Version 1: Received: 18 October 2023 / Approved: 18 October 2023 / Online: 19 October 2023 (10:08:06 CEST)
How to cite:
Metin, B.; Duran, S.; Telli, E.; Mutlutürk, M.; Wynn, M. Digitalisation and IT Risk Management: Towards a System for Improved Business Sustainability. Preprints 2023, 2023101227. https://doi.org/10.20944/preprints202310.1227.v1
APA Style
Metin, B., Duran, S., Telli, E., Mutlutürk, M., & Wynn, M. (2023). Digitalisation and IT Risk Management: Towards a System for Improved Business Sustainability. Preprints. https://doi.org/10.20944/preprints202310.1227.v1
Chicago/Turabian Style
Metin, B., Meltem Mutlutürk and Martin Wynn. 2023. "Digitalisation and IT Risk Management: Towards a System for Improved Business Sustainability." Preprints. https://doi.org/10.20944/preprints202310.1227.v1
Abstract
To proactively manage information security, enterprises often employ information security risk assessment techniques. Asset value - which is used to calculate the financial impact of possible threats - is one of the key parameters of information security risk. However, assets in a system are rarely independent, and their values are typically interdependent. Asset owners and IT teams may hold different views as regards these values, and there is thus a need to reduce subjectivity in qualitative risk assessment. The research entails the development of a conceptual framework derived from the literature to minimize subjectivity, and the design of a system based on those concepts. The study uses the Unified Modeling Language as a design tool and puts forward an object-oriented model for defining asset values, in which the relationships between assets, vulnerabilities and related threats are identified. A "segregation of duties" approach is integrated into the risk management system to mitigate subjectivity and better determine asset values. Survey responses from 16 practitioners working in the private and public sectors confirm the validity of the approach, but suggest it may be more workable in larger organisations where resources allow dedicated risk professionals to operate.
Keywords
risk assessment; information security; risk management; segregation of duties; security culture model; SCM; COBIT 2019; unified modelling language; ISO 27001
Subject
Business, Economics and Management, Business and Management
Copyright:
This is an open access article distributed under the Creative Commons Attribution License which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.