A framework for integrated risk management in
information technology
Kakoli Bandyopadhyay
Assistant Professor, Department of Information Systems and Analysis,
Lamar University, Beaumont, Texas, USA
Peter P. Mykytyn
Professor, Department of Information Systems and Management Sciences,
University of Texas at Arlington, Arlington, Texas, USA
Kathleen Mykytyn
Doctoral Student, Department of Computer Information Systems and
Quantitative Analysis, University of Arkansas, Fayetteville, Arkansas, USA
Keywords
Information technology, Introduction
Monitoring, Risk,
Risk management Business organizations annually invest hun-
dreds of billions of dollars in information
Abstract technology (IT) (Barua et al., 1995). Spending
The use of information technology
on IT accounts for almost a third of all
(IT) in organizations is subject to
various kinds of potential risks. expenditures and is the largest single item in
Explores the environment of IT in the capital spending budget of US corpora-
organizations, identifies the prob- tions (Schnitt, 1993). Investment in IT
able threats, and proposes a fra-
(exclusive of the amount spent on software)
mework for integrated risk
management. The risk manage- equals nearly half the spending on equipment
ment process has four major com- (Zuckerman, 1994).
ponents risk identification, risk As spending on IT rises steeply, organiza-
analysis, risk-reducing measures,
tions become increasingly technology-depen-
and risk monitoring. The frame-
work can be used to guide organi- dent and, consequently, they become highly
zations in reducing the losses vulnerable to the risks of IT failure. There-
resulting from the realization of fore, IT risk-management is one of the
threats to IT use.
important issues facing information systems
(IS) executives today.
The objective of IT risk management is to
protect IT assets such as data, hardware,
software, personnel and facilities from all
external (e.g. natural disasters) and internal
(e.g. technical failures, sabotage, unauthor-
ized access) threats so that the costs of losses
resulting from the realization of such threats
are minimized (Gottfried, 1989). The purpose
is to avoid or lessen losses by selecting and
implementing the best combination of secur-
ity measures (Rainer et al., 1991).
Four major components of risk manage-
ment have been identified in the literature
(Rainer et al., 1991; Eloffr et al., 1993; Epich
and Persson, 1994; Lightle and Sprohge, 1992;
Lochr et al., 1992; Vitale, 1986):
1 risk identification,
2 risk analysis,
3 risk-reducing measures, and
4 risk monitoring
Management Decision Frameworks that are currently available are
37/5 [1999] 437444 not comprehensive in that they describe only
# MCB University Press some subsets of these four major components
[ISSN 0025-1747]
of the IT risk management process. For
example, Vitale (1986) has proposed a frame-
work for identifying the strategic risks of IT.
Rainer et al. (1991) have proposed a risk
analysis process for IT by combining quali-
tative and quantitative methodologies. Epich
and Persson (1994) have proposed a disaster
recovery plan to reduce IT risks by metho-
dically restituting business functions in the
event of a disaster. Eloff et al. (1993) have
addressed the issue of risk monitoring to
ensure effective implementation of risk-con-
trol measures.
The purpose of our paper is to develop a
framework for integrated risk management
in IT. The framework includes the four major
risk-management components:
1 risk identification,
2 risk analysis,
3 risk-reducing measures, and
4 risk monitoring.
The framework does not emphasize any one
particular component of the risk manage-
ment process but concentrates on the
sequential linkage of the four components to
make up the entire system of IT risk man-
agement. This approach is an improvement
over other approaches (that address one or
more of the components in an isolated
manner), because it should enable managers
to smoothly move from one component to
another by identifying and understanding
the possible courses of action in the different
steps. Thus, our framework should provide
IT managers with a comprehensive view of
their overall risk management situation
(depicted in Figure 1).
The various elements of the integrated IT
risk management framework are presented
in the rest of the paper. Following the
framework, managerial implications are dis-
cussed. Suggestions for future research are
also made.
[ 437 ]
Kakoli Bandyopadhyay,
Peter P. Mykytyn and A framework for integrated IT risk
Kathleen Mykytyn management
A framework for integrated
risk management in The framework, integrating the four sequen-
information technology tial steps of:
Management Decision 1 risk identification,
37/5 [1999] 437444
2 risk analysis,
3 risk-reducing measures, and
4 risk monitoring,
is presented in Figure 1. The application of
this framework should take place as early as
the planning stage of systems development
and continue throughout the development
process. A sequential, in-depth discussion of
the specific elements in the proposed frame-
work is presented next.
