Although managing information technology (IT) risks is widely regarded as a critical in organizations, stakeholders often question the value provided by IT risk management (ITRM) to an organization. Organizational research suggests the concept of ‘enabling formalization’ to design highly formalized organizational processes. Processes like IT-RM that are designed in an enabling way support organ...

Are the levels of information risk management efforts within and between firms correlated with the resilience of the firms to information disruptions? This paper examines the question by considering the results of field studies of information risk management practices at organizations and in supply chains. The organizations investigated differ greatly in the degree of coupling from a general an...

IT security issues and outsourcing of business processes are common but largely disjoint themes in the literature; common consideration is rare even though information security risk becomes a shared risk both through IS-based processes at outsourcing partners and potentially tightly-integrated IS systems. This paper explores this lack of an integrated model combining IT risk management view wit...

Increasing numbers of security incidents such as malware or hacker attacks prompt companies to spend billions of dollars on protecting their information systems. In this context IT risk management (ITRM) has become an important organizational function to control internal and external risks associated with IT. Much effort has been put on mitigating IT risks by means of physical, procedural, and ...

As Information Technology (IT) has become increasingly important to the competitive position of firms, managers have grown more sensitive to their organization's overall IT risk management. Recent publicity concerning losses incurred by companies becauseofproblcms with their sophisticated information systems has focused attention on the importance of these systems to the organization. In an att...

We present a solution for modeling the dependencies of an IT infrastructure and determine the availability of components and services therein using Markov logic networks (MLN). MLNs offer a single representation of probability and first-order logic and are well suited to model dependencies and threats. We identify different kinds of dependency and show how they can be translated into an MLN. Th...

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ....

A risk inventory provides an integrated view on risk management artifacts, e.g., risks, risk controls, and performance indicators. In this paper, we show how adapting the enterprise architecture management processes (EAM) may provide a foundation for an integrated IT risk inventory. Based on a design research approach, we develop a systematic approach for integrating the disciplines of risk man...

In this paper we propose a novel approach for the systematic assessment and analysis of IT related risks in organisations and projects. The approach is model-driven using an enterprise architecture as the basis for the security management process. Using an enterprise architecture it is possible to provide an integrated description of an organisation’s structure, processes and its underlying IT ...