Journal of Information Engineering and Applications

During the last 20 years many technological advances have inundated the entire spectrum of our everyday lives. None of these advances has had such an impact like the IT revolution which can only compare with the Industrial Revolution of the 18^th Century. The advent and acceptance of Information Technology as the norm rather the exception has seen this sector move from a tedious and cumbersome manually managed and run sector, to an almost paperless industry that is almost entirely dependent on Information Systems. With the growth of the dependency on IT, the impact of risk concerns on the development and exploitation of information systems has also increased exponentially. Within the financial services industry, risk management involves assessing and quantifying business risks, then taking measures to control or reduce them. These methods are generally built around a well structured process. However, the product coming from the different risk management steps is still largely informal, and often not analytical enough. This lack of formality hinders the automation of the management of risk-related information. Furthermore, these risk management system focuses on specific phases of the software life cycle, without recognizing that risks in one stage can have an impact on other stages. This necessitates the proposed study in order to propose a generic approach that may be deployed to mitigate risks from the early stages of financial information systems development for daily financial institution operations until the post-implementation phases. This paper proposes a new approach for performing a risk analysis study of financial information systems. It is aimed at developing a generic approach for Risk Analysis and Management applicable from the early phases of information system development unlike in the existing models which are applied after the development process. It can be utilized for identifying and valuating the assets, threats, and vulnerabilities of the information system, followed by a graphical modeling of their interrelationships using Bayesian Networks. The proposed approach will exploit the results of the risk analysis for developing a Bayesian Network model, which presents concisely all the interactions of the undesirable events for the system. Based on “what–if” studies of system operation, the Bayesian Network model identifies and prioritizes the most critical events.

Keywords: Riks, risk management, Bayesian Network model