Discussion
As observed at the 4th International Conference on Global e-Security in London in June 2008, Information Security Risk Management (ISRM) is a major concern of organizations worldwide. Although the number of existing ISRM methodologies is enormous, in practice a lot of resources are invested by organizations in creating new ISRM methodologies in order to capture more accurately the risks of their complex information systems. This is a crucial knowledge-intensive process for organizations, but in most cases it is addressed in an ad hoc manner. The existence of a systematic approach for the development of new or improved ISRM methodologies would enhance the effectiveness of the process (Papadaki et al, 2008). In this review, we examine existing ISRM methodologies, analyse trends in the development of new or improved methods and highlight gaps in research on the subject. The overarching research questions that form the foundations for this study were consequently formulated as follows:
RQ1: What information security risk management methodologies are currently being used in the industry?
RQ2: What evidence has been presented in ISRM research regarding the benefits and limitations of these methodologies?
RQ3: How much effort has been devoted to making these methodologies more SME-friendly?
RQ4: What are the prospects of the concept of Evidence-Based Risk Management in ISRM?