{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,2]],"date-time":"2026-02-02T23:36:53Z","timestamp":1770075413298,"version":"3.49.0"},"reference-count":14,"publisher":"Emerald","issue":"1","license":[{"start":{"date-parts":[[2007,2,27]],"date-time":"2007-02-27T00:00:00Z","timestamp":1172534400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2007,2,27]]},"abstract":"<jats:sec><jats:title content-type=\"abstract-heading\">Purpose<\/jats:title><jats:p>This paper seeks to present a conceptual modeling approach, which is new in the domain of information systems security risk assessment.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Design\/methodology\/approach<\/jats:title><jats:p>The approach is helpful for performing means\u2010end analysis, thereby uncovering the structural origin of security risks in information systems, and how the root\u2010causes of such risks can be controlled from the early stages of the projects.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Findings<\/jats:title><jats:p>Though some attempts have previously been made to model security risk assessment in information systems using conventional modeling techniques such as data flow diagrams and UML, the previous works have analyzed and modeled the same just by addressing \u201cwhat\u201d a process is like. However, they do not address \u201cwhy\u201d the process is the way it is.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Originality\/value<\/jats:title><jats:p>The approach addresses the limitation of the existing security risk assessment models by exploring the strategic dependencies between the actors of a system and analyzing the motivations, intents and rationales behind the different entities and activities constituting the system.<\/jats:p><\/jats:sec>","DOI":"10.1108\/09685220710738787","type":"journal-article","created":{"date-parts":[[2007,3,9]],"date-time":"2007-03-09T03:35:50Z","timestamp":1173411350000},"page":"64-77","source":"Crossref","is-referenced-by-count":14,"title":["A strategic modeling technique for information security risk assessment"],"prefix":"10.1108","volume":"15","author":[{"given":"Subhas C.","family":"Misra","sequence":"first","affiliation":[]},{"given":"Vinod","family":"Kumar","sequence":"additional","affiliation":[]},{"given":"Uma","family":"Kumar","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"key":"key2022021720423434600_b1","unstructured":"Aagedal, J.O., Braber, F.D., Dimitrakos, T., Gran, B.A., Raptis, D. and Stolen, K. (2002), \u201cModel\u2010based risk assessment to improve enterprise security\u201d, Proceedings of the Fifth International Enterprise Distributed Object Computing Conference (EDOC 2002), Lausanne, Switzerland, 17\u201020, September."},{"key":"key2022021720423434600_b2","unstructured":"Barber, B. and Davey, J. (1992), \u201cThe use of the CCTA risk analysis and management methodology (CRAMM) in health information systems\u201d, Medinfo 92, North Holland, Amsterdam, pp. 1589\u201093."},{"key":"key2022021720423434600_b3","doi-asserted-by":"crossref","unstructured":"Chung, L., Nixon, B.A., Yu, E. and Mylopoulos, J. (2000), Non\u2010Functional Requirements in Software Engineering, Kluwer Academic Publishers, Dordrecht.","DOI":"10.1007\/978-1-4615-5269-7"},{"key":"key2022021720423434600_b4","unstructured":"Common Criteria Organization (2002), \u201cCommon criteria for information technology security evaluation\u201d, available at: www.commoncriteria.org (accessed 2004)."},{"key":"key2022021720423434600_b5","unstructured":"Control Objectives for Information and Related Technology (2002), COBIT, available at: www.isaca.org\/ct\u2010denld.htm."},{"key":"key2022021720423434600_b6","doi-asserted-by":"crossref","unstructured":"Donzelli, P. and Bresciani, P. (2003), \u201cAn agent\u2010based requirements engineering framework for complex socio\u2010technical systems\u201d, Proceedings of SELMAS 2003, Portland, Oregon, USA.","DOI":"10.1007\/978-3-540-25943-5_11"},{"key":"key2022021720423434600_b7","doi-asserted-by":"crossref","unstructured":"Dubois, E., Yu, E. and Petit, M. (1998), \u201cFrom early to late formal requirements: a process control case study\u201d, Proc. 9th International Workshop on Software Specification and Design, Ise\u2010Shima, Japan, 16\u201018 April, pp. 34\u201042.","DOI":"10.1109\/IWSSD.1998.667917"},{"key":"key2022021720423434600_b8","unstructured":"Gans, G., Jarke, M., Kethers, S., Lakemeyer, G., Ellrich, L., Funken, C. and Meister, M. (2001), \u201cRequirements modeling for organization networks: a (dis)trust\u2010based approach\u201d, Proceedings of the 5th IEEE International Symposium on Requirements Engineering, Toronto."},{"key":"key2022021720423434600_b9","unstructured":"Mouratidis, H., Giorgini, P., Manson, G. and Philip, I. (2002), \u201cA natural extension of tropos methodology for modeling security\u201d, Proceedings of the Agent Oriented Methodologies Workshop (OOPSLA 2002), Seattle\u2010USA, November."},{"key":"key2022021720423434600_b10","unstructured":"Reactive System Design Support (2002), RSDS, available at: www.kcl.ac.uk."},{"key":"key2022021720423434600_b11","unstructured":"Schechter, S.E. (2004), \u201cComputer security and risk: a quantitative approach\u201d, PhD thesis, Computer Science, Harvard University, Cambridge, MA."},{"key":"key2022021720423434600_b12","unstructured":"Standards Australia (1999), AS\/NZS 4360: Risk Management. Standards Australia, Standard, AS\/NZS 4360."},{"key":"key2022021720423434600_b13","doi-asserted-by":"crossref","unstructured":"Sutcliffe, A.G. and Minocha, S. (1999), \u201cLinking business modeling to socio\u2010technical system design\u201d, Proceedings of CaiSE'99, pp. 73\u201087.","DOI":"10.1007\/3-540-48738-7_7"},{"key":"key2022021720423434600_b14","unstructured":"Vraalsen, F., Braber, F.D., Hogganvik, I., Lund, S. and Stolen, K. (2004), \u201cThe CORAS tool\u2010supported methodology\u201d, SINTEF Report, Report No. STF90A04015, February, SINTEF ICT, Trondheim."}],"container-title":["Information Management &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/09685220710738787","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685220710738787\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685220710738787\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T00:09:01Z","timestamp":1753402141000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/15\/1\/64-77\/186802"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2007,2,27]]},"references-count":14,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2007,2,27]]}},"alternative-id":["10.1108\/09685220710738787"],"URL":"https:\/\/doi.org\/10.1108\/09685220710738787","relation":{},"ISSN":["0968-5227"],"issn-type":[{"value":"0968-5227","type":"print"}],"subject":[],"published":{"date-parts":[[2007,2,27]]}}}