This document summarizes an 18-paper systematic literature review on information security risk assessment methods. The review found papers originating primarily from China and Iran. Most papers were published in 2010 and presented at conferences. The papers were assessed for quality based on whether the methods were similar, tested, and appropriate. Thirteen papers reported positive results on applying the methods in industry. The review identified 25 risk assessment methods addressed across the 18 papers and found that 17 papers mapped specific methods to information security and risk assessment.

1. Systematic Literature Review of Information
Security Risk Assessment
1
Dawan Rashid, 2
Michael Thompson, 3
Md Abdul Khan, 4
Anu Chhetri, 5
Ade Ajasa
The School of Architecture, Computing and Engineering (ACE), University of East London (UEL)
Docklands Campus, University Way, London, England, UK, E16 2RD
(1
u1514695, 2
u1428716, 3
u1443714, 4
u1107492, 5
u0015906) @uel.ac.uk
Abstract— This is a systematic literature review (SLR) regarding
information security and risk assessment and this is to collect,
analyse and generate an overview of what has been gathered
from existing papers after they have been read to generate a new
SLR study. The paper would investigate and discuss the
information security risk assessment via the methodologies
described and implemented within an organisation/ company or
business as well as the advantages and disadvantages of these
methods including the area of application these methods were
validated from.
Keywords— Information security, Risk assessment, Methods,
Methodology, Systematic Literature Review (SLR)
1. INTRODUCTION
IT risk assessment is an appropriate level of security
control that is applied to information assets and a risk
assessment is required to be performed to identify the threats
using the probability to find the possible impact they can
cause to security breaches [1]. Information risk assessment is
required to be carried out by the owners of the assets to
companies or organisations using appropriate guideline(s).
Risk management reduces some of the risks that are identified
at an acceptable level. Risk management assesses the relevant
risks using the appropriate treatment of the identified risks [1].
There are a total of five researchers who will gather
information of papers from a search of Information Security
Risk Assessment using Google Scholars. When we input the
data into the search engine we managed to receive a feedback
of 122 total papers found within the database and we had to
identify what paper is appropriate for the research.
Considering we are trying to write a Systematic Literature
Review (SLR) there are a few limitations such as not to
include any papers that are existent SLRs or papers that are
technical reports. The following will be further details on the
outcomes and approaches, decisions based on the group were
also made to bring a successful written SLR possible.
The purpose of this study is to review a set of existing
papers that evaluate the approaches taken to assess the threats
and vulnerabilities to prevent information security from being
breached and therefore the following will explain the
decisions made to complete the resulting SLR.
2. METHOD
The report is about the view of information security risk
assessment using existing papers that have either implemented
new ideas or used previous ones to accomplish a company or
organisation’s objectives in which preventing valuable
information being accessible to those known as unauthorised
personnel’s [1]. The goal of the review is to collect primary
data information and to produce our own final systematic
literature review report. The steps in this paper are
documented below.
2.1 Research Questions
RQ1 - What are the methods that exist in information
security and risk assessment?
RQ2 - What are the advantages and disadvantages of these
methods?
RQ3 - The area of application, where did they (these
methods) validate?
In designing the research questions we want to know what
Information security risk assessment methods have been
researched recently. We also want to find similarities of the
methods in the research papers reviewed and whether these
methods have been tested. We also want find out which
methods are passing as acceptable or appropriate by each of
the researchers.
In researching information security and risk assessment
methods, it is important to know what advantages or benefits
exist in using various proposed methods and also if any
disadvantages exist with the various methods. Another point is
to analyse the benefits which are common to the methods.
Most proposed methods get tested in specific case study
scenarios, hence we want to analyse the various areas the
methods were validated. Validation is important because it
adds legitimacy to the method proposed. Companies tend to
employ validated methods for other researches, especially
when security is a concern.
The research integrated within this paper was all down to
the research questions we had to use to conduct our studies.
The first research question was in regards to the methods used
within the risk assessment methodologies as there could be a
unique structure that could always work and there could be a
similar structure that contains many issues that in many papers
are mentioned as well as vice-versa. This is why we (as the
group researchers) had to investigate the similar methods
found to address within this review.
The next step was obviously to understand why would it be
important to use such methods so when the idea of
understanding an identified method, would only be conducted
through a non-biased architectural question of knowing the
advantages and disadvantages of the methods mentioned in
the paper.

2. The final research question would only make sense to
understand where such methods would be installed, therefore
the question was created regarding, where would the method
be validated.
2.2 Search Process
The search progression was based on Google scholar as it is
well known as one of the good academic information
gathering source for students. We short listed our research
papers by doing an extensive search on google scholar.
