Factors in the selection of a risk assessment method
Abstract
Risk assessment is a fundamental decision-making process in the development of information security, resulting in the selection of appropriate safeguards for an information system. It is a two-stage process. In the first stage, a risk analysis process defines the scope of the risk assessment, identifies information resources (assets), and determines and prioritizes risks to the assets. In the second stage, a risk management process makes decisions to control unacceptable risks; a decision may be to transfer a risk (for example, via insurance), to ignore a risk, or to reduce a risk through the selection of appropriate safeguards. Risk assessments also fulfil other roles, including engaging management in information security decision-making and enabling the definition and refinement of security policy. Formal and comprehensive risk assessment methods are essential for the direction and control of data collection and data interpretation, for the provision of defined deliverables, and generally to underpin the risk assessment process with a phased framework [1]. Each method is based on an underlying risk model, which typically varies from one method to another. A risk model consists of a set of key concepts and terms [2], and references assets, threats, risks, impacts, safeguards, vulnerabilities and the relationships between them. Risk assessment methods are usually classified as quantitative or qualitative. Qualitative methods produce descriptive estimates of risk – for example, “very high” risk – whereas quantitative methods produce numeric exposure estimates, often measured in dollar terms – for example, as annual loss exposure. Many methods employ some degree of automation. Risk assessment methods have evolved over three generations [3]. First-generation methods are based on checklists of safeguards, which are checked for presence and recommended if absent. Second-generation methods determine information security requirements as a fundamental process within the method. Third-generation methods identify both logical and physical information security requirements. Formal risk assessment methods differ in a variety of ways, for example in their underlying risk models. Each method has its own peculiar set of problems, for example a dependence on subjective estimates of information security input data. Problems with current risk assessment methods are described by many authors [1, 4-9]. Organizations must frequently select or develop a risk assessment method, necessitating a comparison of many diverse and imperfect methods. This selection or development should be based both on an organization’s specific requirements and on a set of ideal requirements for a risk assessment method [10]. To choose a method, organizations consider and evaluate a set of factors for each candidate method against such requirements. This paper aims to specify a set of factors to be considered in the selection of a risk assessment method. It begins by describing a set of ideal requirements for a risk assessment method. Factors to be considered in the selection of a risk assessment method are then proposed and discussed. The paper presents and discusses empirical results obtained from testing the factors in two large Australian organizations. A conclusion evaluates the research results and gives directions for future research.
Similar resources
Presenting a model for assessing the risk of welding cracks using the FBWM method
One of the most dangerous industries is welding and inspection. Risk assessment is a rational procedure for determining the probable repercussions of prospective incidents on people, materials, equipment, and the environment. The risk assessment identifies the efficacy of selected control mechanisms and offers essential data for risk reduction, risk management, control system enhancement, and r...
Presenting a software method for applying risk assessment to the optimization of building fire protection measures
Background and aims: The property loss and physical injuries due to fire events in buildings demonstrate the necessity of implementation of efficient and performance based fire safety measures. Effective and high efficiency protection is possible when design and selection of protection measures are based on risk assessment. This study aims at presenting a software method to make possible sele...
Developing a model of influential factors for fraud risk assessment in Iran
Trust among traders is one of the bases of markets mechanism and fraud damages existing trust. Therefore, the deleterious impact of fraud on societies and companies is obvious. When fraud occurs, the society expects auditors to detect and report fraud. Therefore, the role of auditors in countering fraud has become increasingly significant. To detect fraud, auditors need to perform a high-qualit...
Ergonomic Assessment of Musculoskeletal Disorders' Risk Factors in Construction Workers Using Cornell Questionnaire and WERA Method
Introduction: With regard to high prevalence of musculoskeletal disorders in the construction industry workers, the aim of this study was to investigate the prevalence of musculoskeletal disorders and their relevant risk factors in workers of a construction factory. Methods: This descriptive-analytical cross-sectional study was conducted in 2019. In this regard, 150 workers were selected from ...
Postural Ergonomic Risk Assessment (PERA) in the Workers of the Automobile Parts Assembly Line: A New Observational Method for the Cube Model
Assembly lines are associated with health risk and musculoskeletal disorders, particularly in the upper limbs. The aim of this study was to analyze three risk factors of posture, duration and force by using the postural ergonomic risk assessment (PERA) method in the workers of the assembly unit of automobile parts. Material and Methods: This descriptive cross-sectional study was conducted in th...
Journal title: Inf. Manag. Comput. Security
Volume 4, Issue:
Pages: -
Publication date: 1996