An abundance of information security and risk management theories is prevalent; however, it can be difficult to identify theories that are both valid and applicable. In the discussion that follows, several information security and risk management theories are evaluated. These theories are presented and employed through various frameworks, models, and best practice guidelines. Whether sufficient research supports each theory is also assessed, along with a consideration of the challenges that arise where research is lacking.
The evolution and understanding of the importance of information security and risk management originates from the awareness of the potential of IT in business functions and as a business enabler. This was then followed by the realization that the risks brought about by this boundless facilitator must be properly understood and addressed. The essence of information security and risk management is to distinguish low-risk from high-risk systems and processes, and then to address those risks appropriately.
Risk Management Theory. The Risk Management Theory has been around for quite some time. According to Hong, Chi, Chao, and Tang (2003), risks pertaining to IT security can be measured and evaluated by assessing potential attack vectors and the susceptibilities of the organization’s systems and processes. The authors suggest that the outcome of this evaluation allows for the identification of essential security programs and the employment of IT security controls to mitigate these risks. The intended outcome of applying this theory is to manage risks until they are at a permissible level. The Risk Management Theory, while broad in nature, does not encompass enough of the information security and risk management paradigm. Though it is supported by considerable research, this author opines that it would be most effective to incorporate the theory alongside additional frameworks.
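The workflow Hong et al. describe (assess attack vectors and susceptibilities, apply controls, and manage risk down to a permissible level) is easiest to see in a concrete risk register. The following is an added illustration, not code from the essay or from the cited authors: it scores each risk from a likelihood and an impact rating, applies the controls selected for it, and reports which residual risks still exceed an accepted threshold. The 1-to-5 scales, the sample assets, the controls, and the "permissible" threshold of 8 are all constructed assumptions.

```python
"""Added example: a minimal risk register implementing the assess-then-mitigate
cycle of Risk Management Theory. All scales, assets, controls and thresholds
below are constructed for illustration only."""
from dataclasses import dataclass, field

SCALE_MIN, SCALE_MAX = 1, 5  # likelihood and impact are rated 1 (lowest) to 5 (highest)


@dataclass
class Control:
    """A mitigating control and how many rating points it removes."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    asset: str
    threat: str          # the attack vector being considered
    weakness: str        # the susceptibility that makes the vector viable
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)

    def __post_init__(self):
        for value in (self.likelihood, self.impact):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"rating {value} outside {SCALE_MIN}..{SCALE_MAX}")

    def inherent_score(self) -> int:
        """Risk before any control is applied."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Risk after the selected controls; a rating never drops below the scale minimum."""
        lik = max(SCALE_MIN, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = max(SCALE_MIN, self.impact - sum(c.impact_reduction for c in self.controls))
        return lik * imp


def classify(score: int, high_threshold: int = 15) -> str:
    """Split the register into the low-risk and high-risk systems the text refers to."""
    return "high" if score >= high_threshold else "low"


def evaluate_register(risks, permissible: int = 8):
    """Return a per-risk summary and the assets whose residual risk is still above
    the permissible level (i.e. those that need further treatment)."""
    summary = []
    outstanding = []
    for r in risks:
        inherent, residual = r.inherent_score(), r.residual_score()
        accepted = residual <= permissible
        summary.append({
            "asset": r.asset, "threat": r.threat, "weakness": r.weakness,
            "inherent": inherent, "inherent_rating": classify(inherent),
            "residual": residual, "accepted": accepted,
        })
        if not accepted:
            outstanding.append(r.asset)
    return summary, outstanding


def build_sample_register():
    """Constructed sample data; assets and controls are hypothetical."""
    mfa = Control("multi-factor authentication", likelihood_reduction=2)
    backups = Control("tested offline backups", impact_reduction=1)
    patching = Control("monthly patch cycle", likelihood_reduction=1)
    return [
        Risk("Customer portal", "credential stuffing", "password-only logins", 4, 5, [mfa, backups]),
        Risk("Internal wiki", "data leakage", "broad read access", 2, 2),
        Risk("Build server", "remote code execution", "unpatched CI agent", 5, 5, [patching]),
    ]


if __name__ == "__main__":
    summary, outstanding = evaluate_register(build_sample_register())
    for row in summary:
        print(f"{row['asset']:16} inherent={row['inherent']:2} ({row['inherent_rating']})"
              f"  residual={row['residual']:2}  accepted={row['accepted']}")
    print("still above permissible level:", outstanding)
```

The point of the register is the loop it encodes: controls are added to a risk until `residual_score()` falls to or below the permissible level, and anything left in `outstanding` is the list of systems where the evaluation has identified an essential security program still to be funded.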
Control Objectives for Information and Related Technology (COBIT). Originally published in 1996, COBIT is a globally recognized framework centered on controls pertaining to IT governance (Burch, 2008). The Information Systems Audit and Control Association (ISACA) established the framework in conjunction with the IT Governance Institute. As the framework evolved to encompass the management of IT in addition to IT governance, COBIT 5 was unveiled in April of 2012 and declared by ISACA to be “…the only business framework for the governance and management of enterprise IT” (ISACA, 2012c). COBIT 5 for Information Security has also been developed by ISACA and is intended to be an encompassing framework that links together other frameworks and information security best practices. The frameworks and standards that complement COBIT 5 for Information Security include ISACA’s Business Model for Information Security (BMIS), the Information Security Forum’s (ISF) Standard of Good Practice, the ISO/IEC 27000 series, NIST SP 800-53a, and...