We performed an advanced search in Google Scholar with
the following criteria;
• “with all the words”: Information Security Risk
Assessment
• “with at least one of these words”: Framework
Methodology Method Approach Process (in exactly this order)
• “where my words occur”: in the title of the article
The process of finding specific types of papers regarding
the topic “Information Security Risk Assessment” we used
was within advance scholar search menu on “framework
method methodology process approach” to narrow down a
stronger concept on methods where risk assessment is in use
within an area such as banking, companies, university
research and many more. With new research journals, it gives
out much more new ideas and recent information regarding
the research topic we used as a group. The reason behind
choosing the new research paper is because having old ideas
will not give advance information. The old ideas are always
implemented with new scopes, ideas, and methods in recent
research papers.
Having these guidelines that have been made from the
above explanation on how the data was used to search for the
papers. According to the search engine there was 122 results
found which was twelve pages altogether from the research
team, four researchers went through two pages each however,
one agreed to go through four pages worth of papers. Each
page on Google Scholar represented maximum of ten papers.
2.3 Inclusion/ Exclusion
Once the papers were accessed we decided to then check
through the papers using the search process, mentioned above,
and to cut out the unnecessary papers to only keep those
important to use for the research. All five researchers went
ahead and looked through the papers to locate any papers that
are in regards to information security risk assessment that are
not technical reports, SLRs (because the whole point of this
paper is to write a new SLR) as well as note the papers as
exclusion with specific reason if applicable. The problems
encountered were that many of the papers were in Mandarin
and considering the research was to be done only in English
(UK) we tried to email the authors to gain access to the papers,
and unfortunately the papers were only given in Mandarin and
no translation was available. The papers were then cut down
from 122 to 25 papers that became inclusions and the rest
were specified as exclusions based on the following basis:
• Citation only - Search result was only a citation reference
of another work.
• Dissertation- works produced as dissertation does not
qualify as part of our research
• Not accessible - various works were not accessible due to
language barrier, papers that are not free for academic
purposes and 404 pages not found errors.
• Not relevant to the topic - papers that had at least one key
word from our keywords search yet did not focus on our
research topic.
• Short Paper - Papers with 4 or less pages.
• Technical Paper -papers that were published as
technical papers.
However out of those 25 initially selected papers, finally 18
were selected as final Inclusive papers for this review process.
Table 1 : Total review papers based on inclusion criteria
RP ID Research Paper (RP) Title
RP1 A risk recommendation approach for information security risk
assessment
RP2 New Framework for Comparing Information Security Risk
Assessment Methodologies
RP3 Probit-method for information security risk assessment
RP4 A New Information Security Risk Assessment Method in Power
Production System Based on Rough Sets and Bayesian Network
RP5 Research on the calculation method of information security risk
assessment considering human reliability
RP6 An Improved Risk Assessment Method for SCADA Information
Security
RP7 A Model-based Information Security Risk Assessment Method
for Science Gateways.
RP8 Information Security risk assessment method based on the
CORAS
RP9 Information Security Risk Assessment & Pointed Reporting:
Scalable Approach
RP10 Study on the risk assessment quantitative method of information
security
RP11 Attack Tree Based Information Security Risk Assessment
Method Integrating Enterprise Objectives with Vulnerabilities
RP12 "Information Security Risk Assessment Methodology
Research: Group Decision
Making and Analytic Hierarchy Process"
RP13 Business Process-Based Information Security Risk
Assessment
RP14 Gray Relational Analysis based Method for Information
Security Risk Assessment
RP15 An Approach to Perform Quantitative Information Security
Risk Assessment in IT Landscapes
RP16 A Novel Security Risk Assessment Method of Enterprise
Information System Based on the Correlation of Equipment’s.
RP17 A Formal Methodology for Enterprise Information Security
Risk Assessment
RP18 The Research of Information Security Risk Assessment
Method Based on Fault Tree

3. 2.4 Data Collection
The selected 18 primary studies were read in detail along
with secondary data used by the authors within them, in order
to extract the data essential towards answering research
questions. Five different researchers read the selected papers
in correspondence. The data that was managed to be collected
were based on a comprehensive set of questions. Some of the
fields of our data collection from integrated: research paper ID,
resource (journal or conference) with full reference, key
subject matter, and the authors along with their organization
plus the country, brief description of the study together with
main research questions as well as the answers and quality
assessment. We kept an evidence of the collected information
into a worksheet for following analysis. This helped to
enhance the level of assurance that the data extraction
progression was reliable and minimally subjective.
With respect to RQ1, consideration was taken into account
about available research method used in relation to IS and risk
assessment. This facilitates to classify the degree of similarity
among different existing methodologies together with
disagreement among them at some point. Most of the
disagreement was as regards the organisation or company the
authors were part of, creating a new concept in regards to
identifying threats towards risk assessment of information
security. Not only but also to find correlation between
different newly proposed methods together with their
imitations in terms of IS and Risk assessment.
