ABSTRACT
Since the early days of the information security industry, risk management has drawn on many concepts. Some
have been based on applied management strategy (such as portfolio management), old warring tactics
(scenario planning), and modern-day economics (feasibility studies and cost to market). Most of these
attempts at risk management have been created and implemented by professionals in a specific industry,
by areas of academia, and by consulting firms, not by the actual business areas dealing with the risks. Little
attention has been paid to the complex processes taking place among work producers and business decision
makers when applying a risk management concept and then managing the concept itself.