Risk Evaluation Model for Information Technology Services in Integrated Risk Assessment
A risk evaluation model for information technology (IT) services in integrated risk assessment is proposed in this paper. The model covers management systems for information security and IT services. The component-impact coefficient parameter is introduced to define the strength of the relation between assets and IT services. The concept of composition of relations and the weighted sum principle are applied to analyze and evaluate the risk of IT services. When we applied the model to IT services in operation, the risk evaluation was output as quantities that reflect the component-impact coefficient, and risk treatment prioritization was attained in the descending order of numerical values. The proposed model therefore improves the precision of risk evaluation, and application of the model allows more accurate risk evaluation than the conventional method.
Keywords: Integrated risk management; Risk assessment; Weighted sum; Information security management system; IT service management system
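As an added illustration, not the paper's own code or data, the following Python sketch composes an assumed threat-to-asset relation (the ISMS side) with assumed component-impact coefficients (asset-to-service, the ITSMS side) and ranks services by weighted sum in descending order; all names, scales and numbers are constructed.

```python
"""Added illustration (not the paper's code) of composing the ISMS relation
threat -> asset with the ITSMS relation asset -> IT service, then ranking
services by weighted sum. All scales, names and numbers are constructed."""
from collections import defaultdict

# Constructed ISMS-side relation: threat -> asset, weighted by likelihood (0..1).
THREAT_ASSET = {
    ("ransomware", "db-server"): 0.5,
    ("ransomware", "backup-store"): 0.4,
    ("credential-stuffing", "auth-service"): 0.7,
    ("web-defacement", "web-frontend"): 0.3,
}
# Constructed asset impact on a 1..5 scale (assumption: impact is rated per asset).
ASSET_IMPACT = {"db-server": 5, "web-frontend": 3, "auth-service": 5, "backup-store": 2}
# Constructed component-impact coefficients (0..1): how strongly an asset
# underpins each IT service; an absent pair means no relation.
COMPONENT_IMPACT = {
    ("db-server", "online-banking"): 1.0,
    ("web-frontend", "online-banking"): 0.8,
    ("auth-service", "online-banking"): 0.9,
    ("auth-service", "internal-portal"): 0.6,
    ("web-frontend", "internal-portal"): 0.3,
    ("backup-store", "internal-portal"): 0.2,
}

def compose(rel_ab, rel_bc):
    """Weighted composition (A->B) o (B->C) -> A->C: sum, over the shared
    middle element, of the product of the two weights."""
    out = defaultdict(float)
    for (a, b), w_ab in rel_ab.items():
        for (b2, c), w_bc in rel_bc.items():
            if b == b2:
                out[(a, c)] += w_ab * w_bc
    return dict(out)

def service_risk(threat_asset, asset_impact, component_impact):
    """Risk per IT service = weighted sum over threats and assets of
    likelihood * asset impact * component-impact coefficient."""
    weighted = {(a, s): asset_impact[a] * coeff for (a, s), coeff in component_impact.items()}
    risk = defaultdict(float)
    for (_, s), w in compose(threat_asset, weighted).items():
        risk[s] += w
    return dict(risk)

def prioritize(risk):
    """Treatment order: descending numerical risk, as the abstract describes."""
    return sorted(risk.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for service, value in prioritize(service_risk(THREAT_ASSET, ASSET_IMPACT, COMPONENT_IMPACT)):
        print(f"{service:16s} {value:.2f}")
```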