{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,14]],"date-time":"2025-10-14T11:08:37Z","timestamp":1760440117905,"version":"3.41.2"},"reference-count":18,"publisher":"Emerald","issue":"4","license":[{"start":{"date-parts":[[1996,10,1]],"date-time":"1996-10-01T00:00:00Z","timestamp":844128000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[1996,10,1]]},"abstract":"<jats:p>A risk assessment method is used to carry out a risk assessment for an organization\u2019s information security. Currently, there are many risk assessment methods from which to choose, each exhibiting a variety of problems. For example, methods may take a long time to perform, may rely on subjective estimates for the security input data, may rely heavily on quantification of financial loss due to vulnerability, or may be costly to purchase and use. Discusses requirements for an ideal risk assessment method, and develops and evaluates factors to be considered in the selection method. Empirical research was carried out at two large, Australian organizations, in order to determine and validate factors. These factors should be of use to organizations in the evaluation, selection or development of a risk assessment method. Interesting conclusions are drawn about decision making in organizational information security.<\/jats:p>","DOI":"10.1108\/09685229610130503","type":"journal-article","created":{"date-parts":[[2002,7,27]],"date-time":"2002-07-27T02:08:10Z","timestamp":1027735690000},"page":"20-25","source":"Crossref","is-referenced-by-count":35,"title":["Factors in the selection of a risk assessment method"],"prefix":"10.1108","volume":"4","author":[{"given":"Sharman","family":"Lichtenstein","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"140","reference":[{"key":"key2022021119524561200_b1","unstructured":"1Anderson, A.M., \u201cComparing risk analysis methodologies\u201d, Proceedings of the IFIP TC11 Seventh International Conference on Information Security, North Holland, New York, NY, Amsterdam, 1991, pp. 301\u201011."},{"key":"key2022021119524561200_b2","doi-asserted-by":"crossref","unstructured":"2Bodeau, D.J., \u201cA conceptual model for computer security risk analysis\u201d, Proceedings of Eighth Annual Computer Security Applications Conference, IEEE Computer Society Press, Los Alamitos, CA, 1992, pp. 56\u201063.","DOI":"10.1109\/CSAC.1992.228233"},{"key":"key2022021119524561200_b3","doi-asserted-by":"crossref","unstructured":"3Baskerville, R., \u201cInformation systems security design methods: implications for information systems development\u201d, ACM Computing Surveys, Vol. 25 No. 4, 1993, pp. 373\u2010414.","DOI":"10.1145\/162124.162127"},{"key":"key2022021119524561200_b4","unstructured":"4Anderson, A.M., \u201cThe risk data repository: a novel approach to security risk modelling\u201d, Proceedings of the IFIP TCII Seventh International Conference on Information Security, North Holland, New York, NY, Amsterdam, 1993, pp. 185\u201094."},{"key":"key2022021119524561200_b5","doi-asserted-by":"crossref","unstructured":"5Baskerville, R., \u201cRisk analysis as a source of professional knowledge\u201d, Computers & Security, Vol. 10 No. 8, 1991.","DOI":"10.1016\/0167-4048(91)90094-T"},{"key":"key2022021119524561200_b6","unstructured":"6Birch, D.G.W., \u201cAn information driven approach to network security\u201d, Second International Conference on Private Switching Systems and Networks, Institution of Electrical Engineers, London, 1992."},{"key":"key2022021119524561200_b7","unstructured":"7Caelli, W., Longley, D. and Shain, M., Information Security Handbook, Macmillan, Basingstoke, 1991."},{"key":"key2022021119524561200_b8","unstructured":"8Clark, R., \u201cRisk management \u2010 a new approach\u201d, Proceedings of the Fourth IFIP TCII International Conference on Computer Security, North Holland, New York, NY, Amsterdam, 1989."},{"key":"key2022021119524561200_b9","unstructured":"9Garrabrants, W.M., Ellis, A.W.III, Hoffman, L.J. and Kamel, M., \u201cCERTS: a comparative evaluation method for risk management methodologies and tools\u201d, Sixth Annual Computer Security Conference, IEEE Computer Society Press, Los Alamitos, CA, 1990."},{"key":"key2022021119524561200_b10","doi-asserted-by":"crossref","unstructured":"10Katzke, S.W., \u201cA government perspective on risk management of automated information systems\u201d, Proceedings of the 1988 Computer Security Risk Management Model Builders Workshop, 1987, pp. 3\u201020.","DOI":"10.1016\/0267-3649(88)90039-8"},{"key":"key2022021119524561200_b11","doi-asserted-by":"crossref","unstructured":"11Birch, D.G.W. and McEvoy, N.A., \u201cRisk analysis for information systems\u201d, Journal of Information Technology, Vol. 7 No. 1, 1992.","DOI":"10.1177\/026839629200700107"},{"key":"key2022021119524561200_b12","unstructured":"12Moses, R., \u201cA European standard for risk analysis\u201d, Proceedings of COMPSEC International, Elsevier, Oxford, 1993."},{"key":"key2022021119524561200_b13","doi-asserted-by":"crossref","unstructured":"13Eloff, J.H.P., Labuschagne, L. and Badenhorst, K.P., \u201cA comparative framework for risk analysis methods\u201d, Computers & Security, Vol. 12 No. 6, 1993.","DOI":"10.1016\/0167-4048(93)90056-B"},{"key":"key2022021119524561200_b14","unstructured":"14FIPS 79, Guideline for Automatic Data Processing Risk Analysis, FIPS PUB 65, National Bureau of Standards, US Department of Commerce, 1979."},{"key":"key2022021119524561200_b15","unstructured":"15Mayerfeld, H.T., \u201cFramework for risk management: a synthesis of the working group reports\u201d, First Computer Security Risk Management Model Builders Workshop, NIST, Gaithersburg, MD, 1989."},{"key":"key2022021119524561200_b16","unstructured":"16Saltmarsh, T.J. and Browne, P.S., \u201cData processing \u2010 risk assessment\u201d, Advances in Computer Security Management, Vol. 2, 1983."},{"key":"key2022021119524561200_b17","unstructured":"17Wong, K. and Watt, W., Managing Information Security: A Non\u2010technical Management Guide, Elsevier Advanced Technology, Amsterdam, 1990."},{"key":"key2022021119524561200_b18","doi-asserted-by":"crossref","unstructured":"18Bennett, S.P. and Kailay, M.P., \u201cAn application of qualitative risk analysis to computer security for the commercial sector\u201d, Proceedings of the Eighth Annual Computer Security Applications Conference, IEEE Computer Society Press, Los Alamitos, CA, 1992, pp. 64\u201073.","DOI":"10.1109\/CSAC.1992.228232"}],"container-title":["Information Management &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/09685229610130503","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685229610130503\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685229610130503\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T00:09:41Z","timestamp":1753402181000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/4\/4\/20-25\/390684"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[1996,10,1]]},"references-count":18,"journal-issue":{"issue":"4","published-print":{"date-parts":[[1996,10,1]]}},"alternative-id":["10.1108\/09685229610130503"],"URL":"https:\/\/doi.org\/10.1108\/09685229610130503","relation":{},"ISSN":["0968-5227"],"issn-type":[{"type":"print","value":"0968-5227"}],"subject":[],"published":{"date-parts":[[1996,10,1]]}}}