An Opportunity-Based Approach to Information Security Risk


Research area: Safety



Venue: European Symposium on Research in Computer Security


Abstract

The traditional approach to Information Security Risk Management (ISRM) assumes that risk can only affect businesses negatively. However, it is notable that the latest edition of the standard, ISO/IEC 27005:2022 Guidance on managing information security risks, provides a definition of risk that covers both positive and negative consequences. Hence, present and future business leaders can expect information security professionals in their organisations to report on positive aspects of information security risk in addition to negative risk, which is a rather new and radical idea. Since information security risk assessment has traditionally focused on threats, no guidelines currently exist for how to identify, describe or assess positive risk in the context of ISRM. The aim of this study is to describe an opportunity-based approach to information security risk. In addition, this paper discusses some limitations of how ISO/IEC 27005:2022 defines risk, and on that basis proposes a definition of positive risk in the context of ISRM. Finally, some strategies for describing and assessing positive risk are presented.


Authors

Dinh Uy Tran, University of Oslo, 0373 Oslo, Norway

Sigrid Haug Selnes, University of Oslo, 0373 Oslo, Norway

Audun Jøsang, University of Oslo, 0373 Oslo, Norway

Paper information

Year of publication: 2024
Citations: 0
Country of publication: Norway
Site: Springer