Bokolo Anthony Jnr *, Noraini Che Pa, Rozi Nor Haizan Nor and Yusmadi Yah Josoh
Abstract
Risk mitigation is an important process for risk management in information technology (IT) governance. Practitioners adopt risk mitigation to allay risks
within IT systems and provide for a sufficient medium to resolve and control operational, strategic and technical risks which depend on IT infrastructures.
Risk mitigation is necessary to ensure the successful implementation of IT governance. Currently, mitigating risks in IT governance is not fully and
successfully adopted due to inadequate support in the mitigation process. The majority of the existing models and frameworks lack the capability to support
IT governance practitioners to adequately mitigate risks. Thus, there is a need for a model that can provide support to help the risk mitigation team to
identify and treat arising risks. Hence, this paper aims to present risk mitigation components and the related metrics needed for risk mitigation in IT
governance. These components and metrics are essential in mitigating both operational and technical risks that practitioners face in the IT governance
process. A quantitative methodology was adopted to collect data on risk mitigation practice, process and procedures implemented by practitioners in selected
governmental institutions in Malaysia. The developed model component and related metrics were initially verified through an online survey (using Survey
Monkey) carried out among 23 IT practitioners in 12 selected Malaysian institutions. Results from the survey show that the components and associated
metrics are important and should be considered by practitioners and experts when mitigating risks in IT governance.
Keywords: Risk; Risk Mitigation; Components; Metrics; IT Governance
1.0 INTRODUCTION
IT governance aims to direct IT endeavours that guarantee the organisation's performance on objectives as set out by the
management. With effective governance, investment in IT infrastructure can be optimized to extend an organization's business strategies
and goals. IT governance focuses mainly on the area of IT strategic alignment, IT resource management, risk management, performance
measurement and IT value delivery (ITGI, 2008). Thus, IT governance encompasses the policies and procedures implemented by the
management in organisations to ensure the proper usage of IT infrastructures among practitioners and an organisation's staff (Weill and
Ross, 2005). Risks exist when IT infrastructures are used for business continuity (Daya and Mohd, 2008). Risks are events that negatively
impact the organization's ability to achieve its goals as far as the probability of their occurrence and the related consequences are
concerned (Bharat, Kapil and Subhash, 2012). Risk is described as the possibility of suffering a loss due to possible negative impact on the
process or system which could be in the form of poor IT infrastructure solution, increased costs, failure, or delayed completion (Lee, Lim
and Chung, 2006).
Furthermore, all systems to some extent share risks, and a majority of IT infrastructures face operational, technical and strategic
risks (Lientz and Larssen, 2006). Risk mitigation includes tasks such as identifying potential risks, finding risk-reducing measures, making
decisions related to the risks and monitoring them. Risk mitigation also includes determining risk-reducing measures (Sandip and Jigish,
2010). According to Sneh and Ujjawal (2009) risk mitigation assists practitioners to prepare plans for handling and minimizing potential
adverse effects of the risk which is implemented by controlling and reducing the risk (Sneh and Ujjawal, 2009). Ahdieh and Ow (2012a)
also state that risk mitigation is an action that helps practitioners to understand and solve risks. Since risks are essentially potential
problems, they might or might not happen. Regardless of the outcome, Ahdieh and Ow (2012a) suggested that practitioners are encouraged
to identify risks, measure the probability of their occurrence, and estimate their impact.
Generally, IT governance requires a distinctive mitigation process of operational, technical and strategic risks that may cause
failure or loss of important IT processes when they occur (Pricewaterhouse, 2007). Presently, only a few studies have been directed to risk
mitigation in the domain of IT governance (Eugene and Johan, 2006; Dirk, 2009; Mirela, 2011). This results in a gap in mitigating
operational, technical and strategic risks. However, Moeinzadeh and Hajfathaliha (2009) suggested that the essence of a risk mitigation
model is to assist in making decisions that optimally align organisational processes and decisions to exploit opportunities while
simultaneously minimizing and mitigating risks. They see risk mitigation as a concept which contains all strategies and measures, all
knowledge, all institutions, all processes and all technologies, which can be used on the technical, personal and organizational levels, to
mitigate risks in IT governance.
