Information Security Risk Management Tools in the Air Traffic Management Domain: What Are Practitioners’ Needs?

Automating and Assisting ISRM Tools for Practitioners' Needs
As the old Chinese proverb goes: for one’s work to be done properly, one must first sharpen the tools. However, despite the availability of various information security risk management (ISRM) methodologies and standards such as ISO/IEC 2700x and NIST 800-30, practitioners often struggle to implement them effectively. Implementation is especially tricky for novices who have little or no previous experience and know-how in information security. A recent study conducted by Taylor & Francis through semi-structured interviews with 17 security practitioners in the Air Traffic Management (ATM) domain and five validation sessions with 34 experts identified two primary themes regarding practitioner needs: automation and assistance. Automation focuses on reducing repetitive tasks, enhancing data accuracy, and improving efficiency through features like automated risk calculations and report generation. Assistance emphasizes the necessity for clearer guidance, better process understanding, and support for less experienced users, including comprehensive explanations of steps and terminology.
This article outlines the study results and underscores the importance of developing tools that can adapt to the dynamic security landscape and provide real-time, actionable insights rather than relying on static, outdated data. It also suggests that future tools should integrate artificial intelligence to improve decision-making and risk assessment processes. Additionally, the research highlights the need for tools that facilitate secure communication and standardized terminology to ensure a common understanding among users. The study calls for a holistic approach to tool development that takes into account the complex, specific needs of security practitioners in high-stakes environments like air traffic management. By bridging the gap between theoretical frameworks and practical, effective risk management, these tools can significantly enhance the overall efficiency and accuracy of the ISRM process.