The information security (IS) risk assessment process is an essential part to organisation's their protection of digital assets. However, the fast changing IS environment causes for limited knowledge of eventualities, dependencies and values of systems and phenomena. Consequently, the IS risk assessment process is depending on the judgment of cybersecurity professionals to complement the incomplete knowledge. The outset of this research is to understand how cybersecurity professionals provide judgment when they experience uncertainty about the IS environment. First, the perception of uncertainty with cybersecurity professionals is analysed, guided by the theory on perceived environmental uncertainty. Second, the judgment operations of the cybersecurity professionals are analysed, guided by the theory on judgment heuristics. These two concepts are synthesised against the backdrop of the ISO27005 information security risk asessment methodology, that serves as different components of the information security environment. The results show that cybersecurity professionals perceive uncertainty about the IS environment in which it is difficult to: grasp the different interrelations in the organisation’s landscape of information and information systems, assign accurate values to the occurrence of changes/events in the IS environment and to determine the impact from changes/events to the organisation. This uncertainty is caused by the complexity and dynamism dimensions within the organisation’s IS environment. Indicated factors attributed to these dimensions are shadow IT, the innovation processes within an organisation and the organisational structuring. The judgment operations of the cybersecurity professionals are partly explained with the help from judgment heuristics. The data shows that the selective accessibility model is predominantly used to provide judgment about the IS environment during risk assessments. Thereby heavily relying on the information provided to them from different sources, consequently staying close to the initial values. The availability and representative heuristic are also identified but are referenced in fewer instances. This would suggest that the cybersecurity professional assess the information more on a case–by–case basis, rather than providing judgment based on similarity or the ease with which a scenario is retrieved from memory. Aside from the identified heuristics, the cybersecurity professional is observed not to be included in the final judgment. In such cases the uncertainty is then accepted because it is not part of their responsibility. Additionally, the security policy and philosophy paradigm shift from prevention to detection and response allow the cybersecurity professional to accept that not all IS incidents can be prevented. But that detection and response of IS incidents allow the impact to the organisation to be minimised. Finally the cybersecurity professional also judges the security awareness of the people involved when providing judgment operations during an IS risk assessment.

A platform needs to have sufficient market potential, represented by the number of users who can join a platform. Platform openness affects the ease of actors joining the platform. Hence, in order to increase the chances of platform success, platforms want to maximize market potential and consequently also platform openness. This is problematic because architectural configurations with the highest market potential do not necessarily represent the most favourable configurations for societal values. Although there is anecdotal evidence of safety and privacy risks resulting in adjusted platform openness, there is little literature explaining the drivers and the process of adjusting due to risks posed to societal values. Hence, this thesis build an initial theory on the process of how digital platforms adjust their openness upon learning about risks for societal values. A case study was performed to pattern match theoretical concepts in a critical case. The study found that concepts of organizational legitimacy, double-loop learning and background theories may explain how a digital platform sponsor adjusts openness due to societal risks. In addition, empirical findings suggest that organizational maturity may affect platform openness. Nonetheless, it was inconclusively found whether societal risks cause a change in the value system of the platform. This research found that the identification of a societal risk may change the theories-in-use of a digital platform and subsequently affect platform openness.