Risk identification
Risk management for IT begins with the risk
identification process, which allows organi-
zations to determine early the potential
impact of the realization of internal and
external threats on the entire IT environ-
ment. The first step toward risk identifica-
tion is to define the IT environment. The IT
environment consists of three levels:
1 the application level,
2 the organizational level, and
3 the interorganizational level.
Figure 1
A framework for integrated IT risk management
[ 438 ]
There are potential risks associated with the
deployment of IT at all three levels. The
different types of IT risks at various levels
are summarized in Table I.
Application level
The application level concentrates on the
risks of technical or implementation failure
of IT applications. Such risks may arise from
both internal and external sources (Rainer
et al., 1991). External threats are:
. natural disasters,
. acts of competitors,
. hackers, and
. computer viruses.
Internal threats to IT assets may come from
either authorized or unauthorized physical
access leading to system abuse. These threats
can damage or destroy IT assets such as
hardware, software, data, personnel, and
facilities.
An empirical study (Loch et al., 1992) on
computer security reveals that, at the appli-
cation level, IS managers consider natural
disasters and employee accidental actions to
represent the greatest level of risk. They also
view the mainframe-computing environment
to be more secure than the microcomputer
environment.
Organizational level
At the organizational level, the focus is on the
impact of IT throughout all functional areas
of the organization rather than on any
isolated application. Businesses are increas-
ingly deploying IT at the organizational level
to achieve competitive advantage. Recent
studies (Barua et al., 1995) indicate that the
impact of IT is positive on capacity utiliza-
tion, inventory turnover, and product quality
at the organization level. Examples of cases
of strategic information systems (SIS) that
have positively affected the performance at
the organization level include Merrill
Lynch's Cash Management Account (CMA),
American Hospital Supply's ASAP order
entry system, and American Airlines'
SABRE reservation system (Kemerer and
Sosa, 1991).
The growing reliance on IT to obtain
strategic benefits for the organization can
make the organization subject to various
types of risks. A major study of strategic
risks of IS was conducted by Vitale (1986). He
collected several examples from field work,
the trade and business press, and consulting
work to show how an initial IS success could
eventually contribute to a firm's failure. An
organization investing heavily in IT may
have to continue doing so in order to remain
viable. If the organization cannot commit
Kakoli Bandyopadhyay, Table I
Peter P. Mykytyn and Overview of risk identification process
Kathleen Mykytyn
A framework for integrated IT environment Type of risk
risk management in
information technology Application level Natural disasters
Management Decision Competition
37/5 [1999] 437444 Hackers
Viruses
Data security risk: destruction of/denial of access to vital data
Organizational level Strategic/sustainability risk: lack of continuous IT investment to sustain competitive
advantage
Data security risk: destruction of/denial of access to vital data
Legal risk: violation of competitors' and customers' rights through use of IT
Suppliers' and customers' increased bargaining power owing to acquisition of skills
from company-provided IT expertise
Interorganizational Data security risk: destruction of/denial of access to vital data
level Natural disasters
Hackers
Weak and ineffective control

itself to continually invest in upgrading
rapidly changing technology, it may become
vulnerable to competitors with more re-
sources. Many organizations provide IT tools
and expertise to suppliers and customers as
an integral part of the total business devel-
opment. In the process, however, suppliers
and customers may acquire enough skills to
enhance their bargaining power. Also, docu-
menting and maintaining strategic IT appli-
cations may take more time and effort than
the benefits gained. This may eventually
make an organization concentrate more on
IT and neglect its core business (Vitale, 1986).
Another study by Lightle and Sprohge
(1992) identified three types of organizational
risks from the internal auditors' perspective:
1 sustainability risk,
2 data security risk, and
3 legal risk.
The sustainability risk refers to the risk
associated with the sustainability of com-
petitive advantage from the deployment of IT
applications on a long-term basis. In the
beginning, the benefits accrued from IT
applications enable firms to outperform their
rivals. The competitive edge is, however,
often short-lived because the competitors are
eventually able to imitate all IT applications.
