ISSN: 2222-6990
Open access
Information security becomes an object in IS/IT risk management. Organizations' technology and information systems have been embedded into business processes and become competitive advantage strategies. However, many threats and cybercrime are behind the benefits of IS/IT adoption. This study examines trends and research opportunities related to IS/IT risk management from a bibliography perspective. The research stages consist of four stages: identification, screening, eligibility, and sorting. The 289 papers were obtained from 2020 to 2025 and processed using the VosViewer application to map the bibliography network. The results are 145 terms, and 7 clusters have occurrence values and links to relevance. The Top 3 Terms with the highest occurrence level are terms "project," "assessment," and "threat." IS/IT risk management in enterprises will have different results depending on the conditions of each case. Further research can examine the trends, network of terms, recommendation paper, and gaps presented in this paper.
Abdymanapov, S. A., Muratbekov, M., Altynbek, S., & Barlybayev, A. (2021). Fuzzy Expert System of Information Security Risk Assessment on the Example of Analysis Learning Management Systems. IEEE ACCESS, 9, 156556–156565. https://doi.org/10.1109/ACCESS.2021.3129488
Adriko, R., & Nurse, J. R. C. (2024). Cybersecurity, cyber insurance and small-to-medium-sized enterprises: a systematic Review. INFORMATION AND COMPUTER SECURITY, 32(5), 691–710. https://doi.org/10.1108/ICS-01-2024-0025
AL-Dosari, K., & Fetais, N. (2023). Risk-Management Framework and Information-Security Systems for Small and Medium Enterprises (SMEs): A Meta-Analysis Approach. Electronics (Switzerland), 12(17). https://doi.org/10.3390/electronics12173629
Al-Khulaidi, A. A. G., Nasser, A. A., Al-Ashwal, M. H. Y., Al-Ashwal, M. M. Y., & Altayeb, A. M. (2024). Investigating information security risk management in Yemeni banks: An CILOS-TOPSIS approach. Multidisciplinary Science Journal, 6(9). https://doi.org/10.31893/multiscience.2024175
Alotaibi, F. M., Al-Dhaqm, A., Yafooz, W. M. S., & Al-Otaibi, Y. D. (2023). A Novel Administration Model for Managing and Organising the Heterogeneous Information Security Policy Field. Applied Sciences (Switzerland), 13(17). https://doi.org/10.3390/app13179703
Alshahrani, H. M., Alotaibi, S. S., Ansari, M. T. J., Asiri, M. M., Agrawal, A., Khan, R. A., Mohsen, H., & Hilal, A. M. (2022). Analysis and Ranking of IT Risk Factors Using Fuzzy TOPSIS-Based Approach. Applied Sciences (Switzerland), 12(12). https://doi.org/10.3390/app12125911
Althobaiti, M. M. (2021). Assessing user’s susceptibility and awareness of cybersecurity threats. Intelligent Automation and Soft Computing, 28(1), 167–177. https://doi.org/10.32604/iasc.2021.016660
Androshchuk, ?., Yevseiev, S., Melenchuk, V., Lemeshko, O., & Lemeshko, V. (2020). Improvement of project risk assessment methods of implementation of automated information components of non-commercial organizational and technical systems. EUREKA, Physics and Engineering, 2020(1), 48–55. https://doi.org/10.21303/2461-4262.2020.001131
Arim, A., & Wamema, J. (2022). Towards an Improved Framework for E-Risk Management for Digital Financial Services (DFS) in Ugandan Banks: A Case of Bank of Africa (Uganda) Limited. JOURNAL OF INFORMATION AND ORGANIZATIONAL SCIENCES, 46(1), 103–127. https://doi.org/10.31341/jios.46.1.6
