Change search
ReferencesLink to record
Permanent link

Direct link
The Risk Assessment based on international standards, a credibility evaluation: A case study on international standards of Risk Assessment and Management in the Information Security context
Umeå University, Faculty of Social Sciences, Umeå School of Business and Economics (USBE), Business Administration.
Umeå University, Faculty of Social Sciences, Umeå School of Business and Economics (USBE), Business Administration.
2015 (English)Independent thesis Advanced level (degree of Master (One Year)), 10 credits / 15 HE creditsStudent thesis
Abstract [en]


Organizations face risks regardless of the type of industry or government. Historically risks have been undertaken in various processes and coped with differently by society. An appropriate application of risk management is widely acknowledged as one of the most critical aspects of undertaking business activities across all sectors in society, public and private. In order to carry out this activity as part of the crucial actions the organizations implement as part of their culture, many standards have been developed at the international level. These standards provide the groundwork for entities to start implementing these processes and reduce the risk they face with a standardized set of procedures across sectors. Risk assessment faces abundant arguments that lead to doubt the credibility of the standards implemented by different organizations, as not a single method or definition is agreed upon across cultural and sectorial barriers. Therefore, the credibility of the standardized assessment is doubted.

This study aims to evaluate the credibility of standardized risk assessments with a focus on the Information Security Risk Assessment Standards, in particular ISO 27005 and NIST 800-30 in collaboration with the Swedish Armed Forces. The research adapts the frameworks available in literature to evaluate credibility of risk assessments to the international standardized assessment procedure. The standards credibility will be evaluated with different criteria divided in five categories considered applicable to the standardised risk assessment procedure. Also, input from experts in organizations currently employing the standards and academic experts in the field will also be utilized. This study utilizes a qualitative case study approach.

The credibility evaluation performance of each international standard is similar; the only category that NIST 800-30 has a significant better performance is the category related to the final Risk Assessment Results (Report). The NIST provides a further step in the process as well as the guidelines and templates in order to develop different parts of the assessment process including the report, which is considered a best practice of a standardised risk assessment. The findings of the research contradict four criteria of the framework found in the literature, related to with what can be learned from past risk assessments, to the wide ranging of the required scope of a risk assessment, the relevance of the disclosure of information on the final risk assessment report related to the composition of the assessment group and finally the procedure for finding consensus among stakeholders.

The research question “How credible are standardized risk assessments?” provide a holistic understanding of the credibility of the standards previously mentioned, determining that these provide a solid framework for companies to start assessing the risks in a regulated and standardized procedure. These oversee the problems embedded in the subjectivity of a risk assessment and the ever-changing (intrinsic and extrinsic) aspects of stakeholder behaviour with a lack of a systemic approach to solve these issues, which also include the lack of proper handling of risk uncertainty and the lack of transparency on the final risk assessment report. The study provides a groundwork which can be used in order to develop future research. This study also provides a grounded framework which can be used by entities utilizing the standards in order to reflect their procedures of their risk assessment activities.

Keywords: Credibility, risk assessment, risk management, international standards, risk, information security, ISO 27005, NIST 800-30.

Place, publisher, year, edition, pages
2015. , 90 p.
Keyword [en]
Credibility, risk assessment, risk management, international standards, risk, information security, ISO 27005, NIST 800-30.
National Category
Business Administration
URN: urn:nbn:se:umu:diva-99982OAI: diva2:789086
External cooperation
Swedish Armed Forces
Available from: 2015-02-19 Created: 2015-02-17 Last updated: 2015-02-19Bibliographically approved

Open Access in DiVA

Credibility of Standardized Risk Assesments(1504 kB)850 downloads
File information
File name FULLTEXT01.pdfFile size 1504 kBChecksum SHA-512
Type fulltextMimetype application/pdf

By organisation
Business Administration
Business Administration

Search outside of DiVA

GoogleGoogle Scholar
Total: 850 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

Total: 3742 hits
ReferencesLink to record
Permanent link

Direct link