Risk-Informed Decision Making in Information System Implementation Projects: Using Qualitative Assessment and Evaluation of Stakeholders' Perceptions of Risk (2017-01-04)
The successful implementation of a new software system at any organization requires identification and management of risks as well as insight into the decision-making process throughout the information system lifecycle. Risk assessment of software systems aids in planning, implementation and adoption stages and helps identify potential problems before they occur. This study utilized a qualitative case study method and an interview design for data collection to gather, organize and make sense of key stakeholders' perceptions of risk for decision making in the implementation of a new department-wide computerized system. Top stakeholder risks identified include executive sponsorship support; adoption of the new technologies and processes; and interoperability. The results of the analysis of perceptions of risks allowed the organization and the team responsible for the implementation of the new system to make decisions about mitigating strategies aligned with stakeholders' expectations; forecast potential issues within the implementation timeline based on activities associated with identified risks; and make implementation and process decisions based upon the risk assessment. This study extends the research on IT risk management and decision making by demonstrating the utility and efficacy of a qualitative case study method for eliciting the information needed from stakeholders in order to make decisions regarding system implementation, specifically in an organization that lacks the appropriate risk management maturity level to conduct an exhaustive quantitative analysis of risks associated with the project.
Communication Barriers in the Decision-making Process: System Language and System Thinking (2017-01-04)
A major problem in the decision-making process is poor communication regarding threats and risks between information security experts and decision makers. By their nature, experts have a strong interest in operational details and limited insight into the purpose of the organization, as they may not fully understand the mission and business. They overuse System Language and System Thinking. This means they fail to make themselves fully understood by the decision makers, who are therefore not able to make carefully considered risk-based decisions.

This paper describes the theory behind the underlying communication problem between information security experts and decision makers and the use of System Language and System Thinking. We questioned 63 participants, observed and analyzed their opinions, and discussed the results. This has led to Lessons Learned for developing a curriculum on Information Security and Privacy Protection (IS&PP) and defining areas for further research.
A Decision-Theoretic Approach to Measuring Security (2017-01-04)
The question "is this system secure?" is notoriously difficult to answer. The question implies that there is a system-wide property called "security," which we can measure with some meaningful threshold of sufficiency. In this concept paper, we discuss the difficulty of measuring security sufficiency, either directly or through a proxy such as the number of known vulnerabilities. We propose that the question can be better addressed by measuring confidence and risk in the decisions that depend on security. A novelty of this approach is that it integrates the use of both subjective information (e.g. expert judgment) and empirical data. We investigate how this approach uses well-known methods from the discipline of decision-making under uncertainty to provide a more rigorous and usable measure of security sufficiency.
Introduction to IS Risk and Decision-Making Minitrack (2017-01-04)