Current challenges in information security risk management

Stefan Fenz (Department of Research, Vienna University of Technology and SBA Research, Vienna, Austria)
Johannes Heurix (Research Department, Vienna University of Technology and SBA Research, Vienna, Austria)
Thomas Neubauer (Xylem Technologies, Vienna, Austria)
Fabian Pechstein (Research Department, Vienna University of Technology and SBA Research, Vienna, Austria)

Information Management & Computer Security

ISSN: 0968-5227

Article publication date: 10 November 2014

Abstract

Purpose

The purpose of this paper is fourfold: to give an overview of current information security risk management approaches and outline their commonalities and differences; to evaluate these approaches regarding their capability to support cost-efficient decisions without unnecessary security trade-offs; to outline current fundamental problems in risk management based on industry feedback and the academic literature; and to propose potential solutions and research directions that address the identified problems. Despite decades of research, the information security risk management domain still faces numerous challenges which hinder risk managers from producing sound risk management results.

Design/methodology/approach

To identify the challenges in information security risk management, existing approaches are compared against each other, and from this comparison an abstracted methodology is derived whose generic phases are used to align the identification of problems and solutions. The challenges themselves have been identified based on literature surveys and industry feedback.

Findings

As common problems in implementing information security risk management approaches, we identified the fields of asset and countermeasure inventory, asset value assignment, risk prediction, the overconfidence effect, knowledge sharing and risk versus cost trade-offs. The reviewed risk management approaches do not explicitly provide mechanisms to support decision makers in making appropriate risk versus cost trade-offs, but we identified academic approaches which fulfill this need.

Originality/value

The paper provides a reference point for professionals and researchers by summing up the current challenges in the field of information security risk management. The findings enable researchers to focus their work on the identified real-world challenges and thereby contribute to advancing the information security risk management domain in a structured way. Practitioners can use the research results to identify common weaknesses, and potential solutions to them, in their own information security risk management programs.

Acknowledgements

This publication has been funded by the Vienna Science and Technology Fund (WWTF) through project ICT12-019 and SBA Research.

Citation

Fenz, S., Heurix, J., Neubauer, T. and Pechstein, F. (2014), "Current challenges in information security risk management", Information Management & Computer Security, Vol. 22 No. 5, pp. 410-430. https://doi.org/10.1108/IMCS-07-2013-0053

Publisher

Emerald Group Publishing Limited

Copyright © 2014, Emerald Group Publishing Limited