Exiting the risk assessment maze: A meta-survey

Dimitris Gritzalis, Giulia Iseppi, Alexios Mylonas, Vasilis Stavrou

Research output: Contribution to journalReview articlepeer-review

21 Citations (Scopus)


Organizations are exposed to threats that increase the risk factor of their ICT systems. The assurance of their protection is crucial, as their reliance on information technology is a continuing challenge for both security experts and chief executives. As risk assessment could be a necessary process in an organization, one of its deliverables could be utilized in addressing threats and thus facilitate the development of a security strategy. Given the large number of heterogeneous methods and risk assessment tools that exist, comparison criteria can provide better understanding of their options and characteristics and facilitate the selection of a method that best fits an organization’s needs. This article aims to address the problem of selecting an appropriate risk assessment method to assess and manage information security risks, by proposing a set of comparison criteria, grouped into four categories. Based upon them, it provides a comparison of the 10 popular risk assessment methods that could be utilized by organizations to determine the method that is more suitable for their needs. Finally, a case study is presented to demonstrate the selection of a method based on the proposed criteria.
Original languageEnglish
Article number11
Number of pages30
JournalACM Computing Surveys
Issue number1
Publication statusPublished - 1 Jan 2018


  • Comparison
  • Criteria
  • Overview
  • Risk assessment methods


Dive into the research topics of 'Exiting the risk assessment maze: A meta-survey'. Together they form a unique fingerprint.

Cite this