A RISK DECISION POLICY MODEL FOR MITIGATING RISK IN IT ORGANIZATIONS

Information Technology (IT) organizations are facing various risks such as strategic, operational and technical risks. These risks should be identified, measured and mitigated. After risks are identified, resources should be devoted to mitigate these risks. However, risk mitigation is a complicated problem especially in IT organizations. It leads to difficulty in choosing and executing mitigation actions. In risk mitigation, decision making based on the risk will be performed in order to have an efficient decision in the mitigation of identified risks. Risk mitigation in IT organizations provides a disciplinary environment for proactive decision making to measure and treat potential risk continuously. Unfortunately, present standards for risk mitigation show limitations when making decisions on how to mitigate availability risks. Existing model provides inadequate support to practitioners in making risk decision pertaining risk mitigation policies. This is due to the fact that existing approaches lack the capabilities to support practitioners, these dependencies make the technical problem of mitigating existing risks very challenging. In order to address this challenge, this research identifies the processes of risk decisions for mitigating risk in IT organizations by developing a risk decision policy model that focuses on mitigating both technical and operational risk that occurs in IT organizations.