Search results

1 – 10 of over 219000

Details

Understanding Financial Risk Management, Second Edition
Type: Book
ISBN: 978-1-78973-794-3

Book part
Publication date: 20 November 2023

Monia Spagnolo, Valentina Ndou, Davide Giribaldi and Valentina Arena

Abstract

In the current scenario, cybersecurity issues have emerged to be a major challenge for firms to deal with. The increased use of technologies has increased radically the volume and typology of information produced, exchanged, and managed by firms thus creating conditions for cybersecurity incidents or information breaches. In this situation, it becomes paramount for firms to recognize cybersecurity risks and be prepared to prevent them through the implementation of approaches and technologies able to ensure a high level of protection.

In this chapter, we provide a framework for analyzing and managing cybersecurity risks. We employed a case study strategy to understand how the risk analysis process is carried out within an information security company. The study and the observations obtained from this case study have allowed us to define a framework useful for SMEs dealing with cybersecurity issues.

Details

Digitalization, Sustainable Development, and Industry 5.0
Type: Book
ISBN: 978-1-83753-191-2

Book part
Publication date: 28 December 2013

Susan A. Bandes

Abstract

The concept of risk is often approached as if it is self-defining. Yet placing an event or activity in the category of “risk” is a categorization with consequences. Framing normatively complex problems like immigration, terrorism, or monetary crisis as risks that require regulating suggests that certain cognitive tools are best suited for analyzing them. It suggests that the problems are measurable or quantifiable, that they lend themselves to utilitarian calculus, and that they have ascertainably correct solutions that require no value judgments. This article employs emotion theory to illustrate the difficulties with approaching normatively complex areas of governmental policy through the framework of risk regulation. It argues that interdisciplinary inquiry into the role of emotion in human behavior sheds light on how risks are assessed, prioritized, and ameliorated, on how the category of risk is constructed, and on how that categorization affects the cognitive tools and approaches we bring to normatively complex problems. The article begins with a brief discussion of behavioral law and economics, which styles itself a corrective to law and economics, but which replicates its fatal flaw: its unrealistic view of human behavior. Next it turns to two more specific problems with the standard notion of risk formulation. First, the standard notion reads out the essential role of emotion in deliberation about risk regulation and overvalues top-down expert knowledge. Second, it reads out the heuristics that erase patterns and maintain the status quo. Finally, the article will focus on two illustrative case studies, the Chicago heat wave of 1995, and Hurricane Katrina.

Details

From Economy to Society? Perspectives on Transnational Risk Regulation
Type: Book
ISBN: 978-1-78190-739-9

Book part
Publication date: 18 July 2017

Kala Saravanamuthu

Abstract

Accounting’s definition of accountability should include attributes of socioenvironmental degradation manufactured by unsustainable technologies. Beck argues that emergent accounts should reflect the following primary characteristics of technological degradation: complexity, uncertainty, and diffused responsibility. Financial stewardship accounts and probabilistic assessments of risk, which are traditionally employed to allay the public’s fear of uncontrollable technological hazards, cannot reflect these characteristics because they are constructed to perpetuate the status quo by fabricating certainty and security. The process through which safety thresholds are constructed and contested represents the ultimate form of socialized accountability because these thresholds shape how much risk people consent to be exposed to. Beck’s socialized total accountability is suggested as a way forward: It has two dimensions, extended spatiotemporal responsibility and the psychology of decision-making. These dimensions are teased out from the following constructs of Beck’s Risk Society thesis: manufactured risks and hazards, organized irresponsibility, politics of risk, radical individualization and social learning. These dimensions are then used to critically evaluate the capacity of full cost accounting (FCA), and two emergent socialized risk accounts, to integrate the multiple attributes of sustainability. This critique should inform the journey of constructing more representative accounts of technological degradation.

Details

Parables, Myths and Risks
Type: Book
ISBN: 978-1-78714-534-4

Article
Publication date: 27 May 2014

Michele Rubino and Filippo Vitolla

Abstract

Purpose

The purpose of this paper is to illustrate how information technology (IT) governance supports the process of enterprise risk management (ERM). In particular, the paper illustrates how the Control Objectives for Information and related Technology (COBIT) framework helps a company reach its objectives by integrating and supporting the Enterprise Risk Management by the Committee of Sponsoring Organizations (COSO ERM) framework.

Design/methodology/approach

This paper explains how the integration between the two frameworks (COSO ERM and COBIT 5) can represent, for any organization, a good way to achieve the objectives of internal control and risk management and, more generally, corporate governance.