With respect to RQ3, consideration was taken in to account
in terms of area of validation individual researchers, the
organisation to which researchers were affiliated and the
country in which the organisation is situated.
2.5 Deviations from protocol
As this is the first report there are no earlier versions of this
paper and there have been only changes due to grammar,
paraphrases and misleading paragraphs that have been
reworded. However, in regards to approaches there have been
changes as following are changes to our original experimental
protocol:
 Clarified that the research questions were studies that
could help expand our knowledge on the topic and find
relevant materials
 There was an expansion to our data collection practically
as well as the section itself, which was extended
 Clarified a link between the research questions and the
data collection
3. RESULTS
This section gives a summary of the study in regards to the
results found within the study.
3.1 Search results
When identifying the papers origin the results indicate from
Figure 1, six of the 18 papers are originated from China. The
second most mentioned is from Iran and that contains two
papers that originated from them. This is a very interesting
area considering most are from the Asian continent.
Figure1. Origin of reviewed papers
Figure2. Total number of papers reviewed, by year
Figure3.Types of publication (inclusions)
Table 1 identifies the total papers and basic information of
each paper that was carried through for the research. Although
initially we identified a total of 25 papers there were many
that were already SLRs and many that was only discussing
information risk in regarding to weather systems and not
regarding specific information security risk assessment so
therefore we had to cut out a further 6 papers and therefore
ended up with 18 relevant and unique papers. With respect to
Figure 2 most number of paper were is published in the year
of 2010, along with least number for the years of 2008 and
2010 out of 18 reviewed paper used in this SLR. Besides
Figure 3 indicates that 12 of the 18 papers were from
conferences and the rest of them are journals.

4. 3.2 Quality evaluation of papers
The quality of the papers was determined in regards to what
the researchers found from the paper and was able to extract
the key information that could answer the research questions.
The research questions would be answered and then a general
summary about the paper (like an abstract) would be
considered from the researcher that when another researcher
needs information regarding a specific topic the one user who
has already written the answers and the overview can make
life easier for the colleague by giving exactly what they need.
After all there are five researchers and our main objective is to
make things easier for each other.
Another process taken to assess the quality was via the sub
questions made to analyse if the methods in the paper were
correct as the following would explain the process in much
more detail using the sub questions as the answers from those
questions determined if the paper would be providing the right
quality. These assessments were made by extracting answers
to the questions below:
• Q1.1 Are there any similarity of the methods
identified within Information security and risk assessment?
• Q1.2 Have these methods been tested?
• Q1.3 Are the quality of the identifiable method
appropriate? If not is it improving?
Table 2: Quality assessment of research papers
RPID Q1.1 Q1.2 Q1.3
RP1 YES YES YES
RP2 YES YES YES
RP3 YES YES YES
RP4 YES YES YES
RP5 YES YES YES
RP6 YES YES YES
RP7 YES YES YES
RP8 YES YES YES
RP9 YES YES NO
RP10 YES YES YES
RP11 YES YES YES
RP12 YES YES YES
RP13 YES YES NO
RP14 YES YES YES
RP15 NO YES YES
RP16 NO YES NO
RP17 YES YES NO
RP18 YES YES YES
Due to the research quality to become very good we had to
assess the papers in regards to what sort of methods were used
and to do this the parts of the first question helped establish
that.
However, in the second sub-assessment question, it is
noticed that all of the research papers reported testing their
slightly-enhanced methods in various environments or
industries. This is encouraging as the applicability of the
method to industry plays a vital role in its acceptance and
usage.
Lastly we look at the appropriateness of the method quality
for use in the industry. It turns out 13 out of the 18 papers
report positively on the use of its method in the industry. As
Table 2 demonstrates the quality of the paper, if the paper has
a ‘no’ answered then the quality of the paper would suggest a
less quality than that those with ‘yes’ due to the method either
being a much reliant considering existence of similarity of the
methods, methods tested, quality of the method
appropriateness can deliver an overall of the paper being at a
good quality.
4. DISCUSSION
This part presents the findings of our analysis of the data
extracted from the reviewed papers in order to answer the
research questions. Also address our specific research
questions and identifies any changes between different papers
discussed in primary studies.
4.1 What are the methods that exist in information security
and risk assessment?
Table 3 (below) suggest that many different methods are
being addressed. In order to have some baseline on the way to
assess the point to which information security and risk
assessment topic are being concentrated on, we considered
how well the methods of significance both to IS and risk
assessment are connected to security management.
