Article ID: | iaor19912054 |
Country: | United Kingdom |
Volume: | 1 |
Start Page Number: | 121 |
End Page Number: | 130 |
Publication Date: | Apr 1991 |
Journal: | European Journal of Information Systems |
Authors: | Baskerville R. |
Keywords: | information, risk |
Risk analysis is the predominant technique used by information security professionals to establish the feasibility of information systems controls. Yet it fails an essential test of scientific method: it lacks statistical rigour and is subject to social misuse. Adoption of alternatives from other disciplines, however, proves even more implausible. Indeed, even improved rigour in risk analysis may limit its usefulness. Perhaps risk analysis is misconceived: its ostensible value as a predictive technique is less relevant than its value as an effective communications link between the security and management professionals who must make decisions concerning capital investments in information systems security.