This paper seeks to present a conceptual modeling approach, which is new in the domain of information systems security risk assessment.
The approach is helpful for performing means‐end analysis, thereby uncovering the structural origin of security risks in information systems, and how the root‐causes of such risks can be controlled from the early stages of the projects.
Though some attempts have previously been made to model security risk assessment in information systems using conventional modeling techniques such as data flow diagrams and UML, the previous works have analyzed and modeled the same just by addressing “what” a process is like. However, they do not address “why” the process is the way it is.
The approach addresses the limitation of the existing security risk assessment models by exploring the strategic dependencies between the actors of a system and analyzing the motivations, intents and rationales behind the different entities and activities constituting the system.
