Risk Evaluation Model for Information Technology Services in Integrated Risk Assessment

  • Noriaki Matsumura (email author)
  • Masakatsu Nishigaki
  • Takahiro Hasegawa
Conference paper
Part of the Lecture Notes in Networks and Systems book series (LNNS, volume 101)


A risk evaluation model for information technology (IT) services in integrated risk assessment is proposed in this paper. The model covers management systems for both information security and IT services. A component-impact coefficient parameter is introduced to define the strength of the relation between assets and IT services. The concept of composition of relations and the weighted sum principle are applied to analyze and evaluate the risk of IT services. When we applied the model to IT services in operation, the risk evaluation was output as quantities that reflect the component-impact coefficient, and risk treatment priorities were obtained by ranking those quantities in descending order. The proposed model therefore improves the precision of risk evaluation, and applying it allows more accurate risk evaluation than the conventional method.
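The abstract names three ingredients (a threat-to-asset relation, an asset-to-service relation weighted by a component-impact coefficient, and a weighted sum over the composed relation to rank services) without giving the paper's formulas. The following is an added illustration of those concepts, not the authors' model: all asset, threat and service names, coefficient values and the sum-product rule for composing relations are constructed assumptions for this example.

```python
"""Constructed illustration of composing relations and ranking IT services by
weighted-sum risk. Not the paper's model; every value below is made up."""

# Constructed threat -> asset relation: estimated likelihood that a threat
# materialises on a given asset (0..1).
THREAT_ASSET = {
    "ransomware":       {"db-server": 0.4, "web-app": 0.2, "backup": 0.3},
    "credential-theft": {"ldap": 0.5, "web-app": 0.3},
}

# Constructed asset -> service relation: the component-impact coefficient,
# i.e. how strongly a failure of the asset degrades the service (0..1).
ASSET_SERVICE = {
    "db-server": {"customer-portal": 0.8, "reporting": 0.6},
    "web-app":   {"customer-portal": 1.0},
    "ldap":      {"customer-portal": 0.5, "email": 0.9},
    "backup":    {"email": 0.2, "reporting": 0.4},
}

# Constructed business impact weight per threat (e.g. a 1..5 scale).
THREAT_IMPACT = {"ransomware": 5, "credential-theft": 4}


def compose_relations(r1, r2):
    """Compose two weighted relations A->B and B->C into A->C.

    Assumed rule: (r1 o r2)[a][c] = sum over b of r1[a][b] * r2[b][c].
    Pairs with no shared intermediate element simply do not appear.
    """
    composed = {}
    for a, row in r1.items():
        for b, w1 in row.items():
            for c, w2 in r2.get(b, {}).items():
                composed.setdefault(a, {})
                composed[a][c] = composed[a].get(c, 0.0) + w1 * w2
    return composed


def weighted_service_risk(threat_service, threat_impact):
    """Weighted sum: service risk = sum over threats of strength * impact."""
    risk = {}
    for threat, row in threat_service.items():
        weight = threat_impact[threat]
        for service, strength in row.items():
            risk[service] = risk.get(service, 0.0) + strength * weight
    return risk


def rank_services(risk):
    """Risk treatment priority: services in descending order of risk."""
    return sorted(risk.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    threat_service = compose_relations(THREAT_ASSET, ASSET_SERVICE)
    risk = weighted_service_risk(threat_service, THREAT_IMPACT)
    for service, value in rank_services(risk):
        print(f"{service:16s} {value:.2f}")
```

With the constructed inputs, the composed threat-to-service relation gives customer-portal a risk of 4.80, email 2.10 and reporting 1.80, so customer-portal would be treated first. Services that share an asset inherit its threat exposure in proportion to the coefficient, which is the effect the abstract attributes to the component-impact parameter.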


Keywords: Integrated risk management, Risk assessment, Weighted sum, Information security management system, IT service management system



Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  • Noriaki Matsumura (1, 2; email author)
  • Masakatsu Nishigaki (1)
  • Takahiro Hasegawa (1)
  1. Shizuoka University, Hamamatsu, Japan
  2. Shinshu University, Matsumoto, Japan
