THE STATE OF RISK ASSESSMENT PRACTICES IN INFORMATION SECURITY: AN EXPLORATORY INVESTIGATION

Risk in Information Systems Security can be defined as a function of a given threat source's exercising a particular vulnerability and the resulting impact of that adverse event on the organization. Risk management is the process of identifying and assessing risk and taking steps to reduce it to an acceptable level given the costs involved in doing so. The major activity within risk management is the risk assessment process. The objective of this research is to assess the current state of practice in conducting risk assessments for information security policy management. Results from an exploratory survey of U.S. headquartered firms indicate that increased frequency of conducting risk assessments, the use of quantitative measures of likelihood of loss, and more complete asset inventories correspond with higher levels of user satisfaction and perceived usefulness, although many companies choose not to engage in this level of practice or to only go part way. Additionally, respondents reported substantial difficulty in identifying threats and estimating loss, indicating that much can be done to improve the current state of practice.