Technological advances continue to evolve at an ever-increasing pace. Despite these technological improvements, the use of theoretical frameworks in risk management or information security may be lacking due to inadequate theory grounding. Additionally, academic research is underway to corroborate existing theories related to risk management or information security, but current research may not support existing theories. According to Chuy et al. (2010), the roles of theories may not be fully understood and likely used by others in the research process.

In this article, several theories regarding information security and risk management will be presented. Furthermore, the selected theories will be compared with their implicit use in terms of information security and risk. Additionally, a brief analysis of each theory will be conducted to see if there is abundant research on the specific theory that can be used by the academic community and others. Finally, a discussion will be offered of any challenges that may arise for each theory that does not have sufficient supporting research.

Theoretical Discussion

Information security and risk have become a priority for organizations competing to protect a network and organizational data from unscrupulous entities (Zhao, Xue, & Whinston, 2013). In the operation of systems and/or processes, theoretical frameworks can be used to assist organizations in developing security control measures that support the denial of threats such as phishing attacks and rootkit installations (Sun, Srivastava, & Mock, 2006). Furthermore, Sun et al. (2006) summarized that theoretical frameworks help in the methodologies associated with the identical......

half of the article

......g in the Dempster-Shafer theory. International Journal of Approximate Reasoning, 52(8), 1124-1135. doi:10.1016/j.ijar.2011.06.003

Srivastava, R. P., Mock, T. J., & Gao, L. (2011). The Dempster-Shafer theory: an introduction and example of fraud risk assessment. Australian Accounting Review, 21(3), 282-291. doi:10.1111/j.1835-2561.2011.00135.x

Sun, L., Srivastava, R. P., & Mock, T. J. (2006). A risk assessment model for information systems security according to the Dempster-Shafer belief function theory. Journal of Management Information Systems, 22(4), 109-142. Retrieved from http://www.jmis-web.org/

Zhao, X., Xue, L., & Whinston, A. B. (2013). Managing interdependent information security risks: cyber insurance, managed security services and risk pooling agreements. Journal of Management Information Systems, 30(1), 123-152. doi:10.2753/MIS0742-1222300104