Bandyopadhyay 1999
A framework for integrated risk management in information technology
Kakoli Bandyopadhyay
Assistant Professor, Department of Information Systems and Analysis,
Lamar University, Beaumont, Texas, USA
Peter P. Mykytyn
Professor, Department of Information Systems and Management Sciences,
University of Texas at Arlington, Arlington, Texas, USA
Kathleen Mykytyn
Doctoral Student, Department of Computer Information Systems and
Quantitative Analysis, University of Arkansas, Fayetteville, Arkansas, USA
itself to continually invest in upgrading rapidly changing technology, it may become vulnerable to competitors with more resources. Many organizations provide IT tools and expertise to suppliers and customers as an integral part of the total business development. In the process, however, suppliers and customers may acquire enough skills to enhance their bargaining power. Also, documenting and maintaining strategic IT applications may take more time and effort than the benefits gained. This may eventually make an organization concentrate more on IT and neglect its core business (Vitale, 1986).

Another study by Lightle and Sprohge (1992) identified three types of organizational risks from the internal auditors' perspective:
1 sustainability risk,
2 data security risk, and
3 legal risk.

The sustainability risk refers to the risk associated with the sustainability of competitive advantage from the deployment of IT applications on a long-term basis. In the beginning, the benefits accrued from IT applications enable firms to outperform their rivals. The competitive edge is, however, often short-lived because the competitors are eventually able to imitate all IT applications. The data security risk arises from the strategic use of data within an organization. Organizations have become largely dependent on data for their survival and success amidst intense competition. They run the risk of incurring substantial losses from the denial of access to, or destruction of, their data. Finally, the legal risk refers to the probability of loss due to violation of the rights of competitors and customers through the use of IT. For example, American Airlines was charged with the violation of antitrust laws because its successful use of strategic information systems (the SABRE reservation system) led to competitors' claims of unfair practice. On another occasion, Dun & Bradstreet was held liable for an erroneous credit report on a construction contractor (Lightle and Sprohge, 1992).

Interorganizational level
Here, the focus is on the IT risks of organizations operating in a networked environment.

The most striking and powerful uses of IT today involve networks that surpass organizational boundaries. These are automated IS shared by two or more organizations. Recent growth in the use of these interorganizational systems (IOS) has contributed to increased productivity, flexibility, and competitiveness (Cash et al., 1992). Examples of IOS include inter-corporate electronic mail systems, electronic data interchange (EDI) systems permitting buyers and suppliers to exchange standardized business documents electronically, and inter-corporate electronic graphics data interchange of engineering documentation (Riggins et al., 1994). Interorganizational systems bear a tremendous impact on the competitive environment by improving efficiencies and economies of scale in production and distribution through tying EDI and just-in-time (JIT) inventory management together, reducing cost through electronic purchasing and ordering, and adding value to products and services (Cash et al., 1992). For example, firms such as Levi Strauss (apparel manufacturer), K-Mart (discount retailer), Supervalue (grocery retailer), and Bergen Brunswig (pharmaceutical wholesaler) have significantly reduced their
Kakoli Bandyopadhyay, Peter P. Mykytyn and Kathleen Mykytyn
A framework for integrated risk management in information technology
Management Decision 37/5 [1999] 437-444

inventory holding costs through the use of EDI (Premkumar et al., 1994).

When organizations operate in a networked environment, IT plays an important role in enhancing interfirm relationships. At the same time, the IT risks of organizations compound. A study by Lightle and Sprohge (1992) noted that the data security risk of a distributed environment was high. Loch et al. (1992) indicate that most managers view the external environment to represent the greatest level of risk. The top three threats for the networked environment are:
1 natural disasters,
2 intrusion by computer hackers, and
3 weak and ineffective control.

Much of the scant empirical research on IT risk management has addressed IT risks only at the application level. This comes from an isolated, partial view of the impact of IT. Today, this closed world assumption of searching only within a specific domain to evaluate the risks associated with IT is unrealistic. It is necessary to adopt a holistic view and assess potential threats to IT by considering the entire spectrum of the IT environment. As the overall impact of IT pervades the organization and its environment, IT risk management should focus on IT risks at all three levels:
1 application,
2 organizational, and
3 interorganizational.

Following the identification of the IT environment and the associated IT risks, the related vulnerabilities of IT assets need to be determined. This provides the basis on which risk management decisions are made.

Risk analysis
Several methodologies are currently available to comprehend and fathom the extent of losses of IT assets from the realization of internal and external threats identified in the previous section. These methodologies are categorized as quantitative, qualitative, or a combination of both.

Quantitative approaches to risk analysis are based on expected value analysis, i.e. they assign dollar values to the various risks using probability theory. These methodologies include annualized loss expectancy (ALE), the Courtney method, and the Livermore risk analysis methodology (LRAM) (Rainer et al., 1991).

Qualitative approaches use descriptive variables for analyzing IT risks. These approaches include scenario analysis, fuzzy metrics, and survey questionnaires (Rainer et al., 1991).

The Delphi technique can be used for both quantitative and qualitative risk analysis (Rainer et al., 1991). This technique is used along with other methodologies to obtain a general agreement among managers regarding the estimated value of IT assets as well as probability estimates for the realization of various threats.

Rainer et al. (1991) have proposed a methodology combining quantitative and qualitative approaches to risk analysis. This method suggests employing a value chain analysis for determining the risks inherent in alternative uses of IT. The authors assert that this combination method is more effective than any single method because of its flexibility in considering a wide variety of IT assets, all possible threats, and vulnerabilities.

We have not digressed into a detailed explanation of all the risk analysis methodologies as these have been adequately reported in the literature. There is little empirical evidence to establish the superiority of one risk analysis method over another. The literature (March and Shapira, 1987) indicates that many organizations deal with risk depending on their managers' perception of and attitude toward risk. These organizations employ countermeasures depending on the perceived importance of IT risks and do not employ any structured method to measure the overall IT risks.

March and Shapira (1987) found that the perceptions of risk actually held by managers were much different from the theoretical concepts of risk, which involved estimating the probabilities of possible outcomes and choosing from among alternative actions. Managers were mostly unaffected by probability estimates of possible outcomes. Most managers did not consider uncertainty of possible outcomes as a significant risk. To them, a risky choice was one that might have a negative outcome. Managers were more concerned about the volume of risk than the probability of loss. The procedures for analyzing IT risks are summarized in Table II.

Risk-reducing measures
Implementing measures to reduce IT risks is the third phase in our proposed risk management framework (Figure 1). Once the IT assets and the many different threats to which they are exposed are identified and the related vulnerabilities assessed, necessary steps should be taken to ensure that the entire IT environment is protected from all
Table II Overview of risk analysis process

Risk analysis approaches                          Procedures
Quantitative approaches                           Expected value analysis
                                                  Annualized loss expectancy (ALE)
                                                  Courtney method
                                                  Livermore risk analysis methodology (LRAM)
Qualitative approaches                            Scenario analysis
                                                  Fuzzy metrics
                                                  Survey questionnaires
Combined quantitative and qualitative approaches  Delphi technique
                                                  Value chain analysis
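The expected value analysis behind the quantitative approaches in Table II, as an added worked example in Python that is not code from the paper: each asset/threat pair is given a dollar value, an exposure factor and an annual rate of occurrence, from which a single loss expectancy and an annualized loss expectancy (ALE) follow; the block also totals ALE at the three levels of the framework, shows how ranking threats by the size of a single loss differs from ranking them by ALE (the gap between managers' perception and probability-weighted risk that March and Shapira describe), and nets the ALE avoided by a risk-reducing measure against its annual cost. All assets, threats, dollar figures, rates and the assumed effect of the measure are constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Exposure:
    """One IT asset / threat pair. Every figure used below is constructed for illustration."""
    level: str              # application, organizational or interorganizational
    asset: str
    threat: str
    asset_value: float      # dollar value of the asset
    exposure_factor: float  # fraction of the asset value lost in one incident (0..1)
    annual_rate: float      # expected incidents per year (annualized rate of occurrence)

def single_loss_expectancy(e: Exposure) -> float:
    """Dollar loss from one realization of the threat: the 'volume' of the risk."""
    return e.asset_value * e.exposure_factor

def annualized_loss_expectancy(e: Exposure) -> float:
    """Expected dollar loss per year: the single loss weighted by how often it is expected."""
    return single_loss_expectancy(e) * e.annual_rate

def ale_by_level(exposures: list[Exposure]) -> dict[str, float]:
    """Aggregate ALE at the application, organizational and interorganizational levels."""
    totals: dict[str, float] = {}
    for e in exposures:
        totals[e.level] = totals.get(e.level, 0.0) + annualized_loss_expectancy(e)
    return totals

def rank(exposures: list[Exposure], measure) -> list[str]:
    """Threats ordered from largest to smallest by the given measure (SLE or ALE)."""
    return [f"{e.asset}: {e.threat}" for e in sorted(exposures, key=measure, reverse=True)]

def net_benefit(e: Exposure, new_rate: float, new_factor: float, annual_cost: float) -> float:
    """Net annual value of a risk-reducing measure: ALE avoided minus the measure's cost."""
    after = replace(e, annual_rate=new_rate, exposure_factor=new_factor)
    return annualized_loss_expectancy(e) - annualized_loss_expectancy(after) - annual_cost

EXPOSURES = [  # constructed sample inventory (not from the paper), one row per asset/threat pair
    Exposure("application", "order-entry system", "software failure", 200_000, 0.10, 2.0),
    Exposure("organizational", "customer database", "destruction of data", 500_000, 0.50, 0.05),
    Exposure("interorganizational", "EDI link", "intrusion", 1_000_000, 0.20, 0.10),
    Exposure("interorganizational", "EDI link", "natural disaster", 1_000_000, 0.80, 0.01),
]

if __name__ == "__main__":
    for level, ale in ale_by_level(EXPOSURES).items():
        print(f"{level:20s} ALE = ${ale:,.0f}")
    print("ranked by single loss:", rank(EXPOSURES, single_loss_expectancy))
    print("ranked by ALE:        ", rank(EXPOSURES, annualized_loss_expectancy))
    # Assumed measure: intrusion detection on the EDI link cuts intrusions to 0.02/yr for $5,000/yr
    print("net benefit of measure:", net_benefit(EXPOSURES[2], 0.02, 0.20, 5_000))
```

The natural-disaster row has by far the largest single loss but the smallest ALE, which is the ordering difference the text attributes to managers weighing the volume of a loss over its probability.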
References
Bidgoli, H. and Azarmsa, R. (1989), "Computer security: new managerial concern for the 1980s and beyond", Journal of Systems Management, pp. 21-7.
Cash, J.I., McFarlan, F.W., McKenney, J.L. and Applegate, L.M. (1992), Corporate Information Systems Management, Irwin, Inc., Homewood, IL.
Day, G.S. (1984), Strategic Market Planning: The Pursuit of Competitive Advantage, West Publishing Company, St Paul, MN.
Dryden, P. (1995), "Managers beef up network security with AuditTrack", Computerworld, Vol. 29 No. 16, pp. 53-5.
Eloff, J.H.P., Labuschagne, L. and Badenhorst, K.P. (1993), "A comparative framework for risk analysis methods", Computers & Security, Vol. 12 No. 6, pp. 597-603.
Epich, R. and Persson, J. (1994), "A fire drill for business", Information Strategy: The Executive's Journal, pp. 44-7.
Fried, L. (1993), "Distributed information security", Information Systems Management, pp. 56-65.
Gascoyne, R.J.N. (1993), "Information technology: CAATTs it if you can", Singapore Accountant, Vol. 9 No. 6, p. 19.
Gottfried, I.S. (1989), "When disaster strikes", Journal of Information Systems Management, pp. 86-9.
Kemerer, C.F. and Sosa, G.L. (1991), "Systems development risks in strategic information systems", Information & Software Technology, Vol. 33 No. 3, pp. 212-23.
Lightle, S. and Sprohge, H. (1992), "Strategic information system risk", Internal Auditing, pp. 31-6.
Loch, K.D., Carr, H.H. and Warkentin, M.E. (1992), "Threats to information systems: today's reality, yesterday's understanding", MIS Quarterly, Vol. 16 No. 2, pp. 173-86.
March, J.G. and Shapira, Z. (1987), "Managerial perspectives on risk and risk taking", Management Science, Vol. 33 No. 11, pp. 1404-18.
Premkumar, G., Ramamurthy, K. and Nilkanta, S. (1994), "Implementation of electronic data interchange: an innovation diffusion perspective", Journal of Management Information Systems, Vol. 11 No. 2, pp. 157-86.
Rainer, R.K., Snyder, C.A. and Carr, H.H. (1991), "Risk analysis for information technology", Journal of Management Information Systems, Vol. 8 No. 1, pp. 129-47.
Riggins, F.J., Kriebel, C.H. and Mukhopadhyay, T. (1994), "The growth of interorganizational systems in the presence of network externalities", Management Science, Vol. 40 No. 8, pp. 984-98.
Schnitt, D.L. (1993), "Reengineering the organization using IT", Journal of Systems Management, pp. 14-23.
Toigo, J.W. (1992), Disaster Recovery Planning: Managing Risk and Catastrophe in Information Systems, Yourdan Press Computing Services, Prentice-Hall, Englewood Cliffs, NJ.
Vitale, M.R. (1986), "The growing risks of information systems success", MIS Quarterly, Vol. 10 No. 4, pp. 327-34.
Application questions
1 Are information technology decisions in organizations best taken by IT specialists or general managers, or a combination of the two?
2 What is your organization's risk management plan? Are there any areas which you think might need addressing based on the authors' arguments/discussions?