An Investigation and Evaluation of Risk Assessment Methods in Information systems

Type

Master Thesis

Abstract

As technology develops and the information society becomes ever more prevalent, information systems are involved in almost every aspect of people’s lives. One recent example is the emerging concept of the “Internet of Things”, which tries to solve almost everything with networks and technology. Along with the convenience and benefits that technology brings, risks follow and threaten the environment we enjoy. Big dramas such as Wikileaks, the NSA and Snowden should make us more alert to the security issues and risks that we might encounter with information systems. In order to foresee potential risks, predict the consequences and prepare possible countermeasures, an exhaustive review of the risk assessment mechanisms we have today is needed. There are mainly three existing risk assessment methods: the quantitative approach, the qualitative approach and the combined approach. This thesis surveys existing risk assessment methods (8 management tools, 2 technical tools, and 9 basic methods). It performs a comprehensive analysis and comparison of the different approaches, which involves reconstructing and grouping the surveyed methods according to their important factors, processing methods, and application environment. The weaknesses and benefits of the surveyed methods are discussed, and a risk assessment classification framework is proposed for risk assessment decision making or other related scenarios. Further, a systematic method is presented as an elaborate solution in the risk assessment field. Finally, the result of the study is considered in the broad picture of risk assessment process design and implementation.

Keywords

Information & Communication Technology, Computer and Information Science