The 18 reviews discussed in this paper addressed a broader
range of different methods related to information security and
risk assessment. There is added predominance of methods and
less general information and risk assessment topics have been
addressed. Within the 18 studies reported in this paper, 17
papers were mapping studies related to specific methods in
relation to information security and risk assessment. Thus, the
fraction of papers directed at particular methods was 85% out
of 100%.With respect to the research topic most of the papers
were relate to the research trends rather than specific research
questions. In terms of the information security and risk
assessment methods addressed by the SLRs It is obvious that
some of the reviewed papers have recognized several methods
in regards to IS and risk assessment. When one study
estimates various methods, we term evaluation of each
method as an occurrence. Our SLR identified 25 instances in
the 18 reviewed papers.
Table 3 demonstrates that 2 particular instances (CORAS
& OCTAVE) [2] [3] [18] were repeated multiple times in
three different papers along with one paper specifically talks
about CORAS [9]. Also instances like: CRAMM [3] [18] and
NIST (800-53) [3] [10] were found in two different papers
along with CORAS, OCTAVE and ISO 27001 [10].
However, out of 18 different papers ISO 27001 [2] [10]
instances were presented in only two paper, along with
consideration about CORAS and OCTAVE instances.
Additionally, another similar method was with Fuzzy
Mathematics as two research papers came under the same
heading regarding the method that was proposed [5] [11].
Besides we found 13 papers in which each of the paper
talks about different novel IS and risk assessment methods,
well-matched to the needs of a particular industry or type of
enterprise.

5. Table3: Methods within research papers
Identified Methods Type RPID Citation
CORAS, OCTAVE, ISO
27001, AURUM and
Threat-Vulnerability
Conference
Paper
RP1 [2]
CORAS, NIST (800-53),
OCTAVE, DREAD MS,
DREAD OWASP and
CRAMM (widely used in
the UK)
Journal RP2 [3]
Probabilistic and statistical
methods
Journal RP3 [4]
Set theory, Fuzzy
mathematics
Conference
Paper
RP4 [5]
THERP Conference
Paper
RP5 [6]
SCADA Journal RP6 [7]
MISRAM Journal RP7 [8]
CORAS Conference
Paper
RP8 [9]
Scalable Approach (metric
based assessment and
reporting plan), NIST
(800-53) &ISO 27001
Conference
Paper
RP9 [10]
Fuzzy Analytic Hierarchy
Process Method
Conference
Paper
RP10 [11]
TEOREM Journal RP11 [12]
GAHP (group decision
making and analytic
hierarchy process) method
Conference
Paper
RP12 [13]
Gathering risk assessment
information and accounting
risks.
Conference
Paper
RP13 [14]
Grey relational analysis Conference
Paper
RP14 [15]
Quantitative approach
based on objective
statistical data
Journal RP15 [16]
Risk assessment method
which considers the
correlation of the
equipment’s
Conference
Paper
RP16 [17]
A generic risk analysis
methodology based on
dependencies among risk
elements, OCTAVE,
FRAAP, COBRA, and
CRAMM
Conference
Paper
RP17 [18]
Information systems fault
tree model
Conference
Paper
RP18 [19]
The methods that have been repeated or used commonly are
highlighted in bold as this indicates such common existence
of the information security risk assessment methodology
carried out. The following would be discussed information
about what each of the five instances (CORAS, OCTAVE,
NIST, CRAMM, ISO 27001 and Fuzzy Mathematics) which
is found commonly in the papers and how each method
addresses the security concerns:
CORAS [2] [3] [9] (Construct a platform for Risk Analysis
of Security Critical Systems) methodology is based on UML
(Unified Modelling Language) that make use of methods for
risk analysis, semi-formal methods for object-oriented
modelling.
Beside that OCTAVE [2] [3] [18] (Operationally Critical
Threat, Asset and Vulnerability Evaluation) reviews the
security requests and can verify the criticality and impact of
how vulnerable the threats are throughout its checks.
OCTAVE can use the information to provide understanding of
what possible negative impact can cause a threat to an
organisation by the usage of security checklists.
Furthermore risk assessment method NIST (800-53) [3]
[10] combines impact and likelihood in a simple way along
with nine different steps. Although this methodology requires
consideration in regards to reasonable amount of time and
money. In addition CRAMM [3] [18] (CCTA Risk Analysis
and Management Method) analysis is extensively exercised in
the UK and takes consideration about categorizing the assets,
conveying financial values and calculating impacts.
Moreover ISO 27000 series demonstrates the requirements,
security controls and implementation are within a government
or organisation which uses the security protocols to process
the risk assessment of information security [20].
Also ‘fuzzy mathematics’ identifies the rapid measurement
of actions occurring and obtains exact value of risks via the
amount of requests at the same time as it measures the rapid
assessment of risks [5] [11].
Table4: Defined dissimilar methods within research papers
Unique
Methods
RPID Summary
AURUM RP1 AURUM can support someone
implementing the security by using the
security checklist and investigating if it
requires such system to be necessary in the
organisation [2]. An issue of AURUM is that
it provides standard security checks and not
advanced as it depends on the user’s
knowledge to build a new ontology [2].
