Purpose - This paper seeks to present a conceptual modeling approach, which is new in the domain of information systems security risk assessment. Design/methodology/approach - The approach is helpful for performing means-end analysis, thereby uncovering the structural origin of security risks in information systems, and how the root-causes of such risks can be controlled from the early stages of the projects. Findings - Though some attempts have previously been made to model security risk assessment in information systems using conventional modeling techniques such as data flow diagrams and UML, the previous works have analyzed and modeled the same just by addressing what a process is like. However, they do not address why the process is the way it is. Originality/value - The approach addresses the limitation of theexisting security risk assessment models by exploring the strategic dependencies between the actors of a system and analyzing the motivations, intents and rationales behind the different entities and activities constituting the system.

Additional Metadata
Keywords Data security, Information control, Modelling, Risk assessment
Persistent URL dx.doi.org/10.1108/09685220710738787
Journal Information Management and Computer Security
Citation
Misra, S.C. (Subhas C.), Kumar, V, & Kumar, U. (2007). A strategic modeling technique for information security risk assessment. Information Management and Computer Security, 15(1), 64–77. doi:10.1108/09685220710738787