Information risk management in SME sector enterprises

Affiliation: Czestochowa University of Technology, Faculty of Management, Częstochowa, Poland


The article attempts to determine to what extent SME sector enterprises that declare the use of information security risk management methods actually apply methods that increase the security of their information resources. Research was carried out to establish the scope in which risk management methods are used, viewed through the actions taken to secure intangible assets. The so-called “human factor” in the information protection process was also taken into account. An attempt was made to determine how business entities use risk assessment in any form, and how many of them apply (and to what extent) the recommendations described in the ISO/IEC 27005 standard.