As stated previously three dimensions of risks are considered: operational, technical and strategic risks. If operational risks
become a reality, it is likely that IT output schedule will be affected. As a result, costs will also increase. Technical risks threaten the
quality and timeliness of IT processes. Strategic risks threaten the normal growth and development of the whole IT system and its
associated resources (Gary, Goguen and Feringa, 2002; Ronke, 2012). Despite many scholars and IT practitioners recognizing risk
mitigation processes in IT governance research, insufficient attention has been paid by researchers to select suitable risk mitigation
components and metrics. This paper attempts to address this limitation and the gap in the current literature and provide risk mitigation
components and related metrics. For that reason, the main target of the paper is to give researchers and practitioners an insight on the
current level of risk mitigation in IT governance by presenting the essential components and the respective metrics for mitigating operational,
technical and strategic risks in IT governance.
This paper is organized as follows. In the next section, we present related work on risk mitigation and various risk mitigation
research. In Section 3 this research paper presents the research methodology adopted. Section 4 presents the risk mitigation component
model showing the risk components and related metrics. Section 5 explains component model verification. Then the verification results are
presented. Section 6 discusses these results. Section 7 presents the research's implications and limitations. Finally, the last section
presents a conclusion and possible future work to be done.
2.0 RELATED WORK ON RISK MITIGATION
Risk mitigation may be implemented through the use of a wide variety of risk mitigation models, processes or applications that
provide quantitative or qualitative measurements of the risks involved (Abdullahi-Mohamud and Basri, 2011). Thus this section discusses
existing risk mitigation models and existing risk mitigation components and metrics.
2.1 Existing Risk Mitigation Models
Risk mitigation in IT governance is an organized way of identifying risks by measuring their probability, possible impact as well as
ways to mitigate or solve them when they arise. Systematic risk mitigation may be facilitated through the use of a wide variety of risk
mitigation models, processes or applications that provide a quantitative or qualitative measurement of the risks involved. There are a few
published risk mitigation models/frameworks that resolve risks associated with IT governance. Taking decisions on a risk is based on
qualitative, quantitative or hybrid measurement results. Qualitative measurement means that the risk information is registered in a verbal
form rather than in numeric form as in the case of quantitative measurement. Hybrid measurement is a combination of both quantitative and
qualitative measurement (Abdullahi-Mohamud and Basri, 2011).
Bharat et al. (2012) mentioned that an effective risk mitigation process focuses on taking care of the most frequently occurring
risks. It is possible to predict the possible result of risks in IT governance with good accuracy, not only in identifying them, but also in
estimating and providing solutions on how to treat them. Daya and Mohd (2008) proposed the Software Risk Assessment and Estimation
Model (SRAEM). In their model, the risk is estimated using risk exposure and software metrics of risk mitigation and this metric is based on
mission critical requirements stability risk metrics (MCRSRM). This model not only evaluates the risk but also estimates it. Initially
the model estimates the sources of uncertainty using different paradigms such as measurement error, model error and assumption error.
Say-Wei and Armugam (2000) proposed a Software Risk Assessment Model (SRAM). This model makes use of a comprehensive
questionnaire to provide results based on risk metrics obtained from the proposed model. This model considers the following nine critical
risk elements: complexity, staff involved in the project, targeted reliability, product requirements, method of estimation, method of
monitoring, development process adopted, usability of software and tools used for development. This model considers the method of
prioritization as a single step of risk mitigation but does not specify how prioritization would be done.
Moeinzadeh and Hajfathaliha (2009) proposed an SCRM model to assist in making decisions that optimally align organizational
processes and decisions to exploit opportunities while simultaneously mitigating risk by using a questionnaire for dealing with data
regarding qualitative and quantitative risk mitigation. They used a brainstorming method, which was conducive to a group decision-making
process. The researchers based their research on two processes: risk identification and risk measurement. Risk identification is the basis of
risk, the purpose of which is to recognize risks in IT. Risk measurement estimates the risk magnitude by using some qualitative or
quantitative approaches and technologies.
Basit, Abdullah and Al (2010) presented a Risk Identification, Mitigation and Avoidance Model for Handling Software Risk
(RIMAM). This model briefly presents the strategies that are expected for the purpose of identification, mitigation of risk over-optimistic
technology perceives, staff experience, staff turnover, excessive error detection and the preservation of intellectuals. This model can be
customized with respect to the environment in which it is being used (Basit, Abdullah and Al, 2010).
Mohd and Mohd (2010) suggested a Software Risk Assessment and Evaluation Process using Model Based Approach (SRAEP).
