{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,29]],"date-time":"2026-04-29T21:02:26Z","timestamp":1777496546179,"version":"3.51.4"},"reference-count":33,"publisher":"Emerald","issue":"4","license":[{"start":{"date-parts":[[2020,6,19]],"date-time":"2020-06-19T00:00:00Z","timestamp":1592524800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2020,6,19]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>This study aims to develop a framework for cybersecurity risk assessment in an organization. Existing cybersecurity frameworks are complex and implementation oriented. The framework can be systematically used to assess the strategic orientation of a firm with respect to its cybersecurity posture. The goal is to assist the top-management team with tailoring their decision-making about security investments while managing cyber risk at their organization.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>A thematic analysis of existing publications using content analysis techniques generates the initial set of keywords of significance. 
Additional factor analysis using the keywords provides us with a framework of five pillars, comprising prioritize, resource, implement, standardize and monitor (PRISM), for assessing a firm\u2019s strategic cybersecurity orientation.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>The primary contribution is the development of a novel PRISM framework, which enables cyber decision-makers to identify and operationalize a tailored approach to address risk management and cybersecurity problems. PRISM framework evaluation will help organizations identify and implement the most tailored risk management and cybersecurity approach applicable to their problem(s).<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>The new norm is for companies to realize that data stratification in cyberspace extends throughout their organizations, intertwining their need for cybersecurity within business operations. 
This paper fulfills an identified need to improve the ability of company leaders, such as CIOs and others, to address the growing problem of how organizations can better handle cyber threats by using an approach that is a methodology for cross-organization cybersecurity risk management.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-11-2018-0131","type":"journal-article","created":{"date-parts":[[2020,6,17]],"date-time":"2020-06-17T11:01:15Z","timestamp":1592391675000},"page":"591-625","source":"Crossref","is-referenced-by-count":30,"title":["PRISM: a strategic decision framework for cybersecurity risk assessment"],"prefix":"10.1108","volume":"28","author":[{"given":"Rajni","family":"Goel","sequence":"first","affiliation":[]},{"given":"Anupam","family":"Kumar","sequence":"additional","affiliation":[]},{"given":"James","family":"Haddow","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"issue":"1","key":"key2020100112345362900_ref001","first-page":"57","article-title":"A comparative study on information security risk analysis methods","volume":"12","year":"2017","journal-title":"Journal of Computers"},{"key":"key2020100112345362900_ref002","unstructured":"AIRMIC, Alarm, IRM (2010), \u201cA structured approach to enterprise risk management (ERM) and the requirements of ISO 31000\u201d, available at: www.theirm.org\/media\/886062\/ISO3100_doc.pdf"},{"key":"key2020100112345362900_ref003","doi-asserted-by":"crossref","first-page":"323","DOI":"10.1016\/j.cose.2017.09.011","article-title":"Improving risk assessment model of cyber security using fuzzy logic inference system","volume":"74","year":"2018","journal-title":"Computers and Security"},{"key":"key2020100112345362900_ref004","unstructured":"Andrews, C. (2016), \u201cFrom the inside out: creating a holistic cybersecurity strategy for government\u201d, GovLoop, December 2016. 
available at: www.govloop.com\/resources\/inside-creating-holistic-cybersecurity-strategy-government\/"},{"key":"key2020100112345362900_ref005","unstructured":"Bailey, T. Kaplan, J. and Rezek, C. (2014), \u201cWhy senior leaders are the front line against cyberattacks\u201d, McKinsey Digital, June 2014. available at: www.mckinsey.com\/business-functions\/digital-McKinsey\/our-insights\/why-senior-leaders-are-the-front-line-against-cyberattacks"},{"key":"key2020100112345362900_ref006","unstructured":"Cambridge Centre for Risk Studies (2018), \u201cGlobal risk outlook for 2018\u201d, Cambridge Centre for Risk Studies. available at: www.jbs.cam.ac.uk\/fileadmin\/user_upload\/research\/centres\/risk\/downloads\/crs-cyber-risk-outlook-2018.pdf"},{"key":"key2020100112345362900_ref007","unstructured":"Chenok, D. and Lainhart, J. (2014), \u201cAchieving cost-effective, mission-based cybersecurity: using risk management and analytics to manage vulnerabilities and threats\u201d, IBM Center for The Business of Government, March 2014. available at: www.businessofgovernment.org\/blog\/business-government\/achieving-cost-effective-mission-based-cybersecurity-using-risk-management"},{"key":"key2020100112345362900_ref008","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1016\/j.cose.2015.09.009","article-title":"A review of cyber security risk assessment methods for SCADA systems","volume":"56","year":"2016","journal-title":"Computers and Security"},{"key":"key2020100112345362900_ref009","unstructured":"Deloitte (2014), \u201cNIST cyber security framework: 4 steps for CIOs\u201d, CIO Journal, January 2014. 
