A DEA-Based Approach for Information Technology Risk Assessment through Risk IT Framework
Seyed Hatefi¹ and Mehdi Fasanghari²
¹Faculty of Engineering, Shahrekord University, Iran
²Cyber Space Research Institute, North Karegar St., Iran
Abstract: The use of Information Technology (IT) in organizations is subject to various kinds of potential risks. Risk management is a key component of project management that enables an organization to accomplish its mission(s). However, IT projects have often been found to be complex and risky to implement in organizations. The organizational relevance and risk of IT projects make it important for organizations to focus on ways to implement IT projects successfully. This paper focuses on IT risk management, especially the risk assessment model, and proposes a process-oriented approach to risk management. To this end, the paper applies the Risk IT framework, which has three main domains (risk governance, risk analysis, and risk response) and 9 key processes. Then, a set of scenarios that can improve the maturity level of the Risk IT processes is considered, and the impact of each scenario on the Risk IT processes is determined by expert opinion. Finally, Data Envelopment Analysis (DEA) is customized to evaluate the improvement scenarios and select the best one. The proposed methodology is applied to the Iran Telecommunication Research Centre (ITRC) to improve the maturity level of its IT risk management processes.
Keywords: Risk IT framework, risk management, process model, DEA.
Received June 10, 2012; accepted September 11, 2013