In this dissertation we propose a novel risk assessment (RA) methodology and a corresponding implementation tool, directed specifically towards electronic governance (EG) initiatives while allowing adaptation to other RA scopes. The methodology aspires to differ from conventional ones in its field of application, in the way it is applied, in the way it forms its results and in the methods it proposes for mitigating risk in the projects and systems to which it is applied.
We describe its background and the motives and experiences that led us to develop it. We analyze the methodology and its implementation procedure, as well as the way results are extracted. The implementation tool incorporates a broad library of levels, areas and dimensions of risk, as well as countermeasures and critical success factors. We provide ways of calculating the probabilities and impact of the risks, the cost of the countermeasures and their coverage of risk, as well as a series of indices used to express inferences about risk, total coverage, margin of coverage and countermeasure cost. The methodology provides for risk and project dependencies, employing Bayesian Belief Networks and three-dimensional matrices. To demonstrate its usage and the usefulness of its results, it is applied to two public key infrastructure (PKI) projects, one already implemented and one proposed for implementation.
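The paragraph above names two mechanisms without spelling them out: a Bayesian Belief Network over dependent risks, and countermeasure coverage that feeds into cost and coverage indices. The Python example below is an added illustration of the general technique; it is not code from the dissertation, which does not give its formulas or data on this page. The network, its node names and probabilities, the impacts, the countermeasures and their costs, and the index definitions are all constructed assumptions. It shows what propagation through the dependency graph buys: a measure that reduces one risk also lowers the expected loss of every risk downstream of it. The three-dimensional matrices are not demonstrated.

```python
from itertools import product

# Constructed illustrative network of binary risk nodes (True = the risk
# materialises). Each entry: node -> (parents, CPT), where the CPT maps a
# tuple of parent values to P(node = True | parents). All names and numbers
# here are assumptions for the example, not figures from the dissertation.
RISK_NETWORK = {
    "inadequate_legal_framework": ((), {(): 0.30}),
    "staff_resistance": ((), {(): 0.25}),
    "low_citizen_uptake": (
        ("inadequate_legal_framework", "staff_resistance"),
        {(True, True): 0.90, (True, False): 0.60,
         (False, True): 0.50, (False, False): 0.10},
    ),
    "pki_service_abandoned": (("low_citizen_uptake",),
                              {(True,): 0.70, (False,): 0.05}),
}

# Impact if the risk materialises, in thousands of euro (constructed).
IMPACT = {
    "inadequate_legal_framework": 100.0,
    "staff_resistance": 50.0,
    "low_citizen_uptake": 200.0,
    "pki_service_abandoned": 500.0,
}

# Countermeasures: cost (same units) and the fraction of each targeted risk's
# probability they remove (constructed).
COUNTERMEASURES = [
    {"name": "staff change-management programme", "cost": 25.0,
     "coverage": {"staff_resistance": 0.60}},
    {"name": "usability redesign of the citizen portal", "cost": 35.0,
     "coverage": {"low_citizen_uptake": 0.40}},
]


def topological_order(network):
    """Parents before children; repeated sweep, fine for small acyclic nets."""
    order = []
    while len(order) < len(network):
        order += [n for n, (parents, _) in network.items()
                  if n not in order and all(p in order for p in parents)]
    return order


def marginals(network):
    """P(risk = True) for every node, by exact enumeration of the joint."""
    nodes = topological_order(network)
    totals = dict.fromkeys(nodes, 0.0)
    for values in product((True, False), repeat=len(nodes)):
        assignment = dict(zip(nodes, values))
        joint = 1.0
        for node in nodes:
            parents, cpt = network[node]
            p_true = cpt[tuple(assignment[p] for p in parents)]
            joint *= p_true if assignment[node] else 1.0 - p_true
        for node in nodes:
            if assignment[node]:
                totals[node] += joint
    return totals


def apply_countermeasures(network, measures):
    """Scale each targeted risk's CPT by the fraction its measures leave uncovered.

    Several measures on one risk combine as 1 - prod(1 - c), so coverage never
    exceeds 1; scaling the CPT lets the reduction propagate to dependent risks.
    """
    uncovered = dict.fromkeys(network, 1.0)
    for measure in measures:
        for node, c in measure["coverage"].items():
            uncovered[node] *= 1.0 - c
    return {node: (parents, {k: v * uncovered[node] for k, v in cpt.items()})
            for node, (parents, cpt) in network.items()}


def expected_loss(network, impact):
    """Exposure: sum of P(risk) * impact over all risks."""
    return sum(p * impact[node] for node, p in marginals(network).items())


def risk_indices(network, impact, measures):
    """Illustrative summary indices (not the dissertation's own definitions)."""
    total = expected_loss(network, impact)
    residual = expected_loss(apply_countermeasures(network, measures), impact)
    cost = sum(m["cost"] for m in measures)
    return {
        "total_exposure": total,
        "residual_exposure": residual,
        "coverage_ratio": 1.0 - residual / total,  # share of exposure removed
        "countermeasure_cost": cost,
        "net_benefit": (total - residual) - cost,  # > 0: measures pay for themselves
    }


if __name__ == "__main__":
    for name, value in risk_indices(RISK_NETWORK, IMPACT, COUNTERMEASURES).items():
        print(f"{name:>20}: {value:.4f}")
```

With the constructed numbers, neither countermeasure touches `pki_service_abandoned` directly, yet its marginal drops from about 0.27 to about 0.16 because both measures lower `low_citizen_uptake`, its only parent. Enumeration is exponential in the number of nodes and is only sensible for the small dependency graphs an evaluator would draw by hand; a real toolkit would use a proper inference library.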
The proposed methodology aspires to:
a) be a quick, easy and effective RA methodology and tool, specialized in its field;
b) better target the security and privacy goals of e-government projects, since a contextualized tool promotes the formulation of accurate security-related decisions;
c) form a connection between technical ICT RA methodologies and Information Technology Governance (ITG) frameworks;
d) increase security and privacy awareness by promoting the active involvement of a larger variety of non-technical personnel;
e) facilitate the application of baseline security and privacy policies;
f) integrate long-term and diverse experience and research in public administration project structures and procedures, so as to be an effective aid to project success; and
g) have logic and processes that can be adapted and applied to other RA fields.
The novelty of its approach lies in:
a) Its integration of a large number of unconventional, non-technical but common EG-related risk factors, from areas such as society, end-users, public administration personnel, politics, legal and regulatory frameworks and even psychology, in an easy-to-use iterative RA process.
b) The expression of its results using practical, comparison-friendly and succinct risk indices.
c) Its distinct approach to the RA of EG systems and projects. Following a philosophy dissimilar from that of conventional RA methodologies and tools (which focus mainly on technical issues and processes), it specifically incorporates the areas of risk that are particularly important in EG and constitute the most common causes of failure. It attempts to provide an interface between the broader managerial philosophy of COBIT, ISO/IEC 27002 and ITIL and the technical methodologies, by adding and integrating dimensions to which the attention of key EG stakeholders can be drawn and for which actions or measures can be undertaken.
d) Its promotion of self-check and self-evaluation of the RA process, beyond the limits of technical tools and into the realm of ITG frameworks and effective EG practices.
e) Its great flexibility. The evaluators can choose from (and add to or subtract from) the elements provided as they wish, without inhibiting the methodology's ability to extract results. Naturally, the more comprehensive the selection and the better it covers the case study, the more trustworthy the results. The evaluators can choose the risks they evaluate, the consequences should they materialize, the factors that may cause them, the vulnerabilities they may affect and the coverage of the countermeasures. As a result, the proposed methodology can be used as a template in virtually any kind of system, in any area of RA.
The critical success factors (CSFs) of the methodology itself, and of its ability to extract useful results, are:
a) the inclusion in the evaluation of all the risk factors important to the project, going beyond those proposed in the methodology where the evaluators judge it necessary;
b) the inclusion of all the CSFs essential to the purposes of the project; and
c) the selection of effective, attainable and cost-effective countermeasures that do not work against the functionality and user-friendliness of the system.
The main weakness of the methodology, in its current form, is that its performance and effectiveness rest upon the determination, insight and experience of the professionals who use it (which is true of all RA methodologies and tools), and that it is used as a complement to other, more established toolkits. This is because, while it comprises a complete tool with a rich library of data, it is not yet implemented in software that could autonomously guide and assist a systematic evaluation, determine a detailed security approach for the assets needing protection and suggest the security policies to apply.
As further development, we intend to implement the methodology as a software toolkit, with a knowledge base for the risks, CSFs and countermeasures, tools for dependency-graph construction, probability calculation and reporting, as well as an interface with other well-known toolkits.
As a subject of further research, we suggest forming the methodology into a template for application in other areas of RA. By adjusting the risk areas, the CSFs and the countermeasures, the application algorithm and the risk indices can be fitted appropriately, so as to constitute a useful tool in other fields, technological and non-technological, such as biological systems, ecosystems and social structures.