The TOPM (Target Optimum Portfolio Management) approach to IT (information technology) risk management, as proposed in this paper, is a formal approach based on the concept of a dynamic life cycle, with one of its major objectives being the targeting and optimization of the risk management process itself. Across the range of different types of businesses, business cultures, organizational structures, information technology environments and application systems within those environments, the requirements placed on risk management methods for business information systems differ to a great extent. A distinctive feature of the TOPM approach is its dynamic nature, which allows a customized model to be defined for every situation considered. Addressing the need for new formal models in a holistic way, covering the full IT risk management life cycle as well as all IT domains within the business environment, a deterministic and intuitive approach is applied in the definition of the model. Rather than approaching the analysis, assessment and management of IT risk in the conventional manner, by rigidly considering domains such as hardware, software, environment and personnel in isolation, the TOPM model follows a composite approach. Matrix theory is applied for the alignment of domains. The concept of transaction routes further facilitates the integration and alignment process. In signifying its relevance to functional organizational structures, the TOPM model is further placed in the context of the multi-disciplinary five-phased IS (information security) methodology formerly proposed by the authors. Various enabling technologies are introduced, some of which are often applied in mathematical modelling, and others of which are applied in business functions not usually directly associated with information technology, such as portfolio theory in financial risk management.