Published in: Information Systems Frontiers 4/2011

01.09.2011

RiskM: A multi-perspective modeling method for IT risk assessment

by: Stefan Strecker, David Heise, Ulrich Frank


Abstract

Stakeholder involvement and participation are widely recognized as being key success factors for IT risk assessment. A particular challenge facing current IT risk assessment methods is to provide accessible abstractions on matters of IT risk that attend to both managerial and technical perspectives of the stakeholders involved. In this paper, we investigate whether a conceptual modeling method can address essential requirements in the IT risk assessment domain, and which structural and procedural features such a method entails. The research follows a design research process in which we describe a research artifact, and evaluate it to assess whether it meets the intended goals. In the paper, we specify requirements and assumptions underlying the method construction, discuss the structural specification of the method and its design rationale, present a prototypical application scenario, and provide an initial method evaluation. The results indicate that multi-perspective modeling methods satisfy requirements specific to the IT risk assessment domain, and that such methods, in fact, provide abstractions on matters of IT risk accessible to both a technical and a managerial audience.


Metadata
Title
RiskM: A multi-perspective modeling method for IT risk assessment
Authors
Stefan Strecker
David Heise
Ulrich Frank
Publication date
01.09.2011
Publisher
Springer US
Published in
Information Systems Frontiers / Issue 4/2011
Print ISSN: 1387-3326
Electronic ISSN: 1572-9419
DOI
https://doi.org/10.1007/s10796-010-9235-3
