TITLE:
Towards Development of a Security Risk Assessment Model for Saudi Arabian Business Environment Based on the ISO/IEC 27005 ISRM Standard
AUTHORS:
Wael G. Alheadary
KEYWORDS:
Risk Assessment, Risk Analysis, Design Science Research, ISO/IEC 27005 ISRM
JOURNAL NAME:
Journal of Information Security, Vol.14 No.3, July 6, 2023
ABSTRACT: Security risk assessment is the process of identifying, analyzing, and evaluating the potential security risks facing an organization. As part of a comprehensive security program, it is the means by which an organization's assets, personnel, and operations are protected. Various security assessment models have been published in the literature to protect the assets, personnel, and operations of Saudi organizations. However, these models overlap with one another and were each developed for a specific purpose, so a comprehensive security risk assessment model for safeguarding the assets, personnel, and operations of Saudi organizations is still lacking. Using a design science methodology, the objective of this study is to develop such a model, called CSRAM, to assess security risks in Saudi Arabian organizations based on the International Organization for Standardization and International Electrotechnical Commission information security risk management standard (ISO/IEC 27005 ISRM). CSRAM consists of six stages: threat identification, vulnerability assessment, risk analysis, risk evaluation, risk treatment, and risk monitoring and review. Each stage comprises a number of activities and tasks that must be completed before moving to the next. Based on the results of a completeness validation, in which the activities of CSRAM were mapped against the clauses of the standard, we conclude that CSRAM covers the whole of the ISO/IEC 27005 ISRM standard and is therefore complete.