Abstract

Risk assessment in the insurance and financial industries uses processes and empirical data created specifically for their needs. The risk assessment processes used in IT and information security (InfoSec) risk management do not work as well. The processes for risk assessment used in IT and InfoSec are either taken wholesale from these or other disciplines, and the empirical data that is available is either inadequate or nonexistent.

Why then do IT and InfoSec practitioners need to assess risk? In most cases it is done to validate a risk control strategy or to justify the expense of a risk control regime. The dominant practice at this time is to express a risk-based assessment in the trappings of a cost-benefit analysis using the best tools at hand. This is often not an adequate response.

One noted authority in the area of information security (Parker, 2005) has proposed an alternative approach. He proposes that a three-pronged approach of due diligence, compliance, and a philosophy of business enablement can replace the current reliance on risk-based justification. This paper describes some of the deficiencies in the risk-based methodology currently in wide use in the field of IT risk assessment and then describes how alternative approaches, such as Parker's, can work. Evidence showing some support for this approach has been drawn from a small-scale survey of current practitioners.
