A General, But Readily Adaptable Model of Information System Risk

This article is the first of two whose goal is to advance the discussion of IS risk by addressing limitations of the current IS risk literature. These limitations include: • inconsistent or unclear definitions of risk, • limited applicability of risk models, • frequent omission of the temporal nature of risk, and • lack of an easily communicated organizing framework for risk factors. This article presents a general, but broadly adaptable model of system-related risk. The companion article, Volume 14, Article 2[Sherer and Alter, 2004] focuses on IS risk factors and how these factors can be organized. This article starts by identifying criteria for a general, but broadly applicable risk model. It compares alternative conceptualizations of risk and provides clarifications of the definitions of risk and of different treatments of goals, expectations, and baselines for assessing risk. It presents several of the risk models in the IS literature and discusses the temporal nature of risk. Based on that background it presents a general and broadly adaptable model of risk that encompasses: • goals and expectations, • risk factors and other sources of uncertainty, • the operation of the system or project whose risks are being managed, • the risk management effort, • the possible outcomes and their probabilities, • impacts on other systems, 2 Communications of the Association for Information Systems (Volume 14, 2004) 1-28 A General, but Readily Adaptable Model of Information Risk by S. Alter and S.A. Sherer • and the resulting financial gains or losses. The model’s adaptability allows users to eliminate facets that are not important for their purposes. For example, the majority of current practitioners would probably think of risk in terms of negative outcomes rather than the full distribution of possible outcomes. A comparison of the general model with other risk models in the IS literature shows that it covers most of the ideas expressed by previous IS risk models while also providing a practical approach that managers can use for thinking about IS risk at whatever level of detail makes sense to them.