Organisations and individuals always find
themselves under pressure to stay abreast of current
technology in order to run their businesses or their lives,
with their IT systems open to the Internet [2]. There is
a tremendous amount of innovation involved with technology,
which introduces a great deal of complexity within the IT
environment, resulting in a significant number of IT security
risks [3]. IT security is a complex topic and evolves almost as
fast as technology does [2].
While research in IT security has started giving importance
to IT security risk management, the focus is still on the
development of procedural guidelines and a few semiautomated
methods [2]. Several issues remain unsolved,
including the need for sophisticated formalisation in risk
management reasoning [2]. In order to bridge this existing
gap, IT security risk should be considered as just another risk
that needs to be managed alongside all other business risks,
rather than treating it as an independent technical concern [6].