Title :
Information Systems Security Risk Assessment: Harmonization with International Accounting Standards
Author :
Munteanu, Adrian ; Fotache, Doina ; Dospinescu, Octavian
Author_Institution :
Fac. of Econ. & Bus. Adm., Alexandru Ioan Cuza Univ. of Iasi, Iasi, Romania
Abstract :
This paper emerges from research by (Alter, S. et al., 2004), (Dillard, K. et al., 2004), (Landoll, D.J., 2006) and (Soliman, K., 2006), and it draws on real-world examples to underline some limits of quantitative risk assessment. The paper is a case study and emphasizes that the theoretical formulas used in information security risk assessments do not contain the time dimension of the analysis. The article further develops findings published in our article Information Security Risk Assessment: The Qualitative versus Quantitative Dilemma (Soliman, K., 2006), as we agree that the risk of information system security may only be assessed or estimated but, in practice, cannot be measured accurately. A degree of trust should be associated with the assessment made by the security analyst. There are other elements that must be evaluated: the average time for threat identification, the average time for releasing technical procedures to reduce or accept the threat, and the average time necessary until the system becomes operational and the threat is eliminated. The value of loss is different at each of the three moments and should be estimated for each of them.
Keywords :
accounts data processing; information systems; security of data; information system security risk assessment; international accounting standard; threat acceptance; threat identification; threat reduction; trust; Communication system control; ISO standards; Information security; Information systems; Management information systems; Monitoring; NIST; Risk analysis; Risk management; Terminology; assets assessment; data source; information risk; information security; quantitative assessment; time dimension;
Conference_Title :
Computational Intelligence for Modelling Control & Automation, 2008 International Conference on
Conference_Location :
Vienna
Print_ISBN :
978-0-7695-3514-2
DOI :
10.1109/CIMCA.2008.26