Numerous methods for information security risk assessment (ISRA) are available, yet there is little guidance on how to choose one. Through a comprehensive risk identification, estimation, and evaluation framework, the author evaluates the practical application of three ISRA methods in terms of tasks required, user experience, and results.