The data security risk arises from the
strategic use of data within an organization.
Organizations have become largely depen-
dent on data for their survival and success
amidst intense competition. They run the
risk of incurring substantial losses from the
denial of access to, or destruction of their
data. Finally, the legal risk refers to the
probability of loss due to violation of the
rights of competitors and customers through
the use of IT. For example, American Air-
lines was charged with the violation of
antitrust laws because its successful use of
strategic information systems (the SABRE
reservation system) led to competitors'
claims of unfair practice. On another occa-
sion, Dun & Bradstreet was held liable for an
erroneous credit report on a construction
contractor (Lightle and Sprohge, 1992).
Interorganizational level
Here, the focus is on the IT risks of organi-
zations operating in a networked environ-
ment.
The most striking and powerful uses of IT
today involve networks that surpass organi-
zational boundaries. These are automated IS
shared by two or more organizations. Recent
growth in the use of these interorganiza-
tional systems (IOS) has contributed to
increased productivity, flexibility, and com-
petitiveness (Cash et al., 1992). Examples of
IOS include inter-corporate electronic mail
systems, electronic data interchange (EDI)
systems permitting buyers and suppliers to
exchange standardized business documents
electronically, and inter-corporate electronic
graphics data interchange of engineering
documentation (Riggins et al., 1994). Inter-
organizational systems bear a tremendous
impact on the competitive environment by
improving efficiencies and economies of
scale in production and distribution through
tying EDI and just-in-time (JIT) inventory
management together, reducing cost through
electronic purchasing and ordering, and
adding value to products and services (Cash
et al., 1992). For example, firms such as Levi
Strauss (apparel manufacturer), K-Mart (dis-
count retailer), Supervalue (grocery retailer),
and Bergen Brunswig (pharmaceutical
wholesaler) have significantly reduced their
[ 439 ]
Kakoli Bandyopadhyay, inventory holding costs through the use of
Peter P. Mykytyn and EDI (Premkumar et al., 1994).
Kathleen Mykytyn
A framework for integrated When organizations operate in a net-
risk management in worked environment, IT plays an important
information technology role in enhancing interfirm relationships. At
Management Decision the same time, the IT risks of organizations
37/5 [1999] 437444
compound. A study by Lightle and Sprohge
(1992) noted that the data security risk of a
distributed environment was high. Loch
et al. (1992) indicate that most managers view
the external environment to represent the
greatest level of risk. The top three threats
for the networked environment are:
1 natural disasters,
2 intrusion by computer hackers, and
3 weak and ineffective control.
Much of the scant empirical research on IT
risk management has addressed IT risks only
at the application level. This comes from an
isolated, partial view of the impact of IT.
Today, this closed world assumption of
searching only within a specific domain to
evaluate the risks associated with IT is
unrealistic. It is necessary to adopt a holistic
view and assess potential threats to IT by
considering the entire spectrum of the IT
environment. As the overall impact of IT
pervades the organization and its environ-
ment, IT risk management should focus on IT
risks at all three levels:
1 application,
2 organizational, and
3 interorganizational.
Following the identification of the IT envir-
onment and the associated IT risks, the
related vulnerabilities of IT assets need to be
determined. This provides the basis on which
risk management decisions are made.
Risk analysis
Several methodologies are currently avail-
able to comprehend and fathom the extent of
losses of IT assets from the realization of
internal and external threats identified in the
previous section. These methodologies are
categorized as quantitative, qualitative, or a
combination of both.
Quantitative approaches to risk analysis
are based on expected value analysis, i.e.
they assign dollar values to the various risks
using probability theory. These methodolo-
gies include annualized loss expectancy
(ALE), the Courtney method, and the Liver-
more risk analysis methodolgy (LRAM)
(Rainer et al., 1991).
Qualitative approaches use descriptive
variables for analyzing IT risks. These ap-
proaches include scenario analysis, Fuzzy
[ 440 ]
metrics, and survey questionnaires (Rainer
et al., 1991).
The Delphi technique can be used for both
quantitative and qualitative risk analysis
(Rainer et al., 1991). This technique is used
along with other methodologies to obtain a
general agreement among managers regard-
ing estimated value of IT assets as well as
probability estimates for the realization of
various threats.
