Information security risk assessment: Towards a business practice perspective

Abstract

Information security risk assessments (ISRAs) are of great importance for organisations. Current ISRA methods identify an organisation's security risks and provide a measured, analysed security risk profile of critical information assets in order to build plans to treat risk. However, despite prevalent use in organisations today, current methods adopt a limited view of information assets during risk identification. In the context of day-to-day activities, people copy, print and discuss information, leading to the 'leakage' of information assets. Employees will create and use unofficial assets as part of their day-to-day routines. Furthermore, employees will also possess important knowledge o..