Rui Shantilau,Antonio Goncalves,Anacleto Correia

DOI: https://doi.org/10.48550/arXiv.1511.02903

2015-09-25

Cryptography and Security

Abstract:In general, the perspective customer / supplier followed by organizations, regarding information security management, is based mainly on management controls based on standards such as ISO / IEC 27001: 2015, resulting in the production of especially technical analysis reports, rather than a socio-technical approach. This leads to the perception by the customer of the delivery of a product instead of a service.The product concerned is reduced to a set of prescriptions, sometimes unrelated, which materialize in a descriptive and static view of client security management. As a result, the client can hardly use the product continuously, following the dynamics of changes in their organization, therefore recognizing value in the provision made by the supplier. The use of the paradigm Service Dominant Logic (LDS), in the development of a range of security management information, helps to change the focus of tangible resources to the intangible assets. The aspects of tangibility, materialized in a document that describes the client's vulnerabilities and attack vectors are referred to a secondary level, given the importance of the intangible aspects, such as the interaction that is established between the customer specialists and supplier. In this article we propose to analyze in the perspective of a socio-technical theory, the Activity Theory, the service provided by an artifact called 27001 Manager, designed to assist the entire cycle of analysis, development and maintenance of an information security management system (ISMS). The analysis aims at observing the existing interaction between customer / supplier, considering that the service is inherently dynamic and inter-subjective, ie the result of a compromise between the customer and the supplier.

Kitsios,Chatzidimitriou,Kamariotou

DOI: https://doi.org/10.3390/su15075828

IF: 3.9

2023-03-28

Sustainability

Abstract:In order to handle their regulatory and legal responsibilities and to retain trustworthy strategic partnerships, enterprises need to be dedicated to guaranteeing the privacy, accessibility, and authenticity of the data at their disposal. Companies can become more resilient in the face of information security threats and cyberattacks by effectively integrating security strategies. The goal of this article is to describe a plan that a corporation has implemented in the information technology industry in order to ensure compliance with International Organization for Standardization (ISO) 27001. This research demonstrates an examination of the reasons that force enterprises to make a investment in ISO 27001 in addition to the incentives that might be acquired from having undergone this process. In addition, the research examines the reasons that push firms to make an investment in ISO 27001. More particularly, the research investigates an international IT consulting services institution that is responsible for the implementation of large-scale business assistance insertion and projects. It demonstrates the risk management framework and the administrative structure of the appropriate situations so that its procedures are adequate and also in line with the guidelines founded by ISO 27001. In conclusion, it discusses the problems and difficulties that were experienced.

environmental sciences,environmental studies,green & sustainable science & technology

Gliner Dias Alencar,Hermano Perrelli de Moura,Ivaldir Honório de Farias Júnior,José Gilson de Almeida Teixeira Filho

DOI: https://doi.org/10.48550/arXiv.1807.06184

2018-07-17

Cryptography and Security

Abstract:The lack of security in information systems has caused numerous financial and moral losses to several organizations. The organizations have a series of information security measures recommended by literature and international standards. However, the implementation of policies, actions, and adjustment to such standards is not simple and must be addressed by specific needs identified by the Information Security Governance in each organization. There are many challenges in effectively establishing, maintaining, and measuring information security in a way that adds value. Those challenges demonstrate a need for further investigations which address the problem. This paper presents a strategy to measure the maturity in information security aiming, also, to assist in the application and prioritization of information security actions in the corporate environment. For this, a survey was used as the main methodological instrument, reaching 157 distinct companies. As a result, it was possible to classify the ISO/IEC 27001 and 27002 controls in four stages according to the importance given by the companies. The COBIT maturity levels and a risk analysis matrix were also used. Finally, the adaptable strategy was successfully tested in a company

Nilton Takagi,Carlos Ueslei Rodrigues de Oliveira,Fernando Escobar,António Trigo,Luis Silva Rodrigues

DOI: https://doi.org/10.12821/ijispm110404

2023-12-27

International Journal of Information Systems and Project Management

Abstract:The study of Information Systems Project Management (ISPM) practice is fundamental for developing knowledge in this field. Over the past few years, several studies have been conducted in organizations by professionals and academics to identify approaches, processes, tools, and techniques, among other relevant aspects of project management practice. The use of these practices can be related to various factors, such as trends in the world of work or even the cultural context. In this way, an insight into the context of a given region can support actions to improve ISPM practice and raise success rates in information systems projects. This paper presents the results of a systematic literature review that seeks to synthesize how project management on information systems is practiced in Portugal and identify opportunities for developing the project management body of knowledge.

