Information Security Risk Assessment (ISRA): A Systematic Literature Review
Downloads
Background: Information security is essential for organisations, hence the risk assessment. Information security risk assessment (ISRA) identifies, assesses, and prioritizes risks according to organisational goals. Previous studies have analysed and discussed information security risk assessment. Therefore, it is necessary to understand the models more systematically.
Objective: This study aims to determine types of ISRA and fill a gap in literature review research by categorizing existing frameworks, models, and methods.
Methods: The systematic literature review (SLR) approach developed by Kitchenham is applied in this research. A total of 25 studies were selected, classified, and analysed according to defined criteria.
Results: Most selected studies focus on implementing and developing new models for risk assessment. In addition, most are related to information systems in general.
Conclusion: The findings show that there is no single best framework or model because the best framework needs to be tailored according to organisational goals. Previous researchers have developed several new ISRA models, but empirical evaluation research is needed. Future research needs to develop more robust models for risk assessments for cloud computing systems.
Keywords: Information Security Risk Assessment, ISRA, Security Risk
L. Kuzminykh, B. Ghita, V. Sokolov, and T. Bakhshi, "Information security risk assessment,” Encyclopedia, 2021, doi: 10.3390/encyclopedia1030050.
R. Hoffmann, J. Napiórkowski, T. Protasowicki, and J. Stanik, "Risk based approach in scope of cybersecurity threats and requirements,” Procedia Manuf., vol. 44, pp. 655–662, 2020, doi: https://doi.org/10.1016/j.promfg.2020.02.243.
P. Shamala, R. Ahmad, and M. Yusoff, "A conceptual framework of info structure for information security risk assessment (ISRA),” J. Inf. Secur. Appl., vol. 18, no. 1, pp. 45–52, 2013, doi: 10.1016/j.jisa.2013.07.002.
G. Strupczewski, "Defining cyber risk,” Saf. Sci., vol. 135, p. 105143, 2021, doi: https://doi.org/10.1016/j.ssci.2020.105143.
P. Shedden, W. Smith, and A. Ahmad, "Information security risk assessment: Towards a business practice perspective,” Proc. 8th Aust. Inf. Secur. Manag. Conf., no. November, pp. 119–130, 2010, doi: 10.4225/75/57b6769334787.
L. Pan and A. Tomlinson, "A systematic review of information security risk assessment,” Int. J. Saf. Secur. Eng., vol. 6, no. 2, pp. 270–281, 2016, doi: 10.2495/SAFE-V6-N2-270-281.
N. C. Pa, B. A. Jnr, R. N. Haizan Nor, and M. A. A. Murad, "Risk assessment of it governance: A systematic literature review,” J. Theor. Appl. Inf. Technol., vol. 71, no. 2, pp. 184–193, 2015.
P. Rahayu, D. I. Sensuse, B. Purwandari, I. Budi, F. Khalid, and N. Zulkarnaim, "A systematic review of recommender system for e-portfolio domain,” in ACM International Conference Proceeding Series, 2017, pp. 21–26, doi: 10.1145/3029387.3029420.
R. R. Suryono, B. Purwandari, and I. Budi, "Peer to Peer (P2P) Lending Problems and Potential Solutions: A Systematic Literature Review,” Procedia Comput. Sci., vol. 161, pp. 204–214, 2019, doi: https://doi.org/10.1016/j.procs.2019.11.116.
B. Kitchenham and P. Brereton, "A systematic review of systematic review process research in software engineering,” Information and Software Technology, vol. 55, no. 12. 2013, doi: 10.1016/j.infsof.2013.07.010.
V. Agrawal, "A Comparative Study on Information Security Risk Analysis Methods,” J. Comput., vol. 13, no. 1, pp. 57–67, 2017, doi: 10.17706/jcp.12.1.57-67.
O. Ali, A. Shrestha, A. Chatfield, and P. Murray, "Assessing information security risks in the cloud: A case study of Australian local government authorities,” Gov. Inf. Q., vol. 37, no. 1, 2020, doi: 10.1016/j.giq.2019.101419.
