Available online at www.sciencedirect.com
ScienceDirect
Procedia Computer Science 124 (2017) 569–576
www.elsevier.com/locate/procedia

4th Information Systems International Conference 2017, ISICO 2017, 6-8 November 2017, Bali, Indonesia

Risks Assessment of Information Technology Processes Based on COBIT 5 Framework: A Case Study of ITS Service Desk
Hanim Maria Astuti, Feby Artwodini Muqtadiroh, Eko Wahyu Tyas Darmaningrat*,
Chitra Utami Putri
Department of Information Systems, Faculty of Information and Communication Technology, Institut Teknologi Sepuluh Nopember (ITS)
Surabaya 60111 Indonesia

Abstract

The Directorate of Information Technology and Systems Development (Direktorat Pengembangan Teknologi dan Sistem Informasi,
DPTSI) is an organizational unit of Institut Teknologi Sepuluh Nopember (ITS) Surabaya that is responsible for providing
information technology and information system services to all stakeholders. Incident management and request fulfillment are
among the services managed by the Service Desk unit of DPTSI. These two processes play a significant role yet are prone to
error, so they can pose threats and risks to the organization. Hence, identification and assessment of risks, especially risks of
IT processes, are required to avoid problems or disruption in organizational business processes and to minimize losses. In
this research, COBIT 5 Enabling Processes is used as the framework to identify the IT processes, whereas COBIT 5 for Risk is
used to conduct the risk management activities. Risks are identified from the Service Desk's business processes and the existing
condition of DPTSI. Data and information are obtained from interviews and observation and are then mapped to the corresponding
ideal conditions based on COBIT 5 process DSS02 Manage Service Requests and Incidents. Risks related to information technology
processes are then identified, assessed and managed based on COBIT 5 process APO12 Manage Risk. The output of this research is
a document containing the list of IT risk assessments and risk control justifications, which can be used as a reference document
for the Service Desk unit of DPTSI ITS in managing risks associated with IT processes. A good risk management process will help
the organization's decision makers to make strategic decisions. In addition, the document may be used as a reference by other
organizations with similar business processes.

© 2018 The Authors. Published by Elsevier B.V.


Peer-review under responsibility of the scientific committee of the 4th Information Systems International Conference 2017.

Keywords: Incident Management; Requests Fulfillment; Risk Management; Risk of IT Process; COBIT 5 for Risk

* Corresponding author. Tel.: +62-31-5999944; fax: +62-31-5964965.
E-mail address: tyas@is.its.ac.id

ISSN 1877-0509. https://doi.org/10.1016/j.procs.2017.12.191

1. Introduction

The Directorate of Information Technology and Systems Development (Direktorat Pengembangan Teknologi dan
Sistem Informasi, DPTSI) is an organizational unit of Institut Teknologi Sepuluh Nopember (ITS) Surabaya that
is responsible for managing information technology (IT) problems, the network and IT services for all stakeholders [1].
The Service Desk unit of DPTSI ITS therefore plays a significant role in the sustainability of the organization's business
processes. The Service Desk is the main point of contact for users when there is a service disruption, a service request, or
another change request; it provides a single point of communication between users and the organization [2]. In its daily
activities, the Service Desk relies on IT to resolve requests from users. However, although IT brings convenience to many
aspects of business activities, it also frequently causes problems and threats to the organization [3].
Risks are variations in things that may occur naturally, or unpredictable events that can lead to
financial losses. Risk management is an approach to risk that consists of understanding, identifying and
evaluating all possible risks [4]. Risk identification and management are important for an organization to anticipate
damage or loss, both financial and operational [5]. Risks of IT processes are risks arising from a sequence
of systematic IT activities that lead to a unique objective. IT risk is complex, and it is also susceptible to
mistakes and threats. Fewer studies focus on risks of IT processes than on risks of IT assets [6]. In
addition to risk identification, risk assessment plays an important role in improving the protection of information
technology and its related aspects, since it shows which risks have the most significant impact [3].
DPTSI is an organizational unit of ITS that keeps evolving and has diverse activities. Therefore, the threats, vulnerabilities and
risks of information technology processes, especially in the Sub-directorate of Information Technology Services, are
becoming more complex [3]. Moreover, DPTSI has not conducted any risk identification and assessment activities for incident
management and request fulfillment. Risk identification and assessment require a comprehensive framework or
standard [7]. One relevant framework for this topic is COBIT 5: COBIT 5 for Risk is used as guidance
in performing the risk management processes, while COBIT 5 Enabling Processes is used as the guideline for
identifying incident management and request fulfillment activities.
COBIT 5 for Risk defines IT risk as business risk, specifically the business risk associated with the use,
ownership, operation, involvement, influence and adoption of IT within an enterprise. IT risk consists of IT-related
events that could potentially impact the business. IT risk can occur with both uncertain frequency and uncertain impact, and
it creates challenges in meeting strategic goals and objectives. IT risk always exists, whether or not it is detected or
recognized by an enterprise [8]. COBIT 5 includes a process reference model that defines and describes in detail a
number of governance and management processes. The model represents all of the IT-related processes normally found in an
enterprise and offers a common reference model understandable to operational IT and business managers. The proposed
process model is complete and comprehensive, but it is not the only possible process model [9]. Fig. 1 shows the complete
set of 37 governance and management processes within COBIT 5.
In a previous study, a risk assessment document for the risks of an ERP project was produced [10]. That study focused on
how to achieve a successful ERP implementation based on predetermined Critical Success Factors (CSF). Its risk
assessment was performed using the COBIT 5 for Risk standard with reference to the process APO12 Manage Risk, so the
study used two standards, namely the CSF of post-ERP implementation and COBIT 5 for Risk. However, the study did
not conduct a detailed risk analysis, nor did it describe the risk types, risk scenarios and risk factors in detail.
Sulistyaningrum et al. [11] established a risk-based audit tool for the helpdesk of the Surabaya drinking water
company (PT. PDAM) based on COBIT 5, ITIL v3 and ISO/IEC 27002:2005. That research emphasized the incident
management process, with reference to the process DSS02 Manage Service Requests and Incidents of COBIT 5; it focused
only on incident management, whereas the helpdesk process also includes service request management. In another study,
Illoh et al. [12] created a Service Level Agreement (SLA) template for cloud services by mapping risk scenarios and risk
types to SLA components, using the process APO12 Manage Risk to analyze the risks.
Considering the shortcomings of these previous studies and the existing condition of DPTSI, this research aims to
support the optimization of the IT processes of the Service Desk unit of DPTSI. We perform risk management
activities to ensure that every possible risk is identified and handled properly, so that the organization's
business processes run smoothly [13]. The IT processes identified from the existing condition are
mapped to the ideal IT processes of COBIT 5 Enabling Processes. Since this research focuses on incident
management and request fulfillment activities, the suitable COBIT 5 domains are Deliver, Service and Support (DSS),
especially DSS02 Manage Service Requests and Incidents, and Align, Plan and Organize (APO), especially APO12 Manage
Risk. The result of this research is an IT process risk management document that the organization can use as a
reference in anticipating risks and their impact.

Fig. 1 COBIT 5 Process Reference Model [9].

2. Research methodology

In this research, we mainly focused on the key management practice APO12.02 Analyse Risk of COBIT 5
for Risk. The work is divided into three phases, described in the following subsections.

2.1. Data collection phase

The initial requirements were obtained through interviews, document review and observation of the current
condition in DPTSI. The interview respondents were four staff members and the head of the Service Desk unit. The
interview protocol was divided into three sections: first, to obtain information about the existing condition of
incident handling and request fulfillment; second, to obtain detailed information about problems and risks occurring in
the incident management and request fulfillment processes; and last, to obtain detailed information about plans and
strategies to anticipate the risks in the future. In this phase, the current process of the Service Desk unit is mapped to the
ideal process of domain DSS02 of COBIT 5 for Risk. Subsequently, risks were identified based on the mapping result,
giving the list of risks that is used as the basis of the risk assessment process.

2.2. Data analysis phase

The input of this phase is the list of risks obtained from the previous phase, and its output is the list of risk events. A risk
event consists of the risk type, the risk category, and the internal and external factors of each risk.

2.3. Risk analysis phase

The risk analysis phase analyses the risk scenarios (impact) and assesses the probability of the risks
that have been identified. The assessment is done by calculating the likelihood and the impact of each risk on
the organization's strategic objectives. The appropriate control for each risk is then determined; there are
four possible actions, i.e. avoid, mitigate, transfer or accept the risk [9]. The input of this
phase is the list of risk events, whereas the outputs are the risk assessment result and its mitigation plan.

3. Result and discussion

3.1. The result of data collection phase

From the interviews, document review and observation of the current condition, we obtained detailed
information about the job description and business process of the Service Desk unit in DPTSI. The main responsibilities of
the Service Desk staff are incident management and request fulfillment. Since they interact directly
with users while performing these jobs, the staff of the Service Desk unit must always be ready and alert to handle every
incoming service request or complaint. Good service and incident management should follow the defined procedure,
starting from reporting, recording, escalating, and documenting the incident or service request. From the interview
and observation results, we found that the incident management and request fulfillment processes in the Service Desk unit of
DPTSI do not yet meet the ideal processes of COBIT 5 for Risk. Specifically, some activities specified in the key
management practices of domain DSS02 of COBIT 5 for Risk have not been implemented. For example, not all
incoming requests are documented, and there is no formal report on the incidents and requests that have been
resolved by the Service Desk unit. Table 1 shows an example of the mapping of existing activities in DPTSI to the
ideal activities in DSS02.01 Define incident and service request classification schemes.

Table 1. Example result of mapping the existing condition to the ideal condition.

No. | Activities | Performed (√) or not (-) | Notes
1. | Define incident and service request classification and prioritisation schemes and criteria for problem registration, to ensure consistent approaches for handling, informing users about and conducting trend analysis. | √ | Users report an incident or request a service by e-mail, telephone or the e-ticket system. The Service Desk has defined categories of incoming incidents and requests to simplify the distribution and escalation processes. In addition, the Service Desk also prioritizes incidents and requests based on their urgency.
2. | Define incident models for known errors to enable efficient and effective resolution. | √ | The Service Desk unit has defined an incident model to help them determine the right solution.
4. | Define incident escalation rules and procedures, especially for major incidents and security incidents. | - | The Service Desk unit has not implemented incident escalation rules and procedures.
5. | Define incident and request knowledge sources and their use. | √ | The Service Desk unit has defined knowledge sources and their use through communication and information gathering from the user's perspective.

After mapping all the activities, we analyzed the possible risks that might occur in each activity. The risk
identification follows the previous study [10], adjusted to the existing condition. Table 2 shows an
example of the identified risks for each activity, including their causes.

Table 2. Example result of risk identification process.

No | Activities | Potential risks | Notes | Causes
1 | Define incident escalation rules and procedures, especially for major incidents and security incidents. | Mistakes in creating the categorization system or prioritization system for incidents and service requests | The Service Desk made a mistake in making the categorization or prioritization system for incidents and service requests. The mistake can be categorization or prioritization systems that are not relevant to the IT services, or a categorization or prioritization system that is incomplete. | The Service Desk did not have sufficient knowledge to create a good prioritization or categorization system for IT services.
2 | Define incident models for known errors to enable efficient and effective resolution. | Fault in accessing the e-ticket system | The e-ticketing system cannot be used by users to report incidents and request IT services because of errors or bugs. | System error or bug.

3.2. The result of data analysis phase

After obtaining the list of identified risks, in this phase we identify and determine the risk types, risk
categories, and risk factors. According to [8] there are three types of risk:
• IT benefit/value enablement risk (type 1): associated with (missed) opportunities to use technology to improve
the efficiency or effectiveness of business processes or as an enabler for new business initiatives.
• IT programme and project delivery risk (type 2): associated with the contribution of IT to new or improved
business solutions, usually in the form of projects and programmes.
• IT operations and service delivery risk (type 3): associated with the operational stability, availability,
protection and recoverability of IT services, which can bring destruction or reduction of value to the enterprise.
In the mapping, 'P' indicates a primary (higher degree) fit and 'S' a secondary (lower degree) fit, while a blank cell
indicates that the risk category is not relevant for the risk scenario at hand. Once the risk types are identified, the next
step is to map each risk to the risk categories specified in COBIT 5 for Risk (20 categories are
available). Subsequently, we determine the risk factors (causes) affecting the service request and incident
management processes, both internal and external. Table 3 summarizes the result of the data analysis phase.

Table 3. Example of determined risk types, risk categories, and risk factors.

No | Risk | Risk types (T1 / T2 / T3) | Risk categories | Risk factors: internal | Risk factors: external
1 | Mistake in data entry from user | S / S / P | Staff operation (human error and malicious intent) | Complexity of IT: complex IT system that must be met by users. Operating model: users are not accustomed to the operating model of the incident reporting. | Technology status and evolution: the development of recent technologies that leads to the complexity of IT service requests.
2 | Fault in accessing e-ticket system | S / S / P | Software | Complexity of IT: the e-ticket system is complex and has many bugs and errors. Risk management philosophy: the organization does not set up a strategy to prevent system failure caused by bugs and errors. | Technology status and evolution: technological developments require the e-ticket system to be periodically maintained. Threat landscape: threat of system attacks from unauthorized parties.

3.3. The result of risk analysis phase

In this phase, the IT risk scenario or risk impact is created. Scenarios are of two kinds, positive and negative.
A positive scenario means that the identified risk does not occur, so it describes the organization's business processes
running smoothly and optimally. Conversely, a negative scenario means that the identified risk has occurred, resulting in a
disruption to the business processes. Table 4 shows example IT risk scenarios for some of the identified risks.

Table 4. Risk scenarios.

No | Risk | Positive scenario | Negative scenario
1 | Mistakes in creating categorization system or prioritization system for incident and service request | Incident handling can be done appropriately and it will be easier to escalate the problem according to the specified category. | Incident and service request handling are hampered or take longer to complete because the data does not fit.
2 | Mistake in data entry from user | Users fill in the incident report or service request correctly and completely, so that incident identification and handling run smoothly and on time. | Users fill in incorrect data, or the data and information are irrelevant, so that incident identification and handling need more time.
3 | Fault in accessing e-ticket system | Users can rely on the e-ticket system to generate incident reports and service requests. The Service Desk unit can receive and manage reports from users properly. | Bottleneck of reporting through the manual system (e-mail and phone). Besides, the Service Desk could not keep track of the reporting status.

The risk assessment is carried out by calculating the frequency of risk occurrence and its impact (magnitude). Table
5 shows the frequency scale used in risk prioritization.

Table 5. Risk frequency assessment scale.

Frequency value | Level | Frequency (N, occurrences per year) | Description
1 | Very Low | N ≤ 0.1 | Likely to occur only in very special circumstances (small possibility). Tends to occur less than 0.1 times in a year.
2 | Low | 0.1 < N ≤ 1 | May occur in some circumstances (rarely). Tends to occur between 0.1 and 1 times in a year.
3 | Moderate | 1 < N ≤ 10 | Tends to occur in some circumstances (sometimes happens); usually occurs between 1 and 10 times in a year.
4 | High | 10 < N ≤ 100 | Likely to occur in most circumstances (may happen). Tends to occur between 10 and 100 times in a year.
5 | Very High | 100 < N | Tends to occur in most circumstances (often happens); usually occurs more than 100 times in a year.

The risk magnitude based on COBIT 5 for Risk is divided into four aspects, as shown in Table 6. The
productivity value measures the financial loss caused by Service Desk staff performance over a one-year period, while
the cost of response indicates the amount of money spent to overcome the risk. The competitive advantage
value is measured from the reduction in user satisfaction caused by the risk, and the legal aspect measures
the amount of the fine that the organization would have to pay under the law. The value of risk magnitude
is the average of the values of the four aspects and is referred to as the overall ranking.
The risk frequency value was determined from the interview results; the competitive advantage value was
obtained from a questionnaire, while the productivity, cost of response and legal values were obtained
from the interviews. Risk priority levels are determined based on the average magnitude. The detailed risk
assessment result is presented in Table 7.
Table 6. Risk magnitude assessment scale.

Magnitude value | Productivity | Cost of response | Competitive advantage | Legal
1 | I ≤ 1% | I ≤ IDR 1 million | I ≤ 1 | < IDR 1 million
2 | 1% < I ≤ 3% | IDR 1 million < I ≤ IDR 10 million | 1 < I ≤ 1.5 | < IDR 10 million
3 | 3% < I ≤ 5% | IDR 10 million < I ≤ IDR 100 million | 1.5 < I ≤ 2 | < IDR 100 million
4 | 5% < I ≤ 10% | IDR 100 million < I ≤ IDR 500 million | 2 < I ≤ 2.5 | < IDR 500 million
5 | 10% < I | IDR 500 million < I | 2.5 < I | > IDR 500 million

Table 7. Risk assessment result.

Risk ID | Risk | Frequency | Average of magnitude | Risk level
IES001 | Errors in the creation of categorization and prioritization system | 1 | 1.5 | Low
IES004 | Delays of helpdesk's response | 4 | 1.75 | High
IDB002 | The leaking of the report to other parties | 1 | 1.75 | Low
SOF001 | E-ticket system malfunction or outdated | 3 | 1.75 | Medium
REC001 | Incident management or request fulfillment procedures are not available | 4 | 1.75 | High
MWR001 | There is a virus attack | 3 | 1.5 | Medium
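
As an added worked example that is not part of the paper, the following Python encodes the frequency scale of Table 5 and the magnitude scale of Table 6 and computes the average of magnitude (overall ranking) reported in Table 7; the function names, dataclasses and sample inputs are constructed here, and since the page does not state the rule that turns frequency and average magnitude into the Low/Medium/High level, that final step is not implemented.

```python
"""Risk scoring built from the paper's Table 5 (frequency) and Table 6 (magnitude):
N occurrences per year -> frequency value 1..5; four impact aspects each banded to
1..5 and averaged into the "overall ranking" shown as "Average of magnitude" in Table 7.
"""
from dataclasses import dataclass
from statistics import mean

IDR_MILLION = 1_000_000

# Table 5: (inclusive upper bound of N, frequency value, label); anything above 100 is 5.
FREQUENCY_BANDS = [(0.1, 1, "Very Low"), (1, 2, "Low"), (10, 3, "Moderate"), (100, 4, "High")]


def frequency_value(n_per_year: float) -> tuple:
    """Map an annual occurrence count N to its Table 5 frequency value and label."""
    if n_per_year < 0:
        raise ValueError("frequency cannot be negative")
    for upper, value, label in FREQUENCY_BANDS:
        if n_per_year <= upper:  # bands are "lower < N <= upper": the bound is inclusive
            return value, label
    return 5, "Very High"


def _band(x: float, uppers: list, strict: bool = False) -> int:
    """Band x into 1..len(uppers)+1. Table 6 uses 'I <= bound' for three aspects but
    '< bound' for the legal column; strict=True selects the latter."""
    for i, upper in enumerate(uppers, start=1):
        if (x < upper) if strict else (x <= upper):
            return i
    return len(uppers) + 1


IDR_BOUNDS = [1 * IDR_MILLION, 10 * IDR_MILLION, 100 * IDR_MILLION, 500 * IDR_MILLION]


def productivity_value(loss_fraction: float) -> int:
    """Productivity: financial loss share over one year (Table 6: 1% / 3% / 5% / 10%)."""
    return _band(loss_fraction, [0.01, 0.03, 0.05, 0.10])


def cost_of_response_value(idr: float) -> int:
    """Cost of response in IDR (Table 6: 1M / 10M / 100M / 500M, inclusive bounds)."""
    return _band(idr, IDR_BOUNDS)


def competitive_advantage_value(satisfaction_drop: float) -> int:
    """Reduction of user satisfaction (Table 6: 1 / 1.5 / 2 / 2.5, inclusive bounds)."""
    return _band(satisfaction_drop, [1.0, 1.5, 2.0, 2.5])


def legal_value(fine_idr: float) -> int:
    """Legal fine in IDR (Table 6: '< 1M' ... '> 500M'): a fine of exactly IDR 1 million
    lands in band 2, unlike the same amount in the cost-of-response column."""
    return _band(fine_idr, IDR_BOUNDS, strict=True)


@dataclass
class RiskInput:
    risk_id: str
    n_per_year: float         # expected occurrences per year (Table 5 input)
    productivity_loss: float  # fraction of one year's value, e.g. 0.02 for 2%
    response_cost_idr: float
    satisfaction_drop: float
    fine_idr: float


@dataclass
class RiskScore:
    risk_id: str
    frequency: int
    frequency_label: str
    magnitudes: tuple         # productivity, cost of response, competitive advantage, legal
    average_magnitude: float  # the paper's "overall ranking"


def assess(r: RiskInput) -> RiskScore:
    """Combine the Table 5 frequency value with the average of the four Table 6 values.
    The page does not give the thresholds that turn (frequency, average) into the
    Low/Medium/High level of Table 7, so that final step is intentionally left out."""
    freq, label = frequency_value(r.n_per_year)
    mags = (productivity_value(r.productivity_loss), cost_of_response_value(r.response_cost_idr),
            competitive_advantage_value(r.satisfaction_drop), legal_value(r.fine_idr))
    return RiskScore(r.risk_id, freq, label, mags, mean(mags))


# Constructed sample inputs (not the paper's data); the IDs reuse Table 7's labels and the
# values were chosen so the output reproduces those rows' frequency and average magnitude.
SAMPLE_RISKS = [
    RiskInput("SOF001", n_per_year=4, productivity_loss=0.02, response_cost_idr=5 * IDR_MILLION,
              satisfaction_drop=1.2, fine_idr=0),
    RiskInput("IES001", n_per_year=0.05, productivity_loss=0.005, response_cost_idr=5 * IDR_MILLION,
              satisfaction_drop=1.5, fine_idr=0),
]
```

Calling assess() on the two constructed inputs gives frequency 3 with average 1.75 and frequency 1 with average 1.5, matching the SOF001 and IES001 rows of Table 7.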

In this research, the mitigation strategy was determined based on the IT processes of COBIT 5; some activities of the
key management practices relevant to the selected process are then chosen for implementation in the organization.
Table 8 summarizes the suitable COBIT 5 process for each risk category.

Table 8. Mapping risk mitigation strategy to COBIT 5 process.

Risk category | COBIT 5 processes
IT expertise and skill | APO07 Manage Human Resource
Staff operation (human error and malicious intent) | DSS01 Manage Operations, APO11 Manage Quality
Information (data breach: damage, leakage and access) | DSS05 Manage Security Services
Software | BAI09 Manage Assets
Regulatory compliance | DSS01 Manage Operations
Malware | BAI09 Manage Assets

The following is the analysis of mitigation steps, determined by risk priority level. For high-level risks,
the mitigation steps will be described in detail per activity in order to minimize organizational losses (to be
addressed in future research). Medium- and low-level risks are mapped to the appropriate key
management practices of COBIT 5 Enabling Processes [14], as presented in Table 9.

Table 9. Mitigation plan.

No | Risk category | Risk ID | Risk | Risk level | COBIT 5 process | Mitigation plan based on COBIT 5 activities
1 | Staff operation (human error and malicious intent) | SOH003 | Mistakes in informing escalation procedures | Medium | DSS01 Manage Operations | DSS01.01 Perform Operational Procedures: maintain and perform operational procedures and operational tasks reliably and consistently.
    • Develop and maintain operational procedures and related activities to support all delivered services.
    • Implement policies and procedures to support the effectiveness of business processes.
    • Perform regular evaluations of the effectiveness of the implemented policies and procedures.
2 | Information (data breach: damage, leakage and access) | IDB002 | The leaking of the report to other parties | Low | DSS05 Manage Security Services | DSS05.06 Manage sensitive documents and output devices: establish appropriate physical safeguards, accounting practices and inventory management over sensitive IT assets, such as special forms, special-purpose printers or security tokens.

4. Conclusion

The results of this study show that most of the risks fall into the staff operations and IT expertise and
skills categories, so the activities in DPTSI are most appropriately mapped to the DSS01 Manage Operations process. The risk
mitigation steps for the staff operations category consist of a series of activities to create and implement written procedures
aimed at minimizing staff mismanagement. The APO07 Manage Human Resource process covers the risk mitigation
measures for the IT expertise and skills category; it involves a series of activities to enhance the skills of staff
to do their jobs. In addition, based on the results of the risk mitigation analysis, restructuring is required to optimize
how the organization implements its business processes, because the main duties and functions of the Sub-directorate
of Service Technology and Information Systems are not yet specific. We hope that the results of this research will help
the organization's decision makers to make strategic decisions. In addition, the results may be used as a
reference by other organizations with similar business processes.

Acknowledgement

We would like to thank the Research Center of Institut Teknologi Sepuluh Nopember (ITS), Surabaya –
Indonesia for supporting this research under “Penelitian Pemula” Grant 2017, contract number: 804/PKS/ITS/2017.

References

[1] DPTSI ITS, “Tentang DPTSI,” 2016. [Online]. Available: https://dptsi.its.ac.id/?page_id=150.
[2] Office of Government Commerce, “ITIL Version 3: Service Operation,” in ITIL V3, Buckinghamshire, OGC, 2011.
[3] D. Innike, B. C. Hidayanto and H. M. Astuti, “Penilaian Risiko Keamanan Informasi Menggunakan Metode Failure Mode and Effect Analysis di Divisi TI Bank XYZ Surabaya,” in Seminar Nasional Sistem Informasi Indonesia, Surabaya, 2014.
[4] M. Labombang, “Manajemen Risiko dalam Proyek Konstruksi,” SMARTek (Sipil, Mesin, Arsitektur, Elektro), pp. 39-46, 2011.
[5] Glasgow Caledonian University, “Risk Management Strategy,” June 2015.
[6] G. Stoneburner, G. Alice and F. Alexis, “Risk Management Guide for Information Technology Systems (Recommendations of the National Institute of Standards and Technology),” U.S. Department of Commerce, Gaithersburg, 2002.
[7] A. Amri, “Manajemen Risiko – ISO 31000,” ITB BLOGS, 15 November 2015. [Online]. Available: https://blogs.itb.ac.id/23215077auliakamriel5007mkisem1t15d16mr/author/auliak/. [Accessed 27 July 2017].
[8] ISACA, COBIT 5 for Risk, Illinois: ISACA, 2013.
[9] ISACA, COBIT 5 Enabling Processes, Illinois: ISACA, 2012.
[10] D. R. Sulistyaningrum, A. H. N. Ali and H. M. Astuti, “Pembuatan Perangkat Audit Berbasis Risiko Untuk Manajemen Insiden Pada Service Desk Unit Teknologi Sistem Informasi PDAM Surya Sembada Kota Surabaya,” Unpublished Thesis, ITS, Surabaya, 2015.
[11] O. Illoh, S. Aghili and S. Butakov, “Using COBIT 5 for Risk to Develop Cloud Computing SLA Evaluation Templates,” in Service-Oriented Computing - ICSOC 2014 Workshops, Switzerland, 2015.
[12] R. Stup, “Standard Operating Procedures: Managing The Human Variables,” in National Mastitis Council Regional Meeting Proceedings, Pennsylvania, 2002.
[13] D. R. Indah, Harlili and A. Firdaus, “Risk Management for Enterprise Resource Planning Post Implementation Using COBIT 5 for Risk,” in International Conference on Computer Science and Engineering, Bandung, 2014.
[14] R. K. Candra, A. Imelda and Y. Firdaus, “Audit Teknologi Informasi menggunakan Framework COBIT 5 Pada Domain DSS (Deliver, Service, and Support) (Studi Kasus: iGracias Telkom University),” Universitas Telkom, Bandung, 2015.
