A General, But Readily Adaptable Model of Information System Risk

This article is the first of two whose goal is to advance the discussion of IS risk by addressing limitations of the current IS risk literature. These limitations include: inconsistent or unclear definitions of risk, limited applicability of risk models, frequent omission of the temporal nature of risk, and lack of an easily communicated organizing framework for risk factors. This article presents a general, but broadly adaptable model of system-related risk. The companion article, (CAIS Volume 14, Article 2) focuses on IS risk factors and how these factors can be organized. This article starts by identifying criteria for a general, but broadly applicable risk model. It compares alternative conceptualizations of risk and provides clarifications of the definitions of risk and of different treatments of goals, expectations, and baselines for assessing risk. It presents several of the risk models in the IS literature and discusses the temporal nature of risk. Based on that background it presents a general and broadly adaptable model of risk that encompasses: goals and expectations, risk factors and other sources of uncertainty, the operation of the system or project whose risks are being managed, the risk management effort, the possible outcomes and their probabilities, impacts on other systems, and the resulting financial gains or losses. The model\u27s adaptability allows users to eliminate facets that are not important for their purposes. For example, the majority of current practitioners would probably think of risk in terms of negative outcomes rather than the full distribution of possible outcomes. A comparison of the general model with other risk models in the IS literature shows that it covers most of the ideas expressed by previous IS risk models while also providing a practical approach that managers can use for thinking about IS risk at whatever level of detail makes sense to them