
  Risk Indicators for Information Security Risk Identification  
  Authors : Upasna Saluja; Norbik Bashah Idris


Information Security Risk Identification in today's methodologies is asset-centric, which makes it tedious and time consuming. It is subjective and depends heavily on the expertise of the information security practitioners conducting the risk assessment. This paper proposes a methodology for Risk Identification that moves away from the asset-centric approach by incorporating the concept of Risk Indicators, which is the foundation of Risk Identification in finance and medicine. This Risk Identification approach enables statistical analysis for Risk Assessment, making it objective and scientific and thus inspiring greater confidence among stakeholders.


Published In : IJCSN Journal Volume 3, Issue 5

Date of Publication : October 2014

Pages : 393 - 401

Figures : 01

Tables : 04

Publication Link : Risk Indicators for Information Security Risk Identification




Upasna Saluja : completed her Masters in Statistics in 1992 and a Bachelor's degree in English and Economics in 1989 from Punjab University. She also completed a Post BS Diploma in Computer Applications from Kurukshetra University, India in 1990. She has over 15 years of experience, including teaching and vital risk management and consulting roles in multinational companies such as Malaysia HP (2008-2010), Thomson Reuters (2010-2014) and most recently ANZ Banking Group (since May 2014). Prior to 2008 she worked in numerous Information Security consulting companies in India (2 years) and Malaysia (4 years). She holds industry-leading certifications such as CISSP, CISA, CRISC, ISO 27001 and BS 25999. She has over 20 papers, articles and presentations to her name. She won a best paper award for her paper "Information Risk Management - Qualitative or Quantitative? Cross Industry Lessons from the Medical and Financial Field" at The 8th International Symposium on Risk Management and Cyber-Informatics: RMCI 2011, held in Florida, USA.

Norbik Bashah Idris : is Professor of "Software Engineering & Information Security" at Advanced Informatics School, Universiti Teknologi Malaysia. He is also Founder of the SCAN Group of companies, with a niche in information security. He is a CISSP and CISM.

Keywords : Information Security; Risk Assessment; Risk Identification


This paper has presented a new approach to Information Security Risk Identification that is objective in nature. Being more objective, this approach provides scientifically determined Risk Indicators as a reliable input for Statistical Risk Analysis. Further, it reduces the subjectivity and assessor bias that are unavoidable in qualitatively managed risk assessments.