Deakin University

Does traditional security risk assessment have a future in information security?

journal contribution
posted on 2011-01-01, 00:00 authored by A Ruighaver, Matthew Warren, A Ahmad
The current information security standards still advocate the use of risk assessment in the prioritisation of security investments. However, prior research on the use of risk assessment methodologies in organisational security has shown that the use of the traditional monolithic risk assessment process described in the current risk management standard is simply not practical at the organisational level. This paper first examines the problems in performing a systematic risk assessment and then discusses the limitations of a traditional risk assessment. To address these limitations, this paper proposes splitting up the current monolithic risk assessment process. The result is an information security assessment framework that puts greater emphasis on situational awareness and allows for better decision making on the prioritization of security investments.

History

Journal: Journal of information warfare

Volume: 10

Issue: 3

Pagination: 16 - 28

Publisher: Mindsystems Pty. Ltd.

Location: Mt. Eliza, Vic.

ISSN: 1445-3312

eISSN: 1445-3347

Language: eng

Publication classification: C1.1 Refereed article in a scholarly journal

Copyright notice: 2011
