Risk assessment in information security: Makes users happy, but not done often enough

The October issue of the Journal of Organizational Computing and Electronic Commerce has published our research on “The State of Risk Assessment Practices in Information Security”. It’s not easy to get data on information security practices (it’s secret, after all), but our survey was able to find associations between doing the things that security experts say we should be doing (more frequent risk assessment, use of quantitative loss estimates, more complete asset inventories) and higher levels of user satisfaction and perceived usefulness. Check it out.

This work was done with research wonder Jackie Rees at Purdue University.