Journal of Information Technology Theory and Application (JITTA)


Information security risk management (ISRM) methods aim to protect organizational information infrastructure from a range of security threats by using the most effective and cost-efficient means. We reviewed the literature and found three common deficiencies in ISRM practice: 1) information security risk identification is commonly perfunctory, 2) information security risks are commonly estimated with little reference to the organization’s actual situation, and 3) information security risk assessment is commonly performed on an intermittent, non-historical basis. These deficiencies indicate that, despite implementing ISRM best-practice, organizations are likely to have inadequate situation awareness (SA) regarding their information security risk environments. This paper presents a management system design that organizations can use to support SA in their ISRM efforts.