Advocates of software risk management claim that by identifying and analyzing threats to success (i.e., risks), action can be taken to reduce the chance of failure of a project. The first step in the risk management process is to identify the risk itself, so that appropriate countermeasures can be taken. One problem in this task, however, is that no validated lists are available to help the project manager understand the nature and types of risks typically faced in a software project. This paper represents a first step toward alleviating this problem by developing an authoritative list of common risk factors. We deploy a rigorous data collection method called a "ranking-type" Delphi survey to produce a rank-order list of risk factors. This data collection method is designed to elicit and organize the opinions of a panel of experts through iterative, controlled feedback. Three simultaneous surveys were conducted in three different settings: Hong Kong, Finland, and the United States. This was done to broaden our view of the types of risks, rather than relying on the view of a single culture, an aspect that has been ignored in past risk management research. In forming the three panels, we recruited experienced project managers in each country. The paper presents the obtained risk factor list, compares it with other published risk factor lists for completeness and variation, and analyzes common features and differences in risk factor rankings in the three countries. We conclude by discussing the implications of our findings for both research and improving risk management practice.
Today, technology is commonly used to support everyday life. However, this technology also carries risks that can compromise the security of information in organizations. Kalbis Institute is a private campus in the East Jakarta area that has been established since 2012. The academic information system used there covers all actors in the campus environment. This risk analysis is carried out to see and understand what risks exist in the current information system. It assesses the likelihood of threats to, and vulnerabilities in, the information system. This study uses the OCTAVE Allegro method with the help of the OCTAVE Allegro Worksheet. The purpose of this study is to conduct a risk analysis of the academic information system at Kalbis Institute. The result of this study is a risk assessment together with recommended strategies to protect information systems within the organization.
With the growing popularity of the Internet of Things (IoT) and Cyber-Physical Systems (CPS), cloud-based systems have assumed a more important role. However, formal approaches to modeling the risks transferred through information systems implemented in a cloud-based environment are lacking. This paper explores formal methods to quantify the risks associated with an information system and evaluate their variation throughout its implementation. Specifically, we study the risk variation through a quantitative and longitudinal model spanning from the launch of a cloud-based information system project to its completion. In addition, we propose to redefine the risk estimation method to differentiate a mitigated risk from an unmitigated risk. This research makes valuable contributions by helping practitioners understand whether cloud computing presents a competitive advantage or a threat to the sustainability of a company.
Mergers and acquisitions (M&A) require organizations to blend together different information system (IS) configurations. Unfortunately, less than 50 percent of M&As achieve their goals, with IS integration being a major problem. Here, the authors offer a framework to help managers prepare for, analyze, and mitigate risks during post-merger IS integration. They identify key risks relating to IS integration content, process, and context, and present five strategies for mitigating those risks. Their framework aims to help managers proactively reduce the impact of adverse events. Adopting the framework supported by their templates is straightforward, and the time and resources required are minimal. When properly executed, adoption increases the likelihood of successful merger outcomes; the framework is thus a valuable addition to the management tool box and can be applied in collaboration with key stakeholders at the start of a post-merger IS integration and at several points throughout it.
This paper explores the applicability of the concepts of absorptive capacity and "ba" to ex ante project risk. We develop a hybrid framework to explain knowledge transfer based on these concepts, one that proposes a hybrid transference process. We then apply this framework to develop a methodology and metric for assessing ex ante software project risk, the risk that a new technology introduced into an organization may not be used as designed or may not achieve the anticipated benefits. As a preliminary validation of these concepts, we describe three case studies, employing the framework and metric to show how examining absorptive capacity can help to assess the risk level of software projects.
This research work focuses on the risk management practices adopted by commercial banks in Nigeria that are related to the outsourcing of information systems (IS). The need for the research emerged from the lack of studies addressing these problems in developing countries in general and in this country in particular. The research reported in this paper shows that despite the globally increasing trend of IS outsourcing in the sector, Nigerian commercial banks are lacking in both strategic and operational risk management practices. Consequently, they are especially prone to the adoption of inappropriate IS solutions and are vulnerable to IS failure and fraud.
The research is empirically based, drawing on an extensive literature and case study review as well as an extensive survey of banks in Nigeria. The main method of data collection was a questionnaire sent to 15 commercial banks, aimed at respondents in three distinct categories: executive management, systems managers, and users. The analysis of the data included both a quantitative and an inductive qualitative approach; the latter was used to draw inferences about the current situation.
The findings revealed that managers of commercial banks understand the nature of IS outsourcing and that they all agreed that adopting risk management practices is important. Nevertheless, the situation is critical. A significant proportion of the commercial banks have no documented and structured outsourcing strategy or policy; consequently, no programme or procedural guidance is available at any level. The study also discovered that, contrary to practice in developed countries, the regulatory authorities in Nigeria have not formulated substantive guidelines or procedural rules to be adopted nationally by commercial banks.
Understanding the risks caused by relying on information systems is an enduring research stream in the Information Systems (IS) discipline. With information systems becoming ubiquitous, IS risks permeate every aspect of life, and effective risk mitigation increasingly requires a holistic structure. We use the largest and oldest publicly available risk collection to understand the development of IS risks, their characteristics, and their interdependencies. We review this data set using text mining techniques. Interestingly, we find that some types of IS risks tend to recur. We find that this database provides rich opportunities for learning from previous mistakes, which could help avoid similar problems in the future. Our contributions to theory include a risk-taker's view on contemporary information systems, a differentiation between controllable and recurring risks, and the increased interconnection of IS risks. As implications for practice, we provide a basis for learning from past IS risks and an initial structure.
The increasing frequency and total cost of security incidents require organizations to apply proper IS risk management in order to assess the economically reasonable usage of security measures. In this paper, we contribute a model that supports risk-related investment decisions in service-based information systems. The model supports decision makers in analyzing the cost-benefit trade-off related to security measures by solving the key problem of efficiently calculating the probability density function of the potential losses for a given information system. Based on the proposed model, it is possible to derive individual metrics, such as the Value-at-Risk, that can be used to choose the optimal security level, i.e., the most economically reasonable combination of security measures. Furthermore, we demonstrate the model's application in the context of an existing real-life e-commerce system by evaluating and comparing two alternative security investments for this business process.
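The abstract above describes deriving a loss distribution and a Value-at-Risk figure to compare alternative security investments, but does not spell out how such a comparison is carried out. The following is an added, illustrative example and not the paper's model: it approximates the annual loss distribution by Monte Carlo simulation (Poisson event frequency, lognormal per-event loss), evaluates each candidate investment against the same simulated events so that the comparison is not distorted by sampling noise, and reports expected annual loss, 95% VaR and total expected cost per option. The threat rates, loss figures and control effects are constructed for the example and are not data from the page.

```python
import math
import random
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed threat model for a hypothetical e-commerce checkout service.
@dataclass(frozen=True)
class Threat:
    name: str
    annual_rate: float   # expected events per year (Poisson frequency)
    median_loss: float   # median loss per event, currency units
    sigma: float         # lognormal shape parameter (spread of per-event loss)

# A security investment: yearly cost plus its effect on each threat.
@dataclass
class Control:
    name: str
    annual_cost: float
    # threat name -> fraction of events the control blocks outright
    prevented: Dict[str, float] = field(default_factory=dict)
    # threat name -> fraction of loss avoided on events that still occur
    reduced: Dict[str, float] = field(default_factory=dict)

# Each simulated event is (threat name, uniform draw, raw loss). The uniform
# draw is stored so every control is judged against identical random events.
Event = Tuple[str, float, float]


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method; adequate for the small annual rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_scenarios(threats: List[Threat], years: int, seed: int) -> List[List[Event]]:
    """Draw `years` independent loss-years of raw (unmitigated) events."""
    rng = random.Random(seed)
    scenarios = []
    for _ in range(years):
        events: List[Event] = []
        for t in threats:
            for _ in range(_poisson(rng, t.annual_rate)):
                loss = rng.lognormvariate(math.log(t.median_loss), t.sigma)
                events.append((t.name, rng.random(), loss))
        scenarios.append(events)
    return scenarios


def annual_losses(scenarios: List[List[Event]], control: Control) -> List[float]:
    """Apply one control to the common scenarios; returns loss per simulated year."""
    losses = []
    for events in scenarios:
        total = 0.0
        for name, u, loss in events:
            if u < control.prevented.get(name, 0.0):
                continue  # event blocked by the control
            total += loss * (1.0 - control.reduced.get(name, 0.0))
        losses.append(total)
    return losses


def value_at_risk(losses: List[float], confidence: float) -> float:
    """Empirical VaR: the loss not exceeded in `confidence` of simulated years."""
    ordered = sorted(losses)
    idx = int(math.ceil(confidence * len(ordered))) - 1
    return ordered[min(max(idx, 0), len(ordered) - 1)]


def compare_controls(threats: List[Threat], controls: List[Control],
                     years: int = 10000, seed: int = 1) -> Dict[str, Dict[str, float]]:
    """Evaluate every control on the same simulated events (common random numbers)."""
    scenarios = simulate_scenarios(threats, years, seed)
    results = {}
    for c in controls:
        losses = annual_losses(scenarios, c)
        ale = sum(losses) / len(losses)  # annualised loss expectancy
        results[c.name] = {"annual_cost": c.annual_cost, "expected_loss": ale,
                           "var95": value_at_risk(losses, 0.95),
                           "total_expected_cost": c.annual_cost + ale}
    return results


# Constructed sample input (hypothetical figures, not from any real system).
THREATS = [Threat("card-data breach", 0.1, 400_000.0, 1.2),
           Threat("checkout outage", 3.0, 8_000.0, 0.8),
           Threat("account takeover", 12.0, 1_500.0, 1.0)]
CONTROLS = [Control("no investment", 0.0),
            Control("tokenization+WAF", 60_000.0,
                    prevented={"card-data breach": 0.6, "account takeover": 0.3},
                    reduced={"card-data breach": 0.5}),
            Control("DDoS mitigation", 45_000.0,
                    prevented={"checkout outage": 0.7},
                    reduced={"checkout outage": 0.5})]

if __name__ == "__main__":
    for name, r in compare_controls(THREATS, CONTROLS).items():
        print(f"{name:18s} ALE={r['expected_loss']:>12,.0f} "
              f"VaR95={r['var95']:>12,.0f} total={r['total_expected_cost']:>12,.0f}")
```

Because every option is scored against the same simulated events, an option whose losses are lower in each simulated year is guaranteed to show a lower VaR and expected loss; without that, two runs of the simulator could rank cheap and expensive options the wrong way purely through sampling noise. The option to prefer is the one with the lowest total expected cost, subject to whatever VaR ceiling the organisation's risk appetite sets.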
Legislators, regulators, and shareholders increasingly demand good governance over all aspects of business. While much is made of financial governance, most legislation and regulation implicitly recognizes the need for prudent governance of information technology (IT) functions. In this study we conduct an exploratory collective case study of IT governance (ITG) in two financial mutuals, one in Australia and one in Canada, using a contextual lens. In one case, the mutual governs its IT through Board participation in a subsidiary. In the second, governance is delegated to management and a lead director. Both of these mechanisms appear to minimize ITG risk, and both are the result of their respective regulatory environments. This research begins to lend some clarity regarding the IT governance choices made by firms, and identifies important contextual differences between countries' regulatory environments. This will allow researchers, managers, and directors to better understand and discriminate between ITG processes and structures.
Nowadays, information systems play an important role in supporting business strategies, including in the education sector. Critical assets related to information systems are very susceptible to threats that can exploit and damage those assets, leading to disruption of business processes and even to financial losses. PT. Autocomp Systems Indonesia (PASI) has implemented an Information Security Management System (ISMS) based on ISO/IEC 27001 to define a set of risk management strategies. However, some threats still occur and cause the organization losses. The organization needs to evaluate the risk management it has implemented to determine whether the risk protection strategy is adequate. The evaluation is done by comparing the current condition with the expected ideal condition using the Catalogue of Practices from OCTAVE. The gaps found are then used as the basis for a risk assessment of the related assets. The results of this study indicate that the level of risk management maturity achieved by the organization is 89.40%. The biggest gaps are found in the contingency plan/disaster recovery plan and in vulnerability management. A mitigation plan is then proposed from the results of the risk assessment using the OCTAVE Allegro approach so that the risk can be controlled properly.