
Chen, Y. A. N., Ramamurthy, K. R. A. M., & Wen, K. W. (2015). Impacts of comprehensive
information security programs on information security culture. Journal of Computer
Information Systems, 55(3), 11-19.
Ergu, D., Kou, G., Shi, Y., & Shi, Y. (2014). Analytic network process in risk assessment and
decision analysis. Computers & Operations Research, 42, 58-74.
Naudet, Y., Mayer, N., & Feltus, C. (2016, August). Towards a systemic approach for
information security risk management. In 2016 11th International Conference on
Availability, Reliability and Security (ARES) (pp. 177-186). IEEE.
Silva, M. M., de Gusmão, A. P. H., Poleto, T., e Silva, L. C., & Costa, A. P. C. S. (2014). A
multidimensional approach to information security risk management using FMEA and
fuzzy theory. International Journal of Information Management, 34(6), 733-740.
Soomro, Z. A., Shah, M. H., & Ahmed, J. (2016). Information security management needs more
holistic approach: A literature review. International Journal of Information
Management, 36(2), 215-225.
Taylor, R. G. (2015). Potential problems with information security risk assessments. Information
Security Journal: A Global Perspective, 24(4-6), 177-184.
Webb, J., Ahmad, A., Maynard, S. B., & Shanks, G. (2014). A situation awareness model for information security risk management. Computers & Security, 44, 1-15.