A Systematic Review of Information Security Risk Assessment


L. Pan, A. Tomlinson

Information Security Group, Royal Holloway University of London

30 June 2016



Many standards exist to guide the process of risk assessment, particularly in the field of information security. This leads to many subtly different definitions of risk analysis, risk evaluation and risk assessment. Consequently, researchers often conflate these terms and disciplines, which adds to the confusion within the community. It is therefore important to reach a common understanding of the processes and terminology in order to clarify research in this area. A common approach to achieving this goal is to carry out a literature review. This paper takes a formal approach to the literature review based on the ideas of the Cochrane group. The result is a systematic review of risk assessment in the field of information security, covering over 80 research papers published between 2004 and 2014. The main contribution of our paper is a classification of these published papers into seven types. This classification aims to help researchers obtain a clear and unbiased picture of the terminology, developments and trends of information security risk assessment in the academic sector.


information security, ISO 27005, risk analysis, risk assessment, systematic review