Arista, A., & Ngafidin, K. N. M. (2022). An Information System Risk Management of a Higher Education Computing Environment. International Journal on Advanced Science, Engineering and Information Technology, 12(2), 557–564. https://doi.org/10.18517/ijaseit.12.2.13953
Berrada, H., Boutahar, J., & Houssaini, S. E. G. E. (2021). Simplified IT Risk Management Maturity Audit System based on “COBIT 5 for Risk.” International Journal of Advanced Computer Science and Applications, 12(8), 641–652. https://doi.org/10.14569/IJACSA.2021.0120875
Biswas, B., Mukhopadhyay, A., Kumar, A., & Delen, D. (2024). A hybrid framework using explainable AI (XAI) in cyber-risk management for defence and recovery against phishing attacks. DECISION SUPPORT SYSTEMS, 177. https://doi.org/10.1016/j.dss.2023.114102
Chundu, B., Masamha, T., & Sifile, O. (2025). Cyber-security governance framework pillars for Zimbabwean local authorities. COGENT SOCIAL SCIENCES, 11(1). https://doi.org/10.1080/23311886.2025.2453094
Culot, G., Nassimbeni, G., Podrecca, M., & Sartor, M. (2021). The ISO/IEC 27001 information security management standard: literature review and theory-based research agenda. TQM JOURNAL, 33(7), 76–105. https://doi.org/10.1108/TQM-09-2020-0202
Fauzi, R., & Lubis, M. (2021). Assessment Framework for Defining the Maturity of Information Technology within Enterprise Risk Management (ERM). International Journal of Advanced Computer Science and Applications, 12(10), 680–689. https://doi.org/10.14569/IJACSA.2021.0121075
Flyvbjerg, B., Budzier, A., Lee, J. S., Keil, M., Lunn, D., & Bester, D. W. (2022). The Empirical Reality of IT Project Cost Overruns: Discovering A Power-Law Distribution. JOURNAL OF MANAGEMENT INFORMATION SYSTEMS, 39(3), 607–639. https://doi.org/10.1080/07421222.2022.2096544
Gordon, L. A., Loeb, M. P., & Zhou, L. (2020). Integrating cost-benefit analysis into the NIST Cybersecurity Framework via the Gordon-Loeb Model. JOURNAL OF CYBERSECURITY, 6(1). https://doi.org/10.1093/cybsec/tyaa005
Gu, M. H., Yang, L., & Huo, B. F. (2021). The impact of information technology usage on supply chain resilience and performance: An ambidexterous view. INTERNATIONAL JOURNAL OF PRODUCTION ECONOMICS, 232. https://doi.org/10.1016/j.ijpe.2020.107956
Hammami, S., Durrah, O., Jamil, S. A., & Eltigani, M. (2022). Engaging Knowledge Capabilities to Sustain the Application of Information Technology Governance in Healthcare Institutions. SAGE Open, 12(4). https://doi.org/10.1177/21582440221132783
Kamiya, S., Kang, J.-K., Kim, J., Milidonis, A., & Stulz, R. M. (2021). Risk management, firm reputation, and the impact of successful cyberattacks on target firms. Journal of Financial Economics, 139(3), 719–749. https://doi.org/10.1016/j.jfineco.2019.05.019
Kitsios, F., Chatzidimitriou, E., & Kamariotou, M. (2023). The ISO/IEC 27001 Information Security Management Standard: How to Extract Value from Data in the IT Sector. Sustainability (Switzerland), 15(7). https://doi.org/10.3390/su15075828
Kopencova, D., Rak, R., & Hudecova, V. (2021). Global phenomenon of threats and risk management in management and information technologies. Issues in Information Systems, 22(1), 75–83. https://doi.org/10.48009/1_iis_2021_75-83
Kozlov, A., & Noga, N. (2021). About Some Risks Associated with Subjective Factors, and the Methodology for their Assessment. Review of Business and Economics Studies, 9(3), 94–102. https://doi.org/10.26794/2308-944X-2021-9-3-94-102
Kulathunga, K., Ye, J. M., Sharma, S., & Weerathunga, P. R. (2020). How Does Technological and Financial Literacy Influence SME Performance: Mediating Role of ERM Practices. INFORMATION, 11(6). https://doi.org/10.3390/info11060297
