Auburn University Electronic Theses and Dissertations

An Investigation of Organizational Information Security Risk Analysis




Jourdan, Stephen Zachariah






From the dawn of the information age, technology has advanced rapidly to the point where networked computers are almost ubiquitous. One of the problems with connecting computers together is increased vulnerability to information security threats. Computer viruses, denial of service attacks, and intruders hacking into organizational information systems are becoming commonplace (Mitnick & Simon, 2002; Bodin, Gordon, & Loeb, 2005). In recent years, practitioners and researchers have begun to study issues related to information security (Straub & Welke, 1998). One component of this research is assessing the information security risk analysis practices of the organization (Cavusoglu, Mishra, & Raghunathan, 2004). Despite a growing number and variety of information security threats, many organizations continue to neglect implementing information security policies and procedures. The likelihood that an organization's information systems can fall victim to these threats is known as information systems risk (Straub & Welke, 1998). To combat these threats, an organization must undergo a rigorous process of self-analysis. Rainer, Snyder, and Carr (1991) published one of the seminal papers on Information Security Risk Analysis (ISRA). Since the publication of that work, very little research has investigated the risk analysis processes that organizations conduct to assess and remedy the variety of information security threats that exist in a modern networked environment. To better understand the current state of the ISRA process, this study used a two-phase approach. In the first phase, a questionnaire using both open-ended and closed-ended questions was administered to a group of information security professionals (N=32). The results of this initial investigation led to a second-phase questionnaire in which a regression model was tested using a new sample of information security professionals (N=144).
The qualitative and quantitative results of this study show that organizations are beginning to conduct regularly scheduled ISRA processes. However, the results also show that organizations still have room for improvement before their ISRA processes can be considered ideal. In this exploratory study, a regression model tested the effects of seven factors on perceived ISRA effectiveness: the frequency of the ISRA process, the number of methodologies used in the ISRA process, the use of insurance to protect the organization's information assets, the calculation of Return on Investment for security expenditures, the perceived significance of threats to the organization's information systems, top management support for the ISRA process, and the security culture of the organization. All seven factors indicated a positive effect on perceived ISRA effectiveness. Limitations of the study and implications for researchers and managers are discussed.