Abstract

Developing and managing information systems have always been challenging, but increased security concerns and tighter budget resources have made these tasks even more difficult in recent years. Increased networking, mobility, and telecommuting, while beneficial to business productivity, have introduced serious technical issues and potential security problems. The software risk assessment literature has focused primarily on managerial risks, while security risk models have generally excluded these risks and the associated implementation costs. In addition, the social components of decision-making under risk (e.g., a corporate culture that rewards only on-time, on-budget software delivery) have proven to be a primary risk driver in many environments. On the basis of a high-level risk analysis model, this paper provides a framework that permits assessment and management of the critical risks of technical failures and security breaches of information systems, in conjunction with the managerial risks of exceeding the levels of resources allocated to their development. To do so, we consider explicitly the tradeoffs involved and the effects of resource constraints on system reliability and security. © 2004 Wiley Periodicals, Inc. Syst Eng 8: 15–28, 2005