Rainer et al. (1991) have proposed a
methodology combining quantitative and
qualitative approaches to risk analysis. This
method suggests employing a value chain
analysis for determining the risks inherent
in alternative uses of IT. The authors assert
that this combination method is more effec-
tive than any single method because of its
flexibility in considering a wide variety of IT
assets, all possible threats, and vulnerabil-
ities.
We have not digressed into a detailed
explanation of all the risk analysis
methodologies as these have been adequately
reported in the literature. There is little
empirical evidence to establish the super-
iority of one risk analysis method over
another. The literature (March and Shapira,
1987) indicates that many organizations deal
with risk depending on their managers'
perception of and attitude toward risk. These
organizations employ countermeasures
depending on the perceived importance of IT
risks and do not employ any structured
method to measure the overall IT risks.
March and Shapira (1987) found that the
perceptions of risk actually held by managers
were much different from the theoretical
concepts of risk which involved estimating
the probabilities of possible outcomes and
choosing from among alternative actions.
Managers were mostly unaffected by prob-
ability estimates of possible outcomes. Most
managers did not consider uncertainty of
possible outcomes as a significant risk. To
them, a risky choice was one that might have
a negative outcome. Managers were more
concerned about the volume of risk than the
probability of loss. The procedures for ana-
lyzing IT risks are summarized in Table II.
Risk-reducing measures
Implementing measures to reduce IT risks is
the third phase in our proposed risk man-
agement framework (Figure 1). Once the IT
assets and the many different threats to
which they are exposed are identified and the
related vulnerabilities assessed, necessary
steps should be taken to ensure that the
entire IT environment is protected from all
Kakoli Bandyopadhyay,
Peter P. Mykytyn and
Kathleen Mykytyn
A framework for integrated
risk management in
information technology
Management Decision
37/5 [1999] 437444
Table II
Overview of risk analysis process
Risk analysis approaches Procedures
Quantitative approaches Expected value analysis
Annualized loss expectancy (ALE)
Courtney method
Livermore risk analysis methodology (LRAM)
Qualitative approaches Scenario analysis
Fuzzy metrics
Survey questionnaires
Combined quantitative and qualitative approaches Delphi technique
Value chain analysis

sources of threats to the greatest extent developing and maintaining an effective

possible. The various security measures that written plan of how organizations will con-
may be implemented to mitigate different tinue to operate in the event of interruptions
types of risks are discussed here. The mea- of business functions'' (Andrews, 1990).
sures for reducing IT risks are summarized Several researchers have explicitly
in Table III. addressed the value-added capabilities that a
DRP offers to an organization. According to
Measures for reducing losses from natural Toigo (1992), a DRP offers an organization the
disasters security and integrity of its data processing
An investigative study by Loch et al. (1992) capability. Epich and Persson (1994) assert
indicated that at both application and inter- that a DRP ensures the protection of initial
organizational levels, IS managers consid- business assets and the methodical restitu-
ered natural disasters to represent the tion of business functions in the event of a
greatest level of risk. Many researchers (see disaster. Thus, a DRP can help an organiza-
Epich and Persson, 1994; Toigo, 1992) have tion considerably in avoiding major business
emphasized the importance of disaster losses such as duration of business interrup-
recovery planning by drawing attention to tions, lost revenue, lost customers, and lost
the positive correlation between the like- market share.
lihood of an organization's full recovery from Disaster recovery planning can also reduce
a disaster and the existence of a disaster losses that indirectly affect an organization's
recovery plan (DRP). Disaster recovery performance in the event of a disaster.
planning has been defined as ``the process of These losses come from employee stress,
legal exposure, insurance premiums, and
Table III customer dissatisfaction. A DRP helps
Overview of risk reducing process generate awareness among employees about
the after-effects of a disaster. This con-
Type of risk Risk-reducing measures sciousness helps employees better prepare
Natural disasters Disaster recovery plan (DRP) for a disaster and leaves them ready to face
Data security risks Backup files the aftermath (Epich and Persson, 1994).
