Abstract
The inability to engage with systems risk during the development of integrated socio-technical systems presents a real threat to global and local socio-economic stability. Current theories of systems risk engagement are driven by a functionalist orthodoxy. Accordingly, risk management is either non-existent, carried out in parallel with other development activity, or used by organisations as an instrument of control. Systems risk management needs to be addressed at the source of the problem: the systems engineering process. This paper addresses the predominant failure to engage appropriately with systems risk during development. Its theoretical dimensions draw on a diversity of risk perspectives, complexity theory and socio-technical systems theory. A broad literature review of different risk concepts, risk management perspectives and organisational paradigms (functionalist, interpretive, radical humanist and radical structuralist) is also presented. To overcome the lack of a holistic and reflective risk management approach to systems development, the paper sketches an integrated soft systems methodology approach that can be used for engaging with systems risk during systems development.
Organ, J., Stapleton, L. Technologist engagement with risk management practices during systems development? Approaches, effectiveness and challenges. AI & Soc 31, 347–359 (2016). https://doi.org/10.1007/s00146-015-0597-4