Li, P., & Zhang, L. M. (2025). Application of big data technology in enterprise information security management. SCIENTIFIC REPORTS, 15(1). https://doi.org/10.1038/s41598-025-85403-6
Lin, C.-L., Fan, C.-L., & Chen, B.-K. (2022). Hybrid Analytic Hierarchy Process–Artificial Neural Network Model for Predicting the Major Risks and Quality of Taiwanese Construction Projects. Applied Sciences (Switzerland), 12(15). https://doi.org/10.3390/app12157790
Liu, Z., & Wu, X. (2023). Structural Analysis of the Evolution Mechanism of Online Public Opinion and its Development Stages Based on Machine Learning and Social Network Analysis. International Journal of Computational Intelligence Systems, 16(1). https://doi.org/10.1007/s44196-023-00277-8
Magabaleh, A. A., Ghraibeh, L. L., Audeh, A. Y., Albahri, A. S., Deveci, M., & Antucheviciene, J. (2024). Systematic review of software engineering uses of multi-criteria decision-making methods: Trends, bibliographic analysis, challenges, recommendations, and future directions. In Applied Soft Computing (Vol. 163). Elsevier Ltd. https://doi.org/10.1016/j.asoc.2024.111859
Melaku, H. M. (2023). Context-Based and Adaptive Cybersecurity Risk Management Framework. Risks, 11(6). https://doi.org/10.3390/risks11060101
Moreira, F. R., Da Silva Filho, D. A., Nze, G. D. A., De Sousa Junior, R. T., & Nunes, R. R. (2021). Evaluating the Performance of NIST’s Framework Cybersecurity Controls through a Constructivist Multicriteria Methodology. IEEE Access, 9, 129605–129618. https://doi.org/10.1109/ACCESS.2021.3113178
Muhammad, A. H., Nasiri, A., & Harimurti, A. (2025). Machine learning methods for classification and prediction information security risk assessment. IAES International Journal of Artificial Intelligence, 14(1), 457–465. https://doi.org/10.11591/ijai.v14.i1.pp457-465
Pertiwi, D. E., & Kusumah, L. H. (2023). Identification of operational risk of embedded Subscriber Identity Module (SIM) technology based on ISO 31000: Systematic Literature Review. Sinergi (Indonesia), 27(2), 193–200. https://doi.org/10.22441/sinergi.2023.2.007
Pochmara, J., & ?wietlicka, A. (2024). Cybersecurity of Industrial Systems—A 2023 Report. Electronics (Switzerland), 13(7). https://doi.org/10.3390/electronics13071191
Prislan, K., Miheli?, A., & Bernik, I. (2020). A real-world information security performance assessment using a multidimensional socio-technical approach. PLoS ONE, 15(9 September). https://doi.org/10.1371/journal.pone.0238739
Ren, S. (2022). Optimization of Enterprise Financial Management and Decision-Making Systems Based on Big Data. Journal of Mathematics, 2022. https://doi.org/10.1155/2022/1708506
Richter, S., & Ammenwerth, E. (2023). IT risk management for medical devices in hospital IT networks: a catalogue of measures and indicators. BMJ Health and Care Informatics, 30(1). https://doi.org/10.1136/bmjhci-2022-100639
Rodríguez-Espíndola, O., Chowdhury, S., Dey, P. K., Albores, P., & Emrouznejad, A. (2022). Analysis of the adoption of emergent technologies for risk management in the era of digital manufacturing. Technological Forecasting and Social Change, 178, 121562. https://doi.org/10.1016/j.techfore.2022.121562
Sahibu, S., Sakti, A., & Iskandar, A. (2024). Risk Management Analysis of SMK Telkom Makassar’s Integrated Academic Information System in Compliance with ISO 31000 Standards. Ingenierie Des Systemes d’Information, 29(1), 205–218. https://doi.org/10.18280/isi.290121
