Consideration of Opportunity and Human Factor: Required Paradigm Shift for Information Security Risk Management

Abstract

Most of the existing Risk Analysis and Management Methods (RAMMs) focus on threat without taking account of the available opportunity to an entity. Besides, human aspects are not often given much importance in these methods. These issues create a considerable drawback as the available opportunities to an entity (organization, system, etc.) might go unnoticed which might hamper the entity from achieving its objectives. Moreover, understanding the motives of humans play an important role in guiding the risk analysis. This paper reviews several existing RAMMs to highlight the above issues and provides reasoning as to emphasize the importance of these two issues in information security management. From the analysis of the selected methods, we identified that a majority of the methods acknowledge only threat and the consideration of human factors have not been reflected. Although, the issues are not new, these still remain open and the field of risk management needs to be directed towards addressing them. The review is expected to be helpful both to the researchers and practitioners in providing relevant information to consider these issues for further improving the existing RAMMs or when developing new methods.