IT RISK IDENTIFICATION AND ASSESSMENT METHODOLOGY
DOI: https://doi.org/10.17770/etr2017vol2.2539

Keywords: IT risk, risk identification methodology, risk assessment methodology, risk practitioner, qualitative risk, quantitative risk

Abstract
There are numerous methods for the risk identification and risk assessment phases. For risk identification these include the historical and systematic approaches and inductive or theoretical analysis. One of the main reasons risk identification is so helpful is that in many cases it provides the justification for any large IT investment and other large undertakings; without it the organization would probably be unable to reach a conclusion. In this phase the business also recognizes the threats, vulnerabilities and assets associated with its IT systems. Together with the risk assessment phase, the risk management specialist is responsible for determining the asset value (what the asset the business is protecting is worth) and the risk acceptance level.

Risk assessment, on the other hand, examines the impact or consequence of an adverse event and examines and evaluates the likelihood or probability of that event happening. Risk assessment includes methods such as Bayesian analysis, Bow Tie analysis, brainstorming or structured interviews, business impact analysis, cause and consequence analysis, cause-and-effect analysis, the Delphi method, event tree analysis, fault tree analysis, hazard analysis, hazard and operability studies, and finally the structured what-if technique (SWIFT). Risk assessment has two distinct assessment types: quantitative and qualitative. Quantitative assessment tries to put a monetary value on all risks; qualitative assessment instead rates them on a range of values such as low, medium and high. The results of these phases are documented in the risk assessment report and reported to senior management.
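The quantitative and qualitative assessment types described above, as an added Python example that is not part of the paper: a constructed three-row risk register is scored both ways (a monetary expected annual loss, and a low/medium/high rating from a likelihood-by-impact matrix) and each row is compared against an assumed risk acceptance level to produce the rows of a risk assessment report. The expected-loss formula (asset value x fraction lost x annual probability), the band thresholds, the combining matrix, the acceptance level and all sample values are assumptions made here, not figures from the paper.

```python
from dataclasses import dataclass

# Assumed risk acceptance level: expected loss per year the business will tolerate.
ACCEPTANCE_LEVEL = 10_000.0


@dataclass(frozen=True)
class Risk:
    """One row of the risk register: an asset, a threat to it, and the
    assessment inputs (asset value, consequence, likelihood)."""
    asset: str
    threat: str
    asset_value: float          # value of the asset the business is protecting
    impact_fraction: float      # share of asset value lost if the event occurs (0..1)
    annual_probability: float   # likelihood of the adverse event in one year (0..1)

    def __post_init__(self):
        # Reject inputs outside [0, 1]; a bad fraction silently distorts every score.
        for name in ("impact_fraction", "annual_probability"):
            value = getattr(self, name)
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{name} must be in [0, 1], got {value}")


# Constructed sample register; not data from the paper.
SAMPLE_REGISTER = [
    Risk("customer database", "ransomware", 500_000.0, 0.6, 0.2),
    Risk("public website", "defacement", 50_000.0, 0.1, 0.7),
    Risk("backup tapes", "physical loss", 80_000.0, 0.3, 0.05),
]


def expected_annual_loss(r: Risk) -> float:
    """Quantitative assessment: monetary consequence (asset value x fraction
    lost) weighted by likelihood, giving an expected loss per year."""
    return round(r.asset_value * r.impact_fraction * r.annual_probability, 2)


# Qualitative assessment: band likelihood and impact, then combine them in a
# matrix. The thresholds are assumptions; the paper only names the bands.
def likelihood_band(p: float) -> str:
    return "low" if p < 0.10 else "medium" if p < 0.50 else "high"


def impact_band(fraction: float) -> str:
    return "low" if fraction < 0.20 else "medium" if fraction < 0.50 else "high"


# (likelihood band, impact band) -> overall qualitative rating (assumed matrix)
RISK_MATRIX = {
    ("low", "low"): "low",       ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",    ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",   ("high", "medium"): "high",     ("high", "high"): "high",
}


def qualitative_rating(r: Risk) -> str:
    return RISK_MATRIX[(likelihood_band(r.annual_probability), impact_band(r.impact_fraction))]


def assess(register, acceptance_level=ACCEPTANCE_LEVEL):
    """Produce the rows of a risk assessment report, highest expected loss first.
    A risk is marked for treatment when its expected loss exceeds the
    acceptance level or its qualitative rating is high; otherwise it may be
    accepted. Both views are kept so senior management sees the money and
    the band side by side."""
    rows = []
    for r in register:
        eal = expected_annual_loss(r)
        rating = qualitative_rating(r)
        rows.append({
            "asset": r.asset,
            "threat": r.threat,
            "expected_annual_loss": eal,
            "likelihood": likelihood_band(r.annual_probability),
            "impact": impact_band(r.impact_fraction),
            "rating": rating,
            "decision": "treat" if eal > acceptance_level or rating == "high" else "accept",
        })
    rows.sort(key=lambda row: row["expected_annual_loss"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['asset']:<18} {row['threat']:<14} "
              f"EAL={row['expected_annual_loss']:>9.2f} "
              f"L={row['likelihood']:<6} I={row['impact']:<6} "
              f"rating={row['rating']:<6} -> {row['decision']}")
```

The two views deliberately disagree in places: the website defacement has the highest likelihood band but a small expected loss, so the monetary view alone would rank it last while the qualitative matrix still flags it as medium. Reporting both, together with the acceptance level used, is what lets the report's reader see why a given risk was accepted or sent for treatment.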