This method is a better technique of risk estimation, risk prioritization and mitigation. After the identification of risks, several mitigation
countermeasures are put into place.
2.2 Existing Risk Mitigation Components and Metrics
Ahdieh and Ow (2012b) proposed a model for software risk mitigation plan which involves creating a risk mitigation plan and
actually modeling the actual risks. Their model reduces the risk consequences and their occurrence probabilities. It identifies effective
factors in fault tolerance, risk consequences, and presenting solutions to reduce the risks. The model components include people,
environment, and organization, while the metrics are commitment, availability, cooperation, effectiveness, stability, flexibility, cost,
dependability, capability, suitability and integration.
Mohd and Mohd (2010) presented a model to mitigate IT risk which enables managers and decision makers to integrate
components comprising people, technology, procedure, policy, and decision makers. The metrics involved are capacities, collaboration
modularity, transferability, clarity, effectiveness, extensibility, susceptibility, consistency, agility, interoperability, dependability and
predictability.
Sailesh et al. (2008) proposed a risk mitigation model for a robust design process that helps to mitigate the risks associated with
development in an IT environment. Model components comprise process, staff, technology, and process while the metrics are commitment,
collaboration, coordination, reliability, effectiveness, liability, vulnerability, compatibility, consistency, viability and acceptability.
Vu and Liu (2007) developed a risk mitigating model for integrated software systems to effectively identify and address these
potential technical risks. Components involved include people guidelines, infrastructure and process. The metrics involved are trust,
capacities, resource availability, reliability, time, capability, efficiency, performance, security, data integrity, consequences, consistency,
agility, modularity and operability.
Ahdieh and Ow (2012a) designed a software risk mitigation process model that facilitates the development of a comprehensive risk
mitigation plan by focusing on the unseen risks and opportunities accompanying risk mitigation decisions. Its components comprise team
members, process, and technique and the metrics are transferability, acceptability, extensibility, correctness, clarity, predictability,
dependability, time and trust.
Junchao et al. (2013) proposed a search-based risk mitigation planning model for solving the problem of mitigating risks in
software projects, thus providing useful decision-making support for managers. Identified components include people, procedure, methods,
technology and guidelines. Model metrics include expenses, security, data integrity, capabilities, complexity, simplicity, performance,
reliability capacities, resource availability, resource usage, mentality, team behavior and efficiency.
3.0 RESEARCH METHODOLOGY
This section presents the research methodology carried out to develop and verify the risk mitigation component model. In order to
develop the risk mitigation component model, data was collected from the existing risk mitigation literature. A systematic literature review
(SLR) on risk assessment and mitigation practice, process and procedures in IT Governance was conducted, as seen in Section 2. Then, a
preliminary study was conducted starting with the pilot study, which comprised three Malaysian institutions that presently adopt risk
mitigation in the Information and Communications Technology (ICT) division of the institutions. The pilot study aimed to check if the
respondents understood the questions in the questionnaire. The next phase was to develop the risk mitigation component model based on
the secondary data from the literature collected. The model was then verified by IT practitioners from selected Malaysia-based institutions
using an online survey. The research methodology is shown in Figure 1.
Component: Description
People: This component comprises the practitioners, IT experts, staff or team members who carry out
risk mitigation in the institution (Ahdieh and Ow, 2012a; Ahdieh and Ow, 2012b; Mohd, Banwet
and Shankar, 2007). People are the strength of any risk mitigation success in IT governance. People
are also key determiners of risk in any risk mitigation process.
Technology: This component involves the technologies (application, hardware, software networks communication
and servers) that are deployed to cater for risk mitigation (Mohd, Banwet and Shankar, 2007;
Sailesh, et al., 2008).
Technique: This component states the procedures employed to mitigate risk in IT governance. The processes
are carried out by the team members or staff at the institution. This component involves techniques
that assist in risk mitigation such as spreadsheets, focus group, discussions, scenario analysis,
brainstorming, lessons learnt, checklist, risk breakdown, inductive reasoning, SWOT analyses,
team meetings, and worksheet lists (Mohd, Banwet and Shankar, 2007; Vu and Liu, 2007; Sailesh
et al., 2008; Ahdieh and Ow, 2012a; Ahdieh and Ow, 2012b).
Management: This component comprises the stakeholders and decision makers that produce guidelines and make
decisions involving the mitigation of risk in the institution (Pankaj, Whiteman and Malzahn, 2004;
Mohd et al., 2007).
