An Initial Insight Into InfoSec Risk Management Practices
Journal article, Peer reviewed
Published version
Date
2015
Abstract
Much of the debate surrounding risk management in information security (InfoSec) has taken place at the academic level, and how practitioners view the predominant issues is an important element that is often left unexplored. This article therefore offers an initial insight into InfoSec risk professionals' view of the field through the results of a 46-participant online study. We analyze known issues regarding InfoSec risk management (ISRM), especially concerning risk management program development and maintenance, contributions to the business, and challenges within the research field. One of the key findings of this study is that risk communication is a key skill that likely needs more emphasis in InfoSec training. We also document several issues concerning security measurements and return on investment for the ISRM program, together with other relevant paths for future research.