A DEA-Based Approach for Information
        
The use of Information Technology (IT) in organizations is subject to various kinds of potential risks. Risk management is a key component of project management that enables an organization to accomplish its mission(s). However, IT projects have often been found to be complex and risky to implement in organizations. The organizational relevance and risk of IT projects make it important for organizations to focus on ways to implement IT projects successfully. This paper focuses on IT risk management, especially the risk assessment model, and proposes a process-oriented approach to risk management. To this end, this paper applies the Risk IT framework, which has three main domains, i.e., Risk Governance (RG), risk analysis, and Risk Response (RR), and 9 key processes. Then, a set of scenarios that can improve the maturity level of the Risk IT processes is considered, and the impact of each scenario on the Risk IT processes is determined by expert opinions. Finally, Data Envelopment Analysis (DEA) is customized to evaluate the improvement scenarios and select the best one. The proposed methodology is applied to the Iran Telecommunication Research Centre (ITRC) to improve the maturity level of its IT risk management processes.
Morteza Hatefi received his BSc degree in statistics in 2005 and his MSc and PhD degrees in industrial engineering from University of Tehran in 2009 and 2013, respectively. His current research interests include: supply chain network design, logistics planning, multi-criteria decision making, data envelopment analysis, information technology, risk management, uncertain programming and operations research applications. He has published several papers in the aforementioned areas.

Mehdi Fasanghari received his BSc degree in industrial engineering in 2004 and his MSc degree in information technology engineering in 2006, Iran. Currently, he is a PhD student in industrial engineering department, University of Tehran, Iran. His current research interests are IT Governance, E-government promotion, enterprise architecture, interoperability, soft computing, intelligent decision support systems and advanced multi-criteria decision analysis. He has published more than 50 conference and 20 journal papers in this regard and he is the editor of international journals and IEEE conferences. He has been involved in many scientific and managerial positions such as deputy head of IT Research Faculty at Cyber Space Research Institute these years.
