An initial insight into Information Security Risk Assessment practices

Wangen, Gaute

Wangen, Gaute

Chapter

Accepted version

View/Open

Wangen+9+IEEE_FEDCSIS_RA_Survey.pdf (229.5Kb)

URI

http://hdl.handle.net/11250/2484060

Date

2016

Metadata

Show full item record

Collections

Institutt for informasjonssikkerhet og kommunikasjonsteknologi [1524]
Publikasjoner fra CRIStin - NTNU [18067]

Abstract

Much of the debate surrounding risk management in information security (InfoSec) has been at the academic level, where the question of how practitioners view predominant issues is an essential element often left unexplored. Thus, this article represents an initial insight into how the InfoSec risk professionals see the InfoSec risk assessment (ISRA) field. We present the results of a 46-participant study where have gathered data regarding known issues in ISRA. The survey design was such that we collected both qualitative and quantitative data for analysis. One of the key contributions from the study is knowledge regarding how to handle risks at different organizational tiers, together with an insight into key roles and knowledge needed to conduct risk assessments. Also, we document several issues concerning the application of qualitative and quantitative methods, together with drawbacks and advantages. The findings of the analysis provides incentives to strengthen the research and scientific work for future research in InfoSec management.

Publisher

Institute of Electrical and Electronics Engineers (IEEE)