International Business Management

Year: 2016
Volume: 10
Issue: 17
Page No. 3982 - 3991

Generic Taxonomy of Assets Identification During Risk Assessment in Information Security Management

Authors: Palaniappan Shamala and Rabiah Ahmad

