
Information Security Risk Management: A Systematic Literature Review

Journal of Information System Security
Volume 15, Number 3 (2019)
Pages 161-184
ISSN 1551-0123
Sérgio Nunes — ISEG, Universidade de Lisboa, Portugal
Information Institute Publishing, Washington DC, USA
Risk management can help close the communication gap between top management and information security specialists. The technical jargon of information security must be translated into a language that top management can understand and act on. This research presents a systematic literature review of information security risk management. It consolidates and classifies the body of knowledge of information security risk management across multiple dimensions and identifies gaps for further research.
Keywords: Information Security, Risk Management, Cyber Risk