نوع مقاله : مقاله پژوهشی
نویسندگان
پژوهشگاه علوم و فناوری اطلاعات ایران (ایرانداک)
چکیده
کلیدواژهها
موضوعات
عنوان مقاله [English]
نویسندگان [English]
One of the key actions in information security management is information security risk management, the main stage of which is known as "information security risk assessment". So far, various methods, standards and frameworks have been formed for this purpose. The main question that has been considered in this study is that despite this range of information security risk assessment methods, how should an organization choose and implement the appropriate method for its goals and situation. In order to answer this question, in this research, first, an evaluation framework consisting of 13 evaluation criteria was designed in two categories: the nature of the method and the adaptation of the method to the organizational situation. Then, based on this framework, 18 well-known information security risk assessment methods were evaluated in the organizational case of Iranian Research Institute for Information Science and Technology (IranDoc). The results of this evaluation showed that the proposed framework has the required validity. Based on these results, the ISO 27005 standard was recognized as the most appropriate method of information security risk assessment in the investigated case. At the end, based on these results and in line with further development and validation of the presented framework, suggestions were presented.
کلیدواژهها [English]