Prepared by
Masoom
PROJECT TITLE
Evaluation of risk management for information systems: a case of an Indian
ISP (Internet Service Provider) company
PROJECT SUMMARY
Information systems are now the major resource that organizations require to operate.
They have nearly replaced manual working and have increased the efficiency of
organizations, as the core business functions get real attention from management. As
per Sarigiannidis & Chatzoglou (2014), IT systems are the backbone of any company, as they
manage and integrate various business functions. The increase in the use of IT systems has
also increased the risks associated with them. IT risk management is a process whose core
purpose is similar to that of any other risk management process, i.e. to identify risks and
develop strategies to manage the likely impact of those risks. Mohd-Rahim, Chen, Boussabaine,
Abdul-Rahman & Wood (2014) noted that organizations in developing countries, like India,
have been using information systems to manage business functions for only a few years.
Information systems help in increasing the efficiency of the organization as well as
enhancing customer experience.
This research study will focus on the risk management process for two types of risks
associated with information systems used in the broadband industry of India. For the case
study, a local broadband service provider will be selected in order to evaluate the risk
management process used to manage security and implementation risks.
LITERATURE REVIEW
Information technology has seen various evolutions, and the current digital age is very
different from that of a decade ago (Mohd-Rahim et al, 2014). According to LOBATO, BITTAR,
NETO, MACHADO, DE ALMEIDA & MEIRA (2013), the world is converging and
information systems are interacting with each other in order to increase efficiency. LOBATO
et al (2013) further argued that information systems are used in organizations to manage
different business functions such as finance, marketing, IT, HRM and commercial. It is
important to integrate the different information systems that are implemented to manage
different business functions.
According to Lundqvist (2014), information systems are used by internal and external
customers of an organization. As the number of users of an information system increases, it
becomes more vulnerable to various risks. Champan (2014) highlighted security risk as the
major threat to IT systems, which could come from internal as well as external customers.
Champan (2014) also identified implementation risk as associated with information
systems, which could have negative impacts on the company's finances.
As per LOBATO et al (2013), risk is a positive or negative impact of any uncertain event.
Mohd-Rahim et al (2014) suggested that risk does not only have a negative impact, as it
can have a positive impact on organizations as well. Sarigiannidis & Chatzoglou (2014)
related risk to the concept of probability, where the likelihood of a future event is
measured. However, risk management strategies are usually defined in order to cater for the
negative impact of risks associated with various projects.
According to LOBATO et al (2013), the process of risk management starts with the
identification of risks. Risk identification is a very important step and requires a detailed
overview of the market situation and of the internal and external factors. Once the risks are
identified, they can be processed further in the next steps, such as assessment of the likely
impact, either positive or negative. Lundqvist (2014) argues that risk identification defines
the fate of risk management strategies/policies, as risks left unidentified can result in a
bigger loss. Once the impact of risks is calculated qualitatively or quantitatively through
risk assessment, priorities are set.
The future always remains uncertain; however, the role of fate has been significantly reduced
through the emergence of risk management concepts. Organizations can devise strategies to
identify the likely impacts of identified risks and define mitigation strategies that allow
companies to avoid uncertain events with negative impacts (Sarigiannidis & Chatzoglou,
2014).
Due to the convergence of telecommunication and computing, the use of IT systems has
increased significantly across the globe. The increasing dependence of business functions on
information systems has also increased the risks associated with information systems
(Sarigiannidis & Chatzoglou, 2014). According to Mohd-Rahim et al (2014), for information
systems, the threats associated with the outcomes of these systems are termed risks.
However, ELLUL & YERRAMILLI (2013) argue that risks can also be opportunities
that an organization can exploit to generate benefit. ELLUL & YERRAMILLI (2013) also
tried to quantify the impact of risk through the expression R = P * I, where R is exposure
to risk, P is probability or likelihood and I is the quantified figure of likely impact.
There are different types of risks associated with IT projects; however, we discuss here only
two types to which information systems are vulnerable. Exposure of information systems to
risks is measured as an amount. However, not all risks translate to amounts, as some
risks are likely to trigger other processes that could have a negative impact on the company's
reputation or image. Security risk is the most important and top-rated risk associated with
information systems. As per Champan (2014), risks to information pertaining to the
customers of the company are huge, and in case of negative impact the company may suffer
severe reputation issues in the market. Security risks to information systems are managed
through risk identification and management (LOBATO et al, 2013). A security breach of IT
systems from the internal or external environment can lead to fraudulent activity that has a
negative financial impact as well.
Project implementation risk is also associated with IT projects and can have negative impacts
on the business. As per Sarigiannidis & Chatzoglou (2014), information systems are
implemented in organizations to manage data and information along with the flow of
information for effective communication among internal and external customers.
Implementation involves certain timelines, costs and communication with various departments.
If timely implementation is not achieved, then the cost of the entire project might go up, and
various other risks related to system stability and security could be triggered.
Teller, Kock & Gemünden (2014) discussed two methodologies to assess the risk associated with
information systems. Quantitative risk assessment is a methodology to measure expected risk
in financial terms. As per Teller et al (2014), Annual Loss Expectancy (ALE) is calculated for
security risks in large organizations where information systems are in place. Annual loss
expectancy is calculated by multiplying single loss expectancy by the annual rate of occurrence
of security risks.
Qualitative risk assessment is somewhat different from quantitative assessment, in that a
rating is associated with the type of risk. Qualitative risk assessment evaluates the
likelihood of occurrence of an event and then assigns a degree of probability such as high
risk, medium risk or low risk (Teller et al, 2014). This assessment technique is used where
quantifying the risks in financial terms is not possible.
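The two assessment methods above, combined in a small risk register, as an added example that is not part of the original proposal: risks with financial figures are ranked by ALE (single loss expectancy times annual rate of occurrence), and the rest fall back to a high/medium/low rating. The sample risks, their figures and the 0.6 / 0.3 likelihood cut-offs are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Rating labels are the text's; their numeric order and the cut-offs are assumptions.
RATING_ORDER = {"high": 3, "medium": 2, "low": 1}

@dataclass
class Risk:
    name: str
    sle: Optional[float] = None         # single loss expectancy (currency units)
    aro: Optional[float] = None         # annual rate of occurrence (events per year)
    likelihood: Optional[float] = None  # estimated probability, 0..1

def ale(risk: Risk) -> Optional[float]:
    """Annual Loss Expectancy = SLE x ARO, or None when not quantifiable."""
    if risk.sle is None or risk.aro is None:
        return None
    if risk.sle < 0 or risk.aro < 0:
        raise ValueError(f"{risk.name}: SLE and ARO must be non-negative")
    return risk.sle * risk.aro

def rating(likelihood: float) -> str:
    """Qualitative rating from likelihood (assumed cut-offs: 0.6 and 0.3)."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be between 0 and 1")
    return "high" if likelihood >= 0.6 else "medium" if likelihood >= 0.3 else "low"

def prioritise(risks):
    """Return (quantified, qualitative) lists, each sorted highest priority first."""
    quantified, qualitative = [], []
    for r in risks:
        loss = ale(r)
        if loss is not None:
            quantified.append((r.name, loss))
        elif r.likelihood is not None:
            qualitative.append((r.name, rating(r.likelihood)))
        else:
            raise ValueError(f"{r.name}: no SLE/ARO and no likelihood given")
    quantified.sort(key=lambda x: x[1], reverse=True)
    qualitative.sort(key=lambda x: RATING_ORDER[x[1]], reverse=True)
    return quantified, qualitative

# Constructed sample register for a broadband provider (all figures invented).
REGISTER = [
    Risk("Insider billing fraud", sle=200_000, aro=2.0),
    Risk("Customer data breach", sle=4_000_000, aro=0.25),
    Risk("Reputation damage after outage", likelihood=0.35),
    Risk("Delayed system implementation", likelihood=0.7),
]
```

A rare but costly breach can outrank a frequent but cheaper fraud once both are expressed as ALE, which is why the quantified list is sorted on ALE rather than on ARO.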
REQUIRED RESOURCES
Since the research study is qualitative research, no specialist equipment is
required. However, the researcher is conducting the research from the UK; therefore, data
collection will require telephone and email conversations. A personal reference of the
researcher will be used to get permission for interviews from the managers working in a
broadband company operating in India. A telephone and a personal computer are required in
order to complete the data collection and data analysis activities. To be more specific, the
MS Office suite is required to compile the report and final dissertation; further, access to
the university library and online databases such as EBSCO is required.
PROJECT PLAN
Weeks: W1, W2, W3, W4, W5, W6, W7, W8
Tasks:
Proposal Submission
Secondary data collection
Literature Review
Methodology
Questionnaire design
Primary Data Collection
Data Analysis
Introduction
Final Draft Preparation
Final Submission
REFERENCES
Guidelines for Major Projects, Gower Pub Co; New edition (January 28, 2014)
ELLUL, A, & YERRAMILLI, V 2013, 'Stronger Risk Controls, Lower Risk:
Evidence from U.S. Bank Holding Companies', Journal Of Finance, 68, 5, pp. 1757-1803
LOBATO, L, BITTAR, T, NETO, P, MACHADO, I, DE ALMEIDA, E, & MEIRA, S
2013, 'RISK MANAGEMENT IN SOFTWARE PRODUCT LINE ENGINEERING:
A MAPPING STUDY', International Journal Of Software Engineering & Knowledge