{"title":"A Conceptual Model for Information Security Risk Considering Business Process Perspective","authors":"Eva Hariyanti, A. Djunaidy, D. Siahaan","doi":"10.1109/ICSTC.2018.8528678","DOIUrl":null,"url":null,"abstract":"Information security risk assessment (ISRA) and modeling has become a prominent topic in the last decade. ISRA methods have been developed by many researchers, showing that this issue is always on the lookout for review. Business process is a new perspective in ISRA domain. In this perspective, risk assessment is based on business processes rather than organization's assets. This research is aimed to conduct a systematic review of the ISRA model developed in recent years. Research papers from 2010 to 2017 were selected and examined in the context of information security risk assessment, modeling, and its relationship with business process management. In addition to the current taxonomy, new aspects were added to analyze these papers, i.e. risk context, adaptive ability, and model purpose. Based on analysis results, two research gaps in information security risk modeling were found. First, risk model should have comprehensive assessment method that considers vulnerability propagation and resource valuation in different resources level. Second, risk model should also be able to adapt to business process changes. 
In this paper, research challenges faced with respect to such issues are outlined and a new conceptual model for ISRA is proposed.","PeriodicalId":196768,"journal":{"name":"2018 4th International Conference on Science and Technology (ICST)","volume":"306 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2018-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"8","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2018 4th International Conference on Science and Technology (ICST)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICSTC.2018.8528678","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 8
Abstract
Information security risk assessment (ISRA) and modeling have become a prominent topic in the last decade. ISRA methods have been developed by many researchers, showing that this issue is continually under review. The business process is a new perspective in the ISRA domain. In this perspective, risk assessment is based on business processes rather than the organization's assets. This research aims to conduct a systematic review of the ISRA models developed in recent years. Research papers from 2010 to 2017 were selected and examined in the context of information security risk assessment, modeling, and its relationship with business process management. In addition to the current taxonomy, new aspects were added to analyze these papers, i.e. risk context, adaptive ability, and model purpose. Based on the analysis results, two research gaps in information security risk modeling were found. First, a risk model should have a comprehensive assessment method that considers vulnerability propagation and resource valuation at different resource levels. Second, a risk model should also be able to adapt to business process changes. In this paper, the research challenges faced with respect to such issues are outlined and a new conceptual model for ISRA is proposed.