Password control Thus, disaster recovery planning can reduce
Access codes the level of employee stress. In many
Fingerprinting organizations, a DRP is installed to reduce
Palm printing legal risks (Toigo, 1992). In many industries,
Hand geometry legal requirements mandate the installation
Retinal screening of a DRP. For example, national banks in the
Voice recognition USA must comply with the 1983 Banking
Data encryption Circular 177 (BC-177), which states that banks
Call-back modems must develop the means to reduce the impact
Computer viruses Monitoring computer usage and/or risk of losing data processing support
Stringent audit procedures (Toigo, 1992). The circular holds managers
Employee education legally liable for a bank's failure that is due
Use of company-provided software only to insufficient preparedness to face a com-
Virus-scanning and virus-removing software puter outage. Existence of a DRP can reduce
Strategic risks Patent protection insurance premiums for business interrup-
Innovative search for new ways to compete tion coverage. An adequate DRP ensures
Formal planning and control procedures
return to an acceptable level of operation in
Legal risks Expert consultants to reduce legal risks
the least possible time. This enables firms to
[ 441 ]
Kakoli Bandyopadhyay, provide uninterrupted service to customers.
Peter P. Mykytyn and The continuity of customer service provides
Kathleen Mykytyn
A framework for integrated greater customer satisfaction.
risk management in
information technology Measures for reducing data security risks
Management Decision Data security risks may arise from author-
37/5 [1999] 437444
ized or unauthorized access to IT assets in
either a stand-alone or a networked environ-
ment. Even authorized access may pose a
potential risk in the form of sabotage. For a
stand-alone system, data security can be
improved by generating backup files, and
introducing password control and access
codes (Bidgoli and Azarmsa, 1989). Some
other ways of restricting IT access to
authorized users are fingerprinting, palm-
printing, signature analysis, hand geometry,
retinal screening, and voice recognition
(Loch et al., 1992; Fried, 1993; Bidgoli and
Azarmsa, 1989). Fingerprinting requires the
matching of a user's fingerprints against a
template that contains his fingerprints before
gaining IT access. Palm-printing entails
scanning of the palm for identification.
Hand geometry electronically compares the
characteristics of the user's hand such as
finger length and thickness against
information stored in the computer. Retinal
screening involves scanning of the pattern of
the blood vessels in the back-of-the-eye retina
to compare with a pre-stored picture. Voice
recognition matches the user's voice with the
voice pattern stored on templates. In the
event of sabotage by an authorized user,
these measures are effective in tracking
down the saboteur.
In a networked environment, data encryp-
tion and call-back modems offer effective
security measures (Fried, 1993). Encryption
involves the encoding of plain text into
unreadable scrambled text during transmis-
sion. Many companies have built crypto-
graphic protection for protecting data
passing across networks. For example,
General Motors uses ANSI X.9 cryptography
to protect data passing through its EDI net-
work (Fried, 1993). A call-back modem con-
firms the authenticity of a user trying to gain
access by calling him back.
Measures for reducing risks from computer
viruses
Several measures to prevent infection from
computer viruses are available. These
include the use of passwords, back-up pro-
cedures, employee education, consistent
security policies, use of company-provided
software, use of virus-scanning and virus-
removing software, stringent audit pro-
cedures, and monitoring of computer usage
(Loch et al., 1992).
[ 442 ]
Measures for reducing strategic risks
Strategic risks arise mainly from an organi-
zation's inability to sustain its competitive
advantage from the use of IT. Vitale (1986)
posits that the first step toward managing
strategic risks is to understand them. The
key to understanding strategic risks is
dependent on an organization's ability to
foresee the long-term benefits from a new
system, assess the resources and capabilities
of its potential competitors, assess its own
financial and technical strengths, and align
its IT strategy with its overall business
strategy.
Once an organization has carefully
assessed its strategic risks, appropriate
measures can be taken to reduce them. Two
such measures have been suggested by Day
(1984). The first measure is patent protection.
Patent protection hinders competing firms
from copying the system, which provides a
competitive edge. The second measure is to
indulge in an innovative search for new ways
to compete. Support and commitment from
the top is also essential for an organization
facing exposure to strategic risks (Vitale,
1986). Additionally, formal planning and
control techniques, the use of external
consultants, or a steering committee can help
a firm to mitigate strategic risks (Ahituv
et al., 1994).
Measures for reducing legal risks
Organizations deploying IT for competitive
advantage can also face legal risks due to
possible violation of anti-trust laws and
violation of privacy (Lightle and Sprohge,
1992) as explained before. Policies and pro-
cedures should be created to promote the
understanding of potential legal risks. This
understanding will encourage organizations
to obtain help from legal experts to design
controls to subdue such risks (Lightle and
Sprohge, 1992).