Findings

The paper identifies some gaps in the COSO ERM and illustrates how the COBIT framework facilitates the implementation of an adequate system of internal control.

Originality/value

The originality of the work presented here lies in analyzing COBIT 5 together with the COSO ERM framework. This paper highlights that it is not enough to apply only an internal control framework to achieve the objectives of risk management and the internal control system. An IT governance framework, such as COBIT 5, is proposed as a tool that supports risk management in order to develop an adequate system of internal control.

Details

Corporate Governance, vol. 14 no. 3
Type: Research Article
ISSN: 1472-0701

Article
Publication date: 16 March 2020

Nishani Edirisinghe Vincent and Robert Pinsker

Abstract

Purpose

Risk management is an under-explored topic in information systems (IS) research that involves complex and interrelated activities. Consequently, the authors explore the importance of interrelated activities by examining how the maturity of one type of information technology risk management (ITRM) practice is influenced by the maturity of other types of ITRM practices. To explore these relationships, the authors develop a model based on organizational strategy implementation theory and the COBIT framework. The model identifies four types of ITRM practices, namely IT governance (ITG), communications, operations, and monitoring.

Design/methodology/approach

The authors use a survey methodology to collect data on senior information technology (IT) executives' perceptions of ITRM practices. The authors use an exploratory factor analysis (EFA) to identify four dimensions of ITRM practices and conduct a structural equation model to observe the associations.

Findings

The survey of senior IT executives' perceptions suggests that the maturity of ITRM practices related to ITG, communications and monitoring positively influence the maturity of operations-related ITRM practices. Further, the maturity of communications-related ITRM practices mediates the relationship between ITG and operations-related ITRM practices. The aggregate results demonstrate the inter-relatedness of ITRM practices and highlight the importance of taking a holistic view of ITRM.

Research limitations/implications

Given the content and complexity of the study, it is difficult to obtain senior executives’ responses in large firms. Therefore, this study did not use a separate sample to conduct the EFA to obtain the underlying four constructs. Also, the ITRM practices identified are perceptions. Even though the authors consider this to be a limitation, it also communicates the pressing areas that senior IT professionals are expected to focus on given various external and internal pressures. This study focuses on large firms; hence, small to midsize firms are not well represented.

Practical implications

Given the demanding regulatory and financial reporting requirements and the complexity of IT, there is an increasing possibility that the accounting profession will require IT professionals to focus on operations-related ITRM practices, such as the security, availability and confidentiality of data and IS, which are closely related to internal controls. However, as this study demonstrates, maturity of operations-related ITRM practices cannot be achieved by focusing solely on operations-related IT risks. Therefore, IT practitioners can use this study to raise managers' awareness of the complex interrelationships among ITRM practices and so improve the overall ITRM practices in a firm.

Social implications

The study also shows the importance of establishing proper communication channels among various business functions with regard to ITRM. Extant IT research identifies the importance of the firm’s communication structure on various firm performance measures. For example, Krotov (2015) mentions the importance of communication in improving trust between the Chief Executive Officer and Chief Financial Officer. Firms with established communication channels have the necessary medium to educate and involve other departments with regard to the security of data. Thus, such firms are more likely to have mature risk management practices because of increased awareness of risks and preventive techniques.

Originality/value

The study contributes to ITG and risk management literature by identifying the role of monitoring-related ITRM practices on improving other areas of risk management. The study also extends the existing ITRM literature by providing an organizational strategy perspective to ITRM practices and showing how ITRM practices follow organizational strategy implementation. Further, the authors identify four underlying ITRM categories. Consequently, researchers could choose between two factors (Vincent et al., 2017) or four factors based on the level of detail required for the particular study.

Details

International Journal of Accounting & Information Management, vol. 28 no. 3
Type: Research Article
ISSN: 1834-7649

Article
Publication date: 4 April 2016

Blessing Javani and Pantaleo Mutajwaa Daniel Rwelamila

Abstract

Purpose

The purpose of this paper is to study the recognition, application and understanding (status) of risk management in information technology (IT) projects in the South African public sector and thus contribute to the research gap.

Design/methodology/approach

A quantitative approach in the form of a survey design was adopted, with data being collected through a questionnaire. The results from the study are compared to the theory and practice of risk management before drawing conclusions on the status of risk management in IT projects.

Findings

The findings provide significant statistical support for the conclusion that risk management is being applied in current IT projects and that it is understood by the respective project clients.