Ellena Ike

DOI: https://doi.org/10.47941/ejikm.2063

2024-07-12

Abstract:Purpose: The general objective of the study was to analyze information security and knowledge management. Methodology: The study adopted a desktop research methodology. Desk research refers to secondary data or that which can be collected without fieldwork. Desk research is basically involved in collecting data from existing resources hence it is often considered a low cost technique as compared to field research, as the main cost is involved in executive’s time, telephone charges and directories. Thus, the study relied on already published studies, reports and statistics. This secondary data was easily accessed through the online journals and library. Findings: The findings reveal that there exists a contextual and methodological gap relating to information security and knowledge management. Preliminary empirical review revealed that integrating IS and KM was crucial for enhancing organizational performance, protecting intellectual assets, and fostering innovation. It emphasized the need for a holistic approach combining technological solutions, robust policies, and a culture of security awareness. The research found that this integration led to significant improvements in operational efficiency and innovation, with continuous evaluation and adaptation being essential. The study highlighted the importance of advanced security technologies, regular updates, and employee training to maintain effective IS and KM practices, ultimately ensuring the secure and effective utilization of knowledge assets for sustainable growth. Unique Contribution to Theory, Practice and Policy: The Socio-Technical Systems Theory, Knowledge-Based View of the Firm and Information Systems Success Model may be used to anchor future studies on information security and knowledge management. The study provided significant contributions to theory, practice, and policy by integrating various theoretical frameworks and emphasizing the need for a multi-layered approach to IS that includes advanced technology, strong policies, and employee training. It recommended the development of regulatory standards to enforce robust IS practices, the alignment of IS and KM with organizational strategies, and the implementation of continuous improvement programs. Additionally, it highlighted the importance of comprehensive training for employees and fostering a collaborative environment that balances security with innovation.

Ualison Rébula de Oliveira,Fernando Augusto Silva Marins,Henrique Martins Rocha,Valério Antonio Pamplona Salomon

DOI: https://doi.org/10.1016/j.jclepro.2017.03.054

IF: 11.1

2017-05-01

Journal of Cleaner Production

Abstract:Ruptures and interruptions in supply chains (SC) can cause large financial losses and undermine the reputation of firms. In this respect, there is growing interest among researchers in the theme of supply chain risk management (SCRM). SCRM involves analysis carried out in various steps. However, researchers diverge over the number and content of these steps. In light of this problem, the aim of the present study was to analyze whether it is possible to apply the ISO 31000 standard as a systematic procedure for SCRM. And, if so, how the standard can be implemented in the SCRM context, as a framework in a specific company. Through a systematic literature review, we compared and harmonized the risk management steps proposed by researches about SCRM. Additionally we developed a pathway to identify and prioritize which ISO 31000:2009 risk assessment tools and techniques are supposed to integrate a procedure for SCRM, based on the Analytic Hierarchy Process (AHP), exemplified in an automotive supply chain. Based on the research findings, we infer that ISO 31000 can be used beneficially as a standardized method to perform SCRM, as long as tools and techniques are selected according to the company needs and business characteristics.

environmental sciences,green & sustainable science & technology,engineering, environmental

João Henriques,Filipe Caldeira,Tiago Cruz,Paulo Simões

DOI: https://doi.org/10.1109/access.2023.3348552

IF: 3.9

2024-01-01

IEEE Access

Abstract:The broadening dependency and reliance that modern societies have on essential services provided by Critical Infrastructures is increasing the relevance of their trustworthiness. However, Critical Infrastructures are attractive targets for cyberattacks, due to the potential for considerable impact, not just at the economic level but also in terms of physical damage and even loss of human life. Complementing traditional security mechanisms, forensics and compliance audit processes play an important role in ensuring Critical Infrastructure trustworthiness. Compliance auditing contributes to checking if security measures are in place and compliant with standards and internal policies. Forensics assist the investigation of past security incidents. Since these two areas significantly overlap, in terms of data sources, tools and techniques, they can be merged into unified Forensics and Compliance Auditing (FCA) frameworks. In this paper, we survey the latest developments, methodologies, challenges, and solutions addressing forensics and compliance auditing in the scope of Critical Infrastructure Protection. This survey focuses on relevant contributions, capable of tackling the requirements imposed by massively distributed and complex Industrial Automation and Control Systems, in terms of handling large volumes of heterogeneous data (that can be noisy, ambiguous, and redundant) for analytic purposes, with adequate performance and reliability. The achieved results produced a taxonomy in the field of FCA whose key categories denote the relevant topics in the literature. Also, the collected knowledge resulted in the establishment of a reference FCA architecture, proposed as a generic template for a converged platform. These results are intended to guide future research on forensics and compliance auditing for Critical Infrastructure Protection.

