Author(s)

L. PAN & A. TOMLINSON

Abstract

Many standards exist to guide the process of risk assessment, particularly in the field of information security. This leads to many, subtly different, definitions of risk analysis, evaluation and assessment. Consequently, researchers often confuse these terms and disciplines, which leads to further confusion within the community. In this sense, it is important to come to a common understanding of the processes and terminology to clarify research in this area. A common approach to achieve this goal is to carry out a literature review. This paper takes a formal approach to the literature review based on the ideas of the Cochrane group. The result is a systematic review of risk assessment in the field of information security. We present a systematic review of over 80 research papers published between 2004 and 2014. The main contribution of our paper is to construct a classification of these published papers into seven types. This classification aims to help researchers obtain a clear and unbiased picture of the terminology, developments and trends of information security risk assessment in the academic sector.

Keywords

information security, ISO 27005, risk analysis, risk assessment, systematic review