Traditionally, IT and information security risk has been a responsibility of IT departments. Systems however, are becoming more complex and integrated and frequently connected to third parties. Risk management should therefore not only be performed by IT personnel, but include all stakeholders and different kinds of users and roles to ensure that every aspect of risk is addressed, including hardware, software, employee awareness, users and business processes. Risk management is one of the key activities in information security management.