IT Risk Management: Towards a System for Enhancing Objectivity in Asset Valuation that Engenders a Security Culture

Metin, Bilgin, Duran, Sefa, Telli, Eda, Mutlutürk, Meltem and Wynn, Martin G ORCID: 0000-0001-7619-6079 (2024) IT Risk Management: Towards a System for Enhancing Objectivity in Asset Valuation that Engenders a Security Culture. Information, 15 (1). pp. 1-28. doi:10.3390/info15010055

Pubs - Metin Wynn et al Information published version Jan 2024.pdf - Published Version
Available under License Creative Commons Attribution 4.0.

Download (1MB) | Preview


In today’s technology-centric business environment, where organizations encounter numerous cyber threats, effective IT risk management is crucial. An objective risk assessment— based on information relating to business requirements, human elements, and the security culture within an organisation — can provide a sound basis for informed decision making, effective risk prioritisation, and the implementation of suitable security measures. This paper focuses on asset valuation, supply chain risk, and enhanced objectivity — via a “segregation of duties” approach — to extend and apply the capabilities of an established security culture framework. The resultant system design aims at mitigating subjectivity in IT risk assessments, thereby diminishing personal biases and presumptions to provide a more transparent and accurate understanding of the real risks involved. Survey responses from 16 practitioners working in the private and public sectors confirmed the validity of the approach but suggest it may be more workable in larger organisations where resources allow dedicated risk professionals to operate. This research contributes to the literature on IT and cyber risk management and provides new perspectives on the need to improve objectivity in asset valuation and risk assessment.

Item Type: Article
Article Type: Article
Additional Information: This article belongs to the Special Issue Feature Papers in Information in 2023. Acknowledgements: The authors express their gratitude to the Information Systems Audit and Control Association (ISACA) Istanbul Chapter for their valuable collaboration in conducting the survey for this study.
Uncontrolled Keywords: risk assessment; asset value; information security; risk management; objective risk assessment;segregation of duties;security culture framework;COBIT2019;international standards; cyber security;supply chain security
Subjects: T Technology > T Technology (General)
Divisions: Schools and Research Institutes > School of Business, Computing and Social Sciences
Research Priority Areas: Applied Business & Technology
Depositing User: Martin Wynn
Date Deposited: 26 Jan 2024 09:14
Last Modified: 20 Feb 2024 12:53

University Staff: Request a correction | Repository Editors: Update this record

University Of Gloucestershire

Bookmark and Share

Find Us On Social Media:

Social Media Icons Facebook Twitter Google+ YouTube Pinterest Linkedin

Other University Web Sites

University of Gloucestershire, The Park, Cheltenham, Gloucestershire, GL50 2RH. Telephone +44 (0)844 8010001.