论文信息 - Information security risk management: An empirical study on the importance and practices in ICT outsourcing

Information security risk management: An empirical study on the importance and practices in ICT outsourcing

There are many organizations opt for outsourcing in order to cut cost and improve efficiency for their ICT services. On the other hand, ICT outsourcing could also contribute to some risks especially information risks that could jeopardize information asset in the company. An appropriate information security risk management (ISRM) in ICT outsourcing should be in place in order to minimize the potential risks and their impact to business operation as well as ICT services. The objective of this research is to conduct an empirical study on the relationship between importance and practices of ISRM in ICT Outsourcing. Questionnaires were distributed to various private companies and government agencies in Malaysia for the study. Findings of the study show that importance of ISRM process influences its practices in ICT outsourcing. Through the findings, information security risk professional would be able to identify the importance of ISRM and improve their practices in managing information security risk for ICT outsourcing projects. Finally, companies and government agencies need to improve their practices managing information risks in ICT Outsourcing.

[1] J. Wreathall,et al. Knowledge-base for the new human reliability analysis method, A Technique for Human Error Analysis (ATHEANA) , 1996 .

[2] H. Schneider. Failure mode and effect analysis : FMEA from theory to execution , 1996 .

[3] Ira S. Winkler. Information Security Is INFORMATION Security , 2007 .

[4] Amanda Andress,et al. Surviving Security: How to Integrate People, Process, and Technology, Second Edition , 2001 .

[5] A. Mohamed,et al. Information security risk factors: Critical threats vulnerabilities in ICT outsourcing , 2010, 2010 International Conference on Information Retrieval & Knowledge Management (CAMP).

[6] A. Sloper. Meeting the challenge of outsourcing , 2004 .

[7] S. Barman,et al. Writing Information Security Policies , 2001 .

[8] Azlinah Mohamed,et al. Inherent risks in ICT outsourcing projects , 2007 .

[9] Ibrahim Sogukpinar,et al. ISRAM: information security risk analysis method , 2005, Comput. Secur..

[10] Ketil Stølen,et al. The CORAS methodology: model-based risk assessment using UML and UP , 2003 .

[11] John Haigh,et al. Probabilistic Risk Analysis: Foundations and Methods , 2003 .

[12] Suzanne Rivard,et al. A framework for information technology outsourcing risk management , 2005, DATB.

[13] Les Labuschagne,et al. A framework for comparing different information security risk analysis methodologies , 2005 .