Högskolan i Skövde

To Risk Analyse, or Not to Risk Analyse: That’s the Question
School of Engineering, Jönköping University, Sweden.
Computer Science, Electrical and Space Engineering, Luleå University of Technology, Sweden.
University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment. (Information Systems) ORCID iD: 0000-0003-1692-5721
2025 (English) In: Human Aspects of Information Security and Assurance: 18th IFIP WG 11.12 International Symposium, HAISA 2024, Skövde, Sweden, July 9–11, 2024, Proceedings, Part I / [ed] Nathan Clarke; Steven Furnell, Cham: Springer, 2025, p. 107-119. Conference paper, Published paper (Refereed)
Abstract [en]

Risk analysis is a key activity for organisations that are looking to protect their valuable information assets against threats, such as malicious actors. It is one of the essential parts of risk management and is used to justify and prioritise what assets require the attention of which potential security controls. Risk management, and more specifically, risk analysis, is an activity that should be performed continuously. However, recent studies indicate that this is not always the case. As such, this paper investigates risk analysis as it is performed in practice in different Swedish public sector organisations. The results are based on semi-structured interviews with 17 senior security experts, an analysis of standards, and a national method support aiming to fill the gap between standard and practice. The results are presented in three themes: how, when and why risk analysis is performed. Of note, we identify that there is an issue of overlooking specific assets or systems when establishing an organisational-wide risk profile and a general recognition of the necessity for risk analysis, albeit not always in alignment with a classic risk analysis. 

Place, publisher, year, edition, pages
Cham: Springer, 2025. p. 107-119
Series
IFIP Advances in Information and Communication Technology, ISSN 1868-4238, E-ISSN 1868-422X ; 721
Keywords [en]
Cybersecurity, Information security, Risk analysis, Risk assessment, Cyber security, Information assets, Organisational, Public sector organization, Risk analyze, Risks management, Security controls, Security experts, Semi structured interviews, Swedishs
National Category
Information Systems; Information Systems, Social aspects; Work Sciences
Research subject
Information Systems
Identifiers
URN: urn:nbn:se:his:diva-24793
DOI: 10.1007/978-3-031-72559-3_8
Scopus ID: 2-s2.0-85211361560
ISBN: 978-3-031-72558-6 (print)
ISBN: 978-3-031-72561-6 (print)
ISBN: 978-3-031-72559-3 (electronic)
OAI: oai:DiVA.org:his-24793
DiVA, id: diva2:1922674
Conference
18th IFIP WG 11.12 International Symposium, HAISA 2024, Skövde, Sweden, July 9–11, 2024
Projects
VISKA
Funder
Swedish Civil Contingencies Agency, MSB 2021-14650
Note

© IFIP International Federation for Information Processing 2025

Correspondence Address: E. Bergström; School of Engineering, Jönköping University, Jönköping, Sweden; email: erik.bergstrom@ju.se

We gratefully acknowledge the grant from the Swedish Civil Contingencies Agency (MSB), project VISKA (MSB 2021-14650).

Available from: 2024-12-19 Created: 2024-12-19 Last updated: 2025-09-29 Bibliographically approved

Open Access in DiVA

No full text in DiVA

Authority records

Lundgren, Martin
