Abstract

Purpose: This study aims to address the issue of practicing information security risk assessment (ISRA) on cloud solutions by studying municipalities and large organizations in Sweden.

Design/methodology/approach: Four large organizations and five municipalities that use cloud services and conduct ISRA as part of their information security risk management practices were studied. Data were gathered qualitatively to answer the study's research question: How is ISRA practiced on the cloud? The Coat Hanger model was used as a theoretical lens to study and theorize the practices.

Findings: The results showed that the organizations aimed to follow guidelines, in the form of frameworks or their own experience, to conduct ISRA; furthermore, the frameworks were altered to fit the organizations' needs. The results further indicated that one of the main concerns with cloud ISRA was the absence of a culture that integrates risk management. Finally, the findings also stressed the importance of a good understanding and a well-written legal contract between the cloud providers and the organizations using the cloud services.

Originality/value: As opposed to previous research, which was more inclined to try out and evaluate various cloud ISRA methods, this study provides insights into the practice of cloud ISRA as experienced by the organizations. It represents the first attempt to investigate the cloud ISRA that organizations practice in managing their information security.

Highlights

  • Cloud solutions have been firmly embedded into the fabric of many organizations.

  • Rationale: according to the experts, the rationale for conducting information security risk assessment (ISRA) in the cloud can be divided into two general categories: complying with external regulations and following internal information security risk management (ISRM) frameworks.

  • External requirements are a driving force for conducting ISRA. Such an assessment usually deals with critical practices that start with questions such as "is this information critical to the business?" and "does it require protection?" In this regard, the cloud provider's compliance with various laws is also considered.


Summary

Introduction

Research shows steady and remarkable growth in the implementation of cloud solutions (Paxton, 2016), owing to the benefits they bring in areas such as cloud storage, enterprise cloud and mobile cloud. Risk is defined as the possibility of a compromising event occurring that will impact the information system (IS). Risk is measured in terms of consequence (or impact) and the likelihood of the event. In this regard, a well-constructed risk assessment approach is a strategic tool for management decisions. No ISRA method is complete in itself, and tweaking and adapting the methods to the organization is a common activity.
