Abstract

The ever increasing trend of Information Technology (IT) in organizations has given them new horizon in international market. Organizations now totally depend on IT for better and effective communication and daily operational tasks. Advancements in IT have exposed organization to information security threats also. Several methods and standards for assessment of information security in an organization are available today. Problems with these methods and standards are that they neither provide quantitative analysis of information security nor access potential loses information malfunctioning could create. This paper highlight the necessity of information security tool which could provide quantitative risk assessment along with the classification of risk management controls like management, operational and technical controls in an organizations. It is not possible for organizations to establish information security effectively without knowing the loopholes in their controls. Empirical data for this research was collected from the 5 major banks of Pakistan through two different questionnaires. It is observed that mostly banks have implemented the technical and operational control properly, but the real crux, the information security culture in organization is still a missing link in information security management.