Risk Management Practices in Information Security: Exploring the Status Quo in the DACH Region

by   Michael Brunner, et al.

Information security management aims at ensuring proper protection of information values and information processing systems (i.e. assets). Information security risk management techniques are incorporated to deal with threats and vulnerabilities that impose risks to information security properties of these assets. This paper investigates the current state of risk management practices being used in information security management in the DACH region (Germany, Austria, Switzerland). We used an anonymous online survey targeting strategic and operative information security and risk managers and collected data from 26 organizations. We analyzed general practices, documentation artifacts, patterns of stakeholder collaboration as well as tool types and data sources used by enterprises to conduct information security management activities. Our findings show that the state of practice of information security risk management is in need of improvement. Current industrial practice heavily relies on manual data collection and complex potentially subjective decision processes with multiple stakeholders involved. Dedicated risk management tools and methods are used selectively and neglected in favor of general-purpose documentation tools and direct communication between stakeholders. In light of our results we propose guidelines for the development of risk management practices that are better aligned with the current operational situation in information security management.


Evaluation of Security Training and Awareness Programs: Review of Current Practices and Guideline

Evaluating the effectiveness of security awareness and training programs...

Current Practices in the Information Collection for Enterprise Architecture Management

The digital transformation influences business models, processes, and en...

AGI labs need an internal audit function

The paper argues that organizations that have the stated goal of buildin...

XI Commandments of Kubernetes Security: A Systematization of Knowledge Related to Kubernetes Security Practices

Kubernetes is an open-source software for automating management of compu...

Forensic-Ready Risk Management Concepts

Currently, numerous approaches exist supporting the implementation of fo...

Software Protection as a Risk Analysis Process

The last years have seen an increase of Man-at-the-End (MATE) attacks ag...

Enhancing Strategic Information Security Management in Organizations through Information Warfare Practices

In this short paper we argue that to combat APTs, organizations need a s...

Please sign up or login with your details

Forgot password? Click here to reset