A. P. H. De Gusmí£o, L. C. E Silva, M. M. Silva, T. Poleto, and A. P. C. S. Costa, "Information security risk analysis model using fuzzy decision theory,” Int. J. Inf. Manage., vol. 36, no. 1, pp. 25–34, 2016, doi: 10.1016/j.ijinfomgt.2015.09.003.
M. Al Fikri, F. A. Putra, Y. Suryanto, and K. Ramli, "Risk Assessment Using NIST SP 800-30 Revision 1 and ISO 27005 Combination Technique in Profit-Based Organisation: Case Study of ZZZ Information System Application in ABC Agency,” Procedia Comput. Sci., vol. 161, pp. 1206–1215, 2019, doi: https://doi.org/10.1016/j.procs.2019.11.234.
R. Goel, A. Kumar, and J. Haddow, "PRISM: a strategic decision framework for cybersecurity risk assessment,” Inf. Comput. Secur., vol. 28, no. 4, pp. 591–625, 2020, doi: 10.1108/ICS-11-2018-0131.
E. Hariyanti, A. Djunaidy, and D. O. Siahaan, "A Conceptual Model for Information Security Risk Considering Business Process Perspective,” 2018, doi: 10.1109/ICSTC.2018.8528678.
A. P. Henriques de Gusmí£o, M. Mendonça Silva, T. Poleto, L. Camara e Silva, and A. P. Cabral Seixas Costa, "Cybersecurity risk analysis model using fault tree analysis and fuzzy decision theory,” Int. J. Inf. Manage., vol. 43, no. January, pp. 248–260, 2018, doi: 10.1016/j.ijinfomgt.2018.08.008.
L. Hezla, A. V.P, P. V.G, S. N.B, N. Hezla, and D. L, "The Role of Organisational Failure Mode, Effects & Analysis(FMEA) in Risk Management and Its Impact on the Company's Performance,” in Proceedings of the 2020 International Conference on Big Data in Management, 2020, pp. 108–112, doi: 10.1145/3437075.3437082.
A. Ibrahim, C. Valli, I. McAteer, and J. Chaudhry, "A security review of local government using NIST CSF: a case study,” J. Supercomput., vol. 74, no. 10, pp. 5171–5186, 2018, doi: 10.1007/s11227-018-2479-2.
B. Irvin Lamarca, "Cybersecurity Risk Assessment of the University of Northern Philippines using PRISM Approach,” in IOP Conference Series: Materials Science and Engineering, 2020, vol. 769, no. 1, doi: 10.1088/1757-899X/769/1/012066.
H. A. Jang and S. Min, "Time-dependent probabilistic model for hierarchical structure in failure mode and effect analysis,” Appl. Sci., vol. 9, no. 20, pp. 24–26, 2019, doi: 10.3390/app9204265.
M. Jouini and L. Ben Arfa Rabai, "Comparative Study of Information Security Risk Assessment Models for Cloud Computing systems,” Procedia Comput. Sci., vol. 83, no. Fams, pp. 1084–1089, 2016, doi: 10.1016/j.procs.2016.04.227.
Z. Han, S. Huang, H. Li, and N. Ren, "Risk assessment of digital library information security: A case study,” Electron. Libr., vol. 34, no. 3, pp. 471–487, 2016, doi: 10.1108/EL-09-2014-0158.
I. Lee, "Cybersecurity: Risk management framework and investment cost analysis,” Bus. Horiz., vol. 64, no. 5, pp. 659–671, 2021, doi: https://doi.org/10.1016/j.bushor.2021.02.022.
M. Mendonça Silva, T. Poleto, L. C. E. Silva, A. P. Henriques De Gusmao, and A. P. Cabral Seixas Costa, "A grey theory based approach to big data risk management using FMEA,” Math. Probl. Eng., vol. 2016, 2016, doi: 10.1155/2016/9175418.
