Review

Strategic Approaches in Network Communication and Information Security Risk Assessment

1 Center for Humanitarian Dialogue, 1202 Geneva, Switzerland
2 Department of Computer Sciences and Electrical Engineering, Marshall University, One John Marshall Drive, Huntington, WV 25755, USA
3 Department of Business Engineering and Wireless, Mediacom Communications, Mediacom Park, NY 10918, USA
* Author to whom correspondence should be addressed.
Information 2024, 15(6), 353; https://doi.org/10.3390/info15060353
Submission received: 23 May 2024 / Revised: 12 June 2024 / Accepted: 12 June 2024 / Published: 14 June 2024
(This article belongs to the Section Information Security and Privacy)

Abstract:
Risk assessment is a critical sub-process in information security risk management (ISRM) that is used to identify an organization’s vulnerabilities and threats as well as evaluate current and planned security controls. Therefore, adequate resources and return on investments should be considered when reviewing assets. However, many existing frameworks lack granular guidelines and mostly operate on qualitative human input and feedback, which increases subjective and unreliable judgment within organizations. Consequently, current risk assessment methods require additional time and cost to test all information security controls thoroughly. The principal aim of this study is to critically review the Information Security Control Prioritization (ISCP) models that improve the Information Security Risk Assessment (ISRA) process, by using literature analysis to investigate ISRA’s main problems and challenges. We recommend that designing a streamlined and standardized Information Security Control Prioritization model would greatly reduce the uncertainty, cost, and time associated with the assessment of information security controls, thereby helping organizations prioritize critical controls reliably and more efficiently based on clear and practical guidelines.

1. Introduction

Today, a company’s information system aims to make decision making easier for everyone. In light of the growing reliance on electronic devices, business operations and prospects have improved for corporations [1,2]. A new structure must be established to improve the effectiveness of control prioritization and selection throughout the risk assessment process, offering consistency and dynamic risk analysis. This can improve overall security and minimize resources (mainly cost and time). Budget limits, the scarcity of experts, and the rise in security breaches are significant constraints on the efficient deployment of resources [3,4]. Information technology resources are constantly exposed to threats. A threat is a potential incident that targets an organization’s information assets; a vulnerability is a weakness in an information security asset that a threat can exploit to cause damage [5]. The combination of a threat with at least one vulnerability that causes damage or harm to one or more assets is referred to as a risk. Risk management (RM) is an umbrella term covering several activities, such as risk identification, mitigation, monitoring, and optimization [6,7,8,9]. Information security risk management (ISRM) is used to detect, analyze, and take measures to reduce risks to an acceptable level [10,11,12]. Ideally, these principles should trade off risks, benefits, costs, and opportunities [13]. Thus, it is crucial to set the scope and boundaries of ISRM correctly at the outset [13,14]. ISRM is a growing challenge and a burden that places stress on IT staff, since its activities demand improvements in timeliness, cost, documentation and records management, and technical solutions [15].
Several ISRM frameworks, such as ISO/IEC 27005 [16,17], NIST SP 800-30 [18,19], OCTAVE [20], the Information Risk Analysis Methodology (IRAM), and the Central Computer and Telecommunications Agency (CCTA) Risk Analysis and Management Method (CRAMM), may be used in a company to detect security threats and assess the efficacy of information security safeguards.
Each of these frameworks describes a theoretical risk analysis method and provides control recommendations based on the resulting risk profile. Because the frameworks are generic, decision makers need to understand how risk affects their business, not only what security controls cost. The decision rule that follows is that a security control is worth implementing when its cost is lower than the risk exposure it removes; a control that costs more than the loss it prevents is not justified. In this study, we present a systematic critical literature model and compare the alternatives. Given the restrictions above, this work introduces ISCP, a new information security control prioritization method. ISCP’s scientific and quantitative methods make risk assessments more objective. Using the multi-criteria TOPSIS method (Technique for Order of Preference by Similarity to Ideal Solution), the ISCP model evaluates security controls on vulnerabilities, threat severity, and remediation cost, unlike previous models. ISCP gives tangible advice to assist organizations in minimizing ambiguity and subjectivity. The model’s self-organizing and flexible architecture lets companies prioritize controls when resources are scarce. Previous research demonstrated the ISCP model via a case study of a small- and medium-sized enterprise (SME) in Kuala Lumpur, Malaysia, which showed the model’s practical efficacy in determining the importance of critical security controls [21]. Based on the literature analysis, Figure 1 shows the taxonomy of the related work and the scope of information security risk management. By addressing shortcomings in existing frameworks and providing a foundation for evidence-based risk assessment, the ISCP approach enhances information security risk management: it improves the control evaluation step in ISRM and assists organizations in reliably and effectively prioritizing essential controls based on clear and practical guidelines.
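The TOPSIS step at the heart of ISCP can be made concrete with a small worked example. The Python code below is added here for illustration and is not the ISCP authors’ implementation: the criterion names and weights, the four hypothetical controls, and their 1–10 scores are constructed values. It vector-normalizes the decision matrix, applies the weights, locates the ideal and anti-ideal solutions (treating remediation cost as a cost criterion, so lower is better), and ranks controls by their relative closeness to the ideal.

```python
"""TOPSIS ranking of security controls (added example, not the ISCP authors' code)."""
import math

# Criteria as (name, weight, kind): "max" for a benefit criterion, "min" for a cost
# criterion. Names and weights are constructed for this illustration.
CRITERIA = [
    ("vulnerabilities_covered", 0.40, "max"),
    ("threat_severity_addressed", 0.35, "max"),
    ("remediation_cost", 0.25, "min"),
]

# Hypothetical decision matrix: one row per candidate control, scored 1-10 per
# criterion in the order above. Constructed values, not survey data.
ALTERNATIVES = {
    "mfa": [9, 9, 2],
    "patch_management": [7, 8, 4],
    "waf": [5, 6, 6],
    "awareness_posters": [3, 4, 8],
}


def topsis(alternatives, criteria):
    """Return {control: relative closeness to the ideal solution}, each in [0, 1]."""
    if abs(sum(w for _, w, _ in criteria) - 1.0) > 1e-9:
        raise ValueError("criterion weights must sum to 1")
    names = list(alternatives)
    matrix = [alternatives[n] for n in names]
    m = len(criteria)

    # Step 1: vector-normalise each criterion column so scales are comparable.
    norms = [math.sqrt(sum(row[j] ** 2 for row in matrix)) for j in range(m)]
    # Step 2: apply the criterion weights.
    weighted = [[criteria[j][1] * row[j] / norms[j] for j in range(m)] for row in matrix]

    # Step 3: ideal (best per criterion) and anti-ideal (worst per criterion) points.
    ideal, anti = [], []
    for j, (_, _, kind) in enumerate(criteria):
        col = [row[j] for row in weighted]
        best, worst = (max(col), min(col)) if kind == "max" else (min(col), max(col))
        ideal.append(best)
        anti.append(worst)

    # Step 4: Euclidean distances and relative closeness C = d- / (d+ + d-).
    closeness = {}
    for name, row in zip(names, weighted):
        d_plus = math.dist(row, ideal)
        d_minus = math.dist(row, anti)
        closeness[name] = d_minus / (d_plus + d_minus)
    return closeness


def rank_controls(alternatives=ALTERNATIVES, criteria=CRITERIA):
    """Controls ordered from highest to lowest closeness (implement the top ones first)."""
    scores = topsis(alternatives, criteria)
    return sorted(scores, key=scores.get, reverse=True)


if __name__ == "__main__":
    for name, score in sorted(topsis(ALTERNATIVES, CRITERIA).items(), key=lambda kv: -kv[1]):
        print(f"{name:20s} C = {score:.3f}")
```

A control that is best on every criterion sits exactly on the ideal point and scores 1.0; one that is worst everywhere scores 0.0. The weights are the one place where expert judgment still enters, which is the subjectivity the sections below keep returning to; sensitivity-testing a ranking against a few alternative weight vectors is a cheap check before committing budget.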
A significant amount of information on ISRM processes has been published by standards organizations, academic institutions, and industry organizations [22]. Risk management requirements and procedures can be standardized due to the widespread adoption of standards and models. Furthermore, using these standards and models raises an organization’s security level by providing a common baseline for processes [22,23,24]. The use of these models for risk assessment is discussed below, along with their limitations and drawbacks. The rest of the paper is organized as follows. Section 2 describes ISRM theory. Section 3 presents risk assessment frameworks and challenges in control assessment methods. Section 4 covers the overall challenges in control assessment methods. Section 5 presents the recommended solutions and future directions. Section 6 concludes this study.

2. Information Security Management

The early iterations of risk management methods contained predetermined system criteria, which attempted to reduce the level of expertise and training needed for analysis. With the growing number of threats, newer methods have emerged to keep pace and have aligned themselves with the primary goal, which is to detect and prevent threats and vulnerabilities [25,26]. Conceptually, the impact of threats and vulnerabilities can be estimated through organizational risk analysis using predetermined risk management methods [25]. In ISRM frameworks, risk is defined as the negative impact on an organization’s bottom line when a vulnerability is exercised [27,28], that is, the predicted loss of confidentiality, integrity, availability, or accountability. A second definition, given by Wheeler [27] and also used by ENISA, is the probable frequency and probable magnitude of future loss. Both definitions apply to information security, and together they give organizations the recommended emphasis for information security as “the probable frequency and probable magnitude of potential loss of confidentiality, integrity, availability, or accountability”. ISRM may be characterized as a risk management activity that covers hazards to an organization’s resources, mission functions, and reputation or image; it is also a way of managing an organization’s assets and the outcomes of its operations [29]. According to Wheeler [27], the goal of RM is to maximize the organization’s output while minimizing the likelihood of unexpectedly bad consequences. Finding the proper balance means reducing exposure rather than pursuing an unattainable zero-exposure objective.
Uncertainty surrounds a company’s services and products as well as the organizational components that govern them. The RM process should therefore not be viewed merely as a technical activity carried out by IT specialists or technicians who manage and maintain IT systems and services but, rather, as a vital management activity of the business [30]. ISRM techniques and technologies have lately attracted much interest from both industry and academia, and many studies have investigated how successful they are. ISRM, on the other hand, still lacks a solid theoretical foundation [25]. ISRM should be a multi-stage, iterative process; implemented effectively, it allows continuous improvement in both performance and decision making.

3. Risk Assessment

The core step in risk management is risk assessment, which is used to identify hazards and apply suitable control measures. Risk assessment helps ensure that information systems are safe, cost-effective, and up-to-date [31,32]. It refers to a set of actions for identifying sensitive data, mapping them to possible threats, assessing the severity of the current environment, and identifying the source of potential hazards [33,34,35,36,37]. This activity should consider the vulnerability levels of individual resources, whereas a conventional vulnerability assessment presumes the same risk level regardless of location [38,39]. Detecting threats and vulnerabilities to a particular asset, clarifying the risk, and assessing that risk exposure at a specified level are often referred to collectively as risk assessment [40,41,42]. As a result, management must regularly and effectively review the quality of the risk assessment process [43,44], since it becomes increasingly complicated as IT systems evolve and may affect technical, physical, and administrative elements. Risk analysis is part of the risk assessment stage and is defined as the process of determining the likelihood of an undesired event occurring and the severity of that occurrence. During risk mitigation, the outcome of a risk assessment leads to the identification of appropriate measures for eliminating or decreasing risk. More recent methods add real-time, integrated, and intelligent functions to obtain benefits such as self-adaptability, self-organization, and self-learning [45]. The problem in selecting an appropriate risk assessment method is establishing how flexible and viable it is in determining critical security risk areas and how it handles large volumes of data, combining elements into manageable information that fits the organization’s needs and requirements [44,46].
Risk exposure should be assessed for each threat and vulnerability after the risk assessment stage, which includes identifying assets, threats, vulnerabilities, and security controls to determine the level of risk and estimate the business implications. Controls that support the organization’s aims and goals by providing an appropriate degree of security should be the top priority for implementation. The objective of control analysis in the risk assessment process, according to Singh [47], is to establish whether security controls apply or to plan how to decrease the risk. These factors should all be considered when designing or selecting any technical security control. One practical method is to establish a checklist of appropriate controls in each security area that will help the company meet its business purpose while maintaining a sufficient degree of security. However, a checklist requires evaluating all controls to assess their strengths and weaknesses, which consumes additional resources, such as time and money, and affects the business’s budget. ISRM is not the process of compiling a checklist of needed controls and then looking for ways to implement them: before controls can be applied, the cause of the problem must be identified. Ultimately, the effectiveness and appropriateness of these measures determine the residual level of risk [44,46]. The applied controls are then stated quantitatively or qualitatively.

3.1. ISO/IEC 27005 Risk Management Standard

In its 2018 edition, ISO/IEC 27005, published jointly by ISO and IEC, is widely regarded as the reference standard for ISRM. In an iterative process, the proposed controls and agreed-upon options may be put into action with the help of a risk treatment plan, which can be defined with the help of the ISO/IEC 27005 standard, so that the risks can then be reduced. Before deciding how and when to reduce risks to an acceptable level, the standard examines the underlying sources of each risk [48]. The ISO/IEC 27005 [16] process comprises context establishment, risk assessment, risk treatment, risk acceptance, risk communication, and risk monitoring and review. Figure 2 shows the ISRM framework. Iteratively reassessing high-risk situations is key to the ISRM process, which is described as a continuous cycle of risk assessment and treatment actions.

ISO/IEC 27005 Information Security Risk Assessment

The ISO/IEC 27005 risk management context is established first. The risk assessment activity is then carried out; it is divided into risk analysis (identification and estimation of risks) and risk evaluation. The result of this exercise provides enough information to decide what to do next. The ISRM technique and its stages are clearly defined as a continuous risk assessment and treatment procedure, with the iterative approach ensuring that high risks are handled correctly. In other words, the international risk assessment standard defines risk as a combination of the consequences of an event and the likelihood of its occurrence. The risk assessment evaluates prospective threats, present controls, consequences, the value of information assets, and potential vulnerabilities. Qualitative risk assessment may be used in an institution to identify risks and give management the ability to prioritize them based on their perceived importance or other defined criteria [37]. The ISO/IEC 27005 standard emphasizes qualitative data over quantitative data to keep costs down for decision makers. As a general risk management standard, it fails to provide specific recommendations on the critical phases of important control identification [35] and does not identify the relevant analyses for current controls. Furthermore, no precise model of ISRM is proposed as an international standard. Kiesling [38] found that selecting information security controls from common practice is complex, and it is the organization’s responsibility to choose the optimal standard [49]. Within the ISMS and the risk management context, an organization’s strategy, tactics, and process can be defined using process principles such as the ISMS standard, which leaves the decisions to the organization’s decision makers. Breier and Hudec [36] claim that the ISO family of standards excludes practical aspects and shortens the formal approach for assessing the adequacy of security systems.
Although the state of the knowledge base has improved in recent years, modified standardization of the complete risk assessment process is still needed.

3.2. NIST (SP-800-30)

NIST SP 800-30, the Risk Management Guide for Information Technology Systems, was released in 2002; it is commonly used in the government sector and offers a foundation for developing the RM concept. To secure the organization’s information assets, the guide includes IT risk management advice and consists of both practical guidance and definitions for creating an effective risk management program for IT systems. Risk assessment, risk mitigation, and evaluation and assessment are the three primary processes covered by the NIST guidance. In a nutshell, the NIST RM guidance helps IT managers lower operating costs [50]. Risk management must be fully integrated with the phases of the System Development Life Cycle (SDLC). Initiation, development or acquisition, implementation, operation or maintenance, and disposal are the five stages of an IT system, with some phases running simultaneously. The ISRM framework is the same regardless of which SDLC stage is being followed, and Table 1 details the iterative processes that may be used throughout each step of the SDLC.
The NIST ISRM guidance emphasizes the need for both risk assessment and risk mitigation. Control analysis (step 4 of the risk assessment process) does not give clear guidelines on how the analysis should be performed, any more than ISO/IEC 27005 does [47,51]. Instead of objective examination, the NIST risk assessment procedure relies on the organization’s subjective opinion. As a result, there is no further guidance on identifying and choosing which information security measures to test. Similarly, control selection is a critical stage in risk mitigation, but little additional information is provided on how controls should be applied and monitored [52]. Additionally, NIST SP 800-30 does not consider organization-specific restrictions such as prices, scheduling, and resource limitations. The NIST guidance also necessitates the involvement of specialists to choose the most effective and essential controls. Risk assessment and mitigation are both qualitative processes, but businesses and industries are increasingly turning to quantitative research to aid decision making.
According to the NIST guide, risk is a function of the likelihood that a given threat source exercises a particular vulnerability and the resulting impact on the organization [53]. Using this approach, firms may identify risk mitigation strategies. Figure 3 illustrates the nine steps of the risk assessment framework: system characterization, threat identification, vulnerability identification, control analysis, likelihood determination, impact analysis, risk determination, control recommendations, and results documentation.

3.3. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)

OCTAVE was conceived in 1999 at Carnegie Mellon University’s Software Engineering Institute (SEI). It was developed by the SEI together with the Telemedicine and Advanced Technology Research Center (TATRC) to help the US Department of Defense (DoD) address the security compliance problems raised by the Health Insurance Portability and Accountability Act, and it was publicly released in September 2001. OCTAVE provides a variety of tools, methodologies, and approaches for risk-based information security, strategic assessment, and planning. Compared to ISO/IEC 27005 and NIST, OCTAVE offers more extensive generic risk management guidelines and data. To assist businesses in developing qualitative risk criteria, OCTAVE is designed and organized to describe the operational risk burden, determine the consequences for the organization if threats materialize, and identify the vulnerabilities and threats to the organization’s critical assets. Allen [54] notes that OCTAVE focuses on qualitative risk determination, whereas the environment has shifted dramatically toward the quantitative approaches that decision makers are already familiar with. As part of the selection process, the analysis team or users evaluate the optimal controls and the hazards associated with each information security measure, and subjective judgment grows as more people are involved in the mitigation decision [55]. These guidelines generally do not consider organization-specific limitations such as costs and resource restrictions when identifying information security policies.

3.4. Information Risk Analysis Methodology (IRAM)

IRAM is a risk analysis methodology developed by the Information Security Forum that is built around business impact analysis. The process involves assessing potential risks and vulnerabilities, determining the impact of security breaches on the organization, evaluating information hazards, analyzing the need for controls, and developing a plan of action to meet control requirements. The IRAM risk assessment process consists of three primary phases. The first, business impact assessment, determines the repercussions of a system failure for the firm. The second, threat and vulnerability assessment, starts by creating a detailed system profile and an evaluation methodology; once the strategy is in place, an assessment identifies and evaluates risks and weaknesses. During the last phase, control selection, the assessment of risk is conducted via qualitative interviews with the key individuals involved in the process.
The most crucial aspect of IRAM’s third phase, control selection, is a qualitative interview with all key stakeholders and business owners. Using personal judgment to estimate risk is imprecise, and stakeholders often hold divergent views on the criticality of an asset. Because IRAM relies on professionals throughout, its security assessment is only as objective as the experts involved. Risk analysis therefore aims to reduce subjective variables, which is why newer approaches increasingly draw on quantitative data to help management make sound choices.

3.5. Expression of Needs and Identification of Security Objectives (EBIOS)

Information system risk managers can use EBIOS as a complete collection of guides. Although the French government first drove its creation, it is now backed by a group of international specialists. EBIOS introduces standard practices and application documents for end users in diverse situations and is widely used in the public and business sectors across the world [6]. It provides risk managers with a high-level strategy and dependable outcomes, assisting them in achieving global objectives, a global vision, and trustworthy judgments across more systems. EBIOS specifies the controls by formalizing the security objectives; however, it does not give specific instructions on how to achieve them. As with IRAM, it relies on the user’s judgment. Evidence from Jurgenson and Willemson [55] and Kiesling et al. [56] shows that EBIOS works only as a high-level strategy without anchoring the rationale in the company. Because of this, it relies on expert judgments [21,54] to offer guidance concerning calculated risks, vulnerabilities, and controls. Threat and vulnerability probabilities, for instance, are determined mainly by subjective judgment rather than objective evaluation. As Allen [54] shows, human specialists make surprising kinds of mistakes in their assessments of uncertainty and risk, and decision makers may hold divergent views on the criticality of an asset, which is concerning.

3.6. CRAMM Method

The Central Computer and Telecommunications Agency (CCTA) in the United Kingdom created CRAMM, a risk analysis technique [24]. A specialized tool is required to apply the CRAMM technique; the method and the tool were initially released based on best practices from British government agencies. CRAMM is the UK government’s recommended risk analysis approach because it works well for large organizations such as governments and businesses.
Without the CCTA tool, applying the CRAMM method is laborious. It is based on the best practices of UK organizations, such as the BS 7799 standard [57]. A vital element of the approach is that it offers phases for both technical and non-technical information security issues [58,59,60]. Because CRAMM relies primarily on qualitative risk assessment, its results are unreliable. Since it pertains more to general information security than to risk assessment, it is less suited to control prioritization. Figure 4 shows the high-level structure of the CRAMM methodology.

3.7. Statistical Design of Experiments Approach

Singh [61] proposed a statistical experimental design based on the Plackett and Burman model [62,63]. Before beginning the tests, he examined several assumptions. First, although specific security measures are more critical than others, it is not practical to test them all simultaneously. Second, the controls are monotonic, i.e., adding a control never makes the business worse off, although high-level security will not help in the same way as low-level security. Finally, because the controls overlap little, the interactions between them are minimal. For these reasons, Singh [64] presented a screening approach based on Plackett and Burman designs to identify essential security controls. The technique is more efficient than a full experimental design and requires less training and skill. A Plackett and Burman design screens up to N−1 two-level factors in N runs, where N is a multiple of 4 [65,66], whereas a complete two-level factorial design needs 2^X runs for X variables; the reduced number of trials makes the screening technique easier to set up and interpret and demands less expertise [61]. The statistical method calculates the effect cost from the event cost obtained from the experts’ benchmark, which may be incorrect because of subjective inputs such as interviews and questionnaires during the security review. Critical controls are then ranked on the sum of their scores, which can lead to errors. For example, to learn how essential a firewall is, a company adds up all the preceding ranks to obtain a final score. Suppose the firewall blocks all but one of the attacks considered; summing its rank across every attack can still place it below other controls, understating its importance. The model also needs expert input to calculate the cost impact score.
Nevertheless, the qualitative elements should be minimized to give decision makers a more precise picture of the risks to the company. The approach focuses on the analysis of control efficacy without giving the business additional information regarding risk impact and remediation costs. Other selection criteria may be added to this technique to make it a more robust decision support system for control selection and yield better outcomes.
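To show what a Plackett and Burman screening of controls actually computes, the following Python code is added as an illustration; it is not Singh’s implementation. It builds the standard 12-run design, checks that the columns are balanced and mutually orthogonal, and estimates each control’s main effect as the difference between the mean response when the control is deployed and when it is absent. The eight control names, their loss reductions, and the base loss are constructed values standing in for the event costs a real review would collect; in practice the response column comes from the security review, not from a formula.

```python
"""Plackett-Burman screening of security controls (added example, not Singh's code)."""
from itertools import combinations

# Generator row of the 12-run Plackett-Burman design (Plackett and Burman, 1946).
# Cyclic shifts of this row plus a final all -1 row give 12 runs for up to 11 factors.
PB12_GENERATOR = (+1, +1, -1, +1, +1, +1, -1, -1, -1, +1, -1)


def plackett_burman_12():
    """Return the 12 x 11 design matrix; +1 = control deployed in that run, -1 = absent."""
    g = PB12_GENERATOR
    n = len(g)
    rows = [[g[(j - i) % n] for j in range(n)] for i in range(n)]
    rows.append([-1] * n)
    return rows


def is_orthogonal(design):
    """True when every column is balanced and every pair of columns has zero inner product."""
    cols = list(zip(*design))
    balanced = all(sum(c) == 0 for c in cols)
    orthogonal = all(sum(a * b for a, b in zip(c1, c2)) == 0 for c1, c2 in combinations(cols, 2))
    return balanced and orthogonal


# Hypothetical controls and the reduction in expected annual loss (arbitrary units)
# each delivers when deployed. Constructed values for the illustration only.
CONTROLS = {
    "firewall": 30.0, "patching": 25.0, "mfa": 40.0, "edr": 20.0,
    "backups": 15.0, "logging": 5.0, "segmentation": 18.0, "training": 8.0,
}
BASE_LOSS = 200.0  # expected annual loss with no controls (constructed)


def simulated_loss(settings):
    """Stand-in for the review's measured response: loss with the given controls on (+1)."""
    return BASE_LOSS - sum(r for name, r in CONTROLS.items() if settings[name] == +1)


def main_effects(design, names, response):
    """effect_j = mean(y | x_j = +1) - mean(y | x_j = -1), i.e. sum(x_j * y) / (N / 2)."""
    half = len(design) // 2
    return {
        name: sum(row[j] * y for row, y in zip(design, response)) / half
        for j, name in enumerate(names)
    }


def screen_controls():
    """Run the 12 trials and rank controls by effect; most negative = biggest loss reduction."""
    design = plackett_burman_12()
    names = list(CONTROLS)  # 8 factors occupy 8 of the 11 columns; the rest stay unused
    response = [simulated_loss(dict(zip(names, row[: len(names)]))) for row in design]
    effects = main_effects(design, names, response)
    return sorted(effects.items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    assert is_orthogonal(plackett_burman_12())
    for name, effect in screen_controls():
        print(f"{name:13s} effect on loss = {effect:+.1f}")
```

Twelve trials rank eight controls, where a full two-level factorial would need 256. Because the columns are orthogonal, each control’s effect is estimated free of the others under the additivity assumption the text describes; the three unused columns can serve as an error estimate in a real screening. The ranking is by effect magnitude, which avoids the summed-rank distortion described above.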

3.8. Multi-Criteria Evaluation Methods

Lv et al. [62] created a technique for evaluating several different aspects simultaneously [67]. They presented a Preference Ranking Organization Method for Enrichment Evaluations (PROMETHEE) methodology and a Geometrical Analysis for Interactive Assistance (GAIA) strategy to quantitatively rank existing risk control measures. PROMETHEE is a pair-wise comparison multi-criteria analysis approach. The model takes criterion values and criterion weights from decision makers and computes, for each alternative, a leaving (positive) flow, an entering (negative) flow, and a net flow. Control measures are compared on their advantages and drawbacks in each preparation program using these criteria. The most significant contribution of this research is a ranking model for security control plans that takes multiple criteria and the interests of various decision makers into account. However, the research offers no model for controlling subjectivity, which is necessary to produce an appropriate ranking of controls: before the analysis is conducted, experts set the criterion weights and the preference functions.
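The flows named above are easiest to understand from a worked computation. The Python code below is an added example, not the code of Lv et al.: it implements PROMETHEE II with the usual (strict preference) criterion, which is one of the six standard preference functions, over three hypothetical controls scored on three constructed criteria with constructed weights. For each ordered pair it forms the weighted aggregated preference Π(a, b), then derives the leaving flow φ⁺(a), the entering flow φ⁻(a), and the net flow φ(a) = φ⁺(a) − φ⁻(a) that produces the complete ranking. GAIA, which is a visual projection of the same data, is not reproduced.

```python
"""PROMETHEE II ranking of security controls (added example, not the cited authors' code)."""

# Criteria as (name, weight, kind): "max" for benefit, "min" for cost. Constructed values.
CRITERIA = [
    ("vulnerability_coverage", 0.4, "max"),
    ("threat_severity_addressed", 0.4, "max"),
    ("remediation_cost", 0.2, "min"),  # cost in arbitrary units, lower is better
]

# Hypothetical controls scored on the criteria above, in order. Constructed values.
ALTERNATIVES = {
    "mfa": [9, 8, 50],
    "patching": [6, 9, 30],
    "waf": [4, 5, 20],
}


def usual_preference(diff):
    """Usual criterion: any positive difference is a strict preference (1), otherwise 0."""
    return 1.0 if diff > 0 else 0.0


def aggregated_preference(a, b, criteria, pref=usual_preference):
    """Pi(a, b): weighted sum over criteria of the preference of a over b."""
    if abs(sum(w for _, w, _ in criteria) - 1.0) > 1e-9:
        raise ValueError("criterion weights must sum to 1")
    total = 0.0
    for av, bv, (_, w, kind) in zip(a, b, criteria):
        diff = av - bv if kind == "max" else bv - av  # orient so positive means a is better
        total += w * pref(diff)
    return total


def promethee_flows(alternatives, criteria):
    """Return {name: (leaving flow, entering flow, net flow)} for every alternative."""
    names = list(alternatives)
    n = len(names)
    flows = {}
    for a in names:
        others = [b for b in names if b != a]
        leaving = sum(aggregated_preference(alternatives[a], alternatives[b], criteria)
                      for b in others) / (n - 1)
        entering = sum(aggregated_preference(alternatives[b], alternatives[a], criteria)
                       for b in others) / (n - 1)
        flows[a] = (leaving, entering, leaving - entering)
    return flows


def rank_controls(alternatives=ALTERNATIVES, criteria=CRITERIA):
    """Complete ranking by net flow, highest first (PROMETHEE II)."""
    flows = promethee_flows(alternatives, criteria)
    return sorted(flows, key=lambda a: flows[a][2], reverse=True)


if __name__ == "__main__":
    for name, (phi_plus, phi_minus, phi) in promethee_flows(ALTERNATIVES, CRITERIA).items():
        print(f"{name:9s} phi+ = {phi_plus:.2f}  phi- = {phi_minus:.2f}  net = {phi:+.2f}")
    print("ranking:", rank_controls())
```

With these numbers "patching" outranks "mfa" even though "mfa" has the larger coverage score, because the usual criterion counts only the direction of each pairwise difference, not its size. Swapping in a linear or Gaussian preference function changes that, which is exactly the expert choice of preference function that the paragraph above identifies as a source of subjectivity.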

3.9. Cyber Investment Analysis Methodology (CIAM)

Llansó [68] introduced the Cyber Investment Analysis Methodology (CIAM), a data-driven technique for choosing and prioritizing security controls within a ranking framework. The methodology uses data from past trials and control effectiveness ratings to rate security mechanisms. The process has four steps: select the dataset (for example, previous vulnerabilities), weight the security controls, rate their effectiveness, and compute the priorities. Prioritizing controls by their efficacy is the goal of the technique. Nevertheless, the weighting of security controls depends on experts’ subjective assessments of the effectiveness of the controls’ capabilities. The datasets are not classified, and there is no defined process for estimating and analyzing the data. Because CIAM is still at the proposal stage, further research is needed to demonstrate and confirm its correctness.

3.10. Enhanced Grey Risk Assessment Model Supporting Cloud Service Provider

Razaque et al. [69] used grey system theory (GST) and the analytic hierarchy process (AHP) to assess the susceptibility of cloud service providers (CSPs) to management, legislative, and technological issues. GST handles complex and incomplete data effectively in an enhanced grey risk assessment model, which makes it useful for evaluating risks in intricate domains such as cybersecurity, particularly when information is scarce. The approach uses AHP to prioritize risks by decomposing the decision into criteria and alternatives. Together, GST and AHP provide comprehensive risk assessments with enhanced insights and practical recommendations. The simulation results showed that the proposed model reduces deviation in support of CSPs across the three adopted models (GST, AHP, and the enhanced grey model).

3.11. A Situation Awareness Model for Information Security Risk Management

Webb et al. [70] proposed a process model called Situation-Aware ISRM (SA-ISRM) to address three significant deficiencies in ISRM practice by gathering, examining, and communicating risk-related information across the whole company. They applied Endsley’s concept of situation awareness to a case study involving a US national security intelligence organization. The proposed system helps companies identify all potential threats to information security and generates prioritized requests for further intelligence where information is insufficient. It then uses feedback loops to direct the intelligence function’s security risk investigation, improving precision. The SA-ISRM process should consistently, rather than sporadically, draw on all relevant security risk-related information, including historical intelligence, so that the ISRM team is informed of both short- and long-term trends that might affect security.

3.12. A Hybrid Model for Information Security Assessment

In their study, S. Haji et al. [71] proposed a new evaluation model that emphasizes the need to incorporate systematic threat analysis into IT risk management frameworks, addressing a deficiency in the evaluation of information security risks. Future studies on risk management may examine the efficacy of the hybrid model in companies of different sizes and levels of complexity. The authors also state that the model lays the foundation for future investigations into information security risks and the changing threat landscape as a component of the risk assessment process.

3.13. BWM-SWARA Approach

A. Sukumar et al. [72] introduced a multilayer decision-making framework that helps small e-tailers, i.e., small- and medium-sized e-tailing enterprises (SMEs), tackle cybersecurity threats. The methodology uses a multi-criteria decision analysis (MCDA) technique that integrates Stepwise Weight Assessment Ratio Analysis (SWARA) with the Best–Worst Method (BWM) to evaluate 28 identified cyber hazards across several areas, including security, dependence, employee, strategic, and legal concerns. The framework aims to improve the cybersecurity resilience of SMEs by offering customized solutions to address their vulnerabilities.

3.14. An Integrated Model to Enhance Security

P. Subhash et al. [73] proposed an integrated threat model that utilizes a multi-level approach encompassing investigation, testing, and maintenance cycles to bolster system security. The iterative process includes data collection and analysis to identify vulnerabilities, the implementation of security measures such as Multi-Factor Authentication and firewalls, and regular system updates and testing to address emerging threats, thereby ensuring continuous cybersecurity enhancement.

3.15. AI-Powered Cyber Insurance Risk Assessment

S. Jawhar et al. [74] investigated the use of artificial intelligence (AI) to improve report generation for cyber insurance by analyzing consumer responses to a pre-designed questionnaire. The AI processes these responses and compares the resulting insights with historical industry data to produce detailed, data-driven reports efficiently. The approach, tested with 100 sample responses using GPT-4, shows AI’s capability to assess cyber risks, recommend suitable cybersecurity measures, and tailor insurance policies to specific organizational requirements.

4. Challenges in Control Assessment Methods

The cost of developing information tools has risen over recent years. Security controls, such as firewalls, intrusion detection systems (IDSs), and operating systems, reduce the risk of security breaches. However, attack methods are developed and updated constantly, and organizations are often unable to react before their business has been impacted. Hence, identifying and managing IT infrastructure and system risks has become a primary concern for organizations. Many risk assessment frameworks and models exist to protect information assets and support organizational governance, and their issues and challenges have become a significant concern among decision makers. The standards are not sufficiently flexible or dynamic to track technological change: international standards are typically revised on a cycle of three to five years and therefore become outdated too quickly for cybersecurity use. These models and frameworks have largely concentrated on establishing a process around risk management. Although that is a sound approach, most of them do not provide specific criteria for evaluating security controls, and most rely on at least some subjective inputs or subjective judgments about uncertainty and risk. In short, no appropriate quantitative risk analysis method has been adopted to increase the reliability of these models. Therefore, based on the drawbacks and limitations of the existing frameworks, this research proposes a model that can improve the performance of the risk assessment process. Existing risk assessment systems typically lack granularity and rely on qualitative data, resulting in subjective and inaccurate results. Through its multi-criteria decision-making framework, the ISCP model provides a more methodical and quantitative security evaluation [21].
For cost-effective risk analysis, a dynamic quantitative model is necessary. The method should investigate the links between system vulnerabilities, threats, and countermeasures. Because a dynamic quantitative model is fast and requires minimal human input, the process can be repeated with consistent and comparable outcomes. Knowing the potential risks, decision makers can then decide effectively which security controls should be implemented. At the same time, an organization needs to see not only the threats affecting its controls but also the cost of remediating the underlying vulnerabilities. Illustrating the risk factors that affect critical assets gives decision makers an accurate picture of the organization’s exposure, so there is a need for a systematic, easily implemented, repeatable model to study it.

5. Future Directions

Recently, there have been suggestions for alternative models to improve risk assessment techniques. These techniques facilitate the establishment of a structured system and procedure for a corporation, but they do not provide explicit, practical measures to be taken. Their selection is based on subjective judgment and professional opinion. The lack of objective, quantitatively applicable standards makes it difficult to prioritize and assess sensitive assets and controls.
Three significant challenges face judgment-based risk assessment methodologies: providing clear steps for risk assessment, reducing human input and the errors caused by subjective judgment, and obtaining accurate and sufficient data to quantify risks. To address them, the ISCP model must be designed to improve information security assessment by incorporating five evaluation criteria: valid vulnerabilities, attacks, severity, and the cost of the remediation effort. A benchmark or baseline for estimating the severity of assets is required, rather than relying on humans to make the final decision, because human input and subjective judgments can lead to inappropriate or incorrect choices. Remediation cost plans must also be determined in detail, which requires agreement on the cost and time of the remediation effort.
The ISCP model discussed in this work tackles these difficulties by providing a quantitative assessment of information security risk. ISCP rates critical security measures on factors such as the work required for remediation, the presence of true vulnerabilities, the severity of potential attacks, and the number of vulnerabilities identified. Prior studies have shown that this approach reduces the expense, duration, and ambiguity associated with security control assessment. Companies establish priorities by conducting ISCP risk assessments, which score security indicators against these specific criteria. The research indicates that this method significantly aids corporate decision making [21].
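The multi-criteria prioritization described for AHP in Razaque et al. [69] and for the ISCP criteria [21] can be illustrated with a small worked example. The code below is an added illustration written for this page, not code from the cited authors or from the ISCP model itself: it derives criterion weights from a constructed AHP pairwise-comparison matrix, checks Saaty's consistency ratio (which flags contradictory expert judgments), and ranks three constructed security controls by a weighted sum of the four ISCP criteria named above. The control names, raw values and pairwise judgments are all assumptions.

```python
"""Added example: AHP criterion weights plus multi-criteria ranking of security
controls. Constructed for illustration; not the ISCP model's own algorithm."""
import math
from typing import Dict, List, Tuple

# Saaty's random consistency index by matrix size n (n = 1..9).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}

# The four criteria the text lists for ISCP; the order here is our choice.
CRITERIA = ["severity", "valid_vulnerabilities", "attacks", "remediation_cost"]
# Criteria for which a smaller raw value is better.
COST_CRITERIA = {"remediation_cost"}

# Constructed pairwise judgments (row i vs column j on Saaty's 1..9 scale):
# e.g. severity is judged twice as important as valid vulnerabilities.
PAIRWISE = [
    [1.0, 2.0, 3.0, 4.0],
    [1 / 2, 1.0, 2.0, 3.0],
    [1 / 3, 1 / 2, 1.0, 2.0],
    [1 / 4, 1 / 3, 1 / 2, 1.0],
]

# Constructed raw measurements per candidate control (hypothetical names):
# CVSS-like severity of what the control mitigates, number of valid
# vulnerabilities it closes, number of attack paths it blocks, and the
# estimated remediation effort in person-hours.
CONTROLS: Dict[str, Dict[str, float]] = {
    "Patch management": {"severity": 9.0, "valid_vulnerabilities": 12,
                         "attacks": 8, "remediation_cost": 40},
    "MFA rollout":      {"severity": 7.5, "valid_vulnerabilities": 3,
                         "attacks": 10, "remediation_cost": 120},
    "Log review":       {"severity": 4.0, "valid_vulnerabilities": 2,
                         "attacks": 2, "remediation_cost": 16},
}


def ahp_weights(matrix: List[List[float]]) -> Tuple[List[float], float]:
    """Return (priority weights, consistency ratio) for a pairwise matrix.

    Weights use the row geometric-mean approximation of the principal
    eigenvector; the consistency ratio is CR = CI / RI with
    CI = (lambda_max - n) / (n - 1). CR > 0.1 means the judgments are too
    contradictory to trust and should be revised.
    """
    n = len(matrix)
    if any(len(row) != n for row in matrix):
        raise ValueError("pairwise comparison matrix must be square")
    for i in range(n):                       # a_ji must equal 1 / a_ij
        for j in range(n):
            if abs(matrix[i][j] * matrix[j][i] - 1.0) > 1e-6:
                raise ValueError(f"matrix is not reciprocal at ({i},{j})")
    geo = [math.prod(row) ** (1.0 / n) for row in matrix]
    total = sum(geo)
    weights = [g / total for g in geo]
    # lambda_max estimated as the mean of (A w)_i / w_i over all rows.
    aw = [sum(matrix[i][j] * weights[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / weights[i] for i in range(n)) / n
    if n <= 2:                               # 1x1 and 2x2 are always consistent
        return weights, 0.0
    ci = (lambda_max - n) / (n - 1)
    return weights, ci / RANDOM_INDEX[n]


def rank_controls(controls: Dict[str, Dict[str, float]],
                  weights: Dict[str, float]) -> List[Tuple[str, float]]:
    """Score each control by a weighted sum of normalised criteria and return
    (name, score) pairs from highest to lowest priority.

    Benefit criteria are scaled by the column maximum; cost criteria by
    minimum / value, so the cheapest control scores 1.0 on cost.
    """
    scores: Dict[str, float] = {}
    for crit, w in weights.items():
        values = [c[crit] for c in controls.values()]
        hi, lo = max(values), min(values)
        for name, c in controls.items():
            if crit in COST_CRITERIA:
                norm = lo / c[crit] if c[crit] else 1.0
            else:
                norm = c[crit] / hi if hi else 0.0
            scores[name] = scores.get(name, 0.0) + w * norm
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    weights, cr = ahp_weights(PAIRWISE)
    for name, w in zip(CRITERIA, weights):
        print(f"{name:<22} weight={w:.3f}")
    print(f"consistency ratio={cr:.3f} ({'ok' if cr < 0.1 else 'revise'})")
    for name, score in rank_controls(CONTROLS, dict(zip(CRITERIA, weights))):
        print(f"{name:<18} priority score={score:.3f}")
```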

6. Conclusions

Organizations face significant challenges in managing information security risks and resources because the methodologies for Information Security Risk Management (ISRM) are broad. When enterprises establish an information security system, they need to consider numerous factors, such as cost, time, efficacy, and the environment. Current methodologies, such as risk analysis and management, have a crucial function in evaluating and reducing risks. However, they often fail to consider organizational limitations, such as the cost of implementation and the availability of resources, when choosing information security measures. Furthermore, these methodologies usually fail to prioritize the needed controls and instead offer generic suggestions for risk assessment. Consequently, decision makers have the responsibility of choosing the most suitable approach to fulfill their organization’s needs, and they must modify and tailor best practices and standard processes accordingly. Based on the literature review, a major obstacle in risk assessment approaches is the difficulty of achieving a suitable balance between risk exposure and investment in security. An evaluation of these methodologies and criteria was necessary to design a solution that effectively employs core ideas and principles to guarantee optimal performance. ISO/IEC 27005, NIST SP800-30, OCTAVE, EBIOS, CRAMM, and IRAM are internationally recognized and nationally adopted standards that provide comprehensive guidelines for establishing security goals. Each technique has distinct advantages but also some limitations, frequently requiring businesses to depend on expert assessments and qualitative evaluations without fully considering particular organizational limitations. Our analysis emphasizes that while these approaches provide a systematic approach to risk management, there is a need for models that prioritize and combine cost-effective and resource-efficient methods.
The 2018 study [21] provided evidence of the feasibility and resilience of the ISCP concept. The model’s structured security control evaluation and prioritization capabilities make it a powerful tool for firms seeking to strengthen their data protection procedures. By using such a framework, companies may gain a more balanced approach to allocating security resources and managing potential risks, enabling them to develop a customized and effective security plan in line with their unique requirements and limitations.

Author Contributions

Conceptualization, N.A. and Y.F.; methodology, N.A. and Y.F.; validation, Y.F. and F.A.; investigation, N.A., Y.F. and F.A.; resources, N.A., Y.F. and F.A.; data curation, N.A. and Y.F.; writing—original draft preparation, N.A. and Y.F.; writing—review and editing, Y.F. and F.A.; visualization, Y.F.; supervision, Y.F. and F.A.; project administration, Y.F.; funding acquisition, Y.F. and F.A. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Alshahrani, H.M.; Alotaibi, S.S.; Ansari, M.T.J.; Asiri, M.M.; Agrawal, A.; Khan, R.A.; Mohsen, H.; Hilal, A.M. Analysis and Ranking of IT Risk Factors Using Fuzzy TOPSIS-Based Approach. Appl. Sci. 2022, 12, 5911.
  2. Ghahramani, F.; Yazdanmehr, A.; Chen, D.; Wang, J. Continuous improvement of information security management: An organisational learning perspective. Eur. J. Inf. Syst. 2023, 32, 1011–1032.
  3. Eachempati, P. Change Management in Information Asset. J. Glob. Inf. Manag. (JGIM) 2017, 25, 68–87.
  4. Koltays, A.; Konev, A.; Shelupanov, A. Mathematical model for choosing counterparty when assessing information security risks. Risks 2021, 9, 133.
  5. Shinde, P.S.; Ardhapurkar, S.B. Cyber security analysis using vulnerability assessment and penetration testing. In Proceedings of the 2016 World Conference on Futuristic Trends in Research and Innovation for Social Welfare (Startup Conclave), Coimbatore, India, 29 February–1 March 2016; pp. 1–5.
  6. Hubbard, D.W. The Failure of Risk Management: Why It’s Broken and How to Fix It; John Wiley & Sons: Hoboken, NJ, USA, 2020.
  7. Fenton, N.; Neil, M. Risk Assessment and Decision Analysis with Bayesian Networks; CRC Press: Boca Raton, FL, USA, 2018.
  8. Lu, L.; Goerlandt, F.; Banda, O.A.V.; Kujala, P. Developing fuzzy logic strength of evidence index and application in Bayesian networks for system risk management. Expert Syst. Appl. 2022, 192, 116374.
  9. Akinrolabu, O.; New, S.; Martin, A. CSCCRA: A novel quantitative risk assessment model for SaaS cloud service providers. Computers 2019, 8, 66.
  10. Hammarberg, R.; Gazzawi, A. Risk Management Challenges for SMEs: A Case Study; Springer: Berlin/Heidelberg, Germany, 2022.
  11. Jabar, T.; Singh, M.M. Exploration of Mobile Device Behavior for Mitigating Advanced Persistent Threats (APT): A Systematic Literature Review and Conceptual Framework. Sensors 2022, 22, 4662.
  12. Wang, J. A Bayesian-Network-Based Framework for Risk Analysis and Decision Making in Cybersecurity. Ph.D. Thesis, Queen Mary University of London, London, UK, 2021.
  13. Llansó, T.; McNeil, M.; Noteboom, C. Multi-criteria selection of capability-based cybersecurity solutions. In Proceedings of the 52nd Hawaii International Conference on System Sciences, Maui, HI, USA, 8–11 January 2019.
  14. Nespoli, P.; Mármol, F.G.; Vidal, J.M. Battling against cyberattacks: Towards pre-standardization of countermeasures. Clust. Comput. 2021, 24, 57–81.
  15. Bognár, F.; Benedek, P. A Novel Risk Assessment Methodology: A Case Study of the PRISM Methodology in a Compliance Management Sensitive Sector. Acta Polytech. Hung. 2021, 18, 89–108.
  16. ISO/IEC 27005; Information Technology—Security Techniques—Information Security Risk Management. ISO: Geneva, Switzerland, 2008.
  17. Fahrurozi, M.; Tarigan, S.A.; Tanjung, M.A.; Mutijarsa, K. The Use of ISO/IEC 27005:2018 for Strengthening Information Security Management (A Case Study at Data and Information Center of Ministry of Defence). In Proceedings of the 2020 12th International Conference on Information Technology and Electrical Engineering (ICITEE), Yogyakarta, Indonesia, 6–8 October 2020; pp. 86–91.
  18. Al-Sartawi, A.M.M. Information technology governance and cybersecurity at the board level. Int. J. Crit. Infrastruct. 2020, 16, 150–161.
  19. Samimi, A. Risk Management in Information Technology. Prog. Chem. Biochem. Res. 2020, 3, 130–134.
  20. Alberts, C.; Dorofee, A.; Stevens, J.; Woody, C. Introduction to the OCTAVE Approach; Carnegie-Mellon University Software Engineering Institute: Pittsburgh, PA, USA, 2003.
  21. Al-Safwani, N.; Fazea, Y.; Ibrahim, H. ISCP: In-depth model for selecting critical security controls. Comput. Secur. 2018, 77, 565–577.
  22. Fischer, E.A. Creating a National Framework for Cybersecurity: An Analysis of Issues and Options; Library of Congress, Congressional Research Service: Washington, DC, USA, 2005.
  23. Sun, L.; Srivastava, R.P.; Mock, T.J. An information systems security risk assessment model under the Dempster-Shafer theory of belief functions. J. Manag. Inf. Syst. 2006, 22, 109–142.
  24. Feng, N.; Li, M. An information systems security risk assessment model under uncertain environment. Appl. Soft Comput. 2011, 11, 4332–4340.
  25. Hong, K.S.; Chi, Y.P.; Chao, L.R.; Tang, J.H. An integrated system theory of information security management. Inf. Manag. Comput. Secur. 2003, 11, 243–248.
  26. Sindhuja, P. The impact of information security initiatives on supply chain robustness and performance: An empirical study. Inf. Comput. Secur. 2021, 29, 365–391.
  27. Wheeler, E. Security Risk Management: Building an Information Security Risk Management Program from the Ground Up; Elsevier: Amsterdam, The Netherlands, 2011.
  28. Maček, D.; Magdalenić, I.; Begičević Ređep, N. A Model for the Evaluation of Critical IT Systems Using Multicriteria Decision-Making with Elements for Risk Assessment. Mathematics 2021, 9, 1045.
  29. Furlani, C.M. Minimum Security Requirements for Federal Information and Information Systems; DIANE Publishing: Collingdale, PA, USA, 2009.
  30. Jean-Jules, J.; Vicente, R. Rethinking the implementation of enterprise risk management (ERM) as a socio-technical challenge. J. Risk Res. 2021, 24, 247–266.
  31. Qiangmin, W.; Mengquan, L.; Jianhua, L. Method on network information system security assessment based on rough set. In Proceedings of the 2007 Third International IEEE Conference on Signal-Image Technologies and Internet-Based System, Shanghai, China, 16–19 December 2007; pp. 1041–1046.
  32. Leszczyna, R. Review of Cybersecurity Assessment Methods: Applicability Perspective. Comput. Secur. 2021, 108, 102376.
  33. Zhang, X.; Wuwong, N.; Li, H.; Zhang, X. Information security risk management framework for the cloud computing environments. In Proceedings of the 2010 10th IEEE International Conference on Computer and Information Technology, Bradford, UK, 29 June–1 July 2010; pp. 1328–1334.
  34. Faizi, A.; Padyab, A.; Naess, A. From rationale to lessons learned in the cloud information security risk assessment: A study of organizations in Sweden. Inf. Comput. Secur. 2022, 30, 190–205.
  35. Merchan-Lima, J.; Astudillo-Salinas, F.; Tello-Oquendo, L.; Sanchez, F.; Lopez-Fonseca, G.; Quiroz, D. Information security management frameworks and strategies in higher education institutions: A systematic review. Ann. Telecommun. 2021, 76, 255–270.
  36. Breier, J.; Hudec, L. Risk analysis supported by information security metrics. In Proceedings of the 12th International Conference on Computer Systems and Technologies, Vienna, Austria, 16–17 June 2011; pp. 393–398.
  37. Bhol, S.G.; Mohanty, J.; Pattnaik, P.K. Taxonomy of cyber security metrics to measure strength of cyber security. Mater. Today Proc. 2023, 80, 2274–2279.
  38. Behnia, A.; Abd Rashid, R.; Chaudhry, J.A. A survey of information security risk analysis methods. SmartCR 2012, 2, 79–94.
  39. Schmitz, C.; Pape, S. LiSRA: Lightweight security risk assessment for decision support in information security. Comput. Secur. 2020, 90, 101656.
  40. Saleh, Z.I.; Refai, H.; Mashhour, A. Proposed Framework for Security Risk Assessment. J. Inf. Secur. 2011, 2, 85–90.
  41. Shameli-Sendi, A.; Aghababaei-Barzegar, R.; Cheriet, M. Taxonomy of information security risk assessment (ISRA). Comput. Secur. 2016, 57, 14–30.
  42. Patiño, S.; Solís, E.F.; Yoo, S.G.; Arroyo, R. ICT risk management methodology proposal for governmental entities based on ISO/IEC 27005. In Proceedings of the 2018 International Conference on eDemocracy & eGovernment (ICEDEG), Ambato, Ecuador, 4–6 April 2018; pp. 75–82.
  43. Zainal, K.; Jali, M.Z. A perception model of spam risk assessment inspired by danger theory of artificial immune systems. Procedia Comput. Sci. 2015, 59, 152–161.
  44. Alcántara, M.; Melgar, A. Risk management in information security: A systematic review. J. Adv. Inf. Technol. 2016, 7, 1–7.
  45. Bagheri, S. Investigating Organisational Aspects of Cyber Resilience in Large Organisations. Ph.D. Thesis, University of Tasmania, Hobart, Australia, 2020.
  46. Samy, G.N.; Ahmad, R.; Ismail, Z. A framework for integrated risk management process using survival analysis approach in information security. In Proceedings of the 2010 Sixth International Conference on Information Assurance and Security, Atlanta, GA, USA, 23–25 August 2010; pp. 185–190.
  47. Fischer, E.A. Creating a National Framework for Cybersecurity: An Analysis of Issues and Options; Nova Science Publishers: Hauppauge, NY, USA, 2009.
  48. Mahmoud, M.S.B.; Larrieu, N.; Pirovano, A. A risk propagation based quantitative assessment methodology for network security-aeronautical network case study. In Proceedings of the 2011 Conference on Network and Information Systems Security, La Rochelle, France, 18–21 May 2011; pp. 1–9.
  49. Ross, R.S.; Johnson, L.A.; Katzke, S.W.; Toth, P.R.; Stoneburner, G.; Rogers, G. Guide for Assessing the Security Controls in Federal Information Systems: Building Effective Security Assessment Plans; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2008.
  50. ISACA; IT Governance Institute; The Office of Government Commerce. Aligning CobiT, ITIL and ISO 17799 for Business Benefit. 2007. Available online: https://www.itgovernance.co.uk/files/ITIL-COBiT-ISO17799JointFramework.pdf (accessed on 22 May 2024).
  51. Andersen, C. Successful security control selection using NIST SP 800-53. ISSA I 2009, 1, 12–17.
  52. Singh, A.; Lilja, D.J. Criteria and methodology for GRC platform selection. ISACA J. 2010, 1, 32.
  53. Jones, J. An introduction to factor analysis of information risk (FAIR). Norwich J. Inf. Assur. 2006, 2, 67.
  54. Allen, J. Mastering the Risk/Reward Equation: Optimizing Information Risks to Maximize Business Innovation Rewards; RSA, USA, Industry Report, 2008. Available online: https://www.robinsoninsight.com/wp-content/uploads/2017/07/Risk-Reward-Equation_Security-for-Business-Innovation.pdf (accessed on 22 May 2024).
  55. Jürgenson, A.; Willemson, J. Processing multi-parameter attacktrees with estimated parameter values. In International Workshop on Security; Springer: Berlin/Heidelberg, Germany, 2007; pp. 308–319.
  56. Kiesling, E.; Strauß, C.; Stummer, C. A multi-objective decision support framework for simulation-based security control selection. In Proceedings of the 2012 Seventh International Conference on Availability, Reliability and Security, Prague, Czech Republic, 20–24 August 2012; pp. 454–462.
  57. Tong, C.K.; Fung, K.; Huang, H.Y.; Chan, K.K. Implementation of ISO17799 and BS7799 in picture archiving and communication system: Local experience in implementation of BS7799 standard. In International Congress Series; Elsevier: Amsterdam, The Netherlands, 2003; Volume 1256, pp. 311–318.
  58. Piatyszek, E.; Karagiannis, G.-M. A model-based approach for a systematic risk analysis of local flood emergency operation plans: A first step toward a decision support system. Nat. Hazards 2012, 61, 1443–1462.
  59. Al-Hamdani, W.A. Non risk assessment information security assurance model. In Proceedings of the 2009 Information Security Curriculum Development Conference, Kennesaw, GA, USA, 25–26 September 2009; pp. 84–90.
  60. Shukla, A.; Katt, B.; Nweke, L.O.; Yeng, P.K.; Weldehawaryat, G.K. System Security Assurance: A Systematic Literature Review. arXiv 2021, arXiv:2110.01904.
  61. Singh, A.; Lilja, D. STARTS: A decision support architecture for dynamic security configuration management. In Proceedings of the 2009 IEEE International Conference on Industrial Engineering and Engineering Management, Hong Kong, China, 8–11 December 2009; pp. 2185–2191.
  62. Lv, J.-J.; Zhou, Y.-S.; Wang, Y.-Z. A multi-criteria evaluation method of information security controls. In Proceedings of the 2011 Fourth International Joint Conference on Computational Sciences and Optimization, Kunming, China, 15–19 April 2011; pp. 190–194.
  63. Carauta Ribeiro, R.; Dias Canedo, E. Using MCDA for selecting criteria of LGPD compliant personal data security. In Proceedings of the 21st Annual International Conference on Digital Government Research, Seoul, Republic of Korea, 15–19 June 2020; pp. 175–184.
  64. Singh, A.; Lilja, D. Improving risk assessment methodology: A statistical design of experiments approach. In Proceedings of the 2nd International Conference on Security of Information and Networks, Famagusta, Cyprus, 6–10 October 2009; pp. 21–29.
  65. Brunner, M.; Sillaber, C.; Breu, R. Towards automation in information security management systems. In Proceedings of the 2017 IEEE International Conference on Software Quality, Reliability and Security (QRS), Prague, Czech Republic, 25–29 July 2017; pp. 160–167.
  66. Hagerty, J.; Verma, K.; Gaughan, D. The Governance Risk Management and Compliance (GRC) Landscape Part 2: Software’s Integral Role in GRC Automation; Gartner, Inc.: Stamford, CT, USA, 2008.
  67. Asosheh, A.; Dehmoubed, B.; Khani, A. A new quantitative approach for information security risk assessment. In Proceedings of the 2009 2nd IEEE International Conference on Computer Science and Information Technology, Beijing, China, 8–11 August 2009; pp. 222–227.
  68. Llansó, T. CIAM: A data-driven approach for selecting and prioritizing security controls. In Proceedings of the 2012 IEEE International Systems Conference SysCon 2012, Vancouver, BC, Canada, 19–22 March 2012; pp. 1–8.
  69. Razaque, A.; Amsaad, F.; Hariri, S.; Almasri, M.; Rizvi, S.S.; Frej, M.B.H. Enhanced grey risk assessment model for support of cloud service provider. IEEE Access 2020, 8, 80812–80826.
  70. Webb, J.; Ahmad, A.; Maynard, S.B.; Shanks, G. A situation awareness model for information security risk management. Comput. Secur. 2014, 44, 1–15.
  71. Haji, S.; Tan, Q.; Costa, R.S. A hybrid model for information security risk assessment. Int. J. Adv. Trends Comput. Sci. Eng. 2019, 8, 100–106.
  72. Sukumar, A.; Mahdiraji, H.A.; Jafari-Sadeghi, V. Cyber risk assessment in small and medium-sized enterprises: A multilevel decision-making approach for small e-tailors. Risk Anal. 2023, 43, 2082–2098.
  73. Subhash, P.; Qayyum, M.; Mehernadh, K.; Sahit, K.J.; Varsha, C.L.; Hardeep, M.N. Risk assessment threat modelling using an integrated framework to enhance security. J. Theor. Appl. Inf. Technol. 2024, 102, 3857–3867.
  74. Jawhar, S.; Kimble, C.E.; Miller, J.R.; Bitar, Z. Enhancing Cyber Resilience with AI-Powered Cyber Insurance Risk Assessment. In Proceedings of the 2024 IEEE 14th Annual Computing and Communication Workshop and Conference (CCWC), Las Vegas, NV, USA, 8–10 January 2024; pp. 0435–0438.
  75. Chandra, N.A.; Ramli, K.; Ratna, A.A.P.; Gunawan, T.S. Information Security Risk Assessment Using Situational Awareness Frameworks and Application Tools. Risks 2022, 10, 165.
  76. Supriyadi, Y.; Hardani, C.W. Information system risk scenario using COBIT 5 for risk and NIST SP 800-30 Rev. 1 a case study. In Proceedings of the 2018 3rd International Conference on Information Technology, Information System and Electrical Engineering (ICITISEE), Yogyakarta, Indonesia, 13–14 November 2018; pp. 287–291.
  77. Wangen, G. Information Security Risk Assessment: A Method Comparison. Computer 2017, 50, 52–61.
  78. Kiran, K.; Reddy, L.; Haritha, N.L. A comparative analysis on risk assessment information security models. Int. J. Comput. Appl. 2013, 82, 41–47.
  79. Abbass, W.; Baina, A.; Bellafkih, M. Using EBIOS for risk management in critical information infrastructure. In Proceedings of the 2015 5th World Congress on Information and Communication Technologies (WICT), Marrakech, Morocco, 14–16 December 2015; pp. 107–112.
  80. Mullerova, J.; Nemec, V. Risk assessment RM/RA CRAMM–quantitative method for environmental, technology and social threats. In Proceedings of the International Multidisciplinary Scientific GeoConference: SGEM, Albena, Bulgaria, 28 June–6 July 2019; Volume 19, pp. 279–285.
  81. Kim, H.J. Three Approaches to Risk Management in the Cloud. Inf. Resour. Manag. J. (IRMJ) 2022, 35, 1–12.
Figure 1. Taxonomy of the related works and scope of information security risk management.
Figure 2. ISO/IEC 27005 Information Security Risk Management [16].
Figure 3. NIST Risk Assessment Activities.
Figure 4. High-level structure of CRAMM.
Table 1. Risk management and SDLC phases.

| SDLC Phases | Phase Characteristics | RMA Support |
|---|---|---|
| Phase 1: Initiation | An IT system is deemed necessary, and the goal and scope of the IT system are defined. | The identified dangers aid in the formulation of the system requirements. |
| Phase 2: Development or Acquisition | Design, procurement, development of programming, or other construction of the information technology system. | The hazards found during this phase can be utilized to help with the IT system’s security analysis. |
| Phase 3: Implementation | Configuration, enablement, testing, and verification of system security features are required. | System implementation is evaluated against its specifications and within a modeled operating environment using the risk management method. |
| Phase 4: Operation and Maintenance | The system goes about its business. Adding hardware and software to the system is a common practice for system modifications. | Periodic system reauthorization (or reaccreditation) or substantial modifications to an IT system necessitate risk management actions. |
| Phase 5: Disposal | This step may include the disposal of data, hardware, and software. | System components that will be discarded or replaced will have risk management actions carried out to guarantee that old hardware and software are disposed of correctly. |
Table 2. Prior work regarding control assessment methods.
Table 2. Prior work regarding control assessment methods.
Ref.ModelResults
[75] ISO/IEC 27005: This standard offers a comprehensive structure for handling and mitigating information security risks. Its main focus is the identification, assessment, and treatment of risks in order to establish effective information security practices within organizations. Despite its widespread acceptance, the framework contains many detailed requirements that can be difficult to implement without the help of concrete examples.
[76] NIST SP 800-30: NIST SP 800-30 provides a rigorous approach to information technology risk management. Its risk assessment, mitigation, and monitoring steps show why an IT-specific risk management plan is needed. Its many detailed processes require expertise to carry out.
[77] OCTAVE: The OCTAVE method addresses risks inside organizations by conducting an Operationally Critical Threat, Asset, and Vulnerability Evaluation. The methodology covers identifying assets, profiling potential threats, and developing protection plans. Its qualitative approach may not yield explicit, organization-specific rules.
[78] IRAM: The Information Risk Assessment Methodology (IRAM) is a risk assessment technique proposed by the Information Security Forum. It links security measures to the organization’s goals. Its generalizability may be limited by its heavy reliance on expert opinion and organizational context.
[79] EBIOS: EBIOS offers a thorough method for identifying and evaluating security requirements. It is widely used in French enterprises and government, providing a methodical approach to managing security threats. However, it often prioritizes broad assessments over a detailed and specific methodology.
[80,81] CRAMM: The CRAMM technique provides a comprehensive strategy for managing information security risks through statistical and analytical tools. The technique offers a well-organized path to a strong security system through thorough analysis and effective risk management techniques.
[64] SDEA: This methodology applies statistical experimental design to risk management, offering a quantitative structure for assessing and reducing risks. Its risk management strategy integrates statistical and qualitative methods to provide a comprehensive analysis.
[62] McEM: This approach assesses information security measures against several criteria in order to balance competing factors and reach optimal security management. It provides a systematic method for decision-making when implementing security controls.
[68] CIAM: CIAM is a systematic, data-driven approach for selecting and ranking security measures. Its main objective is to assess the effectiveness of controls and prioritize high-priority threats in order to improve overall security.
SDEA: Statistical Design of Experiments Approach; McEM: A Multi-Criteria Evaluation Method.
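The table above contrasts qualitative frameworks with multi-criteria and data-driven ones (McEM, CIAM) that rank controls against several factors. The following Python script is an added illustration of that idea and is not an implementation of any model from the paper or its references: it scores a constructed risk register on a semi-quantitative likelihood-by-impact scale, estimates how much each candidate control reduces the register, and ranks controls with weighted criteria (risk reduction, implementation cost, operational effort). All risks, controls, scales, fractions and weights are constructed sample values, and the function and field names are the author's own.

```python
"""Weighted multi-criteria prioritization of security controls (constructed example)."""
from dataclasses import dataclass

# Constructed 1..5 semi-quantitative scales; risk score = likelihood * impact.
LIKELIHOOD = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}
IMPACT = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}


@dataclass
class Risk:
    rid: str
    asset: str
    threat: str
    likelihood: str
    impact: str

    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


@dataclass
class Control:
    cid: str
    name: str
    cost: float        # relative implementation cost on a 1..5 scale
    effort: float      # ongoing operational effort on a 1..5 scale
    reduction: dict    # risk id -> fraction (0..1) of that risk's score the control removes


# Constructed sample register: four risks, four candidate controls.
SAMPLE_RISKS = [
    Risk("R1", "customer database", "ransomware", "high", "very high"),   # 4*5 = 20
    Risk("R2", "web portal", "credential stuffing", "moderate", "high"),   # 3*4 = 12
    Risk("R3", "field laptops", "loss or theft", "high", "moderate"),     # 4*3 = 12
    Risk("R4", "backup server", "insider misuse", "low", "high"),         # 2*4 = 8
]
SAMPLE_CONTROLS = [
    Control("C1", "offline immutable backups", 3, 2, {"R1": 0.6, "R4": 0.3}),
    Control("C2", "MFA on the web portal", 2, 2, {"R2": 0.8, "R4": 0.4}),
    Control("C3", "full-disk encryption on laptops", 2, 1, {"R3": 0.9}),
    Control("C4", "endpoint detection and response rollout", 5, 4, {"R1": 0.5, "R3": 0.2}),
]
DEFAULT_WEIGHTS = {"reduction": 0.6, "cost": 0.25, "effort": 0.15}


def risk_reduction(control: Control, risks: list) -> float:
    """Total risk-score points the control removes across the register."""
    by_id = {r.rid: r for r in risks}
    return sum(by_id[rid].score() * frac
               for rid, frac in control.reduction.items() if rid in by_id)


def prioritize(controls: list, risks: list, weights: dict) -> list:
    """Return [(control id, composite score), ...] sorted best first.

    Risk reduction is normalised against the best candidate (benefit, counted
    positively); cost and effort are mapped from 1..5 to 0..1 (penalties,
    counted negatively). Weights are expected to sum to 1.
    """
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("criterion weights must sum to 1")
    reductions = {c.cid: risk_reduction(c, risks) for c in controls}
    best = max(reductions.values()) or 1.0
    rows = []
    for c in controls:
        benefit = reductions[c.cid] / best
        composite = (weights["reduction"] * benefit
                     - weights["cost"] * (c.cost - 1) / 4
                     - weights["effort"] * (c.effort - 1) / 4)
        rows.append((c.cid, composite))
    return sorted(rows, key=lambda t: t[1], reverse=True)


def ranked_ids(weights: dict) -> list:
    """Control ids in priority order for the sample register under the given weights."""
    return [cid for cid, _ in prioritize(SAMPLE_CONTROLS, SAMPLE_RISKS, weights)]


if __name__ == "__main__":
    # Same register, two weightings: the ordering changes, which is exactly the
    # sensitivity to subjective input that standardized guidelines aim to reduce.
    for w in (DEFAULT_WEIGHTS, {"reduction": 0.4, "cost": 0.4, "effort": 0.2}):
        print(w)
        for cid, s in prioritize(SAMPLE_CONTROLS, SAMPLE_RISKS, w):
            print(f"  {cid}: {s:.3f}")
```

Running the script with the two weightings shows the ranking flip between the backup control and the MFA control once cost is weighted as heavily as risk reduction; the point is that the rank order is only as defensible as the documented scales, fractions and weights that produced it, so an assessment should record them alongside the result.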
Alsafwani, N.; Fazea, Y.; Alnajjar, F. Strategic Approaches in Network Communication and Information Security Risk Assessment. Information 2024, 15, 353. https://doi.org/10.3390/info15060353