Organizations are becoming progressively aware that information security is an important aspect of their businesses strategy. The concern aware organizations to apply information security risk management (ISRM) to identify the security risks in the organizations and provides a measured, analyzed security risk profile of the critical assets in order to build plans to treat the risks [30,50–۵۲]. Nowadays, there are a number of different types of risk management methods, standards, guidelines and specifications that are available for assessing and managing risk management [13,42]. Most of the methods prescribe a similar process that leads to establishing a scope of the assessment, collecting information, producing intermediary information, and finally quantifying and sorting items such as assets, vulnerabilities, threats and risks, according to a set of parameters. All the ISRM methods only differ from each other in terms of the target community, details of the analytic process, as well as the information they prescribe [28]. Seems the goal of ISRM is basically the same, which is selecting effective preventive measures and combating information threat in an active fashion [11], organizations need to define appropriate controls for reducing or eliminating those risk by using the output of the risk assessment. Therefore, information security department needs to complete all the required planning before starting the actual risk assessment. This because the success of the risk assessment fully depends on the information gathered in order to make concise and accurate security planning decisions. Practically, practitioners systematically gather more information than the use, yet continue to ask for more in order to fulfill the requirements to be met before risk assessment is conducted. According to Kenett and Shmueli [25], basically, there are many different collection tools are available to use to collect information such as surveys, laboratory tests, field and computer experiments, simulations, web searches, observational studies, social network and more. This situation will lead practitioners to easily deflects with grown information and become unmanageable. Much of the information is gathered in a surveillance mode rather than in a decision mode. Furthermore, with the development of information technology [61], organizations tend to collect enormous of information and more complex information resources [33]. Hence practitioners are required to evaluate the collected information resources based on the user’s perspective in order to eliminate all the “garbage” information. This is due to the quality of the output is extremely depends on the quality of the input information, known as the “garbage-in-garbage-out” phenomenon [6,7]. Furthermore, information is a critical resource for organization merely because the quality of information is one of the key determinants of the quality of their decisions and actions [54]. Although there is a wide range of active research and practice in IQ in other application areas [16], there is a need for further research incorporating IQ in ISRM field in order to successfully measure the quality of the information to be gathered in process of gathering and planning risk assessment. In the area of risk management, the concept of what dimensions constitutes IQ in risk management has not been addressed.