A Review of Research on Risk Analysis Methods for IT Systems

Sardar Muhammad Sulaman, Department of Comp. Science, Lund University, Sweden, sardar@cs.lth.se
Kim Weyns, Department of Comp. Science, Lund University, Sweden, kim.weyns@cs.lth.se
Martin Höst, Department of Comp. Science, Lund University, Sweden, martin.host@cs.lth.se

ABSTRACT

Context: At the same time as our dependence on IT systems increases, the number of reports of problems caused by failures of critical IT systems has also increased. This means that there is a need for risk analysis in the development of this kind of system. Risk analysis of technical systems has a long history in mechanical and electrical engineering.

Objective: Even if a number of methods for risk analysis of technical systems exist, the failure behavior of information systems is typically very different from that of mechanical systems. Therefore, risk analysis of IT systems requires different risk analysis techniques, or at least adaptations of traditional approaches. This means that there is a need to understand what types of methods are available for IT systems and what research has been conducted on these methods.

Method: In this paper we present a systematic mapping study on risk analysis for IT systems. 1086 unique papers were identified in a database search and 57 papers were identified as relevant for this study. These papers were classified based on 5 different criteria.

Results: This classification shows, for example, that most of the discussed risk analysis methods are qualitative rather than quantitative, and that most of the risk analysis methods presented in these papers are developed for IT systems in general and not for specific types of IT system, such as e-government systems.

Conclusions: The results show that many new risk analysis methods have been proposed in the last decade, but even more that there is a need for more empirical evaluations of the different risk analysis methods.
Many papers were identified that propose new risk analysis methods, but few papers discuss a systematic evaluation of these methods or a comparison of different methods based on empirical data.

Categories and Subject Descriptors

H.1.0 [Information Systems]: Risk analysis and management

EASE ’13, April 14 - 16 2013, Porto de Galinhas, Brazil
Copyright 2013 ACM 978-1-4503-1848-8/13/04 ...$15.00.

Keywords

Risk Analysis, IT systems, Mapping study

1. INTRODUCTION

IT systems have become an essential part of our modern society. This evolution has not only created new opportunities, but also new threats to our society. The presence of IT systems everywhere has made us dependent on IT systems for our daily life. This is the case both for individuals and organizations, private as well as public. However, at the same time as the usage of, and dependence on, IT systems increases, the number of reports of problems caused by failures of critical IT systems has also increased [18]. One of the common aspects of these failures is the faith in systems that are not sufficiently dependable. The core of the problem is not that these systems suddenly become unreliable, but that we have become critically dependent on a wide variety of systems without analyzing whether they are dependable enough and what the consequences of a possible failure could be [18].
To prevent critical systems from causing problems for the organizations dependent on them, risk analysis is a necessary activity.

Risk analysis of technical systems has a long history in mechanical and electrical engineering, where many well-established methods exist. The failure behavior of IT systems is typically different from that of mechanical systems and, at the same time, the complexity can be significantly higher. The high rate at which new IT systems are being developed and updated for many critical applications usually means there is not enough historical data available for a strictly statistical analysis of the reliability of each system and its components, as is sometimes the case in risk analysis of mechanical systems. For all these reasons, risk analysis of IT systems requires different risk analysis techniques, or at least adaptations of these traditional risk analysis approaches.

In this article we present a systematic overview of previously published research on risk analysis for IT systems. Risk analysis can be performed during the development of the system, at deployment of the system, or at any time afterwards. In the ideal situation, the risk analysis should be re-evaluated each time major changes occur in the system or in the environment in which the system is used.

In this article we present an overview of operational risk analysis methods for IT systems. This includes many different types of systems and methods, but does not include project risk analysis methods, used to analyze the project