DREAD -MS RP2 (Damage potential, Reproducibility,
Exploitability, Affected users,
Discoverability) has its main focus, to
identify and prioritise of possible risks with
the STRIDE/ DREAD methods [3].
DREAD-
OWASP
RP2 DREAD- OWASP gives a more formal
definition of the attributes, introduces
weights, and gives a different value to each
attribute [3]. Risk is defined as the sum of
the weighted attributes.
Probabilistic
and statistical
methods
RP3 Probabilistic and statistical methods are used
to attract additional information on the
distribution of damage in case of
implementation of the information security
risks of the asset. It is assumed that for the
operating conditions of organizational and
technical system of the company is known
for the distribution function of loss of
information security incidents [4]. Theoretic
probabilistic method is all down to
assumption.
THERP RP5 An advanced technique that measures the
human reliability which identifies the errors
that are made by a human [6].
SCADA RP6 (Supervisory Control and Data)- a type of
system validated within a Hydroelectric
Power Plants. The method investigates
information security risk assessment, which
is suitable for industrial SCADA systems
[7].

6. MISRAM RP7 MISRAM is the model-based Information
Security Risk Assessment Method. It is used
as an information architecture model, a
method that allocates the values to assets
information and IT components [8]. The
output of the MISRAM is to rank the list of
risk and actionable assignment or a task to
solve the main problem (issues).
TEOREM RP11 Based Enterprise Objective Risk Evaluation
Method - In the modelling of a threat domain
for an enterprise, attack trees are frequently
utilized [12]. However, the execution of
attack tree modelling is costly from the effort
and timing requirements and also has
inherent scalability issues.
GAHP (GDM
and AHP)
RP12 Not able to gain information about the
method definition..
Grey Relational
Analysis
RP14 Finds similarities within the information risk
assessment and then gives an overall
evaluation of the risks within the information
system [15].
Quantitative
approach based
on objective
statistical data
RP15 The effective and efficient assessment of
risks related to information security.
Measures information security (IS) related
risks [16].
Risk
assessment
method which
considers the
correlation of
the
equipment’s
RP16 Where the risk of every equipment is divided
into the individual one and the impact of
other equipment’s. By setting vulnerability
threat conjunction matrix of the equipment’s,
this approach is developed [17].
FRAAP RP17 (Facilitated Risk Analysis and Assessment
Process) follows a qualitative risk
assessment methodology that finds ways to
mitigate risks. This also requires an experts
input and this can cause lack of consistency
[18].
COBRA RP17 COBRA uses the qualitative and quantative
approaches to mitigate risks as it involves
the expert system principles with the use of
theoretical analysis implemented.One issue,
however, is that it is not precise and the
feedback information cannot be gauranteed
accurate [18].
Information
systems fault
tree model
RP18 This is based on integrity and usability of
information as well as the most important
thing regarding important information which
is confidentiality [19]. This method can
calculate the risks attacks using certain
algorithms to mitigate the threats.
4.2 What are the advantages and disadvantages of these
methods?
Firstly, when assessing the advantages and disadvantages
one of the researchers used the answers from all five
researchers (including themselves) and had to read the
answers in regards to all 18 research papers.
When reading through the answers RP1, RP2 and RP8 use
the same Method, which is CORAS [2] [3] [9], in their
respective research papers. This method is mainly used to
conduct security risk analysis. They discuss the advantages as
that it supports the findings of security risks and is easy to use
to analyse and identify the risks with the use of CORAS [2]
[3]0 [9]. For example in RP1 it gives disadvantage regarding
the proposed method that it is assumed that it works due to the
fact it has not identified solution to threats. So if there are
threats that it has not identified then this assumption would
not be given unless the threat is located and this has yet to
occur [2].
However, in RP2 the paper specifies an advantage of
CORAS that it develops a “framework that exploits methods
for risk analysis” using semi-formal methods for object-
oriented modelling [3]. The paper (RP2) also contains
methods regarding NIST, DREAD and OCTAVE. NIST
identifies a combination of loss of assets, harm of system
mission and injury of humans (if applicable) [3]. The fact is
that NIST [3] combines impact and likelihood in a straight
forward way.
In regards to DREAD [3], it is easy and fast to use and can
provides a positive feedback due to these two elements.
DREAD can identify the threat using the five major attributes
being Damage Potential, Reproducibility, Exploitability,
Affected users, Discoverability [3]. And for OCTAVE the
paper (still RP2) states that it can be of a selected parameters
that have to be met as this can cause it to become cost
effective and very well time consuming [3] considering the
requirement of a full whole list of evaluation to identify the
value of the threat to critical assets and the many information
which needs to be collected [3].