Risk monitoring
The risk monitoring component of IT risk
management is an additional layer to safe-
guard the IT environment. Active risk mon-
itoring ensures that effective counter-
measures to control risks are appropriately
implemented (Eloff et al., 1993). The results of
implementing risk-reducing measures are
evaluated to determine if the expectation that
risk management reduces loss is met. Then,
appropriate adjustments must be made so
that the organization remains prepared
against the exposure to risks. Thus, risk
monitoring not only evaluates the perfor-
mance of risk-reducing measures but also
Kakoli Bandyopadhyay,
Peter P. Mykytyn and
Kathleen Mykytyn
A framework for integrated
risk management in
information technology
Management Decision
37/5 [1999] 437444
Table IV
Overview of risk monitoring process
Activities
Ensuring risk-preparedness of
firm
Continuing audit functions
serves as a continuing audit function. A
number of audit tools, such as computer
assisted audit tools and techniques (CAATT),
and measurement tools for tracking Web
sites (On Technology Corporation's Audit-
Track, Tucows Interactive Limited's Net-
Gravity, etc.) are being used for auditing
(Gascoyne, 1993; Dryden, 1995). The com-
monly used procedures for IT risk monitor-
ing are summarized in Table IV.
Managerial implications
Even though IT risk management is one of
the important issues facing IS executives,
most organizations do not have a tested and
up-to-date risk management method (Rainer
et al., 1991; Vitale, 1986). Since organizations
are increasingly becoming technology-
dependent, they are also becoming more
vulnerable to IT threats. Thus, it behoves
organizations to perform their risk analyses
correctly, determine the risk level, and take
measures accordingly. The framework
described in this paper is designed to provide
IS managers with an integrated systems view
of all the major issues involved in the
identification and analysis of risks and the
implementation and control of risk-reducing
measures. The presentation of this ``whole
picture'' (Figure 1) should enable managers
to relate the different components of the risk
management process with one another and
understand the contents of each component
(summarized in Tables I-IV).
Risk identification and analysis should
precede any risk management decisions.
Our framework should help organizations
become more aware of their dependence on
the reliable functioning of IT by identifying
the potential threats from all external and
internal sources. Without such awareness,
firms would not be convinced about their
susceptibility to these threats and the value
of implementing risk-reducing measures for
their continued operations and eventual
survival.
The difficulty arises from the inability of
most managers to conceive risk from a
decision theory perspective (March and
Shapira, 1987). Managers generally do not
rely on precise probability estimates.
Procedures
Implementation of appropriate risk-reducing measures
Measurement tools for tracking Web sites
Computer assisted audit tools and techniques (CAATT)
Consequently, their perception of risk is
affected by factors such as mood and feelings
making the measurement of risk very sub-
jective. The implication is that IS managers
must change their way of thinking about
risk. Managers must be encouraged to take
three major steps: first, they must recognize
the concept of risk at all three levels
application, organizational, and interorgani-
zational; second, they must undergo training
in decision theory approaches to risk man-
agement; and third, they must actively par-
ticipate in the estimation of their
organization's overall IT risk. Without a
change in the managers' orientation, it
becomes extremely difficult to persuade them
to adequately invest in IT security measures.
Managers must thoroughly comprehend the
value of their IT assets, IT risks at different
levels, and the related vulnerabilities of IT
assets to these various risks. This under-
standing of the overall impact of IT risks on
the entire organization and its environment
will provide management with a foundation
for substantial and prudent investment in the
IT risk management process.
Considerations for future research
The proposed integrated IT risk management
framework can lead to research in several
important directions in the future.
Researchers can examine whether managers
using this framework:
1 develop a greater degree of awareness for
the impact of IT risks on the organization
and its environment;
2 adequately invest in IT risk management
methods; and
3 are actually able to manage their IT risks
better or more effectively than others.
Without more research in these areas, most
of the risk management-related problems
discussed in this paper will not be solved. At
the same time, management will continue to
remain skeptical about investing in a com-
prehensive risk management program.
