A Comparative Study of Risk Assessment Methodologies for Information Systems



In today's dynamic and changing economic environment, businesses are exposed to greater risks than ever before. As a result, IT project leaders, managers, directors and senior technical staff should be in a position to identify the business risks that an organization faces and the risk management policies the organization needs to manage those risks effectively. These risks may relate to finance, accounting, information systems and their security, and so on. In this paper, we focus on information systems security risks. Risk assessment is currently used as a key technique for managing information systems security. Every organization implements risk management methods, and risk assessment is one part of that larger discipline. Various information security risk assessment methods are available for an organization to implement, and each takes a different approach to assessing information security risks. Organizations find it difficult to select an information security risk assessment method; therefore a critical review of existing risk assessment methodologies is needed. This paper presents a brief discussion of the leading risk assessment methodologies, particularly COBRA, CORAS, CRAMM, OCTAVE, SOMAP and the NIST Guide, along with the strengths and weaknesses of each. A comparative study is then carried out on the basis of the review results. The weaknesses identified also point to directions for further research. This work provides an evaluation of whether an information security risk assessment method is in line with information technology governance. The paper will help senior IT personnel make recommendations on which risk assessment methodology to use, based on the specific requirements of an organization.

DOI: https://doi.org/10.11591/eei.v1i2.231
