Including technical and security risks in the management of information systems: A programmatic risk management model

Developing and managing an information systems project has always been challenging, but with increased security concerns and tight budget resources, the risks are even greater. With more networks, mobility, and telecommuting, there is an increased need for an assessment of the technical and security risks. These risks, if realized, can have devastating impacts: interruptions of service, data theft or corruption, embezzlement and fraud, and compromised customer privacy. The software risk assessment literature (for example, Barki et al. 2001; Lyytinen et al. 1998; Schmidt et al. 2001) has focused primarily on managerial (i.e., development) risks, while the security risk models (for example, Cohen et al. 1998; Straub and Welke 1998) do not include the development risks and implementation costs. Theoretical risk models need to be developed that provide a framework for assessing and managing the critical technical failure and security risk factors in conjunction with the managerial and development risks. This research seeks to model this problem by extending risk models originally developed for large-scale engineering systems.

[1] M. E. Paté-Cornell et al. Organizational aspects of engineering system safety: the case of offshore platforms. Science, 1990.

[2] Kalle Lyytinen et al. Components of Software Development Risk: How to Address Them? A Project Manager Survey. IEEE Trans. Software Eng., 2000.

[3] Detmar W. Straub et al. Security concerns of system users: A study of perceptions of the adequacy of security. Inf. Manag., 1991.

[4] Samuel E. Bodily et al. Introduction: The Practice of Decision and Risk Analysis. 1992.

[5] Seth D. Guikema et al. Programmatic Risk Analysis for Critical Engineering Systems Under Tight Resource Constraints. Oper. Res., 2003.

[6] Kalle Lyytinen et al. A Framework for software risk management. Scand. J. Inf. Syst., 1996.

[7] Robin L. Dillon et al. Including technical and security risks in the management of information systems: A programmatic risk management model. 2005.

[8] Sarma R. Nidumolu. A Comparison of the Structural Contingency and Risk-Based Perspectives on Coordination in Software Development Projects. J. Manag. Inf. Syst., 1996.

[9] Jeffrey L. Whitten et al. Systems Analysis and Design Methods. 1986.

[10] F. W. McFarlan et al. Portfolio approach to information systems. 1989.

[11] J. Ropponen et al. Can software risk management improve system development: an exploratory study. 1997.

[12] Suzanne Rivard et al. An Integrative Contingency Model of Software Project Risk Management. J. Manag. Inf. Syst., 2001.

[13] M. M. Baron et al. Designing risk-management strategies for critical engineering systems. 1999.

[14] Kalle Lyytinen et al. A framework for identifying software project risks. CACM, 1998.

[15] Suzanne Rivard et al. Toward an Assessment of Software Development Risk. J. Manag. Inf. Syst., 1993.

[16] M. Elisabeth Paté-Cornell et al. Human and management factors in probabilistic risk analysis: the SAM approach and observations from recent applications. 1996.

[17] S. Kaplan et al. On The Quantitative Definition of Risk. 1981.

[18] M. Greenstein et al. Electronic Commerce: Security Risk Management and Control. 1999.

[19] Sarma R. Nidumolu. The Effect of Coordination and Uncertainty on Software Project Performance: Residual Performance Risk as an Intervening Variable. Inf. Syst. Res., 1995.

[20] Kalle Lyytinen et al. Strategies for Heading Off IS Project Failure. Inf. Syst. Manag., 2000.

[21] Gary Klein et al. Software development risks to project effectiveness. J. Syst. Softw., 2000.

[22] Fred Cohen et al. Special feature: A cause and effect model of attacks on information systems. 1998.

[23] Fred Cohen et al. Information system attacks: A preliminary classification scheme. Comput. Secur., 1997.

[24] Michael D. Myers et al. A Set of Principles for Conducting and Evaluating Interpretive Field Studies in Information Systems. MIS Q., 1999.

[25] Ernest J. Henley et al. Probabilistic risk assessment: reliability engineering, design, and analysis. 1992.

[26] Gary Klein et al. Information system success as impacted by risks and development strategies. IEEE Trans. Engineering Management, 2001.

[27] Kalle Lyytinen et al. Attention Shaping and Software Risk - A Categorical Analysis of Four Classical Risk Management Approaches. Inf. Syst. Res., 1998.

[28] Detmar W. Straub et al. Coping With Systems Risk: Security Planning Models for Management Decision Making. MIS Q., 1998.

[29] B. Boehm. Software risk management: principles and practices. IEEE Software, 1991.

[30] Kalle Lyytinen et al. Identifying Software Project Risks: An International Delphi Study. J. Manag. Inf. Syst., 2001.

[31] Fred Cohen et al. Information system defences: A preliminary classification scheme. Comput. Secur., 1997.

[32] R. Keeney. Decision analysis: an overview. Operations Research, 1982.

[33] Ralph L. Keeney et al. Feature Article - Decision Analysis: An Overview. Oper. Res., 1982.