computer science, information systems,telecommunications,engineering, electrical & electronic

Isaías Scalabrin Bianchi,Rui Dinis Sousa,Ruben Pereira

DOI: https://doi.org/10.3390/informatics8020026

2021-04-13

Informatics

Abstract:Information Technology governance (ITG) calls for the definition and implementation of formal practices at the highest level in the organization, involving structures, processes and relational practices for the creation of business value from IT investments. However, determining the right ITG practices remains a complex endeavor. Previous studies identify IT governance practices used in the health and financial sectors. As universities have many unique characteristics, it is highly unlikely that the ITG experiences of the financial and health industry can be directly applied to universities. This study, using Design Science Research (DSR), develops a baseline with advised practices for the university sector. The analysis of thirty-four case studies from the literature review provides a set of practices as a starting point for the development of the baseline model proposal through multiple case studies involving interviews with IT directors, in ten universities in five countries: eight new practices emerge in this study. The model proposed was evaluated by experts. The result is a baseline model with adequate practices for IT governance in universities as well as a set of guidelines for its implementation. Findings revealed that is possible to extend the ITG practices’ baseline when looking at specific contexts.

English Else

André Fernandes,João Cruz,Miguel Mira da Silva,Rúben Pereira

DOI: https://doi.org/10.3897/jucs.111677

2024-04-28

JUCS - Journal of Universal Computer Science

Abstract:Organizations are under increasing pressure to comply with various rules, standards, and policies in today’s regulatory environment. Compliance controls are put in place to avoid legal or regulatory violations, which could lead to severe penalties, loss of reputation, and financial damages. However, these controls may have similar scopes and objectives, resulting in duplicated work and unnecessary costs for the organizations. To address this issue, researchers carry out the mapping and integration of these standards to avoid duplication, streamline compliance efforts, and identify best practices. Our work aims to improve the State-of-the-Art by exploring the main benefits and problems resulting from these processes, as well as identifying methods or artifacts that can be reused in the future. We focus on the fields of Risk, Security, and Business Continuity, as these are critical areas where compliance is crucial for organizations. Through our research, we have found that current methods of generating mapping artifacts are not only cumbersome to execute but also ineffective, as they output a single artifact without the reasoning behind it.

computer science, theory & methods, software engineering

João Serrano,João Faustino,Daniel Adriano,Rúben Pereira,Miguel Mira da Silva,Miguel da Silva

DOI: https://doi.org/10.3390/info12030111

2021-03-05

Information

Abstract:Information technology (IT) service management is considered a collection of frameworks that support organizations managing services. The implementation of these kinds of frameworks is constantly increasing in the IT service provider domain. The main objective is to define and manage IT services through its life cycle. However, from observing the literature, scarcely any research exists describing the main concepts of ITSM. Many organizations still struggle in several contexts in this domain, mainly during implementation. This research aims to develop a reference study detailing the main concepts related with ITSM. Thus, a systematic literature review is performed. In total, 47 articles were selected from top journals and conferences. The benefits, challenges, opportunities, and practices for ITSM implementation were extracted, critically analysed, and then discussed.

Mauro Gonçalves Pinheiro,Mehran Misaghi

DOI: https://doi.org/10.1145/2684200.2684367

2014-12-04

Abstract:Technology and Information are vital to the success of companies. To leverage the successes in IT projects, companies have at their disposal, references globally accepted as good practices (COBIT, ITIL, PMBOK, ISO, TOGAF, etc.). In spite of this, it is still great the magnitude of spending on IT projects poorly designed or improperly implemented. This paper presents a brief description of standards and good practices related to governance and management of enterprise IT, defines the Lean Thinking, Lean IT, the Processes Management, the Portfolio, Program and Project Management, and the Work System Theory, and highlights the purpose of them, showing their characteristics and suggests a Framework of Lean Governance and Management of Enterprise IT, by demonstrating how the standards and good practices presented can work together, because it advocates that the Lean Thinking, the Process, Portfolio, Program, and Project Management, and the Work System Theory complement the standards and good practices of Governance and Management of Enterprise IT with an approach not referenced in these standards and good practices.