Research limitations/implications

Though risk management has been studied by several authors, very little is known about its status in the South African public sector. This study sheds light on its application in IT projects and its understanding by IT project clients.

Practical implications

The study findings encourage project executives to develop knowledge bases for risk management in IT projects, as well as the corresponding tools. This will ultimately assist in knowledge sharing, which increases chances of IT project success. Importantly, the study also highlights that the relationship between project clients and project teams can be accelerated through knowledge sharing and continuous project communication.

Originality/value

The research addresses one of the questions held by many scholars on the status of risk management in IT projects. It advances the recognition of risk management as a knowledge base and the practical implications thereof.

Details

International Journal of Managing Projects in Business, vol. 9 no. 2
Type: Research Article
ISSN: 1753-8378

Article
Publication date: 1 January 2006

Steve G. Sutton

Abstract

Purpose

This article aims to focus on raising awareness of the limitations of traditional “enterprise-centric” views of enterprise risk management that ignore the risks that are inherited from key business and supply chain partners. In essence, enterprise systems implementations have allowed organizations to couple their operations more tightly with other business partners, particularly in the area of supply chain management, and in the process enterprise systems applications are redefining the boundaries of the entity in terms of risk management concerns and the scope of financial audits.

Design/methodology/approach

The prior literature that has begun to explore aspects of assessing key risk components in these relationships is reviewed with an eye to highlighting the limitations of what is understood about risk in interorganizational relationships. This analysis of the prior research establishes the basis for the logical formation of a framework for future enterprise risk management research in the area of e-commerce relationships.

Findings

Conclusions focus on the overall framework of risks that should be considered when interorganizational relationships are critical to an enterprise's operations and advocate an “extended-enterprise” view of enterprise risk management.

Research limitations/implications

The framework introduced in this paper provides guidance for future research in the area of interorganizational systems control and risk assessment.

Practical implications

The framework further highlights areas of risk that auditors and corporate risk managers should consider in assessing the risk inherited through interorganizational relationships.

Originality/value

The paper highlights the need to shift from an enterprise-centric view of risk management to an extended-enterprise risk management view.

Details

Journal of Enterprise Information Management, vol. 19 no. 1
Type: Research Article
ISSN: 1741-0398

Article
Publication date: 8 May 2017

Semir Ibrahimovic and Ulrik Franke

Abstract

Purpose

This paper aims to examine the connection between information system (IS) availability and operational risk losses and the capital requirements. As most businesses today become increasingly dependent on information technology (IT) services for continuous operations, IS availability is becoming more important for most industries. However, the banking sector has particular sector-specific concerns that go beyond the direct and indirect losses resulting from unavailability. According to the first pillar of the Basel II accord, IT outages in the banking sector lead to increased capital requirements and thus create an additional regulatory cost, over and above the direct and indirect costs of an outage.

Design/methodology/approach

A Bayesian belief network (BBN) with nodes representing causal factors has been used for identification of the factors with the greatest influence on IS availability, thus helping in investment decisions.

Findings

By using the BBN model to make IS availability-related decisions (e.g. bringing a causal factor up to the best-practice level), an organization, according to the presented mapping table, would have fewer operational risk events related to IS availability. This would have a direct impact by decreasing the losses related to those events, as well as decreasing the capital requirements prescribed by the Basel II accord for covering operational risk losses.

Practical implications

An institution using the proposed framework can use the mapping table to see which measures for improving IS availability will have a direct impact on operational risk events, thus improving operational risk management.

Originality/value

The authors mapped the factors causing IS unavailability to the rudimentary IT risk management framework implied by the Basel II regulations and thus established an otherwise absent link from IT availability management to operational risk management under the Basel II framework.

Details

Journal of Financial Regulation and Compliance, vol. 25 no. 2
Type: Research Article
ISSN: 1358-1988

Article
Publication date: 1 March 1996

Sharon Halliday, Karin Badenhorst and Rossouw von Solms

Abstract

Suggests that a number of difficulties are experienced by organizations using conventional risk analysis and management. “Conventional” refers to those methodologies which are based on the traditional asset/threat/vulnerability model. Identifies a need for an approach that is more suitable for smaller organizations, as well as organizations requiring a quicker, more simplified and less resource-intensive approach. In light of this requirement, proposes an alternative approach to effective information technology (IT) risk analysis and management. This approach has a business-oriented focus from an IT perspective.

Details

Information Management & Computer Security, vol. 4 no. 1
Type: Research Article
ISSN: 0968-5227
