Information security risk management tools in the air traffic management domain: what are practitioners’ needs?

Abstract

Information Security Risk Management (ISRM) activities are essential for organizations seeking to control and monitor risk. However, it is well known that doing so is difficult, and the different ISRM activities pose different challenges. To provide support, ISRM tools can be used. Such tools can come in the form of spreadsheets, document templates, or dedicated software that supports either part of or the full ISRM work. Few studies have investigated the use of such tools and the properties they need. Through semi-structured interviews with 17 security practitioners in the Air Traffic Management (ATM) domain and five validation sessions with 34 experts, this study examines the needs of security practitioners using ISRM tools. The ATM domain was chosen as the study context because it uses a method built on the ISO/IEC 27005 standard, which, unlike other ISRM frameworks, does not provide tool support. The findings contain a collection of properties needed in ISRM tools, notably the ability to get a holistic view of risks in and toward the organization, tool flexibility, and the ability to get assistance with documentation and information exchange. We also identify that current ISRM tools do not provide enough support and suggest ways to address this.

Category

Academic article

Language

English

Author(s)

  • Simon Andersson
  • Erik Bergström
  • Martin Lundgren
  • Karin Bernsmed
  • Guillaume Bour

Affiliation

  • Luleå University of Technology
  • Jönköping University
  • University College of Skövde
  • SINTEF Digital / Software Engineering, Safety and Security
  • SINTEF Digital

Year

2025

Published in

Information Security Journal: A Global Perspective