Title of article :
A Comparative Study of Risk Assessment Methodologies for Information Systems
Author/Authors :
Pandey, S. K. (Institute of Chartered Accountants of India, Department of Information Technology, India); Mustafa, K. (Jamia Millia Islamia, Department of Computer Science, India)
Abstract :
In today's highly vulnerable world, information systems are subjected to greater risks than ever before. As a result, the responsible officials should be in a position to identify the risks an organization faces, and its management policies have to manage those risks effectively. Risk assessment is currently used as a key technique for managing the security of information systems. The literature reveals various information security risk assessment methods that organizations can implement, each taking a different approach to assessing information security risks. Organizations find it difficult to select an information security risk assessment method; therefore, there is a need for a critical review of the existing risk assessment methodologies. This paper presents a brief discussion of the top risk assessment methodologies, particularly COBRA, CORAS, CRAMM, OCTAVE, SOMAP, and the NIST Guide, along with their strengths and weaknesses. A comparative study is then carried out on the basis of the review results. The weaknesses section may also suggest further research directions. This work provides an evaluation to determine whether an information security risk assessment method is in line with information technology governance. The paper will help senior IT personnel make recommendations for using a risk assessment methodology based on the specific requirements of an organization.
Keywords :
Risk Assessment, Review of Risk Assessment Methodologies, Information Security, Comparative Study of Risk Assessment Methodologies
Journal title :
Bulletin Of Electrical Engineering and Informatics