Including technical and security risks in the management of information systems: A programmatic risk management model

Developing and managing information systems has always been challenging, but increased security concerns and tighter budget resources have made these tasks even more difficult in recent years. Increased networking, mobility, and telecommuting, while beneficial to business productivity, have introduced serious technical issues and potential security problems. The software risk assessment literature has focused primarily on managerial risks, while security risk models have generally excluded those managerial risks and the associated implementation costs. In addition, the social components of decision-making under risk (e.g., a corporate culture that rewards only on-time, on-budget software delivery) have proven to be a primary risk driver in many environments. On the basis of a high-level risk analysis model, this paper provides a framework that permits assessment and management of the critical risks of technical failures and security breaches of information systems, in conjunction with the managerial risks of exceeding the levels of resources allocated to their development. To do so, we consider explicitly the tradeoffs involved and the effects of resource constraints on system reliability and security. © 2004 Wiley Periodicals, Inc. Syst Eng 8: 15–28, 2005