The research papers of RP6, RP12, RP13, RP14, RP15,
RP16 and RP17, use the Risk Assessment Method, RP12 type
is the GAHP (GDM and AHP) [13] and this demonstrates that
the risk assessment procedure method would be able to be
used to determine the decision group making under the
methods used. The RP16 illustrates that the method and
assessment method implemented is traditional and without the
correlation of equipment’s means the proposed method is
efficient [17]. Other papers like RP4 and RP10 use similar
methods, Fuzzy Mathematics and Bayesian Network (BN)
Method [5] and Fuzzy Analytic Hierarchy Process Method [11]
as they intended the implementation of the set theory and
fuzzy logic. The RP7 uses the MISRAM Method [8], which is
easy to implement.
In the other hand, RP9 uses the METRIC Model Method
[10], mainly used in education establishments as of the
security assessment programme. The RP5 uses the THERP
Method [6], dealing with human error during a research which
establishes the usage of an expert testing if the human error is
likely to occur and if so how. RP11 uses the TEOREM
method [12], which is efficient. RP3 uses the Theoretic
Probabilistic Method [4] and specifies the following as
disadvantages which is being labour intensive, due to being
probability it is not accurate enough and neither reliable of the
results the research processed, but in essence of other
estimations it use is justified [4].
The advantages and disadvantages of these methods was
useful in picking out the reason behind the methods
implementation and justifies the research papers indication of
what sort of research was put through to propose their
conclusion in using or not using such methods.

7. 4.3 The area of application, where did they validate?
Table 5 lists area of application and validation with cited
references for all the methods identified earlier in Table 3 in
terms of 18 review papers for this study. Since detailed
presentation about each area of application and validation in
the study context is not feasible, we choose to discuss closely
related area of application and validation in concert. Area of
application and validation are closely related when there is
some common goal of evaluation. Clustering associated to the
area of application and validation not only illustrates the
frequent goals of the studies. Nevertheless, to give weight
towards enhanced understanding about the consequence down
to increased sample size. For instance, based on the identified
methods, 4 reviewed papers have some sort of common
networking aspect in terms of application and validation can
be considered related, while 1 paper is specially talks about
information system of a campus website [19].
Most interestingly enterprise information system [17] [18]
was taken into consideration in order to validate the identified
methods for two of the reviewed papers, are accordingly
research paper 16 and 17. Besides identified methods for
another two of the reviewed papers (RP8 & RP13) were
validated in the area of banking industry [14] alongside
focusing on electronic banking system [9]. Furthermore
Information security and risk assessment method identified
within two of the reviewed paper out of 18 were applied and
validated in the area of Power plant production control system
[5] and Hydro Electric Power Plant [7]. Here both of the
above area of application and validation were closely related
by the common goal of evaluation “power plant”.
Table5. Area of validation of identified methods
Area of validation RPID Citation
Telecommunication laboratories in Taiwan RP1 [2]
Department of mathematics , Islamic Azad
University Iran
RP2 [3]
Biological and medical research in Ukraine RP3 [4]
Power Plant production control system RP4 [5]
Human reliability analysis centre in China RP5 [6]
Hydro Electric Power Plant RP6 [7]
e-BioScience group in the Academic
Medical Centre in Amsterdam
RP7 [8]
Online Electronic bank system's RP8 [9]
Campus network on educational institutes RP9 [10]
Backpropagation(BP) of artificial neural
network
RP10 [11]
A medium scale technology company RP11 [12]
School of Economy and Management ,China
University of Geosciences
RP12 [13]
Banking industry RP13 [14]
Business financial software system, highway
network toll system and highway network
monitoring system
RP14 [15]
IT landscape related to email processing and
spam detection within a small business
organization
RP15 [16]
Enterprise information system RP16 [17]
Enterprise information system RP17 [18]
Information system of a campus website RP18 [19]
As well in terms of similarity in the field of application and
validation both research paper (RP3 and RP7) used medical
research [4] [8] ground based on two different countries.
However both papers identified different method in terms of
IS and risk assessment in this systematic review process. More
to the point different department of two educational institutes
[3] [13] were taken in to consideration in order to validate
identified methods within research paper 2 and research paper
12. On the other hand in terms of application and validation of
identified methods rest of the papers consequently (RP1, RP5,
RP11 and RP15) were totally different to each others with
respect to diverse origins.
5. LIMITATIONS OF THIS REVIEW
The outcome from this current research have experienced
from subsequent limitations, which should be taken into
consideration while understanding or using the detailed
outcomes. Throughout the review process accuracy and
consistency was based on a common perceptive among the
five different researchers. Mistake can be the occasion of
subjective results. One of the main restrictions of the review
can be the likelihood of partiality in the selection of different
papers. To help out make sure that the assortment procedure
was as impartial as likely; we expanded in depth guiding
principle in the review procedure prior just before the starting
of the review. Within the paper selection stage, the grounds
for its inclusion or exclusion were documented. Subsequently
we also read repetitively the reviewed papers based on the
inclusion/exclusion principle.
