Upasna Saluja, Dr Norbik Idris
Information security risk assessment has gained importance as organisations' dependence on information has grown on the one hand, while the threat environment has become more complex on the other. Traditional risk assessments are subjective and have proven inadequate in addressing the growing complexity of identifying, analysing and evaluating risks in recent times. Risk-related decisions are invariably based upon scores derived from rudimentary aggregation of qualitative ratings. A study of risk assessment practices over the last two decades revealed that effort has been made to make risk assessments as quantitative as possible. The literature review revealed rich potential for adapting risk assessment methods from other mature fields, namely medicine and finance. The study proposes research and innovation requirements towards a new information security risk assessment model. This new approach should have a scientific foundation for assessing and evaluating risks, improving the information security risk assessment approach by assessing risks in a more objective manner while giving due consideration to the appropriate measurement unit for each specific risk area and taking into account the interdependence among different risk areas. This paper lays a sound foundation for advanced innovation in the field of information risks.