Harrison Stewart,Jan Jürjens

DOI: https://doi.org/10.1108/ics-07-2016-0054

2017-11-13

Information and Computer Security

Abstract:Purpose The aim of this study is to encourage management boards to recognize that employees play a major role in the management of information security. Thus, these issues need to be addressed efficiently, especially in organizations in which data are a valuable asset. Design/methodology/approach Before developing the instrument for the survey, first, effective measurement built upon existing literature review was identified and developed and the survey questionnaires were set according to past studies and the findings based on qualitative analyses. Data were collected by using cross-sectional questionnaire and a Likert scale, whereby each question was related to an item as in the work of Witherspoon et al. (2013). Data analysis was done using the SPSS.3B. Findings Based on the results from three surveys and findings, a principle of information security compliance practices was proposed based on the authors’ proposed nine-five-circle (NFC) principle that enhances information security management by identifying human conduct and IT security-related issues regarding the aspect of information security management. Furthermore, the authors’ principle has enabled closing the gap between technology and humans in this study by proving that the factors in the present study’s finding are interrelated and work together, rather than on their own. Research limitations/implications The main objective of this study was to address the lack of research evidence on what mobilizes and influences information security management development and implementation. This objective has been fulfilled by surveying, collecting and analyzing data and by giving an account of the attributes that hinder information security management. Accordingly, a major practical contribution of the present research is the empirical data it provides that enable obtaining a bigger picture and precise information about the real issues that cause information security management shortcomings. Practical implications In this sense, despite the fact that this study has limitations concerning the development of a diagnostic tool, it is obviously the main procedure for the measurements of a framework to assess information security compliance policies in the organizations surveyed. Social implications The present study’s discoveries recommend in actuality that using flexible tools that can be scoped to meet individual organizational needs have positive effects on the implementation of information security management policies within an organization. Accordingly, the research proposes that organizations should forsake the oversimplified generalized guidelines that neglect the verification of the difference in information security requirements in various organizations. Instead, they should focus on the issue of how to sustain and enhance their organization’s compliance through a dynamic compliance process that involves awareness of the compliance regulation, controlling integration and closing gaps. Originality/value The rapid growth of information technology (IT) has created numerous business opportunities. At the same time, this growth has increased information security risk. IT security risk is an important issue in industrial sectors, and in organizations that are innovating owing to globalization or changes in organizational culture. Previously, technology-associated risk assessments focused on various technology factors, but as of the early twenty-first century, the most important issue identified in technology risk studies is the human factor.

Pedro Solana-González,Adolfo Alberto Vanti,María Matilde García Lorenzo,Rafael E. Bello Pérez

DOI: https://doi.org/10.3390/su131810130

IF: 3.9

2021-09-10

Sustainability

Abstract:Information quality and organizational transparency are relevant issues for corporate governance and sustainability of companies, as they contribute to reducing information asymmetry, decreasing risks, and improving the conduct of decision-makers, ensuring an ethical standard of organizational control. This work uses the COBIT framework of IT governance, knowledge management, and machine learning techniques to evaluate organizational transparency considering the maturity levels of technology processes applied in 285 companies of southern Brazil. Data mining techniques have been methodologically applied to analyze the 37 processes in four different domains: Planning and organization, acquisition and implementation, delivery and support, and monitoring. Four learning techniques for knowledge discovery have been used to build a computational model that allowed us to evaluate the organizational transparency level. The results evidence the importance of IT performance monitoring and assessment, and internal control processes in enabling organizations to improve their levels of transparency. These processes depend directly on the establishment of IT strategic plans and quality management, as well as IT risk and project management, therefore an improvement in the maturity of these processes implies an increase in the levels of organizational transparency and their reputational, financial, and accountability impact.

environmental sciences,environmental studies,green & sustainable science & technology

