Information security risk assessment has emerged as the primary means by which organizations secure information infrastructure. A number of risk management standards and methodologies, such as the AS/NZS 4360 and HB231 provide organizations with guidance on developing a risk assessment process. However, while there exists such high-level guidance, there is correspondingly little literature on the practice of conducting risk assessments. This paper presents the results of a case study undertaken as part of a larger investigation that examines the information security risk assessment processes implemented by organizations as well as the reasons for adopting them. This research finds that organizations apply the high-level generic methodology outlined in the AS/NZS 4360 risk management standard due to a perceived ease of use. This research also finds that organizations simplify the risk methodology for the purposes of broad application across the organization. The process of simplification is achieved at the expense of the granularity of detail thereby reducing the depth at which the methodology is applied. The resulting outcome is a risk assessment methodology that no longer reflects the comprehensive nature of the original standard.

ASIS International. (2002). The General Security Risk Assessment Guidelines, ASIS

International, Alexandria, Virginia, USA.

AS/NZS 4360. (1999). Risk management, Sydney, Australia/ Wellington, New

Zealand. Standards Australia/ Standards New Zealand.

AS/NZS ISO/IEC 17799. (2001). Information technology - Code of practice for

information security management, Sydney, Australia/ Wellington, New Zealand. Standards

Australia/ Standards New Zealand.

Bandyopadhyay, K., Mykytyn, P.P. and Mykytyn, K. (1999). 'A framework for integrated

risk management in information technology', Management Decision, 37 (5): pp.437-444.

Cavaye, A. (1996). 'Case Study Research: a multifaceted research approach for IS,

Information Systems Journal, 6: p.227-242.

Frosdick, S. (1997). 'The techniques of risk analysis are insufficient in themselves', Disaster Prevention and Management: An International Journal, 6 (3): pp.165-177.

Galliers, R.D. (1991). 'Choosing Information Systems Research Approaches' in Information Systems Research: Contemporary Approaches and Emergent Traditions, eds. H-E. Nissen, H.K. Klein and R.A. Hirschheim, Proc. IFIP TC8/WG8.2 Working Conference, Dec. 1990, North Holland.

Gerber, M. and von Solms, R. (2005). 'Management of risk in the information age', Computers and Security, 24: pp.16-30.

Halliday, S., Badenhorst, K., von Solms, R. (1996). 'A business approach to effective information technology risk analysis and management, Information Management and Computer Security, vol.4, no.1, pp.19-31.

HB 231. (2004). Information security risk management guidelines, Sydney, Australia/Wellington, New Zealand. Standards Australia/ Standards New Zealand.

KPMG. (2000). Risk Survey Report, KPMG, Canada.

Lichtenstein, S. (1996). 'Factors in the selection of a risk assessment method', Information Management and Computer Security, 4 (4): pp.20-25.

Neuman, W.L. (2003). Social Research Methods - Qualitative and Quantitative Approaches, Allyn and Bacon, United States of America.

Peltier, T. (2000). Information Security Risk Analysis, Auerbach Publications, United States of America.

Roper, C.A. (1999). Risk management for security professionals, Butterworth-Heinemann, United States of America.

Scott, J. (2002). Risk management survey, PricewaterhouseCoopers, United States of America.

Shanks, G., Rouse, A. and Arnott, D. (1993). 'A Review of Approaches in Research and Scholarship in Information Systems, Proceedings of the 4th Australian Conference on Information Systems, Brisbane, pp.29-44.

Thorn, M.E. (2001). 'Applications of technology and risk management', S.A.M. Advanced Management Journal, 66 (4): pp.4-14.

Vigilinx. (2001). Security Assessment Methodology, Vigilinx Digital Security Solutions, Parsippany, New Jersey, USA.

Visintine, V. (2003). An Introduction to Information Risk Assessment, SANS Institute.

Waring, A. and Glendon, A.I. (1998). Managing Risk, International Thomson Business Press, London, UK.

Whitman, M.E. and Mattord, H.J. (2005). Principles of Information Security, Thomson Course Technology, United States of America.