Sanjaya, I. G. A. S., Sasmita, G. M. A., & Sri Arsa, D. M. (2020). Information technology risk management using ISO 31000 based on issaf framework penetration testing (Case study: Election commission of x city). International Journal of Computer Network and Information Security, 12(4), 30–40. https://doi.org/10.5815/ijcnis.2020.04.03
Savitri, R., & Hasibuan, M. S. (2024). Information Security Measurement using INDEX KAMI at Metro City. Journal of Applied Data Sciences, 5(1), 33–45. https://doi.org/10.47738/jads.v5i1.152
Sektas-Bilusich, D., Nunes-Vaz, R. A., Chim, L., & Lord, S. (2020). A risk-based framework to inform prioritisation of security investment for insider threats. International Journal of Safety and Security Engineering, 10(1), 49–57. https://doi.org/10.18280/ijsse.100107
Selvakumar, J. J., Suganya, G., Arthi, T. S., & Pachiyappan, S. (2024). Does risk management components influence on project success? Evidence from IT sector. Journal of Project Management (Canada), 9(3), 269–276. https://doi.org/10.5267/j.jpm.2024.4.001
Shakibazad, M., & Rashidi, A. J. (2020). New method for assets sensitivity calculation and technical risks assessment in the information systems. IET Information Security, 14(1), 133–145. https://doi.org/10.1049/iet-ifs.2018.5390
Sikorska, J., Bradley, S., Hodkiewicz, M., & Fraser, R. (2020). DRAT: Data risk assessment tool for university-industry collaborations. Data-Centric Engineering, 1(2). https://doi.org/10.1017/dce.2020.13
Soares, R. A., Chaves, M. S., & Pedron, C. D. (2020). W4RM: A prescriptive framework based on a wiki to support collaborative risk management in information technology projects. International Journal of Information Systems and Project Management, 8(1), 67–83. https://doi.org/10.12821/ijispm080104
Sobb, T., Turnbull, B., & Moustafa, N. (2020). Supply Chain 4.0: A Survey of Cyber Security Challenges, Solutions and Future Directions. ELECTRONICS, 9(11). https://doi.org/10.3390/electronics9111864
Taherdoost, H. (2021). A Review on Risk Management in Information Systems: Risk Policy, Control and Fraud Detection. Electronics, 10(24), 3065. https://doi.org/10.3390/electronics10243065
Taskin, N., Özkele? Y?ld?r?m, A., Ercan, H. D., Wynn, M., & Metin, B. (2025). Cyber Insurance Adoption and Digitalisation in Small and Medium-Sized Enterprises. Information (Switzerland), 16(1). https://doi.org/10.3390/info16010066
Wang, Y., Jiang, M. Y., He, M., & Du, M. J. (2024). Design and Implementation of an Inpatient Fall Risk Management Information System. JMIR MEDICAL INFORMATICS, 12. https://doi.org/10.2196/46501
Yang, X. (2022). Judgment of Social Governance System Risk Based on Big Data Analysis. Mobile Information Systems, 2022. https://doi.org/10.1155/2022/7861756
Najwa, N. F., Miskon, S., & Okfalisa. (2025). Risk Management in Information Systems and Technology Trends: A Bibliographic Perspective. International Journal of Academic Research in Business and Social Sciences, 15(12), 1684–1694.
Copyright: © 2025 The Author(s)
Published by HRMARS (www.hrmars.com)
This article is published under the Creative Commons Attribution (CC BY 4.0) license. Anyone may reproduce, distribute, translate and create derivative works of this article (for both commercial and non-commercial purposes), subject to full attribution to the original publication and authors. The full terms of this license may be seen at: http://creativecommons.org/licences/by/4.0/legalcode