TY - JOUR
T1 - Exiting the risk assessment maze
T2 - A meta-survey
AU - Gritzalis, Dimitris
AU - Iseppi, Giulia
AU - Mylonas, Alexios
AU - Stavrou, Vasilis
PY - 2018/1/1
Y1 - 2018/1/1
N2 - Organizations are exposed to threats that increase the risk factor of their ICT systems. The assurance of their protection is crucial, as their reliance on information technology is a continuing challenge for both security experts and chief executives. As risk assessment could be a necessary process in an organization, one of its deliverables could be utilized in addressing threats and thus facilitate the development of a security strategy. Given the large number of heterogeneous methods and risk assessment tools that exist, comparison criteria can provide better understanding of their options and characteristics and facilitate the selection of a method that best fits an organization’s needs. This article aims to address the problem of selecting an appropriate risk assessment method to assess and manage information security risks, by proposing a set of comparison criteria, grouped into four categories. Based upon them, it provides a comparison of the 10 popular risk assessment methods that could be utilized by organizations to determine the method that is more suitable for their needs. Finally, a case study is presented to demonstrate the selection of a method based on the proposed criteria.
AB - Organizations are exposed to threats that increase the risk factor of their ICT systems. The assurance of their protection is crucial, as their reliance on information technology is a continuing challenge for both security experts and chief executives. As risk assessment could be a necessary process in an organization, one of its deliverables could be utilized in addressing threats and thus facilitate the development of a security strategy. Given the large number of heterogeneous methods and risk assessment tools that exist, comparison criteria can provide better understanding of their options and characteristics and facilitate the selection of a method that best fits an organization’s needs. This article aims to address the problem of selecting an appropriate risk assessment method to assess and manage information security risks, by proposing a set of comparison criteria, grouped into four categories. Based upon them, it provides a comparison of the 10 popular risk assessment methods that could be utilized by organizations to determine the method that is more suitable for their needs. Finally, a case study is presented to demonstrate the selection of a method based on the proposed criteria.
KW - Comparison
KW - Criteria
KW - Overview
KW - Risk assessment methods
UR - http://www.scopus.com/inward/record.url?scp=85040675478&partnerID=8YFLogxK
U2 - 10.1145/3145905
DO - 10.1145/3145905
M3 - Review article
AN - SCOPUS:85040675478
SN - 0360-0300
VL - 51
JO - ACM Computing Surveys
JF - ACM Computing Surveys
IS - 1
M1 - 11
ER -