{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,7]],"date-time":"2026-05-07T11:42:31Z","timestamp":1778154151326,"version":"3.51.4"},"reference-count":47,"publisher":"MDPI AG","issue":"3","license":[{"start":{"date-parts":[[2021,7,24]],"date-time":"2021-07-24T00:00:00Z","timestamp":1627084800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Encyclopedia"],"abstract":"<jats:p>Information security risk assessment is an important part of enterprises\u2019 management practices that helps to identify, quantify, and prioritize risks against criteria for risk acceptance and objectives relevant to the organization. Risk management refers to a process that consists of identification, management, and elimination or reduction of the likelihood of events that can negatively affect the resources of the information system to reduce security risks that potentially have the ability to affect the information system, subject to an acceptable cost of protection means that contain a risk analysis, analysis of the \u201ccost-effectiveness\u201d parameter, and selection, construction, and testing of the security subsystem, as well as the study of all aspects of security.<\/jats:p>","DOI":"10.3390\/encyclopedia1030050","type":"journal-article","created":{"date-parts":[[2021,7,25]],"date-time":"2021-07-25T22:06:21Z","timestamp":1627250781000},"page":"602-617","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":40,"title":["Information Security Risk Assessment"],"prefix":"10.3390","volume":"1","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-6917-4234","authenticated-orcid":false,"given":"Ievgeniia","family":"Kuzminykh","sequence":"first","affiliation":[{"name":"Department of Informatics, King\u2019s College London, London WC2R 2ND, UK"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1788-547X","authenticated-orcid":false,"given":"Bogdan","family":"Ghita","sequence":"additional","affiliation":[{"name":"School of Engineering, Computing and Mathematics, University of Plymouth, Plymouth PL4 8AA, UK"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9349-7946","authenticated-orcid":false,"given":"Volodymyr","family":"Sokolov","sequence":"additional","affiliation":[{"name":"Department of Information and Cyber Security, Borys Grinchenko Kyiv University, 04212 Kyiv, Ukraine"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4750-7864","authenticated-orcid":false,"given":"Taimur","family":"Bakhshi","sequence":"additional","affiliation":[{"name":"Center for Information Management and Cyber Security, Foundation for Advancement of Science & Technology, Lahore 54770, Pakistan"}]}],"member":"1968","published-online":{"date-parts":[[2021,7,24]]},"reference":[{"key":"ref_1","unstructured":"ISO Standard (2018). Information Technology\u2014Security Techniques\u2014Information Security Risk Management, ISO Standard. ISO\/IEC 27005:2018."},{"key":"ref_2","unstructured":"Knight, F.H. (1921). Risk, Uncertainty and Profit, Hart, Schaffner and Marx, Houghton Mifflin."},{"key":"ref_3","unstructured":"NIS Cooperation Group, and European Commission (2021, January 11). Cybersecurity Incident Taxonomy. Available online: https:\/\/ec.europa.eu\/information_society\/newsroom\/image\/document\/2018-30\/cybersecurity_incident_taxonomy_00CD828C-F851-AFC4-0B1B416696B5F710_53646.pdf."},{"key":"ref_4","unstructured":"Launius, S.M., and Evaluation of Comprehensive Taxonomies for Information Technology Threats (2021, January 11). SANS Institute. Available online: https:\/\/www.sans.org\/reading-room\/whitepapers\/threatintelligence\/evaluation-comprehensive-taxonomies-information-technology-threats-38360."},{"key":"ref_5","unstructured":"Model Risk Management: Quantitative and Qualitative Aspects (2021, January 11). Management Solutions. Available online: https:\/\/www.managementsolutions.com\/sites\/default\/files\/publicaciones\/eng\/Model-Risk.pdf?q=PDF\/ENG\/Model-Risk.pdf."},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Wheeler, E. (2011). Security Risk Management: Building an Information Security Risk Management Program from the Ground Up, Elsevier Inc.. [1st ed.].","DOI":"10.1016\/B978-1-59749-615-5.00012-8"},{"key":"ref_7","unstructured":"Buriachok, V., Sokolov, V., and Skladannyi, P. (2019, January 2\u20134). Security Rating Metrics for Distributed Wireless Systems Threats. Proceedings of the 8th International Conference on \u201cMathematics, Information Technologies, Education\u201d, Lviv, Ukraine."},{"key":"ref_8","unstructured":"Williams, J., and OWASP Risk Rating Methodology (2021, January 11). OWASP. Available online: https:\/\/owasp.org\/www-community\/OWASP_Risk_Rating_Methodology."