Information Technology Risk Measurement: Octave-S Method

The purpose of this research is to identify IT risk in the company, to recommend ways to address the risks that occur, and to provide a reference for measuring IT risk in the company. The research methods used are book studies, field studies, and analysis techniques. Book studies consist of collecting information from books and journals. Field studies are carried out through interviews and observation at the company. The analysis uses a qualitative approach with Octave-S (Operationally Critical Threat, Asset, and Vulnerability Evaluation - S) as the method for measuring IT risk in the company. The result of this research is a description of information technology in the company, the IT risks that occur, and the mitigation activities for those risks. The conclusion of the research points to three critical areas, such as awareness and security training, security strategy, security management, and disaster recovery.

Index Terms - Risk Management, Information Technology, Octave-S method


INTRODUCTION
In this era of globalization, IT plays an important role in business development, especially for company performance. Using IT helps the company obtain valid information and helps management make the right decisions. Many companies do not realize the risks that arise from implementing IT, so a company has to take action to control the risks that could cause it losses.
According to Papaioannou [8], measuring risk can help the company reduce the vulnerability that affects the profit margin. There are some principles for taking the best decisions in risk management: first, identify the type of exchange rate risk; then develop the exchange rate risk management strategy; create a centralized entity in the firm's treasury to deal with the practical aspects of the execution of exchange rate; next, develop a set of controls to monitor the firm's exchange rate risk; and last, establish a risk oversight committee. In managing currency risk, companies utilize different hedging strategies depending on the specific type of currency risk.
This research is carried out at TIS.Ltd, a company where many risks still occur. To control them, we use the Octave-S method to measure the risks and give recommendations for resolving them.

RESEARCH METHOD
To achieve the purpose of the company, this research uses book studies, field studies, and analysis techniques. In the book studies, information is collected from literature, books, and journals. The field studies are done by interviewing the IT department about the company's IT data, following the Octave-S questions, and by direct observation at the company. Last, the analysis uses a qualitative approach based on the Octave-S method to measure risk in the company, which is divided into three phases: determine the threat profile according to the assets, identify the employee infrastructure, and develop the security strategy and plan.

LITERATURE REVIEW
According to Anghelache et al. [2], operational risk is a direct or indirect risk that results from inadequate internal processes, people, and systems, and from the external area. It is also a risk to income: a direct loss connected to significant errors or illegal behavior arising from system errors and process inadequacy. It can be interpreted as a vulnerability of a financial institution that needs to be eliminated through increased control.
According to Moteff [6], risk assessment involves the integration of threat and vulnerability, but it also involves deciding which measures to take based on a risk reduction strategy. Assessing risk implies uncertain consequences; the impact can be categorized in a number of ways. The impact or consequence may be measured more accurately at the point of process.
According to Nekrasov et al. [7], risk measurement is the most difficult single task in the valuation of a security; it is done to estimate the risk from return and obtain an expected discount payoff. Value in risk is created by the operating, investing, and financing activities and is directly linked to the process. A risk measure's result can be validated with different approaches. First, emphasize price level creation to evaluate the method by comparing it with the observed price. Second, to assess the accuracy of the average value estimate, examine the relation between the fundamental-based value and the cost of equity by the current price. Third, evaluate the reliability of the alternative to the implied cost of equity by examining its association with known proxies from several sources of information.
According to Branger and Schlag [3], model risk concerns the case where uncertainty needs to be increased continuously, and it also arises when there is a class of models but it is not known which model from this class is the true one. The problem of model risk is solved by going to the data in order to identify the process. Some probability distribution according to the model risk. First, model risk seems to be quite similar to market incompleteness that does not include model risk, where the number of risk factors is just too high relative to the number of linearly. Model risk also does not imply that the candidate models are incomplete. It is important to be clear about the notation for the risk measures. First, there are risk measures in the case of model risk that are used to measure the overall amount. Second, there are model risk measures that capture the model risk itself.

Rudy M. Harahap
According to Chang et al. [4], managing portfolio risk is a necessary concept in risk management, and it is important to consider what the consequences would be if risk were not well managed. Risk is essentially the standard deviation of return on an asset portfolio. To have a risk measure, the risk management model needs some improvement so that it will qualify the risk on the monetary scale, large losses, and encourage diversification. For this measurement, we use the Octave-S approach.
According to Alberts et al. [1], Octave is an approach for managing information system risk, and their work presents an overview of the approach developed at the Software Engineering Institute (SEI). Octave is targeted at organizational risk and is strategically focused; it is also driven by two aspects: operational risk and security practice. The main keys of the Octave approach are:
- Identify information related to assets that are important to the organization
- Focus risk analysis activities on those assets judged to be the most critical to the organization
- Consider the relationships among the critical assets
According to Panda [5], the Octave approach is one of the frameworks that enables an organization to understand, assess, and get a perspective on its information security risk. Octave will help the organization to (1) develop qualitative risk evaluation criteria based on operational risk tolerance, (2) identify assets that are critical to the mission of the organization, (3) identify vulnerabilities and threats to the critical assets, (4) determine and evaluate potential consequences to the organisation if threats are realized, and (5) initiate corrective actions to mitigate risks and create a practice-based protection strategy.

RISK MANAGEMENT IN THE COMPANY
The implementation of information technology supports the company's business processes, but problems still occur because the company has not carried out risk management since it implemented IT in its systems. The company therefore needs to measure risk to know how far the risk will affect its business processes. Information technology risk measurement uses Octave-S (the Operationally Critical Threat, Asset, and Vulnerability Evaluation - S). Octave-S is a variant of the approach developed for the needs of companies with a smaller scope.
Criteria Evaluation was the first step done by the company, to determine the level of impact for each criterion. This research took only 3 criteria.
First, reputation / customer trust. This criterion has three levels of impact: low, medium, and high. The customer suffers a small loss and needs no compensation for the loss received.
Second, financial. The financial criterion also has three impact levels, applied to operational cost and to lost revenue. If operational cost increases by less than 2%, the impact is low; if it increases by 2%-15%, the impact is medium; and if it increases by more than 15%, the impact is high. Risk from using information technology can also cause lost revenue: the impact is low if the loss is less than 5% in a year, medium if the loss is 5%-20% a year, and high if the loss is more than 20% per year.
Third, productivity. This is seen from the working hours of each employee: if working hours increase by less than 10% for 2 days, the impact is low; if they increase by between 10%-30% in 2 days, the impact is medium; and if they increase by more than 30% for 2 days, the impact is high.
Asset Identification was the second step in the Octave-S framework. This step identifies the information systems, applications, and services in the supply IS, and also identifies the important people in the company who have skills and knowledge. The systems, information, services, and assets are those related to the supply process: the system is the one used in the process; the information is the product stock; the application and service is the database application using SQL 2005; and the other assets related to the system are the Delivery Order form, Invoice form, and Stock Report. The people are the employees who have skills and special knowledge that would be difficult to replace.
Security Practice was the last step in the Octave-S framework. It is divided into aspects of security practice to evaluate how far security practices have been implemented in the company. Each is assessed with one of three colors: red when the company did nothing in security practices; yellow when the company rarely carried out the security steps and needs to improve its effort; and green when the company carried out the security steps well and needs no improvement.
Choosing the critical asset is the step of Octave-S that needs to be identified by the company. According to the scope of the research, it is necessary to know the total product stock. The users of this system are the logistics and finance departments, and maintenance of the system is given to the IT staff. Other assets related to this system: the information needed is the master product, initial product cost, and sales production cost with the FIFO method; the other assets are a computer and the LAN network.
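The impact criteria and the red/yellow/green security practice statuses described above can be kept as data and evaluated consistently. The following is an added example, not part of the original paper; the function names, the "worst level" summary, and the sample figures are assumptions made for illustration.

```python
# Added illustration: thresholds and stoplight meanings come from the text;
# names, the "worst" summary and the sample data are assumptions.

# (low_below, high_above) in percent. Below the first bound is low, above the
# second is high, and anything in between (bounds included) is medium.
IMPACT_CRITERIA = {
    "operational_cost_increase": (2.0, 15.0),        # financial
    "revenue_loss_per_year": (5.0, 20.0),            # financial
    "working_hours_increase_2_days": (10.0, 30.0),   # productivity
}
LEVELS = ("low", "medium", "high")
NEEDS_IMPROVEMENT = {"red": 0, "yellow": 1}  # green needs no improvement


def impact_level(criterion, percent):
    """Rate one measured value against the thresholds stated in the text."""
    if criterion not in IMPACT_CRITERIA:
        raise KeyError(f"no impact criterion named {criterion!r}")
    if percent < 0:
        raise ValueError("percent must be non-negative")
    low_below, high_above = IMPACT_CRITERIA[criterion]
    if percent < low_below:
        return "low"
    if percent > high_above:
        return "high"
    return "medium"


def rate_threat(measurements):
    """Return (per-criterion levels, highest level seen or None)."""
    rated = {name: impact_level(name, pct) for name, pct in measurements.items()}
    worst = max(rated.values(), key=LEVELS.index, default=None)
    return rated, worst


def practices_to_improve(stoplight):
    """Return red areas first, then yellow; green areas are left out."""
    for area, colour in stoplight.items():
        if colour not in ("red", "yellow", "green"):
            raise ValueError(f"{area}: unknown stoplight status {colour!r}")
    flagged = [a for a, c in stoplight.items() if c in NEEDS_IMPROVEMENT]
    return sorted(flagged, key=lambda a: (NEEDS_IMPROVEMENT[stoplight[a]], a))


# Constructed sample data, not results from the study.
SAMPLE_OUTAGE = {"operational_cost_increase": 2.0,
                 "revenue_loss_per_year": 21.5,
                 "working_hours_increase_2_days": 9.9}
SAMPLE_STOPLIGHT = {"area A": "yellow", "area B": "green", "area C": "red"}
```

The reputation criterion is left out because the text gives it no numeric thresholds.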

CONCLUSION
From this research we can draw some conclusions about the IT risks in the critical areas:
- Awareness and security training. In this area, the company has not prepared security awareness training, to be carried out periodically, for the employees involved with the supply information system.
- Security strategy. The company did not know or understand what the security strategy and procedures of the IT department should be for the supply IS, because there was no time to make any procedure.
- Security management. In this area, the procedures for safeguarding the company's IT have not been documented, so more security management activity is needed to reduce the risk.
- Disaster recovery. The company did not have any plan for a disaster, so if one happened it would cause a big loss to the company.