Method: This component highlights the approaches (measurements) used to mitigate risks in IT governance
(Sailesh, et al., 2008). This component involves either qualitative or quantitative methods such as
interviews, questionnaires, workshops, and surveys used for risk mitigation.
Risk Mitigation: This is the dependent variable that relies on the other variables. This is the current risk mitigation
process or software that is presently adopted or implemented in the institution in mitigating risk
(Sailesh, et al., 2008; Shan, Chen, Liu, and Zhang, 2009).
Description
Trust between team members; helping them reach their ability to mitigate risk.
Team members available to support each other to mitigate risks in the organization.
Interest and concern of team members to mitigate risks in the organization.
Team members' willingness to be involved in the mitigation process.
Team members' cooperation in mitigating risks.
The talent, ability and potential of team members to achieve performance goals in risk mitigation.
Interaction among team members in mitigating risks.
Table 2 outlines the metrics that are used to measure the people component, where the people are the practitioners in the ICT division
of the institutions that implement risk mitigation in IT governance.
Table 3 Technology Metrics
Technology Metrics: Description
Te1 = Interoperability: Ability to work with other systems using different platforms.
Te2 = Efficiency: Ability to offer proper support when mitigating risks.
Te3 = Performance: The usefulness of the risk mitigation results provided by the technology.
Te4 = Security: The technology protects the data and resources related to risk mitigation.
Te5 = Data Integrity: The technology protects against altering data related to risk mitigation.
Te6 = Reliability: Ability to maintain a specific level of performance, when used under specific conditions.
Te7 = Responsiveness: Ability to react quickly when performing activities and complete assigned tasks within a given time.
Te8 = Functionality: Ability of the technology to provide the required services to aid risk mitigation.
Table 3 outlines the metrics that are used to measure the technology component, where the technology is the computer related
hardware, software, servers and network facilities utilized in mitigating risks in IT governance.
Table 4 Technique Metrics
Technique Metrics: Description
T1 = Time: Duration for a specific activity to be carried out in supporting risk mitigation.
T2 = Cost: The monetary value spent when applying a technique for mitigating risks.
T3 = Dependability: If the technique depends on another technique to provide specified services when mitigating risk.
T4 = Predictability: The ability to predict results of risk mitigation.
T5 = Flexibility: Ability for the technique to adapt to possible or future changes in its approach for mitigating risks.
T6 = Complexity: Ability of the technique to be complex or simple in supporting risk mitigation.
T7 = Effectiveness
Table 4 shows the metrics that are used to measure the technique component, where the techniques are the existing activities and
strategies implemented in the institutions in mitigating risk.
Table 5 Management Metrics
Management Metrics: Description
Ma1 = Policy: Guidelines, rules, regulations, laws, principles, or directions for team members in mitigating risks.
Ma2 = Awareness: Decision makers' knowledge about risks from past events, or based on information or experience.
Ma3 = Resources: Available people, materials, equipment, finance, knowledge and time for risk mitigation.
Ma4 = Incentives: How much pay the management allocates to team members to boost their performance.
Table 5 shows the metrics that are used to measure the management component. The management is defined as the decision
makers and stakeholders in the institutions that make IT governance rules and regulations on how practitioners and other employees can
utilize IT infrastructures and IT facilities effectively in accomplishing the aims and objectives of the institution.
Table 6 Method Metrics
Methods Metrics: Description
M1 = Suitability: The method is suitable for mitigating risks.
M2 = Opportunities: The benefits the risk mitigation method provides.
M3 = Consequence: The method provides disadvantages or negative effects.
M4 = Consistency: The method results are always at the same level or standard.
Table 6 shows the metrics that are used to measure the method component, where the method is mostly the procedures
implemented by practitioners in mitigating risks in IT governance.
Table 7 Risk Mitigation Metrics
Risk Mitigation Metrics: Description
RM1 = Redundancy: The duplication of critical process with the intention of increasing reliability in risk mitigation.
RM2 = Competency: The ability of the risk mitigation software or process to mitigate risk successfully, efficiently or properly.
RM3 = Maintainability: How easy to add new functions to the existing risk mitigation process without causing any issues.
RM4 = Adaptability: Ability of the risk mitigation process to change or be changed to work better in some cases.
