Information is a perennially significant business asset in all organizations. Therefore, it must be protected as any other valuable asset. This is the objective of information security, and an information security program provides this kind of protection for a company’s information assets and for the company as a whole. One of the best ways to address information security problems in the corporate world is through a risk-based approach. In this paper, we present a taxonomy of security risk assessment drawn from 125 papers published from 1995 to May 2014. Organizations with different size may face problems in selecting suitable risk assessment methods that satisfy their needs. Although many risk-based approaches have been proposed, most of them are based on the old taxonomy, avoiding the need for considering and applying the important criteria in assessing risk raised by rapidly changing technologies and the attackers knowledge level. In this paper, we discuss the key features of risk assessment that should be included in an information security management system. We believe that our new risk assessment taxonomy helps organizations to not only understand the risk assessment better by comparing different new concepts but also select a suitable way to conduct the risk assessment properly. Moreover, this taxonomy will open up interesting avenues for future research in the growing field of security risk assessment.