IS Risk and Decision-Making Minitrack

Information systems (IS) today are a vital and ever-present part of our lives, from our computers and mobile devices to our online business and social sites; from the systems embedded in our planes, cars, and appliances to the medical devices that may be embedded in our own bodies. They are a source of benefits, but also of risk. Everyone who is responsible for building, acquiring, or maintaining these systems faces questions of risk during the IS life cycle. Are the systems safe? Are they reliable? Are they secure? Based on the answers to these questions, decisions must be made: should the new software be released or held for more testing? Should the next rocket to Mars be launched? Should a new insulin pump be approved for human use?

We are looking for contributions from researchers and practitioners, in both academia and industry, who can provide insight into decision-making throughout the IS life cycle and its impact on IS risk. What methods are being used for risk-informed decision-making? How are trade-offs for risk vs. cost, schedule, and performance handled? How are decisions affected by software or systems assurance? How are decisions affected by the cognitive biases of the decision-makers and the culture of the IS development organization? Cross-disciplinary submissions, including social and psychological factors in addition to technical ones, are particularly welcome.

Topics include but are not restricted to:

  • Methods for risk-informed decision making
  • Risk analyses for critical decisions, such as “certification for launch readiness”
  • Handling trade-offs for risk, cost, schedule, and performance
  • Assuring safety, reliability, or security during the IS life cycle
  • The role of government and industry standards
  • The effect of cognitive biases on risk perception and decision-making
  • The effect of organizational culture or economic pressures on risk perception and decision-making
  • Analyses of actual success or failure of risk-critical decisions
  • Processes and tools (e.g., risk analysis methods or decision support systems) with the potential for improving risk-critical decision outcomes
  • Risk-driven processes for IS decision making

Minitrack Co-Chairs:

Dan Port (Primary Contact)
University of Hawaii at Manoa

Joel Wilf
University of Hawaii at Manoa


Recent Submissions

  • Risk-Informed Decision Making in Information System Implementation Projects: Using Qualitative Assessment and Evaluation of Stakeholders’ Perceptions of Risk
    (2017-01-04) Schurr, Monica; De Tuya, Manuel; Noll, Kathryn
    The successful implementation of a new software system at any organization requires identification and management of risks as well as insight into the decision-making process throughout the information system lifecycle. Risk assessment of software systems aids in planning, implementation and adoption stages and helps identify potential problems before they occur. This study utilized a qualitative case study method and an interview design for data collection to gather, organize and make sense of key stakeholders’ perceptions of risk for decision making in the implementation of a new department-wide computerized system. Top stakeholder risks identified include executive sponsorship support; adoption of the new technologies and processes; and interoperability. The results of the analysis of perceptions of risks allowed the organization and the team responsible for the implementation of the new system to make decisions about mitigating strategies aligned with stakeholders’ expectations; forecast potential issues within the implementation timeline based on activities associated with identified risks; and make implementation and process decisions based upon the risk assessment. This study extends the research on IT risk management and decision making by demonstrating the utility and efficacy of a qualitative case study method for eliciting the information needed from stakeholders in order to make decisions regarding system implementation, specifically in an organization that lacks the appropriate risk management maturity level to conduct an exhaustive quantitative analysis of risks associated with the project.
  • Communication Barriers in the Decision-making Process: System Language and System Thinking
    (2017-01-04) Schinagl, Stef; Paans, Ronald
    A major problem in the decision-making process is poor communication regarding threats and risks between information security experts and decision makers. By their nature, experts have a strong interest in operational details and limited insight into the purpose of the organization, as they may not fully understand the mission and business. They are overusing System Language and System Thinking. This means they will fail to make themselves fully understood by the decision makers, who are therefore not able to make carefully considered risk-based decisions.
    This paper describes the theory behind the underlying communication problem between information security experts and decision makers and the use of System Language and System Thinking. We questioned 63 participants, observed and analyzed their opinions, and discussed the results. This has led to Lessons Learned for developing a curriculum on Information Security and Privacy Protection (IS&PP) and defining areas for further research.
  • A Decision-Theoretic Approach to Measuring Security
    (2017-01-04) Port, Dan; Wilf, Joel
    The question “is this system secure?” is notoriously difficult to answer. The question implies that there is a system-wide property called “security,” which we can measure with some meaningful threshold of sufficiency. In this concept paper, we discuss the difficulty of measuring security sufficiency, either directly or through a proxy such as the number of known vulnerabilities. We propose that the question can be better addressed by measuring confidence and risk in the decisions that depend on security. A novelty of this approach is that it integrates use of both subjective information (e.g. expert judgment) and empirical data. We investigate how this approach uses well-known methods from the discipline of decision-making under uncertainty to provide a more rigorous and usable measure of security sufficiency.
  • Introduction to IS Risk and Decision-Making Minitrack
    (2017-01-04) Port, Dan; Wilf, Joel