RM5 = Integrity: Ability of the risk mitigation process to work alongside with other system in mitigating risk.
Table 7 shows the metrics that are used to measure the risk mitigation component, which is the dependent variable as stated
previously. It is influenced by other variables in the model, as shown in Figure 2. The risk mitigation component is the existing approach
utilized by practitioners in mitigating risks in their institution. The risk mitigation component is enhanced in the model, which is the main
aim of this research paper. This is accomplished by adopting the components in the model.
Tables 2 to 7 show and describe the components and their respective metrics. The metrics are utilized to create questions for the
questionnaire, which are used to verify each of the model's components as seen in the next section.
5.0 COMPONENT MODEL VERIFICATION
The risk mitigation components are verified to ensure the quality of the identified components. Figure 3 outlines the process
implemented to verify the developed model.
Design Survey Questions: In this phase of the research, the authors implemented the initial creation of risk mitigation questions
to be used to verify the model components. Each of the components is based on questions derived from the related metrics. After
developing the questionnaire for the survey, the questionnaire items were sent to three different experts in the authors' research group to
check each component's items (metrics questions) to ensure that the questions are easily understood by respondents in the actual survey
session.
Choose Sampling Method: After expert checking of the questionnaire, the research proceeded to choose a suitable sampling
method. The researchers decided to choose non-probability sampling, also known as purposive sampling, where the respondents for the
survey were selected based on their experience and skills in mitigating risk in the organization they belong to, either presently or
previously.
Specify Respondents for Verification: Then the research study proceeded to choose the respondents mainly from the ICT division
in each selected institution across Malaysia. Not all institutions were contacted for the survey since not all institutions possess an ICT
division whose sole aim is to carry out IT governance, management and maintenance processes. Thus only institutions that have their own
ICT division were contacted.
Collect Data: The researchers proceeded to locate and visit each of their websites to get official information on the respondents
that is made available to the public. This comprises their name, email address, office telephone number, current position,
designation and responsibility in their institution. The invitation to partake in the survey was sent to their official email address several
times within the period of February 2015 to May 2015.
Data Analysis and Presentation: The collected data was analyzed and the results of each component and its related metrics were
retrieved from Survey Monkey. The risk mitigation components were verified using the expert/accreditation approach as suggested by
Hallie and Darlene (2005), whereby the authors suggested that a minimum number of three experts and a maximum of unlimited experts is
suitable to verify a research model. In this research the experts for verification were IT practitioners from the ICT divisions of selected
Malaysian institutions. The risk mitigation components rely on expert opinion to determine the quality of the components in relation to risk
mitigation in IT governance. Thus the purpose is to provide professional judgments of quality. The question addressed in this kind of
evaluation is: How would professionals rate the components based on their associated metrics? The risk mitigation component model
was verified based on the data collected from an online survey tool that was applied to measure the metrics of each component. The online
survey tool was developed to collect data and measure the metrics within Malaysian institutions only.
The survey in this research is derived from paper-based questionnaires. The respondents in the surveys are chosen based on
purposive sampling as stated previously, where the respondents are selected based on their experience and skill in risk mitigation practices
in their institution. Therefore IT practitioners in ICT divisions in selected Malaysia-based institutions, mainly the staff in the ICT division,
were selected for data collection. By using this instrument, data collection is instantaneous as the results are automatically sorted out.
The results of the survey can be viewed directly and quickly because the data are analyzed instantly. The online
survey instrument for risk mitigation components and related metrics measurement can be accessed by
navigating to the following permanent Web address: https://www.surveymonkey.com/s/8RFMDTM.
5.1 Component Model Verification Results
The survey comprises the risk mitigation components. The metrics being measured are based on their degree of importance and
level of implementation based on a five-point Likert scale, where one (1) is not very important and not implemented and five (5) represents
very important and fully implemented. Each of the five components in the survey, namely people, technology, technique, method, and
organization, and one dependent variable, which is risk mitigation metrics, are measured based on the five-point Likert scale ranging from
1 to 5. Respondents were required to give feedback on 35 questions in relation to risk mitigation practices in their institution. Table 7
shows the total number of respondents (IT practitioners) from 12 Malaysian institutions who were involved in the survey.
