Academic Publications: Risk Management
Financial Pricing of Software Development Risk Factors
Ajit Appari, Michel Benaroch
IEEE Software (vol. 27 no. 5) pp. 65-73
The ability to price (monetize) software development risks can benefit various aspects of software development. Cost estimators predict project cost by adjusting a project's nominal cost on the basis of the expected values of risk factors (cost drivers), but the predicted cost is often inaccurate because the actual values of those risk factors normally deviate from expectations. Because variability is a widely used risk measure in finance, this risk-pricing method relates risk-factor variability to project-cost variability. The method estimates two parameters for each risk factor: the extra cost incurred per unit of exposure, and the project's sensitivity to that factor. Several areas can benefit from the benchmark risk-pricing parameters obtained when the method is applied with a cost estimator such as COCOMO.
Monetary Pricing of Software Development Risks: A Method and Empirical Illustration
Ajit Appari, Michel Benaroch
Journal of Systems and Software
The ability to price (monetize) software development risks can benefit various aspects of software development decision-making. This paper presents a risk-pricing method that estimates two parameters for every individual risk factor: the extra cost incurred per unit of exposure to that factor, and the project's sensitivity to it. Since variability is a widely used measure of risk in finance and decision sciences, the method derives risk-pricing parameters by relating variability in risk factors to variability in project cost. This approach rests on the fact that a parametric cost estimator predicts project cost by adjusting the "nominal" cost of a project based on the expected values of risk factors (cost drivers), while the actual project cost often deviates from the prediction because the actual values of the risk factors normally deviate from expectations. To illustrate the viability of the method, the paper applies it empirically to COCOMO data to approximate risk-pricing parameters for four risk factors (Personnel Capability, Process Maturity, Technology Platform, and Application Task). The method could work equally well with data recorded on the basis of other parametric cost estimators. The paper also discusses several areas that can benefit from benchmark risk-pricing parameters of the kind obtained. Received 13 October 2009; revised 14 April 2010; accepted 3 June 2010. Available online 11 June 2010.
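The two abstracts above describe the mechanism only in words: a parametric estimator scales a nominal cost by cost-driver multipliers, and the pricing method ties the spread of each driver to the spread of the resulting cost. The following is an added illustration of that idea, not the authors' method, code or data. It assumes a COCOMO II-style multiplicative effort model (Effort = A * Size^E * product of effort multipliers), first-order (delta-method) variance propagation with independent drivers, and constructed means and standard deviations for the four factors the paper names; every number in it is made up for the example.

```python
import math
from dataclasses import dataclass
from typing import List, Tuple

# Assumed COCOMO II-style parameters (illustrative values, not from the paper):
# Effort (person-months) = A * Size^E * product(EM_i);  Cost = Effort * labour rate.
A = 2.94                # calibration constant
E = 1.10                # scale exponent
SIZE_KSLOC = 50.0       # project size in thousands of source lines
RATE_PER_PM = 10_000.0  # labour cost per person-month (assumed)


@dataclass(frozen=True)
class CostDriver:
    """A cost driver (risk factor): expected value and spread of its effort multiplier."""
    name: str
    mean: float  # expected multiplier; 1.0 is the nominal rating
    sd: float    # standard deviation of the multiplier across projects (its variability)


# Constructed sample data: the four factors named in the abstract, with made-up
# means and standard deviations (these are not figures from the paper).
DRIVERS: List[CostDriver] = [
    CostDriver("Personnel Capability", mean=0.85, sd=0.15),
    CostDriver("Process Maturity", mean=1.00, sd=0.10),
    CostDriver("Technology Platform", mean=1.10, sd=0.10),
    CostDriver("Application Task", mean=1.05, sd=0.15),
]


def nominal_cost(size_ksloc: float = SIZE_KSLOC, rate: float = RATE_PER_PM) -> float:
    """Cost with every driver at its nominal rating (all multipliers equal to 1.0)."""
    return A * size_ksloc ** E * rate


def expected_cost(drivers: List[CostDriver], size_ksloc: float = SIZE_KSLOC,
                  rate: float = RATE_PER_PM) -> float:
    """Point estimate: the nominal cost adjusted by the drivers' expected multipliers."""
    em = 1.0
    for d in drivers:
        em *= d.mean
    return nominal_cost(size_ksloc, rate) * em


def sensitivity(drivers: List[CostDriver], name: str) -> float:
    """dCost/dEM_i. For a multiplicative model this is Cost / EM_i: the extra cost
    incurred per unit increase in that driver's multiplier, other drivers held at
    their expected values."""
    cost = expected_cost(drivers)
    for d in drivers:
        if d.name == name:
            return cost / d.mean
    raise KeyError(name)


def price_risk(drivers: List[CostDriver]) -> Tuple[float, float, List[Tuple[str, float, float]]]:
    """Relate driver variability to cost variability by first-order (delta-method)
    propagation, assuming independent drivers:
        Var(Cost) ~= sum_i (dCost/dEM_i)^2 * Var(EM_i)
    Returns (expected cost, cost standard deviation, rows of
    (driver name, extra cost per unit exposure, share of cost variance)),
    rows sorted by variance share, largest first."""
    cost = expected_cost(drivers)
    contributions = []
    for d in drivers:
        per_unit = cost / d.mean  # extra cost per unit exposure to this driver
        contributions.append((d.name, per_unit, (per_unit * d.sd) ** 2))
    total_var = sum(v for _, _, v in contributions)
    rows = [(n, s, v / total_var) for n, s, v in contributions]
    rows.sort(key=lambda r: r[2], reverse=True)
    return cost, math.sqrt(total_var), rows


if __name__ == "__main__":
    cost, cost_sd, rows = price_risk(DRIVERS)
    print(f"expected cost {cost:,.0f}  +/- {cost_sd:,.0f} (1 sd)")
    for name, per_unit, share in rows:
        print(f"{name:22s} extra cost per unit exposure {per_unit:12,.0f}  variance share {share:5.1%}")
```

The variance-share column is what a benchmarking exercise would compare across projects: with the constructed inputs, Personnel Capability dominates because its multiplier has the largest relative spread (sd/mean), even though Technology Platform has the higher expected multiplier. The delta method is linear, so it understates the spread when multipliers have large variance; a Monte Carlo draw over the same distributions would be the check before relying on the numbers.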
Managing Risk of IT Disruptions in Healthcare Settings: A Continuity of Operations Planning Process
Scott Dynes, Stephen Pixley, Douglas Madory
Proceedings of the 2009 AMCIS
Over the last few decades, a rapid adoption of information technologies in nearly every facet of patient care in healthcare settings has taken place; the recent U.S. government emphasis on the utilization of IT in healthcare will only serve to increase the dependency of care providers on IT. As IT becomes increasingly central to clinical and business practice, health care institutions must become increasingly vigilant about preparations for continuity of operations when normal IT functions are disrupted. In this paper we describe the development and use of a process designed to manage the risk to patient safety and clinical operations due to IT and communications failures; this process includes identifying critical applications and formulating plans for organizational and departmental responses in cases of IT and communication failures. Lessons learned will be discussed in the context of enabling other healthcare organizations to use this process.
Information Risk of Inadvertent Disclosure: An Analysis of File-Sharing Risk in the Financial Supply
M. Eric Johnson
Journal of Management Information Systems, 2008
Firms face many different types of information security risk. Inadvertent disclosure of sensitive business information represents one of the largest classes of recent security breaches. We examine a specific instance of this problem—inadvertent disclosures through peer-to-peer file-sharing networks. We characterize the extent of the security risk for a group of large financial institutions using a direct analysis of leaked documents. We also characterize the threat of loss by examining search patterns in peer-to-peer networks. Our analysis demonstrates both a substantial threat and vulnerability for large financial firms.
The Evolution of the Peer-to-Peer File Sharing Industry and the Security Risks for Users
M. Eric Johnson, Dan McGuire
Proceedings of the 41st Hawaii International Conference on System Sciences, 2008
This paper examines the peer-to-peer file sharing phenomenon, including an overview of the industry, its business models, and its evolution. The authors describe the information security risks users face, including disclosure of personal identification and leakage of proprietary business information.
Economic Costs of Firm-Level Information Infrastructure Failures
M. Eric Johnson, Scott Dynes
International Journal of Logistics Management. 2007.
Risk and business have always been inseparable, but new information security risks pose unknown challenges. How should firms organize and manage to improve enterprise security? In this article, the authors address how chief information security officers (CISOs) are working to build secure organizations.
Supply Chain Management: Technology, Globalization, and Policy at a Crossroads
M. Eric Johnson
Interfaces, Volume 36, 2006
The forces of globalization and technology are changing supply chains. In many cases, the supply chains are literally disintegrating. Product designers, marketers, and manufacturers that were previously housed in a single facility are now spread over several continents in organizations with different cultures, languages, and business objectives. For example, not long ago, apparel firms, such as Levi Strauss and Company, did it all—operating their own US production plants along with their core design and marketing activities. In the past few years, that has changed.
Dual Sourcing Strategies
M. Eric Johnson
Supply Chain Excellence in Emerging Economies, Springer-Verlag, Editors Hau L. Lee and Chung-Yee Lee, 2006
This article examines a case study of Mattel and its decision process to add production capacity to a network of both outsourced and Mattel-operated facilities. Set during the Asian financial crisis, the case illustrates: 1) How toy makers manage demand and supply uncertainty; 2) Mattel's outsourcing strategy in Asia; 3) How Mattel integrates its marketing and supply chain strategy.
Managing Information Risk and the Economics of Security
M. Eric Johnson
Springer, December 2005
Information has become a source of growing risk as more firms maintain information online. Managing Information Risk and the Economics of Security presents the latest research on the economics driving both the risks and the solutions. Covering the implications of policy within firms and across countries, this volume provides managers and policy makers with new thinking on how to manage risk. It is designed for managers, policy makers, and researchers focusing on the economics of information security, as well as advanced-level students in computer science, business management, and economics.
Information Security in the Extended Enterprise
What are the main drivers of private-sector investment in information security? How exposed are firms to cyber risks arising from their reliance on the information infrastructure? Initial results are presented from a field study of a manufacturing company and four of its suppliers of different sizes. We find that many managers believe: that information security is less a competitive advantage than a qualifier for doing business; that firms' internal networks are not at additional risk as a result of using the information infrastructure to integrate their supply chains; and that their supply chains are robust to internet outages of up to a week in duration. We discuss their security perceptions and actions in the context of a cost model.