Research Article

A Comparative Study on Information Security Risk Analysis Practices

Published in November 2012 by Neeta Shukla, Sachin Kumar
Issues and Challenges in Networking, Intelligence and Computing Technologies
Foundation of Computer Science USA
ICNICT - Number 3

Neeta Shukla, Sachin Kumar. A Comparative Study on Information Security Risk Analysis Practices. Issues and Challenges in Networking, Intelligence and Computing Technologies. ICNICT, 3 (November 2012), 28-33.

@article{
author = { Neeta Shukla, Sachin Kumar },
title = { A Comparative Study on Information Security Risk Analysis Practices },
journal = { Issues and Challenges in Networking, Intelligence and Computing Technologies },
issue_date = { November 2012 },
volume = { ICNICT },
number = { 3 },
month = { November },
year = { 2012 },
issn = { 0975-8887 },
pages = { 28-33 },
numpages = { 6 },
url = { /specialissues/icnict/number3/9033-1049/ },
publisher = {Foundation of Computer Science (FCS), NY, USA},
address = {New York, USA}
}
%0 Special Issue Article
%1 Issues and Challenges in Networking, Intelligence and Computing Technologies
%A Neeta Shukla
%A Sachin Kumar
%T A Comparative Study on Information Security Risk Analysis Practices
%J Issues and Challenges in Networking, Intelligence and Computing Technologies
%@ 0975-8887
%V ICNICT
%N 3
%P 28-33
%D 2012
%I International Journal of Computer Applications
Abstract

Information is a key asset for organizations, and reducing the risk of information compromise is a high priority. Many risk analysis methods are available today; some are qualitative, others more quantitative in nature. They all share the same fundamental goal, estimating the overall value of risk, but most pursue that goal through very different approaches. Some approaches can be applied to all types of risk, while others are specific to particular risks. This work examines several of the methodologies currently used to analyze information security risks. The main task for an organization is to determine which one to use. Since the organization will spend money on whichever method it chooses, it is vital that the chosen methodology meets its requirements. The purpose of the study is to compare and clarify the activities, inputs, and outputs required by each information security risk assessment model, and the kind of analysis that effectively addresses information security risks.
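As an added illustration (not part of the original paper), the following Python sketch runs one constructed risk register through both families of method the abstract contrasts: a quantitative model using the standard annualized loss expectancy calculation (single loss expectancy = asset value x exposure factor; ALE = SLE x annual rate of occurrence) and a qualitative likelihood/impact matrix on a three-level ordinal scale. It shows that the two approaches consume different inputs, produce outputs of different kinds (a monetary figure versus an ordinal rating), and can rank the same scenarios differently. The scenario names, figures, and rating thresholds are assumptions chosen for the example.

```python
"""Added example: the same constructed risk register scored two ways.

Quantitative: single loss expectancy (SLE) = asset value x exposure factor,
annualized loss expectancy (ALE) = SLE x annual rate of occurrence (ARO).
Qualitative: ordinal likelihood x impact on a three-level scale.
All scenario names and figures are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    # Inputs only the quantitative method consumes
    asset_value: float      # monetary value of the asset at risk
    exposure_factor: float  # fraction of the asset value lost per incident, 0.0-1.0
    annual_rate: float      # expected incidents per year (ARO)
    # Inputs only the qualitative method consumes
    likelihood: str         # "low" | "medium" | "high"
    impact: str             # "low" | "medium" | "high"


LEVELS = {"low": 1, "medium": 2, "high": 3}

# Constructed sample register (assumed figures, not taken from any study)
SCENARIOS = [
    Scenario("Customer database breach", 500_000, 0.6, 0.5, "low", "high"),
    Scenario("Web defacement", 20_000, 0.25, 2.0, "medium", "medium"),
    Scenario("Laptop theft", 2_000, 1.0, 4.0, "high", "low"),
]


def single_loss_expectancy(s: Scenario) -> float:
    return s.asset_value * s.exposure_factor


def annualized_loss_expectancy(s: Scenario) -> float:
    return single_loss_expectancy(s) * s.annual_rate


def quantitative_ranking(scenarios):
    """Monetary output: (name, ALE) ordered by ALE, highest first."""
    return sorted(((s.name, annualized_loss_expectancy(s)) for s in scenarios),
                  key=lambda item: item[1], reverse=True)


def qualitative_score(s: Scenario) -> int:
    """Cell of the likelihood x impact matrix, 1..9."""
    return LEVELS[s.likelihood] * LEVELS[s.impact]


def qualitative_rating(score: int) -> str:
    """Map a matrix cell to a rating; the thresholds are an assumption."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def qualitative_ranking(scenarios):
    """Ordinal output: (name, rating, cell score), highest cell first.
    sorted() is stable, so tied scenarios keep their input order."""
    return sorted(((s.name, qualitative_rating(qualitative_score(s)), qualitative_score(s))
                   for s in scenarios),
                  key=lambda item: item[2], reverse=True)


def safeguard_net_benefit(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Quantitative-only output: yearly value of a control = risk reduction minus cost.
    A qualitative matrix yields no comparable number."""
    return (ale_before - ale_after) - annual_cost


def compare(scenarios):
    """Run both methods and report whether they agree on the top risk."""
    quant = quantitative_ranking(scenarios)
    qual = qualitative_ranking(scenarios)
    return {"quantitative": quant, "qualitative": qual,
            "same_top_risk": quant[0][0] == qual[0][0]}


if __name__ == "__main__":
    result = compare(SCENARIOS)
    for name, ale in result["quantitative"]:
        print(f"ALE  {ale:>12,.0f}  {name}")
    for name, rating, score in result["qualitative"]:
        print(f"cell {score}  {rating:<6}  {name}")
    print("top risk agrees:", result["same_top_risk"])
```

With these figures the quantitative ranking puts the database breach first (ALE 150,000), while the qualitative matrix puts the defacement first (medium x medium = 4 beats low x high = 3), which is the kind of divergence an organization has to weigh when choosing a method: the quantitative path needs asset valuations and incident-rate estimates it may not have, but it is the only one that can price a safeguard.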

Index Terms

Computer Science
Information Sciences

Keywords

Information Security Risk Analysis, Risk Assessment, Risk Analysis Models, Risk Analysis Method, Risk Analysis Comparison, Information Security Risk Analysis Methods