},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Kuzminykh, I., Yevdokymenko, M., and Ageyev, D. (2020, January 6\u20139). Analysis of Encryption Key Management Systems: Strengths, Weaknesses, Opportunities, Threats. Proceedings of the IEEE International Scientific-Practical Conference Problems of Infocommunication, Science and Technology (PIC S&T-2020), Kyiv, Ukraine.","DOI":"10.1109\/PICST51311.2020.9467909"},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"80","DOI":"10.1007\/978-3-030-65729-1_8","article-title":"Comparative Analysis of Cryptographic Key Management Systems","volume":"Volume 12526","author":"Galinina","year":"2020","journal-title":"Internet of Things, Smart Spaces, and Next Generation Networks and Systems"},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"35","DOI":"10.3390\/jrfm11030035","article-title":"Enterprise risk management practices and firm performance, the mediating role of competitive advantage and the moderating role of financial literacy","volume":"11","author":"Yang","year":"2018","journal-title":"J. Risk Financ. Manag."},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Rios, E., Rego, A., Iturbe, E., Higuero, M., and Larrucea, X. (2020). Continuous quantitative risk management in smart grids using attack defense trees. Sensors, 20.","DOI":"10.3390\/s20164404"},{"key":"ref_13","first-page":"31","article-title":"Methodological approaches to assessing the competitiveness of organizations","volume":"9","author":"Generalov","year":"2016","journal-title":"Vestnik NGIJeI"},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"52","DOI":"10.1007\/978-3-030-01168-0_6","article-title":"Analysis of Assets for Threat Risk Model in Avatar-Oriented IoT Architecture","volume":"Volume 11118","author":"Galinina","year":"2018","journal-title":"Internet of Things, Smart Spaces, and Next Generation Networks and Systems"},{"key":"ref_15","unstructured":"Kuzminykh, I. (June, January 31). Avatar Conception for \u201cThing\u201d Representation in Internet of Things. Proceedings of the 14th Swedish National Computer Networking Workshop, Karlskrona, Sweden."},{"key":"ref_16","unstructured":"(2021, July 22). NIST Special Publication (SP) 800-30, Revision 1. Guide for Conducting Risk Assessments, Available online: https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-30\/rev-1\/final."},{"key":"ref_17","unstructured":"GB\/T 20984-2007 (2007). Information Security Technology: Risk Assessment Norm of Information System, National Standard of the People\u2019s Republic of China; Standardization Administration of PRC."},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Cole, E. (2013). Chapter 4\u2014Risk-Based Approach to Security. Advanced Persistent Threat, Syngress.","DOI":"10.1016\/B978-1-59-749949-1.00004-8"},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"21","DOI":"10.1007\/11824633_3","article-title":"Information Security Risk Assessment Model for Risk Management","volume":"Volume 4083","author":"Furnell","year":"2006","journal-title":"Trust and Privacy in Digital Business (TrustBus)"},{"key":"ref_20","first-page":"29","article-title":"Information security risk analysis methods and research trends: AHP and fuzzy comprehensive method","volume":"6","author":"Lee","year":"2014","journal-title":"Int. J. Comp. Sci. Inf. Tech."},{"key":"ref_21","unstructured":"Alexander, D., Finch, A., Sutton, D., and Taylor, A. (2013). Information Security Management Principles, BCS Learning & Development Ltd."},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Watson, D., and Jones, A. (2013). Chapter 5: Risk management. Digital Forensics Processing and Procedures, Syngress. [1st ed.].","DOI":"10.1016\/B978-1-59749-742-8.00005-4"},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3145905","article-title":"Exiting the Risk Assessment Maze: A Meta-Survey","volume":"51","author":"Gritzalis","year":"2018","journal-title":"ACM Comput. Surv."},{"key":"ref_24","unstructured":"Ionita, D. (2013). Current Established Risk Assessment Methodologies and Tools. [Master\u2019s Thesis, University Twente]. Available online: https:\/\/essay.utwente.nl\/63830\/1\/MSc_D_Ionita.pdf."},{"key":"ref_25","first-page":"1","article-title":"Modern Information Risk Management","volume":"1","author":"Lutskiy","year":"2012","journal-title":"Inf. Prot."},{"key":"ref_26","unstructured":"ENISA (2021, June 29). Inventory of Risk Management. Risk Assessment Methods. Available online: https:\/\/www.enisa.europa.eu\/topics\/threat-risk-manage-ment\/risk-management\/current-risk\/risk-management-inventory\/rm-ra-methods."},{"key":"ref_27","unstructured":"(2021, June 29). CRAMM Version 5.1 User Guide; Insight Consulting: 2005. Available online: https:\/\/pdfcoffee.com\/cramm-version-51-user-guide-pdf-free.html."},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Peltier, T.R. (2001). Facilitated Risk Analysis Process (FRAP). Information Security Risk Analysis, Auerbach Publications. [1st ed.].","DOI":"10.1201\/b12444"},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Caralli, R.A., Stevens, J.F., Young, L.R., and Wilson, W.R. (2007). Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process, Software Engineering Institute, Carnegie Mellon University. CMU\/SEI-2007-TR-012 Technical Report.","DOI":"10.21236\/ADA470450"},{"key":"ref_30","unstructured":"Alberts, C., and Dorofee, A. (2021, January 11). OCTAVE Threat Profiles. Available online: http:\/\/130.18.86.27\/faculty\/warkentin\/SecurityPapers\/Merrill\/AlbertsDorofee_OCTAVEThreatProfiles.pdf."},{"key":"ref_31","doi-asserted-by":"crossref","first-page":"681","DOI":"10.1007\/s10207-017-0382-0","article-title":"A framework for estimating information security risk assessment method completeness","volume":"17","author":"Wangen","year":"2018","journal-title":"Int. J. Inf. Secur."},{"key":"ref_32","unstructured":"(2021, January 11). Manage Risk Meet Compliance Improve Security. Available online: https:\/\/riskwatch.com\/#productoverview."},{"key":"ref_33","unstructured":"Goel, S., and Chen, V. (2021, January 11). Information Security Risk Analysis\u2014A Matrix-Based Approach. Available online: https:\/\/www.albany.edu\/~goel\/publications\/goelchen2005.pdf."},{"key":"ref_34","doi-asserted-by":"crossref","unstructured":"Kure, H.I., Islam, S., and Razzaque, M.A. (2018). An integrated cyber security risk management approach for a cyber-physical system. Appl. Sci., 8.","DOI":"10.3390\/app8060898"},{"key":"ref_35","unstructured":"Mehari (2021, June 29). Risk Analysis and Treatment Guide. Available online: http:\/\/meharipedia.x10host.com\/wp\/wp-content\/uploads\/2016\/12\/MEHARI-2010-Risk-Analysis-and-Treatment-Guide.pdf."},{"key":"ref_36","first-page":"34","article-title":"Risk Forecasting Automation on the Basis of MEHARI","volume":"Volume 1339","author":"Venter","year":"2020","journal-title":"International Information Security Conference"},{"key":"ref_37","doi-asserted-by":"crossref","unstructured":"Lund, M.S., Solhaug, B., and Stolen, K. (2011). Model-Driven Risk Analysis, Springer.","DOI":"10.1007\/978-3-642-12323-8"},{"key":"ref_38","first-page":"96","article-title":"Integrated Presentation of Risk Parameters","volume":"1","author":"Korchenko","year":"2011","journal-title":"Inf. Prot."},{"key":"ref_39","unstructured":"Zhao, D.-M., Liu, J.-X., and Zhang, Z.-H. (2009, January 12\u201315). Method of risk evaluation of information security based on neural networks. Proceedings of the 2009 International Conference on Machine Learning and Cybernetics, Baoding, China."},{"key":"ref_40","unstructured":"Shang, K., and Hossen, Z. (2013). Applying Fuzzy Logic to Risk Assessment and Decision-Making, Project Report; Casualty Actuarial Society, Canadian Institute of Actuaries, Society of Actuaries."},{"key":"ref_41","doi-asserted-by":"crossref","first-page":"475","DOI":"10.1016\/j.ssci.2019.06.001","article-title":"Learning about risk: Machine learning for risk assessment","volume":"118","author":"Paltrinieri","year":"2019","journal-title":"Saf. Sci."},{"key":"ref_42","doi-asserted-by":"crossref","first-page":"2946158","DOI":"10.1155\/2019\/2946158","article-title":"Application of BP Neural Network Model in Risk Evaluation of Railway Construction","volume":"2019","author":"Changwei","year":"2019","journal-title":"Complexity"},{"key":"ref_43","doi-asserted-by":"crossref","unstructured":"Faggini, M., and Vinci, C.P. (2010). Ontology Based Risk Management. Decision Theory and Choices: A Complexity Approach, Springer.","DOI":"10.1007\/978-88-470-1778-8"},{"key":"ref_44","doi-asserted-by":"crossref","first-page":"1005","DOI":"10.1007\/s10845-016-1252-8","article-title":"An ontology supported risk assessment approach for the intelligent configuration of supply networks","volume":"29","author":"Palmer","year":"2018","journal-title":"J. Intell. Manuf."},{"key":"ref_45","doi-asserted-by":"crossref","unstructured":"TajDini, M., Sokolov, V., Kuzminykh, I., Shiaeles, S., and Ghita, B. (2020). Wireless Sensors for Brain Activity\u2014A Survey. Electronics, 9.","DOI":"10.3390\/electronics9122092"},{"key":"ref_46","doi-asserted-by":"crossref","unstructured":"Pileggi, S.F., Indorf, M., Nagi, A., and Kersten, W. (2020). CoRiMaS\u2014An Ontological Approach to Cooperative Risk Management in Seaports. Sustainability, 12.","DOI":"10.3390\/su12114767"},{"key":"ref_47","doi-asserted-by":"crossref","unstructured":"Mozzaquatro, B.A., Agostinho, C., Goncalves, D., Martins, J., and Jardim-Goncalves, R. (2018). An Ontology-Based Cybersecurity Framework for the Internet of Things. Sensors, 18.","DOI":"10.3390\/s18093053"}],"container-title":["Encyclopedia"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2673-8392\/1\/3\/50\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T06:34:26Z","timestamp":1760164466000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2673-8392\/1\/3\/50"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,7,24]]},"references-count":47,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2021,9]]}},"alternative-id":["encyclopedia1030050"],"URL":"https:\/\/doi.org\/10.3390\/encyclopedia1030050","relation":{},"ISSN":["2673-8392"],"issn-type":[{"value":"2673-8392","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,7,24]]}}}