Abstract
Stakeholder involvement and participation are widely recognized as key success factors for IT risk assessment. A particular challenge facing current IT risk assessment methods is to provide accessible abstractions on matters of IT risk that attend to both the managerial and the technical perspectives of the stakeholders involved. In this paper, we investigate whether a conceptual modeling method can address essential requirements in the IT risk assessment domain, and which structural and procedural features such a method entails. The research follows a design research process in which we describe a research artifact and evaluate it to assess whether it meets the intended goals. In the paper, we specify the requirements and assumptions underlying the method construction, discuss the structural specification of the method and its design rationale, present a prototypical application scenario, and provide an initial method evaluation. The results indicate that multi-perspective modeling methods satisfy requirements specific to the IT risk assessment domain, and that such methods in fact provide abstractions on matters of IT risk that are accessible to both a technical and a managerial audience.
Acknowledgement
The authors would like to thank the anonymous referees for their constructive comments that greatly helped improve the paper. We would also like to thank Arne Weuster for his support and Jens Gulden for valuable comments on an earlier version of the manuscript.
Cite this article
Strecker, S., Heise, D. & Frank, U. RiskM: A multi-perspective modeling method for IT risk assessment. Inf Syst Front 13, 595–611 (2011). https://doi.org/10.1007/s10796-010-9235-3