Also we identified that most of the papers did not have
adequate information in regards to the different methods that
exists in information security and risk assessment, along with
their advantage and disadvantage as well as the area of
validation. The findings were typically detailed in a way,
which made it complex to establish the consequence of a
paper reviewed. At some point we had to deduce specific parts
of information throughout the data extraction course of action.
Therefore there is likelihood that the data gathering
progression might have brought in a number of factual errors
in the extorted data. In order to reduce this likelihood, we
decided to account such information supported on the primary
data accessible within the reviewed papers.
In addition, we held regular talks amongst different
researchers occupied in this research, with the intention of
simplifying any doubt throughout the review stage. This
exercise facilitates us to review our results, to make sure that
there was stability between individual researchers, in addition
to assist and determine any dissimilarity.
However based on the limitation of time and available
resources, we did not manage to analyse every piece of
extorted data in regard to information security and risk
assessment. We carefully ran cross-tests in the different parts
of this systematic review process.
Another major constraint in this systematic review process
was finding all the related papers to our research title. Here we
consume an advanced search in Google scholar based on some
key word related to research topic, instead of advanced search

8. in IEEExplore, ACM Digital Library and Science Direct for
most recent papers. This raised an issue that there is likelihood,
we have missed some papers that are on the margin
connecting the information security and risk assessment
(ISRA). We have also excluded all the technical report along
with book section and thesis papers from graduates based on
an assumption that all the high-quality papers will emerge as
journal along with conference papers. Yet this does not
emerge to be a setback for methodical review within ISRA in
terms of security management.
A further limitation is that the quality assessment in the
study was performed based on the data extracted by the
researcher to answer different research questions along with
sub questions as part of quality evaluation of papers under
results section. However the outcomes of quality comparisons
using both the techniques mentioned above are slightly
different at some points.
6. CONCLUSIONS
In summary, risk assessment is becoming more and more
vital to companies today. A lot of methods exist to address
Risk assessment in information Security. Some of these
methods have been identified as reported in 18 research
papers analyzed in this review paper. A number of these
methods showed up in multiple papers including CORAS [2]
[3] [9] and OCTAVE [2] [3] [18]. This demonstrates the
research concentration area in particular the methods of risk
assessment in information security. Considering 33% of the
paper reviewed came from only China it is understandable
that not many reported on well-known standards such as ISO
2700 [2] series and the NIST [3] [10] series. Not many papers
reported disadvantages of the methods they described,
however, similar advantages such ease of application were
spotted in couple of papers. Almost all the papers had various
methods tested in specific domains and similarities were
found in areas of validation in most of the papers out of 18.
The researchers as a whole would agree that the good
experience through this SLR would be that the major research
gathered and the data acknowledged was extracted really well
and managed to use the data extraction to investigate and
analyze the data in appropriate order. The other good point
was that considering each researcher had different background
the good point was that we managed to work really well
together to use the best of our abilities to complete the tasks
within the best expected quality. However, one problem we
faced during the research was that we gathered loads of papers
from China and unfortunately could not get hold of the
information to use for our study hence why it was brought
down from 122 papers to 18 relevant and important research
papers. The papers that we could of got hold of was in
Mandarin and when we did manage to translate the text it was
very hard to read and therefore this prevented us from using
those papers. The structure the researchers followed was very
reasonable and clear and allowed this SLR to be very
successful. The papers we generated was mostly conference
papers and when we did our quality assessment of regarding
the methods which was based on the first research question we
managed to gain the right path in understanding if the paper’s
content is relevant for this SLR.
In regards to the future research if we were to change our
experiences for further research it would be advisable to make
sure that the time frame would be longer to make sure we use
a resource center much improved compared to Google
Scholars such as IEEE, Springer or Science Direct. Looking at
the general impression of all 18 research papers, it can be
noted that most of the papers from the 18 are published in
Risk Assessment in the last 8 years and mostly have
originated from Asia. The question raised was ‘is the West
less concerned about publishing on Risk Assessment in
Information Security?’ an area worth looking into for further
research as it would generate a much interesting and enhanced
background knowledge.
Overall we agree that we were satisfied in completing this
SLR at the best of our quality. Also by making sure with the
short time frame that was accessible we managed to gather the
important information required to make this a successful SLR.
And that we hope this allows other researchers to understand
the information we managed to gain and be used for future
purposes if possible.
