As observed at the 4th International Conference on Global e-Security in London in June 2008, Information Security Risk Management (ISRM) is a major concern of organizations worldwide. Although the number of existing ISRM methodologies is enormous, in practice organizations invest a lot of resources in creating new ISRM methodologies in order to capture more accurately the risks of their complex information systems. This is a crucial knowledge-intensive process for organizations, but in most cases it is addressed in an ad hoc manner. The existence of a systematic approach for the development of new or improved ISRM methodologies would enhance the effectiveness of the process (Papadaki et al., 2008). In this review, we examine existing ISRM methodologies, analyse trends in the development of new or improved methods and highlight gaps in research on the subject. The overarching research questions that form the foundations for this study were consequently formulated as follows:
RQ1: What information security risk management methodologies are currently being used in the industry?
RQ2: What evidence has been presented in ISRM research regarding the benefits and limitations of these methodologies?
RQ3: How much effort has been devoted to making these methodologies more SME-friendly?
RQ4: What are the prospects of the concept of Evidence-Based Risk Management in ISRM?
In responding to these research questions, our review beams the searchlight of critical analysis on the ISRM methodologies covered in existing literature with a view to providing a compendium for practitioners, researchers and other stakeholders in the ISRM arena.
The following ISRM methodologies were covered in the primary studies selected for this review: ……………..
With respect to RQ1, we limited our scope to ISRM methodologies on which primary studies had been undertaken from January 1995 to October 2012 on the premise that prior to the adoption of BS7799 as ISO 17799 and its revision to ISO 27001:2005, the ISRM industry lacked an internationally recognized standard. The proliferation of ISRM methodologies and products in the last decade has coincided with the adoption of different standards in different countries, largely driven by the need to improve upon existing methodologies, as well as the continuous attempts to meet specific information security requirements for diverse industries and organizations, both public and private, operating in contrasting organizational cultures, in an information technology-driven global village.
In all, 25 ISRM methodologies are discussed in the 42 selected studies we reviewed. The European Network and Information Security Agency (ENISA) is the European Union's response to cyber security issues. It is the 'pace-setter' for Information Security in Europe, and a centre of expertise (http://www.enisa.europa.eu). The ENISA website not only has an inventory of ISRM methodologies that is regularly updated, it also has a facility for comparing them against one another. The same facility also allows users to compare the ISRM tools built on the existing methodologies (http://rm-inv.enisa.europa.eu/comparison.html?menu1=&menu2=&Button=+Go+).
Addressing RQ2, we noted that the ISRM methods discussed in the selected primary studies were based on either qualitative or quantitative approaches, with a few cases of a hybrid implementation. None of our selected studies explicitly delved into the strengths and weaknesses of existing methodologies as such, with a few venturing as far as comparative analysis of key features of the methodologies covered in their respective studies.
The quantitative approach to risk assessment is based on exact numerical values, where the function variables have precise values. The value of a resource is typically expressed in monetary units. Vulnerabilities, threats and impacts in the event of realization are expressed as...
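As an added illustration of the qualitative/quantitative distinction drawn above (example code, not part of this review or of any methodology it surveys), the following Python contrasts a quantitative calculation in monetary units with a qualitative rating on ordinal scales. The quantitative branch uses the conventional annualised loss expectancy formulation, which the text does not itself spell out, so treat it as an assumption; the asset values, factors, control cost and rating matrix are constructed for illustration.

```python
from dataclasses import dataclass

# Quantitative: every variable is an exact number, the resource value is money.
# ALE = asset value x exposure factor x annual rate of occurrence (assumed formulation).
@dataclass(frozen=True)
class QuantRisk:
    asset_value: float       # monetary value of the resource
    exposure_factor: float   # fraction of the value lost per incident, in [0, 1]
    annual_rate: float       # expected incidents per year (ARO)

    def sle(self) -> float:
        """Single loss expectancy: monetary loss from one incident."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be in [0, 1]")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised loss expectancy: SLE scaled by yearly frequency."""
        if self.annual_rate < 0:
            raise ValueError("annual rate must be non-negative")
        return self.sle() * self.annual_rate


def control_benefit(before: QuantRisk, after: QuantRisk, annual_control_cost: float) -> float:
    """Net yearly value of a safeguard: ALE reduction minus what the safeguard costs."""
    return before.ale() - after.ale() - annual_control_cost


# Qualitative: ordinal scales combined through a lookup matrix, not arithmetic.
# The matrix below is a constructed example; real methods define their own.
RATING = {
    ("low", "low"): "low",       ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",    ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",   ("high", "medium"): "high",     ("high", "high"): "high",
}


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Look up the ordinal risk level for a likelihood/impact pair."""
    try:
        return RATING[(likelihood, impact)]
    except KeyError:
        raise ValueError(f"unknown level pair: {likelihood!r}, {impact!r}") from None


if __name__ == "__main__":
    # Constructed scenario: a 500 000 unit database, data theft losing a quarter of its
    # value twice a year; a 40 000/year control cuts exposure to 1/8 and frequency to 0.5.
    before = QuantRisk(asset_value=500_000, exposure_factor=0.25, annual_rate=2.0)
    after = QuantRisk(asset_value=500_000, exposure_factor=0.125, annual_rate=0.5)
    print(f"ALE before={before.ale():,.0f} after={after.ale():,.0f} "
          f"net benefit={control_benefit(before, after, 40_000):,.0f}")
    print("qualitative:", qualitative_rating("high", "medium"))
```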