How can organizations choose the most effective method for assessing information security risks? This research identifies and evaluates key factors to consider when selecting a risk assessment method for an organization's information security needs. In the era of evolving cyber threats, organizations face a complex challenge in protecting sensitive data and systems. This paper addresses the critical decision-making process of selecting a suitable risk assessment method. The study examines the requirements for an ideal risk assessment approach. It validates these factors through empirical research conducted at two large Australian organizations. The authors highlight the challenges associated with existing methods, such as time consumption, subjective data, financial loss quantification, and high costs. Ultimately, this paper provides practical guidance for organizations in evaluating, selecting, or developing risk assessment methods. The findings offer valuable insights into decision-making processes within organizational information security, helping businesses make informed choices to safeguard their assets.
This paper explores a methodology for assessing organizational information security. There are no related journal categories in which to contextualize the paper within the journal's scope.