1 research outputs found
Risk Management Practices in Information Security: Exploring the Status Quo in the DACH Region
Information security management aims at ensuring proper protection of
information values and information processing systems (i.e. assets).
Information security risk management techniques are incorporated to deal with
threats and vulnerabilities that impose risks to information security
properties of these assets. This paper investigates the current state of risk
management practices being used in information security management in the DACH
region (Germany, Austria, Switzerland). We used an anonymous online survey
targeting strategic and operative information security and risk managers and
collected data from 26 organizations. We analyzed general practices,
documentation artifacts, patterns of stakeholder collaboration as well as tool
types and data sources used by enterprises to conduct information security
management activities. Our findings show that the state of practice of
information security risk management is in need of improvement. Current
industrial practice heavily relies on manual data collection and complex
potentially subjective decision processes with multiple stakeholders involved.
Dedicated risk management tools and methods are used selectively and neglected
in favor of general-purpose documentation tools and direct communication
between stakeholders. In light of our results we propose guidelines for the
development of risk management practices that are better aligned with the
current operational situation in information security management