Many standards exist to guide the process of risk assessment, particularly in the field of information security. This leads to many subtly different definitions of risk analysis, risk evaluation and risk assessment. Consequently, researchers often confuse these terms and disciplines, which leads to further confusion within the community. It is therefore important to reach a common understanding of the processes and terminology in order to clarify research in this area. A common approach to achieving this goal is to carry out a literature review. This paper takes a formal approach to the literature review based on the ideas of the Cochrane group. The result is a systematic review of risk assessment in the field of information security, covering over 80 research papers published between 2004 and 2014. The main contribution of our paper is a classification of these published papers into seven types. This classification aims to help researchers obtain a clear and unbiased picture of the terminology, developments and trends of information security risk assessment in the academic sector.
Keywords: information security, ISO 27005, risk analysis, risk assessment, systematic review