Verification, Validation, and Evaluation in Information Security Risk Management

Over the past four decades, various information security risk management (ISRM) approaches have emerged. However, there is a lack of sound verification, validation, and evaluation methods for these approaches. Although restrictions, such as the impossibility of measuring exact values for probabilities and follow-up costs, obviously exist, verification, validation, and evaluation of research is essential in any field, and ISRM is no exception. So far, there is no systematic overview of the available methods. In this article, the authors survey verification, validation, and evaluation methods referenced in ISRM literature and discuss which ISRM phase to apply the methods. They then demonstrate how to select appropriate methods with a real-world example. This systematic analysis draws conclusions on the current status of ISRM verification, validation, and evaluation and can serve as a reference for ISRM researchers and users who aim to establish trust in their results. © 2011 IEEE.