The Classification of Information Assets and Risk Assessment: An Exploratory Study using the Case of C-Bank

Many information systems' incidents result from inadequate protection of information assets. Assets classification and risks assessment procedures will no doubt help to identify the associated risks related to information systems for a better security control. In the banking industry, prior research and studies are rather lacking due to the nature of maintaining confidentiality. The purpose of this study is to develop an approach to classify information assets of financial institutions and also assess their corresponding risks. Delphi method was adopted and questionnaires based on the guidelines of the well-recognized standard of ISO/IEC 27001 were developed subsequently. A total of 99 information assets subject to security breaches are chosen for risks assessment and a panel of seven experts is invited to complete questionnaires. Consequently, a model for calculating the risk index is proposed according to an exponential scale ranging over 9 grades. The results reveal that three types of information assets exposed to a high level of risk warrant special protection. The experts also make some security enhancement suggestions for the assets with a risk grade >= 6. Aiming to enrich research literature on the risks assessment of information assets in the banking industry, the results of this study can provide a valuable reference for both academia and security practitioners.