Litcius/Paper detail

Strategic Approaches in Network Communication and Information Security Risk Assessment

Nadher Alsafwani, Yousef Fazea, Fuad Alnajjar

2024Information13 citationsDOIOpen Access PDF

Abstract

Risk assessment is a critical sub-process in information security risk management (ISRM) that is used to identify an organization’s vulnerabilities and threats as well as evaluate current and planned security controls. Therefore, adequate resources and return on investments should be considered when reviewing assets. However, many existing frameworks lack granular guidelines and mostly operate on qualitative human input and feedback, which increases subjective and unreliable judgment within organizations. Consequently, current risk assessment methods require additional time and cost to test all information security controls thoroughly. The principal aim of this study is to critically review the Information Security Control Prioritization (ISCP) models that improve the Information Security Risk Assessment (ISRA) process, by using literature analysis to investigate ISRA’s main problems and challenges. We recommend that designing a streamlined and standardized Information Security Control Prioritization model would greatly reduce the uncertainty, cost, and time associated with the assessment of information security controls, thereby helping organizations prioritize critical controls reliably and more efficiently based on clear and practical guidelines.

Topics & Concepts

Risk analysis (engineering)Information securityInformation security managementSecurity managementSecurity controlsPrioritizationRisk assessmentControl (management)Computer scienceRisk managementPrincipal (computer security)Process (computing)IT risk managementFactor analysis of information riskSecurity information and event managementComputer securityBusinessInformation systemProcess managementRisk management information systemsManagement information systemsCloud computing securityEngineeringFinanceArtificial intelligenceOperating systemElectrical engineeringCloud computingInformation and Cyber SecurityInformation Technology Governance and StrategySoftware Engineering Research