A DEA-Based Approach for Information Technology Risk Assessment through Risk Information Technology Framework

The use of Information Technology (IT) in organizations is subject to various kinds of potential risks. Risk management is a key component of project management enables an organization to accomplish its mission(s). However, IT projects have often been found to be complex and risky to implement in organizations. The organizational relevance and risk of IT projects make it important for organizations to focus on ways in order to successfully implement IT projects. This paper focuses on the IT risk management, especially the risk assessment model and proposes a process oriented approach to risk management. To do this end, this paper applies the risk IT framework which has three main domains, i.e., Risk Governance (RG), risk analysis, Risk Response (RR) and 9 key processes. Then, a set of scenarios, which can improve the maturity level of risk IT processes, are considered and the impact of each scenario on the risk IT processes is determined by the expert opinions. Finally, the Data Envelopment Analysis (DEA) is customized to evaluate improvement scenarios and select the best one. The proposed methodology is applied to the Iran Telecommunication Research Centre (ITRC) to improve the maturity level of its IT risk management processes.