Risk Analysis and Management of IT Systems: Practice and Challenges

Risk analysis is important for safety-critical IT systems and services, both in public and private organizations. However, the actual practices and the challenges of risk analysis in these contexts have not been fully explored. This paper investigates the current practices of risk analysis by an interview-based investigation. This study investigates several factors of the risk analysis process, e.g., its importance, identification of critical resources, definitions of roles, involvement of different stakeholders, used methods, and follow-up analysis. Further more, this study also investigates existing challenges in the current practices of risk analysis. A number of challenges are identified,e.g., that risk analysis requires competence both about the risk analysis procedures and the analyzed system,which is challenging to identify, and that it is challenging to follow-up and repeat a risk-analysis that is conducted. The identified challenges can be useful when new risk analysis methods are defined.