A framework for the management of information security risks

Document Type

Journal Article

Springer Science & Business Media

Computing, Health and Science

School of Computer and Information Science, Centre for Security Research

This article was originally published as: Jones, A. (2007). A framework for the management of information security risks. BT Technology Journal, 25(1), 30-36.


This paper looks at the development of a framework for information security risk assessments within an organisation. A risk framework is a convenient and communicable tool that can be used to describe the principles and essential components of an organisation's security risk management process. The framework shows how significant risks can be identified, assessed and treated. It also explains the measures that can be taken to mitigate or ‘treat’ the organisation's risk exposure for the future. The risk framework provides a common language that can be used by all of the parties involved in the process, from the members of the board, through the security and audit staffs, to the end users of the systems, as a vehicle for communication and improved understanding. In addition, a risk framework provides a high-level outline of the way in which an organisation will implement information security risk management and defines the roles of the key participants in the process.