Cost Estimation of Information Technology Risks and Instituting Appropriate Controls

Jackson AKPOJARO, Princewill Aigbe

Abstract


Nothing puzzles an enterprise’s Information Technology (IT) manager like the term “cost value” when deciding on investments in IT risk management. Businesses today plan more deliberately, as decision makers weigh the value proposition of each measure that controls the enterprise’s IT risk. Managing IT risk in this way calls for a change in current business practice: a paradigm shift from value-judgement decision-making techniques to a pragmatic, data-driven approach. The aim of the data-driven approach is a standardized methodology that strikes the correct balance between the cost and the value of managing an enterprise’s IT risks, eliminating any disproportionate expenditure on controls. The approach has been architected in alignment with enterprise risk management concepts, industry best practices and data-driven techniques that have evolved over the years. The paper is structured in two major sections: the risk analysis stage, in which IT risks are identified and estimated, and the control selection stage, in which an appropriate control is selected, on the basis of its cost, to reduce or eliminate a given IT risk. The paper works through a given scenario to demonstrate the data-driven approach in practice.
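The two stages described above (estimate the risk, then pick the control whose cost is justified by the risk it removes) can be made concrete with the standard annualized loss expectancy (ALE) model. The following is an added worked example written for this page; it is not the paper's own scenario or code, whose figures and formulas are not reproduced here. It assumes the usual definitions SLE = asset value × exposure factor and ALE = SLE × ARO, and the cost-value rule that a control is worth buying only if the ALE it removes exceeds its annual cost; the risks, controls and monetary figures are constructed for illustration.

```python
"""Risk estimation and cost-value control selection (added example).

Assumed model (standard ALE, not taken from the paper):
    SLE = asset_value * exposure_factor
    ALE = SLE * ARO
    net value of a control = ALE_before - ALE_after - annual_cost
A control is selected only when its net value is positive, which is
what rules out "disproportionate expenditure on controls".
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float       # monetary value of the affected asset
    exposure_factor: float   # fraction of the asset lost per incident, 0..1
    aro: float               # annualized rate of occurrence

    def sle(self) -> float:
        """Single loss expectancy: loss from one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_reduction: float = 0.0   # fraction of ARO removed (preventive effect)
    ef_reduction: float = 0.0    # fraction of exposure factor removed (impact effect)

    def residual(self, risk: Risk) -> Risk:
        """The same risk after this control is in place."""
        return replace(
            risk,
            exposure_factor=risk.exposure_factor * (1.0 - self.ef_reduction),
            aro=risk.aro * (1.0 - self.aro_reduction),
        )


def control_value(risk: Risk, control: Control) -> float:
    """Annual net value of applying `control` to `risk` (ALE saved minus cost)."""
    return risk.ale() - control.residual(risk).ale() - control.annual_cost


def rosi(risk: Risk, control: Control) -> float:
    """Return on security investment: net value per unit of control cost."""
    return control_value(risk, control) / control.annual_cost


def rank_controls(risk: Risk, controls: list) -> list:
    """Controls ordered from most to least valuable, as (name, net value) pairs."""
    ranked = sorted(controls, key=lambda c: control_value(risk, c), reverse=True)
    return [(c.name, control_value(risk, c)) for c in ranked]


def select_control(risk: Risk, controls: list):
    """Best control whose value is positive, or None if none pays for itself."""
    best = max(controls, key=lambda c: control_value(risk, c))
    return best if control_value(risk, best) > 0 else None


# Constructed scenario: a file server that a ransomware incident would
# half-destroy, expected once every five years.
FILE_SERVER = Risk("ransomware on file server", asset_value=200_000,
                   exposure_factor=0.5, aro=0.2)

# Constructed candidate controls with hypothetical costs and effects.
CONTROLS = [
    Control("offline backups", annual_cost=6_000, ef_reduction=0.8),
    Control("endpoint detection and response", annual_cost=12_000, aro_reduction=0.6),
    Control("full-coverage cyber insurance", annual_cost=25_000, ef_reduction=1.0),
]

# Constructed low-value asset: every control above costs more than the risk.
BROCHURE_SITE = Risk("defacement of brochure site", asset_value=5_000,
                     exposure_factor=0.2, aro=1.0)


if __name__ == "__main__":
    print(f"{FILE_SERVER.name}: SLE={FILE_SERVER.sle():,.0f} ALE={FILE_SERVER.ale():,.0f}")
    for name, value in rank_controls(FILE_SERVER, CONTROLS):
        print(f"  {name:34s} net value {value:>10,.0f}")
    chosen = select_control(FILE_SERVER, CONTROLS)
    print("selected:", chosen.name if chosen else "none")
    print("selected for", BROCHURE_SITE.name + ":",
          select_control(BROCHURE_SITE, CONTROLS) or "none (accept the risk)")
```

With these constructed figures the file server carries an ALE of 20,000; offline backups cut it to 4,000 for 6,000 a year (net value 10,000), endpoint detection merely breaks even, and the insurance option costs more than the whole risk, so only backups are selected. For the brochure site no control is worth its cost and `select_control` returns `None`, which is the "accept the risk" outcome the cost-value rule is meant to surface rather than bury.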


Keywords


Information technology risk, Data-driven techniques, Enterprise risk management, Expenditure.






ISSN: 1694-2507 (Print)

ISSN: 1694-2108 (Online)