References
Ahituv, N., Neumann,S. and Riley, H.N. (1994),
Principles of Information Systems for
Management, 4th ed., Wm C. Brown Commu-
nications, Inc., Dubuque, IA.
Andrews, W.C. (1990), ``Contingency planning
for physical disasters'', Journal of Systems
Management, pp. 28-32.
Barua, A., Kriebel, C.H. and Mukhopadhyay, T.
(1995), ``Information technologies and busi-
ness value: an analytical and empirical in-
vestigation'', Information Systems Research,
Vol. 6 No. 1, pp. 3-23.
[ 443 ]
Kakoli Bandyopadhyay, Bidgoli, H. and Azarmsa, R. (1989), ``Computer
Peter P. Mykytyn and security: new managerial concern for the
Kathleen Mykytyn 1980s and beyond'', Journal of Systems
A framework for integrated
risk management in Management, pp. 21-7.
information technology Cash, J.I., McFarlan, F.W., McKenney, J.L. and
Management Decision Applegate, L.M. (1992), Corporate Information
37/5 [1999] 437444
Systems Management, Irwin, Inc., Homewood,
IL.
Day, G.S. (1984), Strategic Market Planning: The
Pursuit of Competitive Advantage, West
Publishing Company, St Paul, MN.
Dryden, P. (1995), ``Managers beef up network
security with AuditTrack'', Computerworld,
Vol. 29 No. 16, pp. 53-5.
Eloff, J.H.P., Labuschagne L. and Badenhorst,
K.P. (1993), ``A comparative framework for
risk analysis methods'', Computers &
Security, Vol. 12 No. 6, pp. 597-603.
Epich, R. and Persson, J. (1994), ``A fire drill for
business'', Information Strategy: The Execu-
tive's Journal, pp. 44-7.
Fried, L. (1993), ``Distributed information
security'', Information Systems Management,
pp. 56-65.
Gascoyne, R.J.N. (1993), ``Information technology:
CAATTs it if you can'', Singapore Accountant,
Vol. 9 No. 6, p. 19.
Gottfried, I.S. (1989), ``When disaster strikes'',
Journal of Information Systems Management,
pp. 86-9.
Kemerer, C.F. and Sosa, G.L. (1991), ``Systems
development risks in strategic information
systems'', Information & Software
Technology, Vol. 33 No. 3, pp. 212-23.
Application questions
1 Are information technology decisions in
organizations best taken by IT specialists
or general managers, or a combination of
the two?
[ 444 ]
Lightle, S. and Sprohge, H. (1992), ``Strategic
information system risk'', Internal Auditing,
pp. 31-6.
Loch, K.D., Carr H.H. and Warkentin, M.E. (1992),
``Threats to information systems: today's
reality, yesterday's understanding'', MIS
Quarterly, Vol. 16 No. 2, pp. 173-86.
March, J.G. and Shapira, Z. (1987), ``Managerial
perspectives on risk and risk taking'',
Management Science, Vol. 33 No. 11,
pp. 1404-18.
Premkumar, G., Ramamurthy, K. and Nilkanta, S.
(1994), ``Implementation of electronic data
interchange: an innovation diffusion per-
spective'', Journal of Management
Information Systems, Vol. 11 No. 2, pp. 157-86.
Rainer, R.K., Snyder, C.A. and Carr, H.H. (1991),
``Risk analysis for information technology'',
Journal of Management Information Systems,
Vol. 8 No. 1, pp. 129-47.
Riggins, F.J., Kriebel, C.H. and Mukhopadhyay,
T. (1994), ``The growth of interorganizational
systems in the presence of network external-
ities'', Management Science, Vol. 40 No. 8,
pp. 984-98.
Schnitt, D.L. (1993), ``Reengineering the
organization using IT'', Journal of Systems
Management, pp. 14-23.
Toigo, J.W. (1992), Disaster Recovery Planning:
Managing Risk and Catastrophe in
Information Systems, Yourdan Press Comput-
ing Services, Prentice-Hall, Englewood Cliffs,
NJ.
Vitale, M.R. (1986), ``The growing risks of infor-
mation systems success'', MIS Quarterly,
Vol. 10 No. 4, pp. 327-34.
2 What is your organization's risk manage-
ment plan? Are there any areas which you
think might need addressing based on the
authors' arguments/discussions?