“…According to Ghernaouti-Helie, Simms, and Tashi [24] and Ponnam et al, [25], the main purpose of performing an effective risk assessment is to prioritize security efforts for valuable information assets, such as electronic and physical copies of student and financial information, which are vital to the continued operation of the institution. Because, for most organizations, the cost, in terms of personnel and financial resources, of mitigating all IS risks is impossible [6,13], it is important to have a method to prioritize risk mitigation efforts.…”