A Risk Management Model for an Academic Institution's Information System

Abstract

This article describes a two-step decision support model for investing in information technology security, both development and application. In the first step, the risk level of each of the system's components is mapped, with the aim of identifying the subsystems that pose the highest risk. In the second step, the model determines how much to invest in various technological tools and workplace culture programs to enhance information security. An application of this model to an information system in an academic institution in Israel is described. This system comprises ten subsystems and the authors identify the three that bear the most risk. These findings are used to determine the parameters of the investment allocation problem and find the optimal investment plan. The results of the model's application indicate that hacking for the purpose of cheating is a greater threat than other types of security issues. Additionally, the results support the claim that information security officials tend to overinvest in security technological tools and underinvest in improving security workplace culture.