Hossein Moinzad,Mohammad H Akbarzadeh

DOI: https://doi.org/10.1002/hsr2.926

2022-11-18

Abstract:Background and aims: Although many health strategic plans have been developed by scholars and organizations, they still suffer from a limited view. Since most health-related strategies in the future will depend on information technology (IT), as the main driver of today's industry, technology, and society, IT merits attention in health strategic plans. While the majority of the health strategic plan developed based on the interviews and questioner and these plans didn't consider the role of IT in their actions, this research will develop a framework to integrate risk and maturity analysis with the strategic planning process in health information technology strategic plan. Methods: The present research introduces an integrated framework based on a balanced scorecard (BSC) and control objectives for information and related technologies (COBIT). Also, The American Productivity & Quality Centre framework and COBIT were employed in this model to define the processes and activities of health IT (HIT) organizations. The organization's maturity and risk are analyzed in terms of information and management criteria using BSC, COBIT, and the analytical hierarchy process. Results: Later this model was implemented in a Remote Health care System to improve the strategic management process for this technology. Using this framework, 17 business goals have been developed and presented for the case. Also, the total related risk was 48% and the maturity level was at 1/18. The results are presented as decision-making parameters and strategies for successful IT implementation. Conclusion: The presented framework provides deeper insight for the decision-maker through integrating risk and maturity analysis in the HIT strategic planning process. The results are presented as decision-making parameters and strategies for successful IT implementation. These strategies help investors decide about resource allocation based on the risk-taking capability, certainty, and uncertainty results of the plan.

Fotis Kitsios,Elpiniki Chatzidimitriou,Maria Kamariotou

DOI: https://doi.org/10.3390/su14031269

IF: 3.9

2022-01-24

Sustainability

Abstract:Organizations must be committed to ensuring the confidentiality, availability, and integrity of the information in their possession to manage legal and regulatory obligations and to maintain trusted business relationships. Information security management systems (ISMSs) support companies to better deal with information security risks and cyber-attacks. Although there are many different approaches to successfully implementing an ISMS in a company, the most important and time-consuming part of establishing an ISMS is a risk assessment. The purpose of this paper was to develop a risk assessment framework that a company followed in the information technology sector to conduct the risk assessment process to comply with International Organization for Standardization (ISO) 27001. The findings analyze the conditions that force organizations to invest in protecting information and the benefits they can derive from this process. In particular, the paper delves into a multinational IT consulting services company that undertakes and implements large business support installation and customization projects. It explains the risk assessment process and the management of the necessary configurations so that its functions are acceptable and in line with information security standards. Finally, it presents the difficulties and challenges encountered.

environmental sciences,environmental studies,green & sustainable science & technology

Rubio Sánchez Juan Luis,García Revilla Mercedes Raquel,Martínez Moure Olga

DOI: https://doi.org/10.3390/admsci13010002

2022-12-21

Administrative Sciences

Abstract:The information technology infrastructure library (ITIL) standard describes processes that should be implemented in Information Technology (IT) departments for proper operations management, which includes human resources management, economic management, and strategic management, among others. This should be especially considered in the business management of industries with no relation to information technologies (IT), such as tourism and hospitality companies. This work aims to present a method to establish the order of adoption of the IT management processes in companies that belong to the tourism industry. We conducted a survey to obtain the necessary data and developed a methodology that is based on an optimization procedure. This procedure generates the optimal sequence of IT tasks to adopt in a generic small company in the tourism industry. The methodology was then applied to a representative tourism company. Through the sequence obtained, it is shown that it is necessary to implement operative processes, and subsequently, strategic processes. A comparative study was developed to find the differences with other authors’ proposals. The most important result we found was the possibility of efficient use of organizations’ information to build an optimized list of IT procedures to improve their administration. The obtained list of processes is specific for each organization, and not dependent on the solutions offered by other authors who proposed a general or underoptimal list of processes.

English Else

Mayara Costa Figueiredo,Cleidson R.B. de Souza,Marcelo Zílio Pereira,Rafael Prikladnicki,Jorge Luis Nicolas Audy

