This article introduces a taxonomy of security risk assessment approaches. The taxonomy is based on the challenges in the information system security (IS-Security) risk assessment discipline. Traditionally, classification schemes for IS-Security risk assessment approaches are motivated by business needs: they aim to offer management an effective tool for selecting methods that meet its needs, rather than to meet research needs. Researchers may value new ideas, ways to improve the approaches within existing paradigms, and ways to create a new paradigm that solves the unsolved problems of the existing ones more than they value business interests. The taxonomy proposed in this article aims to guide researchers in choosing research areas and in discovering new ideas and paradigms in the IS-Security risk assessment discipline.