A Review of Risk Identification Approaches in the Telecommunication Domain

Ahmed Seid Yesuf
Deutsche Telekom Chair of Mobile Business & Multilateral Security, Goethe University Frankfurt, Frankfurt am Main, Germany
ahmed.yesuf@m-chair.de

Keywords: Risk Identification, Security, Telecommunication Service, Risk Assessment, Fraud Risk, Risk Management

Abstract: Risks in the telecommunication (telco) domain are complex to identify due to the involvement of several independent stakeholders and the difficulty of predicting emerging threats to the services. This is costing the Telecom operators billions of dollars. We believe that the little emphasis given to the important step of the risk assessment process – risk identification (RI) – is the main reason for this loss. Unlike other domains, the proprietary nature of Telecom systems makes it challenging to show the risk assessment approaches in the domain. In this paper, we investigate the classifications of the RI approaches from the literature written on the telco and other related domains. We also investigate the research trends over the last 16 years, during which Telecom risks have been evolving and the revenue loss of Telecom operators has been largely affected. Based on our review, we also show future research directions in the domain.

1 INTRODUCTION

People's lives have been changing since the beginning of telecommunication (telco) services. Individuals are able to communicate with their families, friends and relatives from almost anywhere using data, voice or video communication services. Companies and organisations carry out their tasks better than ever using the telco services. Telecom companies strive to deliver their services while taking customers' information security and privacy requirements into consideration. It is also obvious that they want to keep their revenue stable and profitable. The responsibilities of a Telecom company include accepting, delivering and transmitting the message from a sender to a recipient.
Typical telco services are roaming, VoIP, PABX service, national and international messaging and call services. Unfortunately, attackers or fraudsters work to subvert the telco services to gain individual or organised benefit, for instance, by using the service without payment.

According to the Communication Fraud Control Association (CFCA) (CFCA, 2015), fraud is the use of telco services or products with no intention of payment. Thus, fraud negatively affects the global telco revenue. In 2015, fraud affected the global Telecom revenue by almost $38.1 billion USD. This is lower than in the previous reporting years because the Telecom operators outsource their fraud risk management to third-party companies. Even though fraud loss has been on a downward trend since 2009, a lot of work on risk reduction is still required from the Telecom operators' perspective. The estimated global loss from 2000 is shown in Table 1. The top two most persistent fraud categories since the year 2000 are subscription and PBX hacking, where the loss in 2013, for instance, is $5.22 and $4.42 billion USD respectively.

Despite the fact that the Telecom industry loses billions of dollars every year due to several types of risks (socio-technical-economic risks), the control measures are not managing to stop risks from happening. This is due to the following problems: 1) it is not straightforward to identify how risks in the Telecom industry could happen, 2) the existing risk assessment process in the Telecom industry cannot cope with those complex, dynamic and sophisticated attacks/fraud, and 3) research on risk assessment techniques to handle those risks is limited in the telco domain. In this paper, we are interested in business-related and socio-technical risks, but we use the general term risk to also indicate other types of risks – fraud risks, performance and security risks.
In order to address these problems, the risk assessment process – specifically the risk identification (RI) stage – plays an important role. There are different types of RI approaches in the research community specific to