DOI: https://doi.org/10.1016/j.infsof.2014.04.001

IF: 3.9

2014-10-01

Information and Software Technology

Abstract:ContextInformation Technology (IT) architects are the professionals responsible for designing the information systems for an organization. In order to do that, they take into account many aspects and stakeholders, including customers, software developers, the organization’s business, and its current IT infrastructure. Therefore, different aspects influence their work.ObjectiveThis paper presents results of research into how IT architects perform their work in practice and how different aspects are taken into account when an information system is developed. An understanding of IT architects’ activities allows us to better support their work. This paper extends our own previous work (Figueiredo et al., 2012) [30] by discussing aspects of knowledge management and tool support.MethodA qualitative study was conducted using semi-structured interviews for data collection and grounded theory methods (Strauss and Corbin, 1998) [5] for data analysis. Twenty-seven interviews were conducted with twenty-two interviewees from nine different companies through four cycles of data collection and analysis.ResultsCompanies divide IT architecture activities among different roles. Although these roles receive different names in different organizations, all organizations follow a similar pattern based on 3 roles: enterprise, solutions and software architects. These architects perform both the technical activities related to the IT architecture and the social activities regarding the communication and coordination with other stakeholders and among themselves. Furthermore, current tools used by IT architects lack adequate support for all these aspects.ConclusionThe activities of the different IT architects are highly interconnected and have a huge influence in the way the requirements are handled in every phase of the development of an information system. The activities of IT architects are also important for knowledge transfer, translation and transformation, since they receive from and spread information to different groups of stakeholders. We also conclude that they lack appropriate tool support, especially regarding support for their collaborative work.

computer science, information systems, software engineering

Rogelio Pegoretti C. Amorim,C. S. Menezes

DOI: https://doi.org/10.5555/3021955.3021959

2016-05-17

Abstract:This paper discusses the need for the study of government transparency from the perspective of information technology. So, is presented the building of an Evaluation Methodology of Municipal Transparency Websites, in light of the Standards series ISO/IEC 25000, and the Brazilian law. The proposed model contains 443 appraisal items, divided into a specific indicator to measure the level of transparency the Legislative Power, and another to the municipal Executive Power. The built methodology was based on objective criteria for the allocation of weights to each indicator and had focus on reducing the degree of subjectivity of the process of execution of the evaluation. The work also includes the development of an operational supporting software for the evaluation process, speeding up the fieldwork. The methodology was applied in the execution the measurement of transparency of cities of the Espirito Santo State, Brazil, and the results showed a low degree of achievement of established criteria.

Computer Science,Political Science

Michael Matthias Naumann,Stelian Mircea Olaru,Georg Sven Lampe,Fabian Pitz

DOI: https://doi.org/10.2478/picbe-2024-0043

2024-06-01

Proceedings of the International Conference on Business Excellence

Abstract:Abstract In the current global context, companies need a defined minimum level of information security to recognize and deal with related threats and risks. Due to market, customer or legal requirements, specifications and requirements for information security are implemented uniformly according to standards such as the information security management standard ISO/IEC 27001 or industry-specific standards such as Trusted Information Security Assessment Exchange - TISAX, ISO IEC 27019 Energy Utility Information Security Standard. The conformity to these standard requirements within the established management system is checked during periodically required audits. However, there are various reasons for which, even after many years of audits in companies, there are still insufficient process implementations for information security requirements. The aim of the paper is to analyze the status of conformity and thus also the process maturity in selected samples of companies that have already had information security management systems (ISMS) implemented for several years. In detail, the reasons for deviations from the minimum requirements with associated risks for the security of information in companies were analyzed, which allow conclusions to be drawn about possible process improvements. The paper also analyzes why, despite established measures and existing expertise, only a limited level of process maturity is achieved on average. Other possible approaches to the implementation procedure for dealing with non-conformities in information security are also considered. The results of this research show that there is a need for an adjusted continuous improvement process, which makes risks resulting from insufficient process maturity more visible. Proposals for such improvements are listed.

Carlos Santos,Armindo Rebelo,Carla Ferreira,José Tribolet

DOI: https://doi.org/10.48550/arXiv.1112.1661

2012-04-11

Abstract:This paper, framed in a vast investigation, describes the application of techniques and methodologies in Organizational Engineering connected to the associated risk to the processes developed in an Emergency Service of an important Portuguese Hospital. The transactions performed in an emergency service and the consequent risk identification (negative behaviour associated to those transactions) is done based on static and dynamic models, developed during the business modelling. Any non-trivial system is better portrayed trough a small number of reasonably independent models. From this point of view it is important to look at the systems from a "micro" perspective, which allows us to analyse the system at the transaction level. All processes have some associated risk (inherent risk). Its identification will be decisive for future analysis and for the consequent decision over the need, or not, to study internal control mechanisms. This decision will depend on the risk level that the organization considers acceptable.

Software Engineering