تجزیه و تحلیل ریسک IS مبتنی بر مدل کسب و کار

The disruption of operations due to IS failure becomes more important as IS has become an increasingly essential component of the organization’s operations and can affect its strategic objectives. Nevertheless, traditional IS risk analysis methods do not adequately reflect the loss from disruption of operations in determining the value of IS assets. Quantitative methods do not measure the loss from disruption of operations. Qualitative methods consider the loss, but their results are subjective and not suitable for cost-benefit decision support. There is a lack of systematic methods to measure the value of IS assets from the viewpoint of operational continuity. This study presents an IS risk analysis method based on a business model. The method uses a systematic quantitative approach dealing with operational continuity: the importance of various business functions and the necessity level of various assets are first determined. The value of each asset is then determined based on these two levels. The proposed method adds the first stage, organizational investigation, to traditional risk analysis. The process of the method utilizes various methodologies such as paired comparison, asset–function assignment tables, and asset dependency diagrams.

IS was introduced to the business as a means of improving operational efficiency. It was then treated only as a tool for performing an organization’s operations. Now, it is, however, an essential component of an organization’s survival. Almost no operations of an organization can be performed without IS. Organizations have become so dependent on IS that even a relatively short loss of the availability of a critical system can lead to a total failure of the business. The emergence of e-business accelerates this trend. IS managers, therefore, have to place an emphasis on the IS risk analysis and management. The disruption of operations can also become more important than the replacement of IS assets. The support of the operation is a major part of risk analysis. So, IS assets should be valued from the viewpoint of operational continuity in addition to their replacement costs. Traditional IS risk analysis methods cannot adequately reflect the loss due to disruption of operations. Quantitative risk analysis methods measure the value based on its replacement cost. Due to the measurement difficulty, such methods do not measure the loss from the disruption of operations. One of the disadvantages of these methods, the inappropriateness of monetary asset value, is due to the difficulty in measuring the costs. Qualitative risk analysis methods determine loss based on the knowledge and judgment of a risk analyst rather than on precise monetary values. This results in a lack of cost-benefit decision-making and the subjective results. IS risk analysis requires the identification of mission critical assets, the potential threats that might undermine the mission capability, and the consequences of loss of mission critical assets [10]. To meet these requirements, this study presents an IS risk analysis method based on a business model.

Traditional risk analysis methods cannot adequately reflect the loss from the disruption of operations resulting from asset failure: • Quantitative methods measure the value of assets based on their replacement costs. They do not measure the impact of the disruption of operations due to the measurement difficulty. • Qualitative methods consider the impact of the disruption. The methods, however, provide subjective results and are not suitable for cost-benefit decision support. This study presented the new IS risk analysis method based on a business model. This is a systematic quantitative approach from the viewpoint of operational continuity. The study proposed a risk analysis method that considers the replacement of assets and the disruption of operations together. IS continuation is the essential condition for the organization’s survival. Even a relatively short loss of availability can lead to total failure of the business. The disruption of operations becomes more important and costly than the loss of assets. The proposed method determines the value of assets by considering the relationship between assets and business functions. The value of assets, therefore, reflects the value of the business functions that the assets support. This sees assets as one of the essential conditions for performing the business functions. In addition, the method adopts a quantitative approach. This method, therefore, inherits the advantages of a quantitative approach and overcomes the disadvantages of the qualitative approach. Thus, it produces objective results. Moreover, the method provides a systematic approach to calculate the monetary asset value and therefore overcomes one of the disadvantages of the quantitative approach: inappropriateness of monetary asset value. The method also leads to the involvement of various field managers as well as the IS manager, increasing all managers’ understanding of the risks and threats. This leads field managers to accept the risk analysis and resulting security systems. The damages resulting from the disruption of operations do, however, include several elements, such as customer confidence, trust, and goodwill. Nor does our method consider partial dependency between assets. For example, it is possible that one asset is 50% dependent on another and this sort of effect is ignored in our analysis.