I. Meriah and L. B. A. Rabai, "A survey of quantitative security risk analysis models for computer systems,” ACM Int. Conf. Proceeding Ser., pp. 36–40, 2018, doi: 10.1145/3292448.3292456.
A. Munteanu, "Running the risk IT - More perception and less probabilities in uncertain systems,” Inf. Comput. Secur., vol. 25, no. 3, pp. 345–354, 2017, doi: 10.1108/ICS-07-2016-0055.
A. Pratiwi, D. R. Indah, J. Jauhari, and M. A. Firdaus, "Security Capability Assessment on Network Monitoring Information System Using COBIT 5 for Information Security,” 2020, doi: 10.2991/aisr.k.200424.024.
I. M. M. Putra and K. Mutijarsa, "Designing Information Security Risk Management on Bali Regional Police Command Center Based on ISO 27005,” 2021, doi: 10.1109/EIConCIT50028.2021.9431865.
C. Schmitz and S. Pape, "LiSRA: Lightweight Security Risk Assessment for decision support in information security,” Comput. Secur., vol. 90, p. 101656, 2020, doi: 10.1016/j.cose.2019.101656.
P. Shedden, A. Ahmad, W. Smith, H. Tscherning, and R. Scheepers, "Asset identification in information security risk assessment: A business practice approach,” Commun. Assoc. Inf. Syst., vol. 39, no. 1, 2016, doi: 10.17705/1cais.03915.
A. P. Subriadi and N. F. Najwa, "The consistency analysis of failure mode and effect analysis (FMEA) in information technology risk assessment,” Heliyon, vol. 6, no. 1, 2020, doi: 10.1016/j.heliyon.2020.e03161.
J. S. Suroso and M. A. Fakhrozi, "Assessment of Information System Risk Management with Octave Allegro at Education Institution,” in Procedia Computer Science, 2018, vol. 135, doi: 10.1016/j.procs.2018.08.167.
P. Tubío Figueira, C. López Bravo, and J. L. Rivas López, "Improving information security risk analysis by including threat-occurrence predictive models,” Comput. Secur., vol. 88, 2020, doi: 10.1016/j.cose.2019.101609.
Y. C. Wei, W. C. Wu, G. H. Lai, and Y. C. Chu, "pISRA: privacy considered information security risk assessment model,” J. Supercomput., vol. 76, no. 3, pp. 1468–1481, 2020, doi: 10.1007/s11227-018-2371-0.
M. Thangavel, D. K. S. Subarnaa, P. Deepa, and E. S. Blessie, "A Review on Information Security Program Development and Management,” 2018, doi: 10.1109/ICCIC.2018.8782304.
B. Karabacak and I. Sogukpinar, "ISRAM: Information security risk analysis method,” Comput. Secur., vol. 24, no. 2, pp. 147–159, 2005, doi: 10.1016/j.cose.2004.07.004.
A. Syalim, Y. Hori, and K. Sakurai, "Comparison of risk analysis methods: Mehari, magerit, NIST800-30 and microsoft's security management guide,” Proc. - Int. Conf. Availability, Reliab. Secur. ARES 2009, pp. 726–731, 2009, doi: 10.1109/ARES.2009.75.
A. Shameli-Sendi, R. Aghababaei-Barzegar, and M. Cheriet, "Taxonomy of information security risk assessment (ISRA),” Comput. Secur., vol. 57, pp. 14–30, 2016, doi: 10.1016/j.cose.2015.11.001.
Copyright (c) 2022 The Authors. Published by Universitas Airlangga.
This work is licensed under a Creative Commons Attribution 4.0 International License.
Authors who publish with this journal agree to the following terms:
All accepted papers will be published under a Creative Commons Attribution 4.0 International (CC BY 4.0) License. Authors retain copyright and grant the journal right of first publication. CC-BY Licenced means lets others to Share (copy and redistribute the material in any medium or format) and Adapt (remix, transform, and build upon the material for any purpose, even commercially).