Table 8 Distribution of Respondents for Online Survey
Institution    Respondents    Position
1              1              IT Systems Analyst
2              2              ICT Officer
3              2              Network Administrator
4              2              Head of IT Projects
5              2              ICT Director
6              2              Head of ICT unit
7              3              ICT Manager
8              1              Head of ICT unit
9              4              IT Security Auditor
10             2              Head of ICT unit
11             1              Head of IT department
12                            Head of IT Unit
Total Respondents = 23
As seen in Table 8, a total of 23 respondents agreed to participate in the online survey to verify the model. About 80 requests were
sent to the email address of the practitioners and experts in selected Malaysian institutions to partake in the survey which took place from
February 2015 - May 2015 as stated previously, but only 23 practitioners responded to the survey. The respondents for the survey are
shown in Table 8.
To ensure each of the selected respondents is an expert in risk mitigation, each respondent presented their post, qualifications and
working experience. After that, an official email containing a letter from the project leader, an overview of the research, reasons for the
survey and link to the survey was sent to the respondents' official email address.
The survey comprises the risk mitigation components' metrics measured based on their degree of importance and level of
implementation. There are five independent components in the survey, namely people, technology, technique, method and organization, and one
dependent component, which is risk mitigation. Respondents were required to give feedback on 35 questions in relation to risk mitigation
practices. The results from the survey components are shown in Figures 4 to 9.
Mohd, N. F., D. K. Banwet and R. Shankar, 2007. Information risks management in supply chains: an assessment and mitigation framework. Journal of
Enterprise Information Management. 20(6): 1741-0398.
Mohd, S. and W. A. Mohd, 2010. Software Risk Assessment and Evaluation Process (SRAEP) using Model Based Approach. International Conference on
Networking and Information Technology. 171-177.
Pankaj, R. S., L. E. Whiteman and D. Malzahn, 2004. Methodology to mitigate supplier risk in an aerospace supply chain. Supply chain management an
international journal. 9(2):154-168.
Pricewaterhouse, C. 2007. IT Governance in Practice Insight from leading CIOs. Pricewaterhouse Coopers International Limited. 1-13.
Robinson, N., 2005. IT excellence starts with governance. The Journal of Investment Compliance. 6(3): 45-49.
Ronke, O., 2012. Effective IT Governance through the Three Lines of Defence, Risk IT and COBIT. ISACA Journal. 5(4):10-21.
Sailesh, N., T. Eshahawil, N. Gindyl, Y. K. Tang, S. Stoyanov, S. Ridout, and C. Bailey, 2008. Risk Mitigation Framework for a Robust Design Process. 2nd
Electronics System integration technology conference. 1075-1080.
Sandip, P. and Z. Jigish, 2010. A Risk-Assessment Model for Cyber Attacks on Information Systems. Journal of Computers. 5(3): 352-359.
Say-Wei, F. and M. Armugam, 2000. Software Risk assessment Model. Proceedings of the 2000 IEEE International Conference. 536-544.
Shan, L., T. Chen, Y. Liu and J. Zhang, 2009. Evaluating and Mitigating Information Systems Development Risk through Balanced Score Card.
International Symposium on Information Engineering and Electronic Commerce. 1-10.
Sneh, P. and R. Ujjawal, 2009. Software Risk Evaluation and Assessment using Hybrid Approach. National Workshop-Cum-Conference on Recent Trends in
Mathematics and Computing (RTMC) Proceedings. 6-8.
Solms, B. V., 2005. Information Security governance: COBIT or ISO 17799 or both?. Journal of Computers & Security Elsevier Advanced Technology
Publishers. 1-10.
Vu, T. and D. B. Liu, 2007. A Risk-Mitigating Model for the Development of Reliable and Maintainable Large-Scale Commercial-Off-The-Shelf Integrated
Software Systems. Proceedings Annual Reliability and Maintainability Symposium. 361-367.
Weill, P., and J. W. Ross, 2005. IT Governance on One Page. CISR Working Paper. 1-349.
Wei-Ming, M. 2010. Study on Architecture Oriented Information Security Risk Assessment Model. In International Conference on Computational Collective
Intelligence. 218-226.
Wood, D. J., 2013. Assessing IT Governance Maturity: The Case of San Marcos, Texas. Applied Research Projects, Texas State University-San Marcos
Luis. 626-632.
XU, R., N. Pei-Yao, S. Ying, Q. Le-Hong and L. Yun-Ting, 2005. Optimizing Software Process Based on Risk Assessment and Control. Fifth International
Conference on Computer and Information Technology. 1-6.