Authors: Baskerville, R.
Date: 1991
Title: “Risk Analysis: an Interpretive Feasibility Tool in Justifying Information Systems Security”
Journal: European Journal of Information Systems, 1 (2)
Pages: 121-130

Keywords: Risk analysis, information systems controls, information systems security

Abstract: Risk analysis is the predominant technique used by information security professionals to establish the feasibility of information systems controls. Yet it fails an essential test of scientific method, it lacks statistical rigor and is subject to social misuse. Adoption of alternatives from other disciplines, however, proves even more implausible. Indeed, even improved rigor in risk analysis may limit its usefulness. Perhaps risk analysis is misconceived: its ostensible value as a predictive technique is less relevant than its value as an effective communications link between the security and management professionals who must make decisions concerning capital investments in information systems security.