REFERENCES
[1] N. name, “risk-assessment,” IT service, [Online]. Available:
https://www.it.ox.ac.uk/policies-and-guidelines/is-toolkit/risk-
assessment. [Accessed 03 11 2015].
[2] Y. C. Chu, Y. C. Wei and W. H. Chang, “A risk
recommendation approach for information security risk
assessment,” in 15th Asia-Pacific, Network Operations and
Management Symposium (APNOMS), Hiroshima, 2013.
[3] S. Derakhshandeh and N. Mikaeilvand, “New Framework for
Comparing Information Security Risk Assessment
Methodologies,” Australian Journal of Basic and Applied
Sciences, vol. 5, no. 9, pp. 160-166, 2011.
[4] V. Mokhor and V. Tsurkan, “PROBIT-METHOD FOR
INFORMATION SECURITY,” Information Technology and
Security, vol. 1, no. 3, pp. 65-71, 2013.
[5] Z. Dai, H. Gao, P. Yong and L. Huikang, “A New Information
Security Risk Assessment Method in Power Production System
Based on Rough Sets and Bayesian Network,” in in Tenth
International Conference on, Intelligent Information Hiding and
Multimedia Signal Processing (IIH-MSP), Kitakyushu, 2014.
[6] T. Gu, M. Lu, L. Li and J. Li, “Research on the calculation
method of information security risk assessment considering
human reliability,” in International Conference on Reliability,
Maintainability and Safety (ICRMS), Guangzhou, 2014.
[7] J. D. Markovic-Petrovic and M. D. Stojanovic, “An Improved
Risk Assessment Method for SCADA Information Security,”
ELEKTRONIKA IR ELEKTROTECHNIKA, vol. 20, no. 7, pp.
69-72, 2014.
[8] E. Mouw, G. v. Noordende, B. Louter and S. D. Olabarriaga, “A
Model-based Information Security Risk Assessment Method for
Science Gateways,” IWSG, pp. 1-8, 2013.
[9] Q. Yong, X. Long and L. Qianmu, “Information Security Risk
Assessment Method Based on CORAS Frame,” in International
Conference on Computer Science and Software Engineering,
Wuhan, 2008.

9. [10] D. Bhilare, A. Ramani and S. Tanwani, “Information Security
Risk Assessment and Pointed Reporting: Scalable Approach,” in
International Conference on Computer Engineering and
Technology, Singapore, 2009.
[11] Z. Wang and H. Zeng, “Study on the risk assessment
quantitative method of information security,” in 3rd
International Conference on Advanced Computer Theory and
Engineering (ICACTE), Chengdu, 2010.
[12] B. Karabey and N. Baykal, “Attack tree based information
security risk assessment method integrating enterprise
objectives with vulnerabilities,” Int. Arab J. Inf. Technol, vol.
10, no. 3, pp. 297-304, 2013.
[13] Z. Xinlan, H. Zhifang, W. Guangfu and Z. Xin, “Information
Security Risk Assessment Methodology Research: Group
Decision Making and Analytic Hierarchy Process,” in Second
World Congress on Software Engineering (WCSE), Wuhan,
2010.
[14] K. Khanmohammadi and S. Houmb, “Business Process-Based
Information Security Risk Assessment,” in 4th International
Conference on Network and System Security (NSS), Melbourne,
2010.
[15] L. Zhou and Y. Zhou, “Gray relational analysis based method
for information security risk assessment,” in 7th International
Conference on Computer Science & Education (ICCSE),
Melbourne, 2012.
[16] A. Romanov, H. Tsubaki and E. Okamoto, “An Approach to
Perform Quantitative Information Security Risk Assessment in
IT Landscapes,” Information Processing Society of Japan, vol.
51, no. 9, pp. 1736 - 1749, 2010.
[17] Y. Liu, Q. Lin, K. Meng and Z. M. Tian, “A Novel Security
Risk Assessment Method of Enterprise Information System
Based on the Correlation of Equipments,” in 1st International
Conference on Information Science and Engineering (ICISE),
Nanjing, 2009.
[18] J. Bhattacharjee, A. Sengupta and C. Mazumdar, “A formal
methodology for Enterprise Information Security risk
assessment,” in International Conference on Risks and Security
of Internet and Systems (CRiSIS), La Rochelle, 2013.
[19] H. X. Tao, C. Liang, W. Chi and H. L. Qun, “The research of
information security risk assessment method based on fault
tree,” in Sixth International Conference on Networked
Computing and Advanced Information Management (NCM),
Seoul, 2010.
[20] A. R. McGee, F. A. Bastry, U. Chandrashekhar, S. Vasireddy
and L. A. Flynn, “Using the Bell Labs security framework to
enhance the ISO 17799/27001 information security management
system,” Bell Labs Technical Journal, vol. 12, no. 3, pp. 39 -
54 , 2007.