available at: https:\/\/deloitte.wsj.com\/cio\/2014\/01\/14\/nist-cyber-security-framework-4-steps-cios-can-take-now\/"},{"key":"key2020100112345362900_ref010","first-page":"1","article-title":"Aurum: a framework for information security risk management","volume-title":"2009 42nd HI International Conference on System Sciences","year":"2009"},{"key":"key2020100112345362900_ref011","unstructured":"Elky, S. (2007), \u201cAn introduction to information system risk management, SANS institute\u201d, available at: www.sans.org\/reading-room\/whitepapers\/auditing\/introduction-information-system-risk-management-1204"},{"key":"key2020100112345362900_ref012","doi-asserted-by":"crossref","first-page":"13","DOI":"10.1016\/j.dss.2016.02.012","article-title":"Decision support approaches for cyber security investment","volume":"86","year":"2016","journal-title":"Decision Support Systems"},{"key":"key2020100112345362900_ref07a","article-title":"Managing cybersecurity risk in government: an implementation model","year":"2018"},{"key":"key2020100112345362900_ref013","article-title":"The corporate fortress","year":"2019"},{"key":"key2020100112345362900_ref014","unstructured":"International Organization of Standardization (2018), \u201cISO 31000:2018 risk management principles and guidelines\u201d, available at www.iso.org\/obp\/ui#iso:std:iso:31000:ed-2:v1:en"},{"key":"key2020100112345362900_ref015","unstructured":"IRM (2014), \u201cIRM cyber risk: executive summary\u201d, The Institute of Risk Management, 2014. available at: www.theirm.org\/media\/4209532\/IRM_Cyber-Risk_Exec-Summ_A5_low-res.pdf"},{"issue":"6","key":"key2020100112345362900_ref016","first-page":"48","article-title":"Managing risks: a new framework","volume":"90","year":"2012","journal-title":"Harvard Business Review"},{"key":"key2020100112345362900_ref017","unstructured":"Lipner, S. and Lampson, B. (2016), \u201cRisk management and the cybersecurity of the U.S. 
Government\u201d, Input to the Commission on Enhancing National Cybersecurity. available at: www.nist.gov\/sites\/default\/files\/documents\/2016\/09\/16\/s.lipner-b.lampson_rfi_response.pdf"},{"key":"key2020100112345362900_ref018","unstructured":"NIST (2011), Managing \u201cInformation security risk. Special publication 800-39\u201d, available at: https:\/\/nvlpubs.nist.gov\/nistpubs\/Legacy\/SP\/nistspecialpublication800-39.pdf"},{"key":"key2020100112345362900_ref019","unstructured":"NIST (2016), \u201cRisk management framework (RMF) overview\u201d, Available at: http:\/\/csrc.nist.gov\/groups\/SMA\/fisma\/framework.html"},{"key":"key2020100112345362900_ref020","unstructured":"NIST (2018), \u201cFramework for improving critical infrastructure cybersecurity\u201d, available at: https:\/\/nvlpubs.nist.gov\/nistpubs\/CSWP\/NIST.CSWP.04162018.pdf"},{"key":"key2020100112345362900_ref021","unstructured":"Noble, Z. (2016), \u201cFISMA report show pain, few gains\u201d, FCW, March 2016. available at: https:\/\/fcw.com\/articles\/2016\/03\/21\/fisma-omb-noble.aspx"},{"key":"key2020100112345362900_ref022","unstructured":"Overby, S. (2012), \u201cAdopting ITIL, COBIT is not always the best practice\u201d, CIO, February 2012. available at: www.cio.com\/article\/2399188\/it-organization\/adopting-itil\u2013cobit-is-not-always-the-best-practice.html"},{"key":"key2020100112345362900_ref023","unstructured":"PwC (2017), \u201cRisk in review 2017\u201d, available at: https:\/\/create.org\/news\/pwc-risk-review-2017\/"},{"key":"key2020100112345362900_ref024","unstructured":"Ravindranath (2017). 
\u201cMost feds like NIST\u2019s cybersecurity framework\u201d, available at: www.nextgov.com\/cybersecurity\/2017\/09\/most-feds-nists-cybersecurity-framework\/141400\/"},{"key":"key2020100112345362900_ref025","unstructured":"Schlimmer (2018), \u201cA framework for cybersecurity\u201d, available at: www.csoonline.com\/article\/3268937\/implementing-the-nist-cybersecurity-framework-could-be-worth-at-least-1-4m-to-your-business.html"},{"key":"key2020100112345362900_ref026","first-page":"573","article-title":"Cybersecurity compliance and risk management strategies: what directors, officers, and managers need to know","volume":"11","year":"2014","journal-title":"NYUJL and Bus"},{"key":"key2020100112345362900_ref027","article-title":"A lack of cybersecurity funding and expertise threatens U.S. Infrastructure","year":"2018","journal-title":"Forbes"},{"key":"key2020100112345362900_ref028","volume-title":"Assessing Information Security: Strategies, Tactics, Logic and Framework","year":"2010"},{"key":"key2020100112345362900_ref029","volume-title":"Improving Government Decision Making through Enterprise Risk Management","year":"2015"},{"key":"key2020100112345362900_ref030","unstructured":"WEF (2015), \u201cPartnering for cyber resilience towards the quantification of cyber threats\u201d, World Economic Forum, January 2015. available at: www.weforum.org\/reports\/partnering-cyber-resilience-towards-quantification-cyber-threats"},{"key":"key2020100112345362900_ref031","unstructured":"William, J. (2018), \u201cNew risk management framework expected to improve DoD cybersecurity\u201d, Federal News Network, April 2018. available at: https:\/\/federalnewsnetwork.com\/cyber-exposure\/2018\/04\/using-the-risk-management-framework-to-improve-cybersecurity\/"},{"key":"key2020100112345362900_ref032","unstructured":"Williams, L.C. (2018), \u201cDOD struggles with risk management framework adoption\u201d, Defense IT, November 2018. 
available at: https:\/\/defensesystems.com\/articles\/2018\/11\/30\/dod-risk-management-framework.aspx"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-11-2018-0131\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-11-2018-0131\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:23:19Z","timestamp":1753406599000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/28\/4\/591-625\/112483"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,6,19]]},"references-count":33,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2020,6,19]]}},"alternative-id":["10.1108\/ICS-11-2018-0131"],"URL":"https:\/\/doi.org\/10.1108\/ics-11-2018-0131","relation":{},"ISSN":["2056-4961","2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"},{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2020,6,19]]}}}