In this section we present the different fields that are related to this paper, with a short description of how each field relates to the paper and some examples of tools and frameworks used within it. The different fields are outlined in Figure 1.
IT Security Risk Management
IT Security Risk Management is a part of Information Security Management, which in turn is related to IT Security Governance. The International Standard Organization (ISO) has established a standard for Information Security Management Systems (ISMS), described in ISO 27001 (ISO/IEC, 2005) and related documents, which are among the main documents in the area. The concept of IT Security Governance is described in Guidance for Information Security Managers (ITGI, 2008) and the Risk IT Framework (ISACA, 2009).
As a part of Information Security Management, ISO has also established a standard for IT Security Risk Management (ISO/IEC 27005, 2008).
The National Institute of Standards and Technology (NIST) has introduced a framework for Enterprise-wide Risk Management using three different levels (Tiers), each of which views the organization from a different perspective. The multitier concept is described in a number of NIST Special Publications (NIST 800-30, 2011; NIST 800-37, 2010; NIST 800-39, 2011; NIST 800-137, 2011).
ENISA has published a survey of Risk Management methods in which a total of 13 methods are considered (ENISA, 2005). The survey covers a number of methods but excludes general management-oriented methods such as COBIT and Basel II, as well as product- or system-security-oriented methods such as Common Criteria. Examples of some well-known methods are presented below.