
The authors of this scholarly journal article discuss current risk management methods and how these methods are being affected by the fast-approaching "internet of things" in modern technology. The "internet of things" is stressed in the article because, with more devices having technology built into them, that technology can be used for malicious behavior that was not intended for the devices. The authors' main focus points were to look at common problems occurring with risk management methods, how those methods can be made cost-effective, and an overall review of the methods with a suggested solution.

The journal goes into detail about the roots from which most information security risk management methodologies originated. The first methodology mentioned was from 1975 and used the "Annual Loss Expectancy" to calculate the risk to computers. The authors mention that this method had a weak link: it did not do a good job of separating low-impact events from high-impact events. This led to another method being developed that had multiple steps and focused on both qualitative and quantitative risk. The methods involved were mostly checklist approaches or detailed models of a problem with a solution built in. The authors point out that these general approaches failed to consider the security specifications a company would need to consider. They consider most of these methods to be generic and believe they could be improved with research and other methodologies.
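As an added illustration (not code from the article or its authors), the Annual Loss Expectancy calculation the 1975 method relied on, with constructed scenarios showing how a single ALE figure can hide very different single-event impacts, plus the kind of cost-effectiveness check the authors' later focus on cost calls for. The formula ALE = SLE × ARO is the standard one; the scenario names and values are made up.

```python
# Added example: Annual Loss Expectancy (ALE) and its blind spot.
# ALE = SLE * ARO, where SLE (single loss expectancy) is the loss per event
# and ARO (annualized rate of occurrence) is the expected events per year.
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    name: str
    sle: float  # single loss expectancy, in currency units
    aro: float  # annualized rate of occurrence (events per year)

    @property
    def ale(self) -> float:
        return self.sle * self.aro


def rank_by_ale(scenarios):
    """Order scenarios by ALE, highest first, as a pure-ALE method would."""
    return sorted(scenarios, key=lambda s: s.ale, reverse=True)


def same_ale_different_impact(a, b, tol=1e-9):
    """True when two scenarios are indistinguishable by ALE even though their
    single-event impact differs by at least 10x: the low- vs high-impact
    weakness described in the article."""
    ratio = max(a.sle, b.sle) / min(a.sle, b.sle)
    return abs(a.ale - b.ale) <= tol and ratio >= 10


def control_is_cost_effective(scenario, ale_after, annual_cost):
    """A control pays for itself only if the ALE it removes exceeds its
    annual cost: (ALE_before - ALE_after) > annual_cost."""
    return (scenario.ale - ale_after) > annual_cost


# Constructed sample scenarios (illustrative values, not from the article).
SCENARIOS = [
    RiskScenario("laptop lost in transit", sle=5_000, aro=2.0),        # ALE 10,000
    RiskScenario("ransomware on file server", sle=500_000, aro=0.02),  # ALE 10,000
    RiskScenario("phishing credential theft", sle=20_000, aro=0.5),    # ALE 10,000
]

if __name__ == "__main__":
    for s in rank_by_ale(SCENARIOS):
        print(f"{s.name:28s} SLE={s.sle:>10,.0f} ARO={s.aro:<5} ALE={s.ale:,.0f}")
    # All three rank identically by ALE, yet one is a catastrophic single event.
    print(same_ale_different_impact(SCENARIOS[0], SCENARIOS[1]))  # True
```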


The authors then go into more detail about current risk management frameworks such as NIST SP 800-30, ISO 27005, EBIOS, OCTAVE, CRAMM, FAIR, and ISAMM. They explain how these frameworks function and how they affect information security risk management. The article points out that there are only a few differences between the frameworks: each covers system boundaries, threat and vulnerability assessments, and how to control risk and implement solutions. The authors point out the positives of the frameworks and then evaluated and researched them to find potential problems.

The authors came up with five problems that can be approached, along with potential solutions they concluded would work. The first problem is proper identification and an accurate asset inventory. The second problem is trying to give assets a true value based on losses and the system downtime caused by those losses. The third problem is failed predictions of risk and ignoring risks that might be nothing today but something big in the future. The fourth problem is what the authors call the "overconfidence effect," in which professionals are too biased about the outcome of a risk. The fifth problem is that knowledge sharing can lead to improved security but can also open another door to a security breach among companies. The last problem is deciding whether the cost of protecting against risks is cost-effective.

The authors let the audience know that there is still room for improvement in information security risk management. They will continue their research to address these problems and develop more thought-out methods as solutions. The main focus at the end is on future solutions to the problems, such as methods for increasing the efficiency of inventories, determining asset value with regard to confidentiality, calibration tests for the overconfidence effect, and knowledge-sharing technology that allows secure information sharing.
