An Evaluation of Information Security and Risk Management Theories


Information security and risk management theories abound; however, it can be difficult to identify those that are valid and applicable. In the reading to follow, several information security and risk management theories are evaluated. These theories are presented and employed via various frameworks, models, and best practice guidelines. Whether sufficient research exists on these theories is also assessed, along with a consideration of the challenges that arise where such research is lacking.

Theories

The evolution and understanding of the importance of information security and risk management originates in the awareness of the potential of IT in business functions and as a business enabler. This was then followed by the realization that the risks brought about by this boundless facilitator must be appropriately understood and addressed. The essence of information security and risk management is to distinguish low-risk from high-risk systems and processes, and then to address those risks appropriately.

Risk Management Theory. The Risk Management Theory has been around for quite some time. According to Hong, Chi, Chao, and Tang (2003), risks pertaining to IT security can be measured and evaluated by assessing potential attack vectors and susceptibilities in the organization’s systems and processes. The authors suggest that the outcome of this evaluation allows for the identification of essential security programs and the employment of IT security controls to mitigate these risks. The intended outcome of applying this theory is to manage risks until they reach a permissible state. The Risk Management Theory, while broad in nature, does not encompass enough of the information security and risk...

... middle of paper ...

...for-Information-Security-Introduction.pdf

ISACA (2012c). ISACA issues COBIT 5 governance framework [Press Release]. Retrieved from http://www.isaca.org/About-ISACA/Press-room/News-Releases/2012/Pages/ISACA-Issues-COBIT-5-Governance-Framework.aspx

Lalonde, C., & Boiral, O. (2012). Managing risks through ISO 31000: A critical analysis. Risk Management, 14(4), 272-300. doi:10.1057/rm.2012.9

Leitch, M. (2010). ISO 31000:2009 - The new international standard on risk management. Risk Analysis: An International Journal, 30(6), 887-892. doi:10.1111/j.1539-6924.2010.01397.x

Purdy, G. (2010). ISO 31000:2009 - Setting a new standard for risk management. Risk Analysis: An Official Publication of the Society for Risk Analysis, 30(6), 881-886. doi:10.1111/j.1539-6924.2010.01442.x

Winkler, V. (2011). Securing the cloud. Boston: Syngress. doi:10.1016/B978-1-59749-592-9.00001-4
